70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Chapter 4: Implementing and Managing Group and Computer Accounts

Objectives
• Understand the purpose of using group accounts to simplify administration
• Create group objects using both graphical and command-line tools
• Manage security groups and distribution groups
• Explain the purpose of the built-in groups created when Active Directory is installed
• Create and manage computer accounts
Introduction to Group Accounts
• A group is a container object
• Used to organize collections of users, computers, contacts and other groups
• Used to simplify administration: rights and permissions are assigned once, to the group, instead of to each account
• Similar to Organizational Units (OUs) except
  • OUs are not security principals, groups are (an OU cannot appear in an ACL; a group can)
  • OUs can only contain objects from their own domain; groups can contain objects from across the forest, subject to the group's scope

Group Types
• Security groups
  • Identified by a Security Identifier (SID) that is placed in the access token of every member at logon
  • Can be assigned permissions for resources, as entries in discretionary access control lists (DACLs)
  • Can be assigned user rights to perform different tasks
  • Can also be used as e-mail entities
• Distribution groups
  • Primarily used as e-mail entities (distribution lists)
  • Not security-enabled: the group is never placed in a member's access token, so it cannot be used to grant or deny permissions or rights
Group Scopes
• Scope defines two boundaries: where in the forest the group can be granted rights and permissions, and which objects it can contain
• Both security and distribution groups have three scopes:
  • Global
  • Domain local
  • Universal
• The objects allowed as members of each scope depend on the configured functional level of the domain

Group Scopes (continued)
• Three domain functional levels:
  • Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, Windows 2000 Server and Windows Server 2003 domain controllers
  • Windows 2000 native: supports a combination of Windows 2000 Server and Windows Server 2003 domain controllers
  • Windows Server 2003: supports Windows Server 2003 domain controllers only
• Raising the level is one-way; it cannot be lowered again
Global Groups
• Organize users, computers and (at native level or higher) other global groups from the same domain
• Members must come from the group's own domain; the group itself can be granted rights and permissions in any domain in the forest or in a trusting domain
• Usually represents a geographic location or job function (for example, all sales staff)
• Types of objects allowed in the group depend on the configured functional level of the domain, which in turn depends on the types of domain controllers in the environment

Domain Local Groups
• Can be assigned rights and permissions only on resources within their own domain
• Can contain users, global groups and universal groups from any domain in the forest (and from trusted domains); at native level or higher they can also contain other domain local groups from the same domain
• The specific objects allowed in the group depend on the configured functional level of the domain

Universal Groups
• Typically created to aggregate users or groups from different domains
• Membership is stored in the global catalog and replicated to every global catalog server in the forest, so keep membership stable: nest global groups rather than adding individual users
• Can be assigned rights and permissions for any resource within the forest
• Universal security groups can only be created at the Windows 2000 native or Windows Server 2003 domain functional level; universal distribution groups are allowed at Windows 2000 mixed as well
Creating Group Objects
• Group objects are stored in the Active Directory database
• A variety of tools can be used for creation and management
  • Active Directory Users and Computers
  • Command-line utilities: DSADD, DSMOD, DSQUERY, etc.

Active Directory Users and Computers
• Primary tool for creating group accounts
• Can also be used to configure the properties of group accounts
• Groups can be created in any built-in container, at the root of the domain object, or in custom OU objects
• The group scopes offered are determined by the functional level the domain is configured to
Converting Group Types
• May need to change a security group to a distribution group or vice versa
• The type of a group can only be changed if the domain functional level is Windows 2000 native or above
• Converting security to distribution leaves any existing ACEs that name the group in place, but they no longer match any user's token, so the access they granted silently disappears

Converting Group Scopes
• The scope of a group can be changed
• Domain functional level must be at least Windows 2000 native
• Supported changes, and the condition under which each is allowed:
  • Global to universal: only if the group is not itself a member of another global group
  • Domain local to universal: only if the group does not contain another domain local group
  • Universal to global: only if the group does not contain a universal group
  • Universal to domain local: no restriction
• Global to domain local (or the reverse) has no direct path; convert to universal first, then to the target scope
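The conversions listed above can be done from the command line with dsmod group, which takes the same -secgrp and -scope switches as dsadd group. The script below is an added example, not code from the textbook; the domain corp.example.com, the OU=Groups container and the group names are placeholders, and the domain is assumed to be at Windows 2000 native level or higher.

```batch
@echo off
REM Converting group type and scope with dsmod. Added example, not from the
REM textbook: corp.example.com and the group names are placeholders. The
REM domain must be at Windows 2000 native or Windows Server 2003 level.
setlocal
set GRP=OU=Groups,DC=corp,DC=example,DC=com

REM Record type and scope first so the change can be verified (and reverted)
dsget group "CN=Sales-Announce,%GRP%" -samid -secgrp -scope

REM Type: distribution -> security (-secgrp yes); the reverse is -secgrp no.
REM After -secgrp no, ACEs naming the group stay in the DACL but match nobody.
dsmod group "CN=Sales-Announce,%GRP%" -secgrp yes

REM Scope: global -> universal. Fails if the group is itself a member of
REM another global group; remove it from that group first.
dsmod group "CN=G_Sales,%GRP%" -scope u

REM Universal -> global. Fails if the group contains a universal group.
dsmod group "CN=U_Sales_All,%GRP%" -scope g

REM Global -> domain local has no direct path: go through universal in two
REM steps. && runs the second step only if the first one succeeded.
dsmod group "CN=G_Marketing,%GRP%" -scope u && dsmod group "CN=G_Marketing,%GRP%" -scope l

REM Verify the result
dsget group "CN=G_Marketing,%GRP%" -samid -secgrp -scope
endlocal
```

Each dsmod call reports "dsmod succeeded" or an error naming the constraint it hit, so the two-step conversion stops cleanly if G_Marketing is nested inside another global group.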
Activity 4-1: Creating and Adding Members to Global Groups
• Objective: Use Active Directory Users and Computers to create global groups
• Start > Administrative Tools > Active Directory Users and Computers; right-click the Users container and choose New > Group
• Follow the directions to create several global groups and add user accounts to the groups

Activity 4-2: Creating and Adding Members to Domain Local Groups
• Objective: Use Active Directory Users and Computers to create domain local groups
• In Active Directory Users and Computers, choose New > Group
• Follow the directions to create new domain local groups and add global groups to them
Activity 4-3: Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups
• Objective: Change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal groups
• Open your domain object in Active Directory Users and Computers
• Follow the directions to raise the functional level of your domain to Windows Server 2003 (this cannot be undone)
• Continue the exercise to create a new universal group
• Continue the exercise to add existing groups to the new group
Activity 4-4: Converting Group Types
• Objective: Use Active Directory Users and Computers to change group types
• Follow the directions to create a new global group with distribution type
• Verify the type of the new group
• Continue the exercise to change the type to security and to verify the change

Activity 4-5: Converting Group Scopes
• Objective: Use Active Directory Users and Computers to change group scopes
• Follow the directions to create a new global group
• Add a member group
• Note the restrictions and warnings that follow from the group scope structure, as described in the exercise
• Change the scope of the group to universal
Command Line Utilities
• An alternative to Active Directory Users and Computers
• Some administrators prefer command-line utilities
• Command-line utilities are more flexible in some situations: bulk creation, repeatable changes in a script, and output that can be saved for review

DSADD
• Introduced in Windows Server 2003
• Used to create new user, group, computer and other objects
• Syntax is
  • dsadd group distinguished-name switches
• Switches include: -samid, -secgrp yes|no, -scope l|g|u, -memberof, -members
• More help is available for switches and options in the Windows Server 2003 Help and Support Center or at the command line (dsadd group /?)
Activity 4-6: Creating Groups Using DSADD
• Objective: Use the DSADD GROUP command to add groups of different types and scopes
• Follow the directions to execute the dsadd group command to create a new global group
• Verify the group creation with Active Directory Users and Computers
• Create a domain local group with members using dsadd group and verify that the group was properly created

DSMOD
• Also introduced in Windows Server 2003
• Allows various object types to be modified from the command line
• Syntax is
  • dsmod group distinguished-name switches
• Switches include: -desc, -addmbr, -rmmbr, -chmbr (replace the whole member list), -secgrp, -scope
• More help is available for switches and options in the Windows Server 2003 Help and Support Center or at the command line
Activity 4-7: Modifying Groups Using DSMOD
• Objective: Use the DSMOD GROUP command to modify group accounts
• Follow the directions to execute the dsmod group command to add a description to an existing group
• Verify the modification with Active Directory Users and Computers
• Modify the group by adding and removing members and verify the changes

DSQUERY
• Also introduced in Windows Server 2003
• Used to query various object types from the command line; returns the distinguished names of matching objects
• Syntax for groups is
  • dsquery group [start-node] query
• Supports the wildcard character (*) in -name, -samid and -desc values
• Returns at most 100 objects unless -limit is given (-limit 0 returns all)
• Output can be piped as input to dsget, dsmod, dsmove and dsrm

DSMOVE
• Used to move or rename various object types from the command line
• Takes no object-type keyword; the syntax is
  • dsmove distinguished-name switches
• Switches include: -newparent, -newname
• Can only move objects within a single domain; moving between domains requires the movetree utility from the Windows Support Tools
• More help is available for switches and options in the Windows Server 2003 Help and Support Center or at the command line

DSRM
• Used to delete various object types from the command line
• Takes no object-type keyword; the syntax is
  • dsrm distinguished-name switches
• Switches include: -noprompt (skip the confirmation prompt), -subtree (delete an object and everything under it)
• Deleting a group discards its SID; a group recreated with the same name gets a new SID, so ACEs that referenced the old group stay orphaned and must be reassigned
• More help is available for switches and options in the Windows Server 2003 Help and Support Center or at the command line
Managing Security Groups
• The strategy for managing security groups is summarized by the acronym A G U DL P:
  • Create user Accounts (A) and organize them within Global groups (G)
  • Optional: create Universal groups (U) and place global groups from any domain in the universal groups
  • Create Domain Local groups (DL) and add the global and universal groups to them
  • Assign Permissions (P) to the domain local groups only
• Permissions are never assigned directly to user accounts or to global groups; a resource's DACL then changes only when a new access level is introduced, not when people change roles
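The same A G U DL P strategy carried out with the DS tools and cacls rather than the graphical console, as an added example that is not from the textbook. The domain corp.example.com, the OU=Sales and OU=Groups containers, the user and group names and the D:\SalesData folder are placeholders; the users are assumed to exist already, and the universal security group assumes the Windows 2000 native or Windows Server 2003 domain functional level.

```batch
@echo off
REM A G U DL P carried out with the Windows Server 2003 DS tools and cacls.
REM Added example, not from the textbook: corp.example.com, the OUs, the user
REM and group names and D:\SalesData are placeholders. The universal security
REM group needs Windows 2000 native or Windows Server 2003 functional level.
setlocal
set DOM=DC=corp,DC=example,DC=com
set GRP=OU=Groups,%DOM%

REM A - the user accounts are assumed to exist already (OU=Sales)

REM G - global group for one job function; members are users from this domain
dsadd group "CN=G_Sales,%GRP%" -samid G_Sales -secgrp yes -scope g ^
  -desc "Sales staff" ^
  -members "CN=Jane Doe,OU=Sales,%DOM%" "CN=John Smith,OU=Sales,%DOM%" || goto :fail

REM U - optional: universal group that aggregates global groups, possibly
REM from several domains; only the global group is a member, never users
dsadd group "CN=U_Sales_All,%GRP%" -samid U_Sales_All -secgrp yes -scope u ^
  -members "CN=G_Sales,%GRP%" || goto :fail

REM DL - domain local group named after the resource and the access level
dsadd group "CN=DL_SalesData_Change,%GRP%" -samid DL_SalesData_Change ^
  -secgrp yes -scope l -desc "Change access to D:\SalesData" || goto :fail
dsmod group "CN=DL_SalesData_Change,%GRP%" -addmbr "CN=U_Sales_All,%GRP%" || goto :fail

REM P - the permission is granted once, to the domain local group only.
REM /E edits the existing DACL instead of replacing it, /T recurses,
REM C = Change (read, write, execute, delete).
cacls D:\SalesData /E /T /G CORP\DL_SalesData_Change:C || goto :fail

REM Check: expand the nesting back down to the individual user accounts
dsget group "CN=DL_SalesData_Change,%GRP%" -members -expand
endlocal
exit /b 0

:fail
echo A command failed (exit code %ERRORLEVEL%); fix it before granting permissions.
endlocal
exit /b 1
```

Because each step is chained with || goto :fail, a typo in a distinguished name stops the script before cacls runs, so a permission is never granted to a group that was not created as intended. Moving a salesperson to another department later means one dsmod group -rmmbr on G_Sales; the DACL on D:\SalesData is untouched.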
Determining Group Membership
• An important task for administrators is to ensure that users are members of the correct groups
• One method is the Member Of tab in the properties of a user account
  • Shows only direct membership, not groups reached through nested groups
• The second method is DSGET, which returns attribute values for the objects named in the query

Determining Group Membership (continued)
• Syntax is
  • dsget group distinguished-name switches
• Switches include: -members, -memberof; add -expand to follow nested groups recursively
• Can also be used as dsget user distinguished-name -memberof [-expand] to get membership information about a specific user
• The distinguished name can come from a dsquery pipe instead of being typed: dsquery user -samid name | dsget user -memberof -expand
• Output can be saved to a file:
  • dsget group distinguished-name switches > filename overwrites the file; >> appends to it
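A membership review built from dsquery and dsget, as an added example that is not from the textbook. It shows the effective (nested) membership of one user, dumps the expanded membership of the privileged groups to a file for review, and flags groups that have no members. The domain corp.example.com, the OU=Groups container, the account jdoe and the C:\audit folder are placeholders.

```batch
@echo off
REM Group membership audit with dsquery and dsget. Added example, not from
REM the textbook: corp.example.com, OU=Groups, the account jdoe and C:\audit
REM are placeholders. Create C:\audit before running.
setlocal
set DOM=DC=corp,DC=example,DC=com
set OUT=C:\audit

REM 1. Effective membership of one user. -expand follows nested groups,
REM    which the Member Of tab in Active Directory Users and Computers does not.
dsquery user -samid jdoe | dsget user -memberof -expand

REM 2. The same, saved: > starts a new file, >> appends to an existing one.
dsquery user -samid jdoe | dsget user -memberof -expand > "%OUT%\jdoe-groups.txt"

REM 3. Who really holds administrative rights: expand the privileged groups.
REM    Enterprise Admins and Schema Admins exist only in the forest root
REM    domain, so dsquery finds nothing for them in a child domain.
type nul > "%OUT%\privileged.txt"
for %%G in ("Domain Admins" "Enterprise Admins" "Schema Admins" "Administrators" "Account Operators") do (
  echo === %%~G >> "%OUT%\privileged.txt"
  dsquery group -samid "%%~G" | dsget group -members -expand >> "%OUT%\privileged.txt"
)

REM 4. Groups under OU=Groups with no members at all (cleanup candidates).
REM    Member DNs start with a quoted CN=; dsget's closing "dsget succeeded"
REM    line does not, so the findstr pattern ignores it.
for /f "usebackq delims=" %%D in (`dsquery group "OU=Groups,%DOM%" -limit 0`) do (
  dsget group %%D -members | findstr /r "^.CN=" >nul || echo EMPTY: %%D
)
endlocal
```

Step 3 is the check worth scheduling: an account that reaches Domain Admins only through two levels of nesting is invisible on its Member Of tab but shows up in privileged.txt. Compare the file against the previous run to catch additions that were never requested.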
Built-In Groups
• When Windows Server 2003 Active Directory is installed
  • Built-in groups are created automatically
  • Rights are pre-assigned
  • Stored in the Builtin container and the Users container
• Use built-in groups where possible
  • Eases implementation of security rights
• Membership of the administrative built-in groups should be reviewed regularly, since each one grants wide-ranging rights across the domain

The Builtin Container
• Contains a number of domain local (builtin local) group accounts with well-known SIDs, such as Administrators, Account Operators, Server Operators and Backup Operators
• Allocated different user rights based on common administrative or network-related tasks
The Users Container
• Contains a number of domain local and global group accounts, such as Domain Admins and Domain Users
• Some groups, Enterprise Admins and Schema Admins, are only found in the root domain of an Active Directory forest rather than in every domain
Creating and Managing Computer Accounts
• Computer accounts are needed for Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 computers that join the domain
• Can be created during installation or added manually later
• Creation and management tools
  • Active Directory Users and Computers
  • System applet in Control Panel (joining the domain from the computer itself)
  • Command-line utilities (dsadd computer, dsmod computer, netdom)

Activity 4-8: Creating and Managing Computer Accounts
• Objective: Use Active Directory Users and Computers to create and manage computer accounts
• Follow the directions to create a new computer account from Active Directory Users and Computers
• Configure and review the account as directed
Resetting Computer Accounts
• Secure channel
  • Used by computers that are domain members to authenticate to and communicate with a domain controller
  • Protected by the computer account password, which the computer changes every 30 days by default
  • Automatically kept in sync between the domain controller and the workstation
• Occasionally the two copies of the password get out of step (for example after restoring a workstation from an old image) and the computer can no longer authenticate to the domain
  • The administrator must reset the computer account
  • Using Active Directory Users and Computers (Reset Account), dsmod computer -reset, or the Netdom.exe command from the Windows Support Tools
  • After a reset from the domain controller side the workstation must rejoin the domain; netdom reset re-establishes the channel from the workstation side without a rejoin
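Diagnosing and repairing a broken secure channel from the command line, as an added example that is not from the textbook. nltest and netdom come from the Windows Support Tools; dsmod is one of the Windows Server 2003 DS tools. The domain corp.example.com, the domain controller dc1, the workstation WS01 and the administrative account are placeholders.

```batch
@echo off
REM Secure channel diagnosis and reset. Added example, not from the textbook:
REM corp.example.com, dc1, WS01 and CORP\admin are placeholders. nltest and
REM netdom are from the Windows Support Tools. Run as a domain administrator.
setlocal
set DOMAIN=corp.example.com
set DC=dc1.corp.example.com

REM 1. On the workstation: is the secure channel healthy? A status other
REM    than 0 means the machine password no longer matches the account.
nltest /sc_query:%DOMAIN%
nltest /sc_verify:%DOMAIN%

REM 2. Repair from the workstation side: renegotiate the channel with a
REM    named DC using domain admin credentials; no rejoin or reboot needed.
REM    * prompts for the password instead of leaving it in the command history.
netdom reset %COMPUTERNAME% /domain:%DOMAIN% /server:%DC% /usero:CORP\admin /passwordo:*

REM 3. Alternative, from the domain controller side: reset the account
REM    itself. This is what Reset Account in Active Directory Users and
REM    Computers does, and the workstation must then rejoin the domain.
REM dsmod computer "CN=WS01,CN=Computers,DC=corp,DC=example,DC=com" -reset

REM 4. Verify: the channel should now report success
nltest /sc_query:%DOMAIN%
endlocal
```

Prefer the netdom reset route when the workstation is reachable: it fixes the mismatch without a rejoin, and the account keeps its SID and group memberships. A dsmod computer -reset is the fallback when the machine cannot be logged on to at all, at the cost of a rejoin afterwards.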
Summary
• Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously
• Two group types:
  • Security groups
  • Distribution groups
• Three scopes possible for groups:
  • Global groups
  • Domain local groups
  • Universal groups

Summary (continued)
• Group and computer accounts can be created and managed
  • From Active Directory Users and Computers
  • From command-line utilities (DSADD, DSMOD, DSQUERY, DSGET, DSMOVE, DSRM)
• The Builtin and Users containers and their groups are automatically created at installation with specific pre-assigned rights and permissions
• Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 computers require computer accounts in Active Directory