Windows Server 2003 User Group Management. 林寶森 jeffl@ms11.hinet.net
How Groups Work
[Diagram: Permissions Assigned Once for a Group, instead of Permissions Assigned Once for Each User Account]
• Group Members Have the Rights and Permissions Granted to the Group
• Users Can Be Members of Multiple Groups
• Groups and Computers Can Also Be Members of a Group
Groups in Workgroups and Domains
[Diagram labels: SAM, Member Server, Client Computer, Domain Controller]
Workgroup
• Created on Computers That Are Not Domain Controllers
• Reside in SAM
• Used to Control Access to Resources for the Computer
Domain
• Created on Domain Controllers
• Reside in Active Directory
• Used to Control Resources in the Domain
Managing Local Groups
[Screenshot: Computer Management (Local), System Tools, Local Users and Groups, Groups, with the New Group dialog (Group name, Description, Members; Add…, Remove, Create, Close)]
Local groups listed in the screenshot:
• Administrators: Administrators have full access to th…
• Backup Operators: Backup Operators can only use a ba…
• Guests: Guests can operate the computer an…
• Power Users: Power Users can modify the comput…
• Replicator: Supports file replication in a domain
• Users: Users can operate the computer and…
Group Types
• Purpose of Group Types
  • Security groups: Use to assign or deny rights and permissions
  • Distribution groups: Use to send e-mail messages
• Selecting a Group Type
  • Use distribution groups unless you need security capabilities
  • Distribution groups improve logon performance
Group Scopes
Domain Local Group
• Members from any domain in forest
• Use for access to resources in one domain
Global Group
• Members from own domain only
• Use for access to resources in any domain
Universal Group
• Members from any domain in forest
• Use for access to resources in any domain
What Is Group Nesting?
• Nesting means adding a group as a member of another group of the same group scope
• Nest groups to consolidate group management
• Nesting options depend on whether the domain functional level of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed
What Are Global Groups? Global group rules
What Are Universal Groups? Universal group rules
What Are Domain Local Groups? Domain local group rules
Creating and Deleting Domain Groups
[Screenshot: New Object - Group dialog. Create in: nwtraders.msft/Users; Group name: Public; Group name (pre-Windows 2000); Group scope: Domain local, Global, Universal; Group type: Security, Distribution]
• Use Active Directory Users and Computers to Create and Delete Groups
• When You Delete a Group, Its:
  • Rights and permissions are removed
  • Members are not deleted
  • SID is never used again
Adding Members to Domain Groups
[Screenshot: Group 01 Properties, Members tab (other tabs: General, Member Of, Managed By), with the Select Users, Contacts, Computers, or Groups dialog. Look in: nwtraders.msft; entries listed: Casablanca, Portland, Seattle, Denver, Administrator, Guest, TsInternet User; Casablanca and Portland are being added]
Why Assign a Manager to a Group?
• To enable you to:
  • Track who is responsible for groups
  • Delegate to the manager of the group the authority to add users to and remove users from the group
• To distribute the administrative responsibility of adding users to groups to the people who request the group
Modifying Groups
• Changing Group Scope (available in native mode)
  • Global to universal
  • Domain local to universal
  • Universal to global
  • Universal to domain local
• Changing Group Type (available in native mode)
  • Security to distribution
  • Distribution to security
• Deleting a Group
  • Deletes the group but not the objects that are members
  • Cannot restore a group and its permissions
The Strategy for Using Local Groups in a Workgroup
[Diagram: on each workgroup computer (Windows Server 2003, Windows XP Professional, Windows 2000 Server, Windows 2000 Professional), add user accounts (A) to a local group (L) and assign permissions (P) to the local group]
Legend: A = User Accounts, L = Local Group, P = Permissions
Group Strategies (1): A G P (User Accounts, Global Groups, Permissions)
Group Strategies (2): A DL P (User Accounts, Domain Local Groups, Permissions)
Group Strategies (3): A G DL P (User Accounts, Global Groups, Domain Local Groups, Permissions)
Group Strategies (4): A G L P (User Accounts, Global Groups, Local Groups, Permissions)
Group Strategies (5): A G U DL P (User Accounts, Global Groups, Universal Groups, Domain Local Groups, Permissions)
The Strategy for Using Groups in a Single Domain
A G G DL P (User Accounts, Global Groups, Global Group, Domain Local Group, Permissions)
• Add Domain User Accounts into Global Groups
• (Optional) Add Global Groups into Another Global Group
• Add Global Group into Domain Local Group
• Assign Resource Permissions to the Domain Local Group
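Added example (not part of the original slides): a small Python model that checks a planned A G G DL P design against the global-group membership rule from the Group Scopes slide and then expands the nesting to show which accounts actually reach the permission. All user, group, child-domain and share names are hypothetical; only nwtraders.msft comes from the slides.

```python
from dataclasses import dataclass, field

# Constructed plan for the slides' nwtraders.msft forest. Every user, group,
# child-domain and share name below is hypothetical.
@dataclass
class Group:
    name: str
    scope: str    # "global", "universal" or "domain_local"
    domain: str
    members: list = field(default_factory=list)    # user or group names

USERS = {"alice": "nwtraders.msft", "bob": "nwtraders.msft",
         "carol": "emea.nwtraders.msft"}
GROUPS = {g.name: g for g in [
    Group("G Sales Seattle", "global", "nwtraders.msft", ["alice"]),
    Group("G Sales Denver", "global", "nwtraders.msft", ["bob", "carol"]),
    Group("G Sales", "global", "nwtraders.msft",
          ["G Sales Seattle", "G Sales Denver"]),              # G in G
    Group("DL Sales Modify", "domain_local", "nwtraders.msft", ["G Sales"]),
]}
# P: the resource ACL names only the domain local group.
ACLS = {r"\\fs1\Sales": {"DL Sales Modify": "Modify"}}

def domain_of(name):
    return USERS[name] if name in USERS else GROUPS[name].domain

def scope_violations():
    """Planned memberships that break the slide's rule for global groups:
    members from own domain only."""
    return [(g.name, m) for g in GROUPS.values() if g.scope == "global"
            for m in g.members if domain_of(m) != g.domain]

def effective_users(group_name, seen=None):
    """Expand nested membership down to user accounts (cycle-safe)."""
    seen = set() if seen is None else seen
    if group_name in seen:
        return set()
    seen.add(group_name)
    users = set()
    for m in GROUPS[group_name].members:
        users |= {m} if m in USERS else effective_users(m, seen)
    return users

def effective_access(resource):
    """User -> permission reached through A -> G -> G -> DL -> P."""
    return {u: perm for grp, perm in ACLS[resource].items()
            for u in effective_users(grp)}

if __name__ == "__main__":
    print("scope violations:", scope_violations())
    print("effective access:", effective_access(r"\\fs1\Sales"))
```

The flagged membership (an account from another domain planned into a global group) is the case the slides handle with the A G U DL P strategy.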
Guidelines for Planning a Group Strategy
• Assign users with common job responsibilities to global groups
• Create a domain local group for sharing resources
• Add global groups that require access to resources to domain local groups
• Use universal groups to grant access to resources in multiple domains
• Use universal groups when membership is static
When to Use Default Groups
• Default groups are:
  • Created during the installation of the operating system or when services are added, such as Active Directory or DHCP
  • Automatically assigned a set of user rights
• Use default groups to:
  • Control access to shared resources
  • Delegate specific domain-wide administration
Examples of User Rights What Are User Rights?
User Rights vs. Permissions
• User Rights: Actions on System
• Permissions: Actions on Object
System Groups
• System groups represent different users at different times
• You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
• Group scopes do not apply to system groups
• Users are automatically assigned to system groups whenever they log on or access a particular resource