1 / 48

Identifying the Types of Group Accounts

(Skill 1). Identifying the Types of Group Accounts. A group is a collection of user accounts or computers with similar rights and permissions The users in a group are called members

Download Presentation

Identifying the Types of Group Accounts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. (Skill 1) Identifying the Types of Group Accounts • A group is a collection of user accounts or computers with similar rights and permissions • The users in a group are called members • Administrators can categorize users into groups based on the functions they perform and the requirements of their jobs so that they can easily manage multiple users as a single entity

  2. (Skill 1) Identifying the Types of Group Accounts (2) Two main types of groups • Security groups • Used to define the rights and permissions users will have to access resources on a computer or a network • Are listed in Discretionary Access Control Lists (DACLs) • Distribution groups • Used only for the distribution of messages by applications such as Microsoft Exchange Server • Cannot be used to assign permissions to users

  3. (Skill 1) Identifying the Types of Group Accounts (3) Group scope • When you create a group, you must specify the group scope • The group scope determines whether the group can be used to access resources in a specific domain or across domains in a network • There are three group scopes in a Windows Server 2003 environment • Domain local scope • Global scope • Universal group scope

  4. (Skill 1) Identifying the Types of Group Accounts (4) Domain local scope • A domain local group is created in Active Directory on a domain controller • The scope of a domain local group is the domain in which the group was created • You can add members to a domain local group from any domain

  5. (Skill 1) Identifying the Types of Group Accounts (5) Global scope • A global group has members with common network access requirements • Members can be drawn only from the domain where the global group was created • Permissions can be assigned to members for resources in any domain

  6. (Skill 1) Figure 7-1 Group types and group scopes

  7. (Skill 1) Identifying the Types of Group Accounts (6) Universal group scope • A universal group is used when there are multiple domains in a forest • Members can be drawn from many different domains • Permissions can be assigned for resources in any domain • Universal groups are available only when Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode

  8. (Skill 1) Identifying the Types of Group Accounts (7) Group nesting • Process of adding groups to other groups is called group nesting • Group nesting minimizes the number of times you need to assign permissions to multiple groups

  9. (Skill 1) Figure 7-2 Nested groups

  10. (Skill 3) Introducing Built-in Groups • Windows Server 2003 includes default groups called built-in groups that have a preset collection of rights and permissions • Built-in groups can be used to manage common tasks performed by users • There are four types of built-in groups • Built-in local groups • Built-in domain local groups • Built-in global groups • Built-in system groups

  11. (Skill 3) Introducing Built-in Groups (2) Built-in local groups • Are created on all Windows Server 2003 computers • Are stored in the Builtin container in the Active Directory Users and Computers console • Account Operators • Administrators • Backup Operators • Guests • Incoming Forest Trust Builders • Network Configuration Operators • Performance Log Users • Performance Monitor Users • Pre-Windows 2000 Compatible Access • Print Operators • Remote Desktop Users • Replicator • Server Operators • Users

  12. (Skill 3) Introducing Built-in Groups (3) Built-in domain local groups • Are automatically created only on domain controllers • Cannot be deleted • Are stored in the Users container in the Active Directory Users and Computers console • The number of domain local groups is different on each domain controller, depending on the type of services the domain controller is running • IIS_WPG (installed with IIS) • RAS and IAS Servers • TelnetClients • WINS Users • Cert Publishers • DHCP Administrators • DHCP Users • DnsAdmins • HelpServicesGroup

  13. (Skill 3) Introducing Built-in Groups (4) Built-in global groups • Are automatically created on all domain controllers • Are stored in the Users container in the Active Directory Users and Computers console • DnsUpdateProxy • Domain Admins • Domain Computers • Domain Controllers • Domain Guests • Domain Users • Group Policy Creator Owner • Enterprise Admins • Schema Admins

  14. (Skill 3) Introducing Built-in Groups (5) Built-in system groups • Are populated with users based upon how they access a computer or a resource • Network administrators cannot add, modify, or delete user accounts because the operating system does so automatically • Anonymous Logon • Authenticated Users • Creator Owner • Dial-up • Everyone • Interactive • Network • Terminal Server Users

  15. (Skill 3) Figure 7-9 Built-in domain local groups in the Builtin container in the Active Directory Users and Computers console

  16. (Skill 3) Figure 7-10 Built-in domain local groups in the Users container in the Active Directory Users and Computers console

  17. (Skill 3) Figure 7-11 Built-in global groups in the Users container

  18. (Skill 3) Introducing Built-in Groups (6) • In Windows 2000 mixed mode environments, the best practice is to use domain local and global groups following what is referred to as the A-G-DL-P strategy • You put user accounts (A) into global groups (G), put the global groups into domain local groups (DL), and grant permissions (P) to the domain local group • In Windows 2000 native mode or Windows Server 2003 mode, universal groups can be used to organize global groups from multiple domains so that they fit between global and domain local (A-G-U-DL-P)

  19. (Skill 4) The pre- Windows 2000 group name is automatically filled in The two types of groups The three group scopes Figure 7-15 The New Object-Group dialog box

  20. (Skill 4) The new group Figure 7-16 The new group in the Active Directory Users and Computers console

  21. (Skill 4) Member of the group Click to remove members from the group Click to add members to the group Figure 7-17 Adding a member to the group

  22. (Skill 6) Creating Group Policy Objects • Group Policies are used to control the computer configuration, user environment, and account policies such as the minimum password length and length of time a password can be used • Network administrators apply Group Policies • To centrally manage configuration settings for groups of users or computers • To control the distribution of software applications in a domain

  23. (Skill 6) Creating Group Policy Objects (2) • Group Policies are applied to objects in Active Directory to control how they and their child objects will function • There are both user settings and computer settings, which can also affect the rights that are given to user accounts and groups • The idea is to enforce uniform corporate policies on a portion of the network

  24. (Skill 6) Creating Group Policy Objects (4) Group Policy Objects (GPOs) • Store all Group Policy settings that are applied to users and computers, along with the properties associated with the objects in the Active Directory store • The policy settings for sites, domains, and organizational units are also stored in GPOs • To create a GPO for a domain or an organizational unit, you use either the Active Directory Users and Computers console or the new Group Policy Management console (GPMC), which must be downloaded from Microsoft • Types of GPOs • Local • Active Directory-based

  25. (Skill 6) Creating Group Policy Objects (6) Group Policy Management Console (GPMC) • Designed as a comprehensive tool for Group Policy administration for Windows Server 2003 and Windows 2000 domains • Provides administrators with the ability to back up, restore, import, and copy/paste GPOs, as well as create, delete, and rename them • Used to link GPOs, search for GPOs, and to delegate Group Policy-related features

  26. (Skill 6) Figure 7-28 Download the GPMC

  27. (Skill 6) Figure 7-29 Creating a GPO

  28. (Skill 6) Figure 7-30 The New GPO dialog box

  29. (Skill 6) Figure 7-31 New Group Policy Object in a domain The new GPO, as listed in the Group Policy Object Links column

  30. (Skill 7) Identifying the Types of Group Policies Types of Group Policies • In the Windows Server 2003 environment, there are different types of Group Policies categorized according to the different network components and Active Directory objects they influence • Most Group Policies are used to update and manage Registry configuration data • Use the Group Policy Object Editor snap-in to modify the default settings for Group Policies according to your requirements

  31. (Skill 7) Identifying the Types of Group Policies (2) • Group Policy Object Editor • Computer Configuration node • Software Settings configuration setting node • Windows Settings node • Administrative Templates node • User Configuration node • Group Policy settings applied in the Computer Configuration node affect the computer objects to which they are applied

  32. (Skill 7) Figure 7-33 Security Settings for computers

  33. (Skill 7) Identifying the Types of Group Policies (4) Group Policy • Can be applied to users and computers • Can be applied at the site, domain, or OU level • Application of Group Policy Objects • Every computer has one Group Policy Object that is stored locally • The Local Group Policy Object (LPGO) is applied first • Then, GPOs assigned to the site are processed • Next, policies assigned to the domain are processed • Finally, policies assigned to OUs and child OUs are processed • Policy settings are cumulative due to inheritance

  34. (Skill 7) Identifying the Types of Group Policies (5) Understanding how GPO settings are applied • If a GPO is assigned to the parent container, but not the child container, the parent container GPO setting applies • If a GPO is assigned to both the parent container and the child container, and there is no conflict, both parent and child GPOs apply • If a GPO is assigned to both the parent container and the child container, and there is a conflict, the child container setting applies • These are the rules unless there is a conflict between a user setting and a computer setting; then the computer setting is applied

  35. (Skill 7) Identifying the Types of Group Policies (6) Blocking inheritance • You can modify the default behavior or inheritance by using the Block Inheritance option • You can block inheritance for the GPO links for an entire domain, for all domain controllers, or for a particular OU

  36. (Skill 7) Figure 7-39 Blocking Inheritance

  37. (Skill 8) Modifying Software Settings Using GPO Software Policies • Group Policies are used to assign and publish applications to groups of users or computers • Applications can be assigned to either users or computers, but they can be published only to users • After you have created the GPO, you can manage the software deployed to users and computers centrally in the Group Policy Object Editor • The Group Policy Object Editor has two parent nodes used to set Group Policies for users or computers: User Configuration and Computer Configuration

  38. (Skill 8) Modifying Software Settings Using GPO Software Policies (2) User Configuration node • Used to set Group Policies for users, which are applied when the user logs on to the domain • Used to modify the settings for the desktop, applications, and security • Used to assign and publish applications, set Group Policies to redirect folders, and set scripts for the logon and logoff processes

  39. (Skill 8) Modifying Software Settings Using GPO Software Policies (3) Computer Configuration node • Used to set Group Policies for computers that are members of the domain, OU, or site, depending on where the GPO is configured • These Group Policies are applied when the operating system initializes • Used to modify Group Policies related to the operating system, applications, and security controls for a computer

  40. (Skill 8) Select to publish applications Select to publish and assign applications Select to assign applications Figure 7-45 The Deploy Software dialog box

  41. (Skill 8) Used to assign or publish applications to users Deployment state of the application Figure 7-46 A published application in the Group Policy Object Editor

  42. (Skill 9) Redirecting Folders Using GPOs Folder Redirection • Allows you to take the most common folders and redirect them to a network server • This means that rather than downloading the full folder at logon, your users are browsing the remote folder, just as if they were browsing a network share • When a user opens an item in a redirected folder, the individual item is downloaded

  43. (Skill 9) Redirecting Folders Using GPOs (2) Folder Redirection • Saves considerable network bandwidth • Significantly reduces the logon time for users with large profiles • You can redirect folders over a network using the Folder Redirection extension located in the Windows Settings folder. • This folder resides in the User Configuration node in the Group Policy Object Editor

  44. (Skill 9) Figure 7-47 Special folders available for redirection

  45. (Skill 9) The Basic setting will redirect everyone’s folder to the same location Figure 7-48 The Target tab

  46. (Skill 9) Use to specify the security group for Folder Redirection Use to specify the location of the redirection folder on the network Figure 7-49 The Specify Group and Location dialog box

  47. (Skill 9) The security groups to which Folder Redirection is applied can be selected, edited, or removed here Figure 7-50 Entering the security group and the location of the redirection folder

  48. (Skill 9) This option leaves the redirected folder in the new location even after GPO is removed Figure 7-51 The Settings tab

More Related