Active Directory Groups

Presentation transcript:

Active Directory Groups (3.4), Manage Active Directory Objects. TestOut Server Pro 2016: Identity

Section Skill Overview: Enumerate group membership.

Key Terms: Distribution Groups

Key Definitions. Distribution Groups: A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.

Why Use Groups. Organizational Units: facilitate delegation of control; aid with Group Policy; do not provide security. Groups provide security options: can be used to grant rights.

Group Types. Distribution: Can only be used by applications. Cannot be used for security. Security: Can be used for distribution and security.

Group Types Group Type Used Contains Purpose Local Local Workstation Local Users (Forest*) Rights and Permissions Domain Local Domain Forest Global Users and Computers Universal

* In a domain, local groups can contain groups from anywhere in the forest. But in practice they will contain global groups from their own domain.

Local Groups: To assign rights on a member server or a workstation, add the account to a Local group. Local groups exist in the SAM. Domain controllers do not have local groups. DCs share the same set of Domain Local Groups. Users added to a Domain Local Group on a domain controller have rights on all domain controllers.

Groups Best Practice: Use group nesting (adding one group to another group). Nested groups obtain all rights assigned to the parent group. The parent group does not inherit rights specifically given to its nested group. Diagram labels: HR (Rights: A, B, C); Tech (Inherits Rights: A, B, C; Rights: E, F, Not Inherited).

Groups Best Practice: Use groups strategically to provide maximum flexibility. Use A G U DL P when nesting groups: Accounts, Global group, Universal groups, Domain Local group, Permissions assigned to DL.

Groups Best Practice Example (diagram). Domain: CorpNet.com. Server FS1 with folders SalesStats, SalesReports, SalesSchedules. Rights assigned to SalesData_Modify_DL and SalesData_Read_DL. SalesManagers_G is shown with SalesData_Modify_DL; SalesPeople_G is shown with SalesData_Read_DL.

Groups Best Practice Example (diagram). CorpNet.com: FS1 with SalesStats, SalesReports, SalesSchedules; SalesData_Read_DL, SalesData_Modify_DL; SalesManagers_G. East.CorpNet.com: FS2 with SalesPlans, SalesContracts; SalesRead_DL, SalesModify_DL; SalesExecs_G.

Groups Best Practice Example (diagram). CorpNet.com: FS1 with SalesStats, SalesReports, SalesSchedules; SalesData_Read_DL, SalesData_Modify_DL; SalesManagers_U, SalesManagers_G. West.CorpNet.com: FS3 with SalesStats, SalesReports, SalesSchedules; SalesData_Read_DL, SalesData_Modify_DL; SalesManagers_G. East.CorpNet.com: FS2 with SalesPlans, SalesContracts, SalesStatistics; SalesRead_DL, SalesModify_DL, SalesDataModify_DL; SalesExecs_G.
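The single-domain CorpNet.com / FS1 chain from the first example slide, written out with the ActiveDirectory module cmdlets. This is an added example, not part of the original slides; the OU path, the NetBIOS name CORPNET, the \\FS1\... share paths, the user names and the Read-to-ReadAndExecute mapping are assumptions.

```powershell
# Added example (not from the slides). Run from a host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=CorpNet,DC=com'   # assumed OU for the groups

# G = role groups that hold accounts, DL = resource groups that hold permissions
$scopes = [ordered]@{
    'SalesManagers_G'     = 'Global'
    'SalesPeople_G'       = 'Global'
    'SalesData_Modify_DL' = 'DomainLocal'
    'SalesData_Read_DL'   = 'DomainLocal'
}
foreach ($name in $scopes.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope $scopes[$name] -GroupCategory Security -Path $ou
    }
}

# A -> G: accounts go into global groups only (constructed user names)
Add-ADGroupMember -Identity 'SalesManagers_G' -Members 'mhall'
Add-ADGroupMember -Identity 'SalesPeople_G'   -Members 'jsmith', 'bwong'

# G -> DL: global groups are nested into the domain local groups
Add-ADGroupMember -Identity 'SalesData_Modify_DL' -Members 'SalesManagers_G'
Add-ADGroupMember -Identity 'SalesData_Read_DL'   -Members 'SalesPeople_G'

# DL -> P: the ACL names only the domain local groups
$grants = @{ 'SalesData_Modify_DL' = 'Modify'; 'SalesData_Read_DL' = 'ReadAndExecute' }
foreach ($folder in 'SalesStats', 'SalesReports', 'SalesSchedules') {
    $path = "\\FS1\$folder"             # assumed share path
    $acl  = Get-Acl -Path $path
    foreach ($dl in $grants.Keys) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList "CORPNET\$dl", $grants[$dl], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Review 1: anything that is not a group sitting directly in a DL group bypasses the G layer
foreach ($dl in $grants.Keys) {
    Get-ADGroupMember -Identity $dl | Where-Object objectClass -ne 'group' |
        Select-Object @{ n = 'Group'; e = { $dl } }, SamAccountName, objectClass
}

# Review 2: enumerate who actually ends up with Modify through nesting
Get-ADGroupMember -Identity 'SalesData_Modify_DL' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```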

Converting Group Types: To convert between group types, first change to Universal. Domain local to Global example: 1. Open the group properties. 2. Select Universal and click Apply. 3. Select Global and click Apply.
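The same two-step conversion done with Set-ADGroup instead of the properties dialog, with a pre-check for nested groups that would block either step. This is an added example, not part of the original slides; the function name and the group name in the last line are hypothetical, and it assumes nested groups are in the current domain.

```powershell
# Added example (not from the slides). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Convert-DomainLocalToGlobal {
    param([Parameter(Mandatory)][string]$Identity)

    $group = Get-ADGroup -Identity $Identity -ErrorAction Stop
    if ($group.GroupScope -ne 'DomainLocal') {
        throw "$($group.Name) has scope $($group.GroupScope); expected DomainLocal."
    }

    # A nested domain local group blocks DomainLocal -> Universal, and a nested
    # universal group blocks Universal -> Global, so only global groups may stay nested.
    # Assumption: nested groups are in the current domain so Get-ADGroup can resolve them.
    $nested = @(Get-ADGroupMember -Identity $group |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName })
    $blockers = @($nested | Where-Object { $_.GroupScope -ne 'Global' })
    if ($blockers.Count -gt 0) {
        throw "Remove these nested groups first: $($blockers.Name -join ', ')"
    }

    # First change to Universal, then to Global; stop if either step is refused
    Set-ADGroup -Identity $group -GroupScope Universal -ErrorAction Stop
    Set-ADGroup -Identity $group -GroupScope Global    -ErrorAction Stop

    # Confirm the result
    Get-ADGroup -Identity $group.DistinguishedName |
        Select-Object Name, GroupScope, GroupCategory
}

Convert-DomainLocalToGlobal -Identity 'SalesRead_DL'   # hypothetical target group
```

If the second step is refused, the group is left as Universal, so check the reported scope before relying on it.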

In-Class Practice: Do the following labs: 3.4.8 Implement a Group Strategy

Class Discussion: Which PowerShell commands can you use to manage groups?