Windows Server 2003 User Group Management
林寶森 (jeffl@ms11.hinet.net)
How Groups Work
- Without groups, permissions are assigned once for each user account.
- With groups, permissions are assigned once for the group instead of for each user.
- Group members have the rights and permissions granted to the group.
- Users can be members of multiple groups.
- Groups and computers can also be members of a group.
Groups in Workgroups and Domains
- Local groups (client computer or member server):
  - Created on computers that are not domain controllers
  - Reside in the SAM
  - Used to control access to resources on that computer
- Domain groups (domain controller):
  - Created on domain controllers
  - Reside in Active Directory
  - Used to control access to resources in the domain
Managing Local Groups
- Tool: Computer Management (Local) > System Tools > Local Users and Groups > Groups.
- Built-in local groups listed there: Administrators, Backup Operators, Guests, Power Users, Replicator (supports file replication in a domain), Users.
- Action > New Group… opens the New Group dialog: enter Group name and Description, add or remove Members, then click Create.
Group Types
- Security groups: use to assign or deny rights and permissions.
- Distribution groups: use to send e-mail messages.
Selecting a group type:
- Use distribution groups unless you need security capabilities.
- Distribution groups improve logon performance.
Group Scopes
- Domain local group: use for access to resources in one domain.
- Global group: members from the group's own domain only.
- Universal group: members from any domain in the forest; use for access to resources in any domain.
Groups and Domain Functional Levels
Functional level             | Domain controllers supported                               | Group scopes supported
Windows 2000 mixed (default) | Windows NT Server 4.0, Windows 2000, Windows Server 2003  | Global, domain local
Windows 2000 native          | Windows 2000, Windows Server 2003                          | Global, domain local, universal
Windows Server 2003          | Windows Server 2003                                        | Global, domain local, universal
What Is Group Nesting?
- Nesting means adding a group as a member of another group of the same group scope.
- Nest groups to consolidate group management.
- Nesting options depend on whether the domain functional level of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed.
What Are Global Groups?
- Members: mixed mode: user accounts from the same domain; native mode: user accounts and global groups from the same domain.
- Can be a member of: mixed mode: domain local groups; native mode: universal and domain local groups in any domain, and global groups in the same domain.
- Scope: visible in its own domain and all trusted domains.
- Permissions: can be assigned in all domains in the forest.
What Are Universal Groups?
- Members: mixed mode: not applicable; native mode: user accounts, global groups, and other universal groups from any domain in the forest.
- Can be a member of: native mode: domain local and universal groups in any domain.
- Scope: visible in all domains in the forest.
- Permissions: can be assigned in all domains in the forest.
What Are Domain Local Groups?
- Members: mixed mode: user accounts and global groups from any domain; native mode: user accounts, global groups, and universal groups from any domain in the forest, plus domain local groups from the same domain.
- Can be a member of: mixed mode: none; native mode: domain local groups in the same domain.
- Scope: visible only in its own domain.
- Permissions: can be assigned only in the domain to which the domain local group belongs.
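The membership rules for the three scopes in mixed and native mode, encoded as a checker. This is an added example, not part of the original slides; the Principal class, the kind labels and the sample domain names other than nwtraders.msft are constructed for illustration.

```python
from dataclasses import dataclass

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain local"


@dataclass(frozen=True)
class Principal:
    """A user account or group; `domain` is the domain it lives in (one forest assumed)."""
    name: str
    kind: str     # USER, GLOBAL, UNIVERSAL or DOMAIN_LOCAL
    domain: str


def can_be_member(member: Principal, group: Principal, mode: str) -> bool:
    """True if `member` may be added to `group` at the given functional level.
    mode is "mixed" (Windows 2000 mixed) or "native" (Windows 2000 native);
    the rules are the per-scope membership rules from the slides."""
    same_domain = member.domain == group.domain
    native = mode == "native"
    if group.kind == GLOBAL:
        # Mixed: user accounts from the same domain only.
        # Native: also global groups from the same domain.
        allowed = {USER, GLOBAL} if native else {USER}
        return same_domain and member.kind in allowed
    if group.kind == UNIVERSAL:
        # Not available in mixed mode; in native mode universal groups take
        # users, global groups and universal groups from any domain.
        return native and member.kind in {USER, GLOBAL, UNIVERSAL}
    if group.kind == DOMAIN_LOCAL:
        # Mixed: users and global groups from any domain.  Native: also
        # universal groups from any domain and domain local groups from
        # the same domain.
        if member.kind in {USER, GLOBAL}:
            return True
        if member.kind == UNIVERSAL:
            return native
        return native and member.kind == DOMAIN_LOCAL and same_domain
    return False  # a user account has no members


if __name__ == "__main__":
    # Constructed sample: a global group from a second (hypothetical) domain
    # cannot be nested into a nwtraders.msft global group, but both fit into
    # a universal group once the domain runs in native mode.
    sales_nw = Principal("G Sales", GLOBAL, "nwtraders.msft")
    sales_other = Principal("G Sales", GLOBAL, "otherdomain.example")
    all_sales = Principal("U All Sales", UNIVERSAL, "nwtraders.msft")
    for mode in ("mixed", "native"):
        print(mode, can_be_member(sales_other, sales_nw, mode),
              can_be_member(sales_other, all_sales, mode))
```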
Creating and Deleting Domain Groups
- Use Active Directory Users and Computers to create and delete groups.
- When you delete a group: its rights and permissions are removed; its members are not deleted; its SID is never used again.
- New Object - Group dialog (Create in: nwtraders.msft/Users): Group name, Group name (pre-Windows 2000), Group scope (Domain local, Global, Universal), Group type (Security, Distribution).
Adding Members to Domain Groups
- Open the group's Properties (tabs: General, Members, Member Of, Managed By), select the Members tab, and click Add...
- In Select Users, Contacts, Computers, or Groups, set Look in to the domain (nwtraders.msft), pick the objects (for example Casablanca; Portland), click Check Names, then OK.
- The Members list shows each member with its Active Directory folder (for example nwtraders.msft/Casablanca, nwtraders.msft/Portland).
Why Assign a Manager to a Group?
- To track who is responsible for the group.
- To delegate to the group's manager the authority to add users to and remove users from the group.
- To distribute the administrative work of adding users to groups to the people who requested the group.
Modifying Groups
- Changing group scope (available in native mode): global to universal; domain local to universal; universal to global; universal to domain local.
- Changing group type (available in native mode): security to distribution; distribution to security.
- Deleting a group: deletes the group but not the objects that are its members; a deleted group and its permissions cannot be restored.
The Strategy for Using Local Groups in a Workgroup (A L P)
- Legend: A = user accounts, L = local group, P = permissions.
- On each computer in the workgroup (Windows Server 2003, Windows XP Professional, Windows 2000 Server, Windows 2000 Professional): add user accounts (A) to a local group (L), then assign permissions (P) to the local group.
Group Strategies
1. A G P: user accounts into global groups; permissions assigned to the global groups.
2. A DL P: user accounts into domain local groups; permissions assigned to the domain local groups.
3. A G DL P: user accounts into global groups, global groups into domain local groups; permissions assigned to the domain local groups.
4. A G L P: user accounts into global groups, global groups into local groups; permissions assigned to the local groups.
5. A G U DL P: user accounts into global groups, global groups into universal groups, universal groups into domain local groups; permissions assigned to the domain local groups.
The Strategy for Using Groups in a Single Domain (A G DL P)
1. Add domain user accounts (A) into global groups (G).
2. (Optional) Add global groups into another global group.
3. Add the global group into a domain local group (DL).
4. Assign resource permissions (P) to the domain local group.
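The A G DL P chain walked end to end: effective permissions are resolved by expanding nested membership, and ACL entries that grant permissions to anything other than a domain local group are flagged. This is an added example, not from the slides; the group names, user names and ACL are constructed sample data in the nwtraders.msft domain.

```python
from collections import deque

# Constructed sample data (single domain nwtraders.msft).
# MEMBERS maps a group to its direct members (user accounts or groups).
MEMBERS = {
    "G Sales": {"alice", "bob"},                      # A -> G
    "G Sales Managers": {"carol"},                    # A -> G
    "G Sales All": {"G Sales", "G Sales Managers"},   # optional G -> G nesting
    "DL Sales Reports Modify": {"G Sales All"},       # G -> DL
}
SCOPES = {
    "G Sales": "global", "G Sales Managers": "global",
    "G Sales All": "global", "DL Sales Reports Modify": "domain local",
}
# ACL of the shared folder: principal -> granted permission (P assigned to DL).
ACL = {"DL Sales Reports Modify": "Modify"}


def groups_of(account, members):
    """Every group the account belongs to, directly or through nesting.
    Breadth-first and cycle-safe, so mutual nesting cannot loop."""
    found, queue = set(), deque([account])
    while queue:
        current = queue.popleft()
        for group, direct in members.items():
            if current in direct and group not in found:
                found.add(group)
                queue.append(group)
    return found


def effective_permissions(account, members, acl):
    """Permissions the account receives from the ACL via itself or any group."""
    principals = {account} | groups_of(account, members)
    return {acl[p] for p in principals if p in acl}


def agdlp_violations(acl, scopes):
    """ACL entries granted to a user account or a non-domain-local group.
    These bypass the DL step and are the entries to fix when enforcing A G DL P."""
    return sorted(p for p in acl if scopes.get(p) != "domain local")


if __name__ == "__main__":
    for user in ("alice", "carol", "dave"):
        print(user, effective_permissions(user, MEMBERS, ACL))
    print("violations:", agdlp_violations({**ACL, "dave": "Full Control"}, SCOPES))
```

Granting alice access needs only a change to G Sales; the ACL on the folder is untouched.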
Why Use Group Strategies?
- Managing users (adding accounts to groups) is done on the domain controller.
- Managing resources (assigning permissions P to a domain local group DL or a local group L) is done on the member server that hosts the resource.
Guidelines for Planning a Group Strategy
- Assign users with common job responsibilities to global groups.
- Create a domain local group for sharing resources.
- Add the global groups that require access to the resources to the domain local group.
- Use universal groups to grant access to resources in multiple domains.
- Use universal groups only when membership is static.
Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups
- Default groups are created during installation of the operating system or when services such as Active Directory or DHCP are added.
- Default groups are automatically assigned a set of user rights.
- Use default groups to control access to shared resources and to delegate specific domain-wide administration.
What Are User Rights? Examples of User Rights
User Rights vs. Permissions
- User rights: actions on the system.
- Permissions: actions on an object.
System Groups
- System groups represent different users at different times.
- You can grant user rights and permissions to system groups, but you cannot modify or view their memberships.
- Group scopes do not apply to system groups.
- Users are automatically placed in system groups whenever they log on or access a particular resource.