Chapter 7: WORKING WITH GROUPS


Slide 1: WORKING WITH GROUPS (Chapter 7)

Slide 2: CHAPTER OVERVIEW
- Understand the functions of groups and how to use them.
- Understand the difference between local groups and domain groups.
- Identify the two group types and three group scopes, and their proper use.
- List the predefined and built-in groups included in Windows Server 2003.

Slide 3: CHAPTER OVERVIEW (continued)
- Understand the difference between groups and special identities.
- Create, manage, and delete groups using graphical and command-line tools.

Slide 4: UNDERSTANDING GROUPS

Slide 5: USING GROUPS AND GROUP POLICIES
- Group policy and groups are not related.
- Group policy cannot be directly applied to a group.
- Group policy that is set on a site, domain, or OU can be configured to apply to groups in that site, domain, or OU.

Slide 6: UNDERSTANDING DOMAIN FUNCTIONAL LEVELS
- Domain functional levels
  - Windows 2000 mixed
  - Windows 2000 native
  - Windows Server 2003 interim
  - Windows Server 2003
- Determines the level of functionality used by Active Directory

Slide 7: UNDERSTANDING DOMAIN FUNCTIONAL LEVELS (continued)
- Available levels depend on the operating system servers are running
- Some features are not available in certain levels
- Functional level can be raised but not lowered

Slide 8: RAISING THE DOMAIN FUNCTIONAL LEVEL

Slide 9: USING LOCAL GROUPS
- Can be used only on the system on which they are created
- In a workgroup environment, can contain only users from the local system
- In a domain environment, can contain users and global groups
- Cannot be created on a domain controller

Slide 10: USING ACTIVE DIRECTORY GROUPS
- Types
  - Security
  - Distribution
- Scopes
  - Local
  - Global
  - Universal

Slide 11: ACTIVE DIRECTORY GROUP TYPES
- Security
- Distribution

Slide 12: SECURITY GROUPS
- Used to assign access permissions for network resources.
- Membership depends on the type of security group and the domain functional level.
- Can also be used as a distribution group.
- The most common type of group created and used in Active Directory.

Slide 13: DISTRIBUTION GROUPS
- Used to group users together for use by applications in non-security-related functions
- Can be used only by directory-aware applications
- Can be converted to a security group

Slide 14: ACTIVE DIRECTORY GROUP SCOPES
- Domain local
- Global
- Universal

Slide 15: DOMAIN LOCAL GROUPS
- Available in all domain functional levels
- Can only be used to assign permissions to resources in the domain where they are created
- Permitted membership depends on domain functional level

Slide 16: GLOBAL GROUPS
- Available in all functional levels
- Can include only members from within their domain
- Actual membership depends on domain functional level
- Can be granted access permissions to resources in any domain in the forest, and in domains in other trusted forests

Slide 17: UNIVERSAL GROUPS
- Available only in the Windows 2000 native and Windows Server 2003 domain functional levels
- Can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests
- Can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members
- Generally used to consolidate groups that span multiple domains

Slide 18: NESTING GROUPS

Slide 19: CONVERTING GROUPS

Slide 20: PLANNING GLOBAL AND DOMAIN LOCAL GROUPS
- Step 1: Create domain local groups for resources to be shared.
- Step 2: Assign resource permissions to the domain local group.
- Step 3: Create global groups for users with common job responsibilities.
- Step 4: Add global groups that need access to resources to the appropriate domain local group.

Slide 21: WINDOWS SERVER 2003 DEFAULT GROUPS
- Built-in local groups
- Predefined Active Directory groups
- Built-in Active Directory groups
- Special identities

Slide 22: BUILT-IN LOCAL GROUPS

Slide 23: PREDEFINED ACTIVE DIRECTORY GROUPS

Slide 24: BUILT-IN ACTIVE DIRECTORY GROUPS

Slide 25: SPECIAL IDENTITIES

Slide 26: CREATING AND MANAGING GROUP OBJECTS
- Creating local groups
- Creating security groups in Active Directory.

Slide 27: CREATING LOCAL GROUPS

Slide 28: WORKING WITH ACTIVE DIRECTORY GROUPS
- Creating security groups
- Managing group membership
- Nesting groups
- Changing group types and scopes
- Deleting a group

Slide 29: CREATING SECURITY GROUPS

Slide 30: MANAGING GROUP MEMBERSHIP

Slide 31: NESTING GROUPS
- Both groups must be created separately, and then one is made a member of the other.
- Possible nestings depend on the domain functional level and scope type.
- Observe rules on group nesting.

Slide 32: CHANGING GROUP TYPES AND SCOPES

Slide 33: DELETING A GROUP
- Deletes only the group object, not the members of the group.
- Deletes the SID for the group. The SID cannot be re-created.
- Removes ACL entries for the group.

Slide 34: AUTOMATING GROUP MANAGEMENT
The following command-line utilities can be used in scripts and batch files to automate group management:
- Dsadd.exe: Used to create new group objects
- Dsmod.exe: Used to configure existing group objects
- Dsget.exe: Used to locate groups in Active Directory

Slide 35: CREATING GROUP OBJECTS WITH DSADD.EXE
- Allows groups to be created from a command line
- Useful when scripting group creation for large numbers of groups
- Can be used only to create new groups, not modify existing groups

Slide 36: MANAGING GROUP OBJECTS WITH DSMOD.EXE
Can be used to configure group objects, including:
- Setting the group scope
- Adding and removing individual group members
- Replacing the entire group membership

Slide 37: FINDING OBJECTS WITH DSGET.EXE
- Command-line utility
- Used to locate and show information on an object
- Cannot be used to create, modify, or delete an object
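
The four-step plan for global and domain local groups, carried out with the Dsadd.exe, Dsmod.exe and Dsget.exe utilities described above, as an added example that is not part of the original slides. The domain, OU, group, user and folder names are assumed placeholders, and icacls is assumed to be available for the permission step.

```batch
@echo off
setlocal
rem Added example, not from the original slides.
rem Every name below is an assumed placeholder: domain, OUs, groups, user, folder.
set "GROUPS_OU=OU=Groups,DC=corp,DC=example,DC=com"
set "DL_DN=CN=DL_SalesData_Modify,%GROUPS_OU%"
set "GG_DN=CN=GG_Sales_Staff,%GROUPS_OU%"
set "USER_DN=CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com"
set "RESOURCE=D:\Shares\SalesData"
set "NETBIOS=CORP"

rem Step 1: create a domain local security group for the shared resource.
dsadd group "%DL_DN%" -secgrp yes -scope l -samid DL_SalesData_Modify -desc "Modify access to SalesData"
if errorlevel 1 goto :fail

rem Step 2: assign the resource permission to the domain local group only,
rem never to individual users (assumes icacls exists on this host).
icacls "%RESOURCE%" /grant "%NETBIOS%\DL_SalesData_Modify:(OI)(CI)M"
if errorlevel 1 goto :fail

rem Step 3: create a global security group for users who share a job role,
rem then add a user to it. Dsadd only creates; membership changes use Dsmod.
dsadd group "%GG_DN%" -secgrp yes -scope g -samid GG_Sales_Staff -desc "Sales staff"
if errorlevel 1 goto :fail
dsmod group "%GG_DN%" -addmbr "%USER_DN%"
if errorlevel 1 goto :fail

rem Step 4: nest the global group inside the domain local group.
dsmod group "%DL_DN%" -addmbr "%GG_DN%"
if errorlevel 1 goto :fail

rem Verify with Dsget (read-only): scope and type of the resource group,
rem its direct members (should list only the global group), and the
rem expanded membership (the users who actually receive the permission).
dsget group "%DL_DN%" -scope -secgrp
dsget group "%DL_DN%" -members
dsget group "%DL_DN%" -members -expand
exit /b 0

:fail
echo Group setup stopped: the previous command returned an error. 1>&2
exit /b 1
```

Comparing the direct and expanded member lists during a review shows whether any user account was added straight to the resource group, bypassing the role group.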

Slide 38: SUMMARY
- A group is an object that consists of a list of users.
- All permissions assigned to the group are inherited by its members.
- The domain functional level determines which group types and scopes you can use, which groups can be nested, and which group conversions you can perform.
- Security groups can be assigned permissions, while distribution groups are used for query containers, such as distribution groups, and cannot be assigned permissions to a resource.

Slide 39: SUMMARY (continued)
- Domain local groups are used for assigning permissions to resources. Global groups are used for gathering together users with similar resource requirements. Universal groups are used primarily to grant access to related resources in multiple domains.
- You can create domain groups in any container or OU in the Active Directory tree.

Slide 40: SUMMARY (continued)
- Group nesting refers to the ability to make one group a member of another group.
- Command-line tools such as Dsadd.exe, Dsmod.exe, and Dsget.exe allow you to automate group management tasks.