Module 3: Managing Groups. Overview Creating Groups Managing Group Membership Strategies for Using Groups Using Default Groups.

Presentation transcript:

Module 3: Managing Groups

Overview
- Creating Groups
- Managing Group Membership
- Strategies for Using Groups
- Using Default Groups

Lesson: Creating Groups
- What Are Groups?
- What Are Domain Functional Levels?
- What Are Global Groups?
- What Are Universal Groups?
- What Are Domain Local Groups?
- What Are Local Groups?
- Guidelines for Creating and Naming Groups
- Who Can Create Groups?
- Practice: Creating Groups

What Are Groups?
Groups simplify administration by enabling you to assign permissions for resources.
Groups are characterized by scope and type.
Group type: Description
- Security: Used to assign user rights and permissions. Can be used as a distribution list.
- Distribution: Can be used only with applications. Cannot be used to assign permissions.

What Are Domain Functional Levels?
- Windows 2000 mixed (default)
  Domain controllers supported: Windows NT Server 4.0, Windows 2000, Windows Server 2003
  Group scopes supported: Global, domain local
- Windows 2000 native
  Domain controllers supported: Windows 2000, Windows Server 2003
  Group scopes supported: Global, domain local, universal
- Windows Server 2003
  Domain controllers supported: Windows Server 2003
  Group scopes supported: Global, domain local, universal
- Windows Server 2003 interim
  Domain controllers supported: Windows NT Server 4.0, Windows Server 2003
  Group scopes supported: Global, domain local

What Are Global Groups?
Global group rules
- Membership can include
  Mixed functional level: User and computer accounts from same domain
  Native functional level: User and computer accounts and global groups from same domain
- Can be a member of
  Mixed functional level: Domain local groups
  Native functional level: Universal and domain local groups in any trusting domain and global groups in the same domain
- Scope: Visible in its own domain and all trusting domains
- Permissions: All domains in the forest and trusting domains

What Are Universal Groups?
Universal group rules
- Membership can include
  Mixed functional level: Not applicable
  Native functional level: User accounts, global groups, and universal groups from any domain in the forest
- Can be a member of
  Mixed functional level: Not applicable
  Native functional level: Domain local or universal groups in any domain
- Scope: Visible in all domains in the forest and all trusting domains
- Permissions: All domains in the forest and all trusting domains

What Are Domain Local Groups?
Domain local group rules
- Membership can include
  Mixed functional level and Windows Server 2003 interim: User and computer accounts and global groups from any trusted domain
  Native functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain
- Can be a member of
  Mixed functional level and Windows Server 2003 interim: None
  Native functional level: Domain local groups in the same domain
- Scope: Visible only in its own domain
- Permissions: Domain to which the domain local group belongs

What Are Local Groups?
Local group rules
- Membership can include: Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains
- Can be a member of: Not applicable

Guidelines for Creating and Naming Groups
Create groups in organizational units by using the following naming considerations:
- Naming conventions for security groups
  - Incorporate the scope in the group name
  - Should reflect the group ownership
  - Use a descriptor to identify the assigned permissions
- Naming conventions for distribution groups
  - Use short alias names
  - Do not include a user's alias name in the display name
  - Allow a maximum of five co-owners of a single distribution group

Who Can Create Groups?
In the domain:
- Account Operators group
- Domain Admins group
- Enterprise Admins group
- Or users with appropriate delegated authority
On the local computer:
- Power Users group
- Administrators group on the local computer
- Or users with appropriate delegated authority

Practice: Creating Groups
In this practice, you will:
- Create groups by using Active Directory Users and Computers
- Create groups by using the dsadd command-line tool

Lesson: Managing Group Membership
- Determining Group Membership
- Adding and Removing Members from a Group
- Practice: Managing Group Membership

Determining Group Membership
Group or team: Tom, Jo, and Kim; Sam, Scott, and Amy
- G Denver Admins (global group). Members: Tom, Jo, Kim. Member Of: DL OU Admins
- G Vancouver Admins (global group). Members: Sam, Scott, Amy. Member Of: DL OU Admins
- DL OU Admins (domain local group). Members: G Denver Admins, G Vancouver Admins. Member Of: N/A
- Tom, Jo, Kim. Member Of: G Denver Admins
- Sam, Scott, Amy. Member Of: G Vancouver Admins

Adding and Removing Members from a Group
Group membership can be modified by using Active Directory Users and Computers or the dsmod command.

Practice: Managing Group Membership
In this practice, you will:
- Determine a user's group membership
- Add users to global groups
- Add global groups to domain local groups

Lesson: Strategies for Using Groups
- Multimedia: Strategy for Using Groups in a Single Domain
- What Is Group Nesting?
- Group Strategies
- Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
- Practice: Nesting Groups and Creating Universal Groups
- Modifying the Scope or Type of a Group?
- Why Assign a Manager to a Group?
- Practice: Changing the Scope and Assigning a Manager to a Group

Multimedia: Strategy for Using Groups in a Single Domain
This presentation explains the A G DL P strategy for using groups.

What Is Group Nesting?
- Group nesting means adding a group as a member of another group
- Nest groups to consolidate group management
- Nesting options depend on the domain functional level

Group Strategies
Group strategies (diagram):
- A G P
- A DL P
- A G DL P
- A G U DL P
- A G L P
Legend: A = User Accounts, G = Global Groups, U = Universal Groups, DL = Domain Local Groups, L = Local Groups, P = Permissions

Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Northwind Traders has a single domain that is located in Paris, France. Northwind Traders managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
- Place all of the managers in a global group
- Create a domain local group for Inventory database access
- Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database

Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration?
- Make sure that your network is running in native functional level.
- Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
- Place the Accounting Division global group into the domain local group so that users can access the accounting data.
- Create a domain local group called Accounting Data.
- Grant this group appropriate permission for the accounting data resources file.

Examples 1 and 2: Contoso, Ltd., has a single domain that is located in Paris, France. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?

Example 3: Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain.
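The Accounting scenario from the class discussion above, worked through as A G DL P with the dsadd, dsmod and dsget tools this module names. This is an added example, not part of the original course material; the domain dc=example,dc=com, its OUs, the two user names, the NetBIOS name EXAMPLE and the folder D:\AccountingData are constructed placeholders, and nesting the two departmental groups into the division group is an assumed reading of the scenario.

```bat
@echo off
rem Added example (not from the course): A G DL P for the Accounting scenario.
rem Constructed values: the dc=example,dc=com domain and its OUs, the two user
rem names, the NetBIOS name EXAMPLE and the folder D:\AccountingData.
setlocal
set GRP=ou=Groups,dc=example,dc=com
set USR=ou=Accounting,dc=example,dc=com

rem G: global security groups, with the scope carried in the group name.
dsadd group "cn=G Accounting Division,%GRP%" -secgrp yes -scope g
dsadd group "cn=G Accounts Payable,%GRP%" -secgrp yes -scope g
dsadd group "cn=G Accounts Receivable,%GRP%" -secgrp yes -scope g

rem A -> G: accounts are added only to their departmental global group.
dsmod group "cn=G Accounts Payable,%GRP%" -addmbr "cn=Sample Payable User,%USR%"
dsmod group "cn=G Accounts Receivable,%GRP%" -addmbr "cn=Sample Receivable User,%USR%"

rem G -> G: nest the departments in the division group (assumed reading of the
rem scenario). Global-in-global nesting is rejected at Windows 2000 mixed level.
dsmod group "cn=G Accounting Division,%GRP%" -addmbr "cn=G Accounts Payable,%GRP%" "cn=G Accounts Receivable,%GRP%"

rem DL: a domain local group that stands for one level of access to one resource.
dsadd group "cn=DL Accounting Data,%GRP%" -secgrp yes -scope l -desc "Change access to accounting data"

rem G -> DL: the division group is the only member of the resource group.
dsmod group "cn=DL Accounting Data,%GRP%" -addmbr "cn=G Accounting Division,%GRP%"

rem P: grant Change to the domain local group only, never to users or global
rem groups directly. /E edits the existing ACL instead of replacing it.
cacls D:\AccountingData /E /G "EXAMPLE\DL Accounting Data":C

rem Review: expand the nesting to see who really ends up with access, and
rem check one user from the other direction.
dsget group "cn=DL Accounting Data,%GRP%" -members -expand
dsget user "cn=Sample Payable User,%USR%" -memberof -expand
endlocal
```

The two dsget calls are the audit step: the expanded member list should contain only the three global groups and the accounts placed in the departmental groups, so any other entry is access that bypassed the A G DL P chain.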

Practice: Nesting Groups and Creating Universal Groups
In this practice, you will:
- Create the Contoso Managers global group
- Nest the departmental Managers global groups into G Contoso Managers
- Create an Enterprise Managers universal group
- Examine the Members and Member Of properties

Modifying the Scope or Type of a Group?
Changing group scope
- Global to universal
- Domain local to universal
- Universal to global
- Universal to domain local
Changing group type
- Security to distribution
- Distribution to security

Why Assign a Manager to a Group?
Enables you to:
- Track who is responsible for groups
- Delegate to the manager of the group the authority to add and remove users
- Distribute the administrative responsibility to the people who request the group

Practice: Changing the Scope and Assigning a Manager to a Group
In this practice, you will:
- Create a global group and change the scope to universal
- Assign a manager to the group
- Test the group manager properties

Lesson: Using Default Groups
- Default Groups on Member Servers
- Default Groups in Active Directory
- When to Use Default Groups
- Security Considerations for Default Groups
- System Groups
- Class Discussion: Using Default Groups vs. Creating New Groups
- Best Practices for Managing Groups

Default Groups on Member Servers

Default Groups in Active Directory

When to Use Default Groups
Default groups are:
- Created during the installation of the operating system or when services are added
- Automatically assigned a set of user rights
Use default groups to:
- Control access to shared resources
- Delegate specific domain-wide administration

Security Considerations for Default Groups
- Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group
- As a security best practice, members of default groups should use Run as

System Groups
- System groups represent different users at different times
- You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
- Group scopes do not apply to system groups
- Users are automatically assigned to system groups whenever they log on or access a particular resource

Class Discussion: Using Default Groups vs. Creating New Groups
Contoso, Ltd., has over 100 servers across the world. You must determine:
- The current tasks that administrators must perform and what minimum level of access users need to perform specific tasks
- Whether you can use default groups or must create groups and assign specific user rights or permissions to the groups

Best Practices for Managing Groups
- Create groups based on administrative needs
- Add user accounts to the group that is most restrictive
- Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions
- Limit the number of users in the Administrators group
- Use the default group when possible instead of creating a new group

Lab: Creating and Managing Groups
In this lab, you will:
- Create global and domain local groups
- Manage group membership
- Manage default groups