Windows Server 2003 User and Group Management


1 Windows Server 2003 User and Group Management
林寶森

2 How Groups Work
[Diagram: Permissions Assigned Once for a Group Instead of Permissions Assigned Once for Each User Account]
- Group Members Have the Rights and Permissions Granted to the Group
- Users Can Be Members of Multiple Groups
- Groups and Computers Can Also Be Members of a Group

3 Groups in Workgroups and Domains
Client Computer or Member Server (SAM):
- Created on Computers That Are Not Domain Controllers
- Reside in SAM
- Used to Control Access to Resources for the Computer
Domain (Domain Controller):
- Created on Domain Controllers
- Reside in Active Directory
- Used to Control Resources in the Domain

4 Managing Local Groups
[Screenshot: Computer Management (Local) > System Tools > Local Users and Groups > Groups, listing Administrators, Backup Operators, Guests, Power Users, Replicator and Users with their descriptions, and the New Group dialog with fields Group name, Description and Members.]

5 Group Types
Purpose of Group Types
- Security groups: Use to assign or deny rights and permissions
- Distribution groups: Use to send messages
Selecting a Group Type
- Use distribution groups unless you need security capabilities
- Distribution groups improve logon performance

6 Group Scopes
- Universal Group: Members from any domain in forest; Use for access to resources in any domain
- Domain Local Group: Use for access to resources in one domain
- Global Group: Members from own domain only

7 Groups and Domain Functional Levels
Domain controllers supported
- Windows 2000 mixed (default): Windows NT® Server 4.0, Windows 2000, Windows Server 2003
- Windows 2000 native: Windows 2000, Windows Server 2003
- Windows Server 2003: Windows Server 2003
Group scopes supported
- Windows 2000 mixed (default): Global, domain local
- Windows 2000 native, Windows Server 2003: Global, domain local, universal

8 What Is Group Nesting?
- It means adding a group as a member of another group that is the same kind of group scope
- Nest groups to consolidate group management
- Nesting options depend on whether the domain functional level of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed

9 What Are Global Groups?
Global group rules
- Members
  - Mixed mode: User accounts from same domain
  - Native mode: User accounts and global groups from same domain
- Can be a member of
  - Mixed mode: Domain local groups
  - Native mode: Universal and domain local groups in any domain and global groups in the same domain
- Scope: Visible in its own domain and all trusted domains
- Permissions: All domains in the forest

10 What Are Universal Groups?
Universal group rules
- Members
  - Mixed mode: Not applicable
  - Native mode: User accounts, global groups, and other universal groups from any domain in the forest
- Can be a member of
  - Native mode: Domain local and universal groups in any domain
- Scope: Visible in all domains in a forest
- Permissions: All domains in a forest

11 What Are Domain Local Groups?
Domain local group rules
- Members
  - Mixed mode: User accounts and global groups from any domain
  - Native mode: User accounts, global groups, and universal groups from any domain in the forest, and domain local groups from the same domain
- Can be a member of
  - Mixed mode: None
  - Native mode: Domain local groups in the same domain
- Scope: Visible only in its own domain
- Permissions: Domain to which the domain local group belongs
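
The "Members" rules from slides 9 to 11, written as a checker that audits a proposed set of nestings in mixed and native mode (an added example, not part of the original presentation). The child domain `sales.nwtraders.msft` and all account and group names are constructed for illustration; `nwtraders.msft` is the domain shown in the slides.

```python
# Added example: membership rules from slides 9-11 as a lookup table.
# A value of True means the member must be in the same domain as the group.
RULES = {
    "mixed": {
        "global": {"user": True},
        "universal": {},  # slide 10: not applicable in mixed mode
        "domain_local": {"user": False, "global": False},
    },
    "native": {
        "global": {"user": True, "global": True},
        "universal": {"user": False, "global": False, "universal": False},
        "domain_local": {"user": False, "global": False,
                         "universal": False, "domain_local": True},
    },
}

def can_add(mode, group, member):
    """group and member are (kind, domain); kind is 'user' or a group scope."""
    allowed = RULES[mode][group[0]]
    if member[0] not in allowed:
        return False
    return not allowed[member[0]] or group[1] == member[1]

def audit(mode, objects, memberships):
    """Return the (member, group) pairs that break the rules for this mode."""
    return [(m, g) for m, g in memberships
            if not can_add(mode, objects[g], objects[m])]

# Constructed sample: an A G DL P chain plus two nestings to test.
OBJECTS = {
    "alice": ("user", "nwtraders.msft"),
    "bob": ("user", "sales.nwtraders.msft"),  # hypothetical child domain
    "G_Accounting": ("global", "nwtraders.msft"),
    "G_AllStaff": ("global", "nwtraders.msft"),
    "U_Auditors": ("universal", "nwtraders.msft"),
    "DL_Reports_Read": ("domain_local", "nwtraders.msft"),
}
MEMBERSHIPS = [
    ("alice", "G_Accounting"),          # A -> G
    ("G_Accounting", "G_AllStaff"),     # G -> G, native mode only
    ("G_AllStaff", "DL_Reports_Read"),  # G -> DL
    ("bob", "G_Accounting"),            # user from another domain
    ("G_Accounting", "U_Auditors"),     # G -> U, native mode only
]

if __name__ == "__main__":
    for mode in ("mixed", "native"):
        print(mode, audit(mode, OBJECTS, MEMBERSHIPS))
```

Running the same audit before raising the domain functional level shows which planned nestings only become valid in native mode.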

12 Creating and Deleting Domain Groups
Use Active Directory Users and Computers to Create and Delete Groups
When You Delete a Group Its:
- Rights and permissions are removed
- Members are not deleted
- SID is never used again
[Screenshot: New Object - Group dialog, Create in: nwtraders.msft/Users, with fields Group name, Group name (pre-Windows 2000), Group scope (Domain local, Global, Universal) and Group type (Security, Distribution).]

13 Adding Members to Domain Groups
[Screenshot: Group 01 Properties, Members tab (tabs: General, Members, Member Of, Managed By), with the Select Users, Contacts, Computers, or Groups dialog (Look in: nwtraders.msft) adding Casablanca and Portland.]

14 Why Assign a Manager to a Group?
To enable you to:
- Track who is responsible for groups
- Delegate to the manager of the group the authority to add users to and remove users from the group
To distribute the administrative responsibility of adding users to groups to the people who request the group

15 Modifying Groups
Changing Group Scope (Available in native mode)
- Global to universal
- Domain local to universal
- Universal to global
- Universal to domain local
Changing Group Type (Available in native mode)
- Security to distribution
- Distribution to security
Deleting a Group
- Deletes the group but not the objects that are members
- Cannot restore a group and its permissions

16 The Strategy for Using Local Groups in a Workgroup
[Diagram: on each workgroup computer (Windows Server 2003, Windows XP Professional, Windows 2000 Server, Windows 2000 Professional), Add A to L and Assign P to L.]
A = User Accounts, L = Local Group, P = Permissions

17 Group Strategies (1)
A G P: User Accounts, Global Groups, Permissions

18 Group Strategies (2)
A DL P: User Accounts, Domain Local Groups, Permissions

19 Group Strategies (3)
A G DL P: User Accounts, Global Groups, Domain Local Groups, Permissions

20 Group Strategies (4)
A G L P: User Accounts, Global Groups, Local Groups, Permissions

21 Group Strategies (5)
A G U DL P: User Accounts, Global Groups, Universal Groups, Domain Local Groups, Permissions

22 The Strategy for Using Groups in a Single Domain
A G DL P: User Accounts, Global Groups, Domain Local Group, Permissions
- Add Domain User Accounts into Global Groups
- (Optional) Add Global Groups into Another Global Group
- Add Global Group into Domain Local Group
- Assign Resource Permissions to the Domain Local Group

23 Why Use Group Strategies
[Diagram labels: Managing User, Managing Resource, Domain Controller, Member Server, DL or L, P]

24 Guidelines for Planning a Group Strategy
- Assign users with common job responsibilities to global groups
- Create a domain local group for sharing resources
- Add global groups that require access to resources to domain local groups
- Use universal groups to grant access to resources in multiple domains
- Use universal groups when membership is static

25 Default Groups on Member Servers

26 Default Groups in Active Directory

27 When to Use Default Groups
Default groups are:
- Created during the installation of the operating system or when services are added such as Active Directory or DHCP
- Automatically assigned a set of user rights
Use Default groups to:
- Control access to shared resources
- Delegate specific domain-wide administration

28 What Are User Rights?
Examples of User Rights

29 User Rights vs. Permissions
- User Rights: Actions on System
- Permissions: Actions on Object

30 System Groups
- System groups represent different users at different times
- You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
- Group scopes do not apply to system groups
- Users are automatically assigned to system groups whenever they log on or access a particular resource

