6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure. Lesson 6: Implementing Groups in Active Directory

Introducing Groups (Skill 1)
- A group in Active Directory is a collection of users, computers, contacts, and other group objects within a forest.
- Users in a group are assigned rights and permissions, which allow them to access network resources such as files, folders, and applications.
6.2 Introducing Groups (2) (Skill 1)
Rights and permissions
- Rights give users the capability to perform certain actions, such as changing the system time or shutting the system down.
- Permissions grant users a particular level of control over specific resources.

6.3 Introducing Groups (3) (Skill 1)
Group membership
- Multiple users can be part of a single group; conversely, one user can be a member of multiple groups.
- Creating groups ensures that the administrator does not need to assign similar permissions to individual users separately.

6.4 Figure 6-1 Granting individual permissions vs. group permissions (Skill 1)

6.5 Introducing Groups (4) (Skill 1)
- When you are creating groups, there are two basic settings: group type and group scope.
- There are two types of groups: distribution groups and security groups.

6.6 Introducing Groups (5) (Skill 1)
Distribution groups
- Used exclusively for sending e-mail messages to a group of users.
- Cannot be used to set security permissions.

6.7 Introducing Groups (6) (Skill 1)
Security groups
- Used to define the rights and permissions users will have to access resources on a computer or a network.
- When a user requests access to a network resource, the credentials of the user are validated against the group permissions to verify whether the user is allowed access.
- Can be used to distribute e-mail to multiple users, because security groups have all the same capabilities as distribution groups.

6.8 Introducing Groups (7) (Skill 1)
Security groups
- Security groups are listed in Discretionary Access Control Lists (DACLs).
- A DACL is a list that defines the permissions that are allowed or denied to specific users and groups for resources and objects.
- After you have selected the group type, you need to decide on the group scope.

6.9 Introducing Groups (8) (Skill 1)
There are three group scopes:
- Domain local
- Global
- Universal
6.10 Introducing Groups (9) (Skill 1)
Domain local group scope
- Created in Active Directory on a domain controller.
- Generally used to grant access rights to network resources such as printers and shared folders.
- The scope of a domain local group is the domain in which the group was created.
- The distinguishing feature of domain local groups is that they can include members from any domain.

6.11 Introducing Groups (10) (Skill 1)
Global group scope
- Used to group users who share similar roles in the organization; in most typical environments, a global group is created for each job function or title.
- Can contain members only from its own domain.
- Is visible in all domains in the forest, and permissions can be assigned to members for resources in any domain.

6.12 Introducing Groups (11) (Skill 1)
Global group scope
- In Windows 2000 native mode and Windows Server 2003 mode, global groups can be nested in other global groups, and universal groups and global groups from any domain can be nested in domain local groups.
- In Windows 2000 mixed mode, global groups from any domain can be nested in domain local groups.

6.13 Introducing Groups (12) (Skill 1)
Universal group scope
- Can contain members from any domain and are visible in all domains.
- Are unique in that they are stored entirely on global catalog servers.
- Used when there are multiple domains in a forest.
- Are available only when Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode.

6.14 Introducing Groups (13) (Skill 1)
Windows Server 2003 Active Directory has four modes:
- Windows 2000 native mode
- Windows 2000 mixed mode
- Windows Server 2003 interim mode
- Windows Server 2003 mode

6.15 Introducing Groups (14) (Skill 1)
- Windows 2000 native mode is available only when all domain controllers in the domain are running either Windows 2000 Server or Windows Server 2003.
- Domains are configured by default to run in Windows 2000 mixed mode, which allows the coexistence of Windows NT, Windows 2000, and Windows Server 2003 domain controllers in the same domain.

6.16 Introducing Groups (15) (Skill 1)
- If your domain consists of only Windows Server 2003 domain controllers, you can switch to Windows Server 2003 mode.
- You cannot create universal groups in a domain on which Active Directory is running in Windows 2000 mixed mode.

6.17 Introducing Groups (16) (Skill 1)
- Since Windows 2000 mixed mode is the default setup, to create universal groups you must switch to Windows 2000 native mode or Windows Server 2003 mode after all domain controllers have been upgraded.
- In Windows 2000 native mode or Windows Server 2003 mode, user accounts, computer accounts, other universal groups, and global groups from any domain can join a group with universal scope.
- In Windows 2000 mixed mode, only user accounts can be members of global groups.
6.18 Introducing Groups (17) (Skill 1)
Nesting
- The process of adding a group to other groups, or consolidating the groups in a network.
- You can add user groups, as well as groups of other network resources such as computers and contacts, to create a consolidated group.
- It simplifies the management of your network.

6.19 Introducing Groups (18) (Skill 1)
Nesting
- It is important to document the access permissions granted to users and their group membership. Doing so:
  - Reduces group allocation mistakes
  - Eliminates the redundant inclusion of user accounts in groups
- Having more than a single level of nesting is not advisable, because troubleshooting a problem on a network that implements multiple levels of nesting can be complicated.

6.20 Planning Group Strategies (2) (Skill 2)
“The Microsoft rule”
- This strategy suggests that even if you have only a single domain, you should consider using the global and domain local group strategy to assign permissions to network resources.
- Essentially, you build one global group for each position or job function.
- Each time you create a share, you typically create four separate domain local groups for different levels of access to the share.
- You would make the global group or groups members of the appropriate domain local group.

6.21 Planning Group Strategies (3) (Skill 2)
Benefits of using the Microsoft rule
- Modularity
- Ease of modification
- A reduction in the size of the global group list
Summarize the rule using the acronym A-G-DL-P: Accounts go into global groups, which go into domain local groups, which are assigned permissions.

6.22 Figure 6-3 Strategy for creating global and domain local groups (Skill 2)

6.23 Planning Group Strategies (4) (Skill 2)
Strategies for using the universal group scope
- Before creating universal groups, make sure that the memberships of those groups will not change frequently.
- Never add a user account as a member of a universal group; instead, add global groups as members of universal groups.
- Universal groups are designed to be used in one specific situation.

6.24 Planning Group Strategies (5) (Skill 2)
Strategies for using the universal group scope
- When you use universal groups to organize global groups from multiple domains, the Microsoft rule is modified so that universal groups are nested in between global and domain local groups.
- The acronym is now A-G-U-DL-P: Accounts go into global groups, which go into universal groups, which are placed in domain local groups, which are assigned permissions.
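The scope rules from slides 6.10 through 6.17 and the A-G-DL-P / A-G-U-DL-P chain above can be checked mechanically rather than remembered. The Python model below is an added example, not part of the Pearson course: it encodes only the membership rules the lesson states (so it does not model rules the lesson leaves out, such as nesting domain local groups inside domain local groups), and the domains hq.example and branch.example, the account bob, the group names and the share path \\fs1\ledger are all constructed. nesting_allowed() rejects a membership that the scope and domain mode forbid, groups_of() expands transitive membership the way an access token would, effective_access() shows which permission levels reach an account through the chain, and agdlp_violations() flags layouts that break the Microsoft rule.

```python
"""Active Directory group scopes and the A-G-DL-P / A-G-U-DL-P nesting chain from the
lesson, as a checkable model. Added example, not course material; all names are constructed."""

# Domain modes named in the lesson; Windows 2000 mixed mode is the default.
MIXED, NATIVE, WS2003 = "Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003"
UNIVERSAL_MODES = {NATIVE, WS2003}   # universal groups exist only in these modes


class Obj:
    def __init__(self, name, domain, kind, scope=None):   # kind: user, computer or group
        self.name, self.domain, self.kind, self.scope = name, domain, kind, scope
        self.members = []   # member names; only meaningful for groups


def nesting_allowed(member, group, mode):
    """Membership rules the lesson states per scope and mode; None if allowed, else the reason."""
    is_group = member.kind == "group"
    if group.scope == "universal":
        if mode not in UNIVERSAL_MODES:
            return "universal groups exist only in native or Windows Server 2003 mode"
        if is_group and member.scope not in ("global", "universal"):
            return "a universal group may nest only global or universal groups"
    elif group.scope == "global":
        if member.domain != group.domain:
            return "a global group may contain members only from its own domain"
        if is_group and (mode == MIXED or member.scope != "global"):
            return "global groups nest only other global groups, and never in mixed mode"
    elif group.scope == "domain local":   # accounts and global groups from any domain are fine
        if is_group and member.scope == "universal" and mode not in UNIVERSAL_MODES:
            return "universal groups cannot be nested in mixed mode"
    else:
        return "unknown scope %r" % group.scope
    return None


class Directory:
    def __init__(self, mode):
        self.mode, self.objects, self.acl = mode, {}, {}   # acl: resource -> {group: level}

    def add(self, obj):
        self.objects[obj.name] = obj

    def add_member(self, member_name, group_name):
        member, group = self.objects[member_name], self.objects[group_name]
        reason = nesting_allowed(member, group, self.mode)
        if reason:
            raise ValueError("%s -> %s: %s" % (member_name, group_name, reason))
        group.members.append(member_name)

    def grant(self, resource, group_name, level):
        self.acl.setdefault(resource, {})[group_name] = level

    def groups_of(self, name):
        """Transitive membership: every group the account's access token would carry."""
        found, todo = set(), [name]
        while todo:
            current = todo.pop()
            for g in self.objects.values():
                if g.kind == "group" and current in g.members and g.name not in found:
                    found.add(g.name)
                    todo.append(g.name)
        return found

    def effective_access(self, name, resource):
        """Permission levels that reach an account through the nesting chain."""
        groups = self.groups_of(name)
        return {lvl for grp, lvl in self.acl.get(resource, {}).items() if grp in groups}

    def agdlp_violations(self):
        """Microsoft rule: permissions only on domain local groups; accounts only in global groups."""
        out = []
        for resource, entries in self.acl.items():
            for grp in entries:
                if self.objects[grp].scope != "domain local":
                    out.append("%s: permission granted to %s group %s" % (resource, self.objects[grp].scope, grp))
        for g in self.objects.values():
            if g.kind == "group" and g.scope in ("domain local", "universal"):
                for m in g.members:
                    if self.objects[m].kind != "group":
                        out.append("%s: account %s added directly to a %s group" % (g.name, m, g.scope))
        return out


def build_example():
    """Constructed two-domain forest in Windows Server 2003 mode, wired A-G-U-DL-P for one share."""
    d = Directory(WS2003)
    d.add(Obj("bob", "branch.example", "user"))
    d.add(Obj("HQ Accountants", "hq.example", "group", "global"))
    d.add(Obj("Branch Accountants", "branch.example", "group", "global"))
    d.add(Obj("All Accountants", "hq.example", "group", "universal"))
    d.add(Obj("Ledger Share Modify", "hq.example", "group", "domain local"))
    d.add(Obj("Ledger Share Read", "hq.example", "group", "domain local"))
    d.add_member("bob", "Branch Accountants")               # A -> G
    d.add_member("HQ Accountants", "All Accountants")       # G -> U
    d.add_member("Branch Accountants", "All Accountants")   # G -> U
    d.add_member("All Accountants", "Ledger Share Modify")  # U -> DL
    d.grant(r"\\fs1\ledger", "Ledger Share Modify", "Modify")   # DL -> P
    d.grant(r"\\fs1\ledger", "Ledger Share Read", "Read")       # reachable by nobody yet
    return d


if __name__ == "__main__":
    print(build_example().effective_access("bob", r"\\fs1\ledger"))
```

Running it shows bob, whose account lives in branch.example, reaching the share in hq.example with Modify and nothing else, because the only path from his account to the share runs through a global group, a universal group and a domain local group, which is exactly the A-G-U-DL-P chain. Adding bob straight into a domain local group is accepted by the scope rules but reported by agdlp_violations(), which is the kind of check worth running before an audit.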
6.25 Creating Groups (Skill 3)
- Groups can be used to effectively manage large numbers of users and resources.
- Even in small environments, it is advised that you follow the Microsoft rule for creating groups and assigning permissions.

6.26 Creating Groups (2) (Skill 3)
- As organizational changes are made, some groups may become redundant.
- It is important to delete groups that are no longer required. Doing so:
  - Maintains security
  - Avoids accidentally assigning permissions to groups and resources that are no longer required
- Windows Server 2003 Active Directory uses the Security Identifier (SID) to identify a particular group and assign permissions to it.

6.27 Creating Groups (3) (Skill 3)
Security Identifier (SID)
- A unique number that identifies each security object in Active Directory.
- When a group is deleted, the SID for that group is also deleted and is never used by Windows Server 2003 again.
- You cannot recreate a deleted group and restore its settings.
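The practical consequence of the SID point is that permissions are bound to a group's SID, not its name: once a group is deleted, every access control entry that referenced it is left pointing at a SID that will never be issued again, and a new group created with the same name gets a fresh SID and none of the old access. The Python below is an added example, not course code. It parses SID strings of the usual S-1-5-... layout, names the well-known relative IDs (RIDs) of the default groups the lesson lists (these RID values, for example 512 for Domain Admins and 544 for the Builtin Administrators group, are real Windows values but are not given on the slides), and then simulates the delete-and-recreate case; the domain identifier, RID counter, ACL and group name are constructed.

```python
"""Security Identifiers (SIDs): parse them, name the well-known RIDs of the default groups
the lesson lists, and show why a deleted group's ACL entries become orphans. Added example,
not course material; the domain identifier, RID counter, ACL and group names are constructed."""
import re

SID_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$")

# Well-known relative IDs (real Windows values, not given on the slides). Domain groups hang
# off the domain identifier S-1-5-21-x-y-z; Builtin container groups live under S-1-5-32.
DOMAIN_RIDS = {512: "Domain Admins", 515: "Domain Computers", 516: "Domain Controllers",
               518: "Schema Admins", 519: "Enterprise Admins"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests", 548: "Account Operators",
                549: "Server Operators", 550: "Print Operators", 551: "Backup Operators",
                552: "Replicator"}
FIRST_CUSTOM_RID = 1000   # RIDs below 1000 are reserved for well-known objects


def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub>...' into (revision, authority, subauthorities)."""
    if not SID_RE.match(text):
        raise ValueError("not a SID: %r" % text)
    parts = [int(p) for p in text.split("-")[1:]]
    return parts[0], parts[1], tuple(parts[2:])


def describe(sid):
    """Name a well-known group SID, or report its domain identifier and RID."""
    _, authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return "Builtin\\" + BUILTIN_RIDS.get(subs[1], "RID %d" % subs[1])
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "S-1-5-21-%d-%d-%d" % subs[1:4]
        return "%s %s" % (domain, DOMAIN_RIDS.get(subs[4], "RID %d" % subs[4]))
    return "unrecognised SID layout"


class Domain:
    """Toy domain: issues RIDs from a counter and stores each resource's ACL keyed by SID,
    which is what Windows does; group names are only a display convenience."""

    def __init__(self, domain_sid):
        self.domain_sid, self.next_rid = domain_sid, FIRST_CUSTOM_RID
        self.groups = {}   # name -> SID
        self.acl = {}      # resource -> {SID: permission level}

    def create_group(self, name):
        sid = "%s-%d" % (self.domain_sid, self.next_rid)
        self.next_rid += 1   # a RID is never reissued, even after the object is deleted
        self.groups[name] = sid
        return sid

    def delete_group(self, name):
        del self.groups[name]   # ACL entries that reference the SID are left behind

    def grant(self, resource, name, level):
        self.acl.setdefault(resource, {})[self.groups[name]] = level

    def access_for(self, resource, name):
        """Level granted to the group currently carrying this name, if any."""
        return self.acl.get(resource, {}).get(self.groups.get(name))

    def orphaned_aces(self, resource):
        """SIDs in the ACL that no longer resolve to an existing group."""
        live = set(self.groups.values())
        return [sid for sid in self.acl.get(resource, {}) if sid not in live]


def demo():
    """Delete and recreate a group of the same name; the ACE stays bound to the old SID."""
    d = Domain("S-1-5-21-1111111111-2222222222-3333333333")   # constructed domain identifier
    old = d.create_group("Ledger Share Read")
    d.grant(r"\\fs1\ledger", "Ledger Share Read", "Read")
    d.delete_group("Ledger Share Read")
    new = d.create_group("Ledger Share Read")
    return old, new, d.access_for(r"\\fs1\ledger", "Ledger Share Read"), d.orphaned_aces(r"\\fs1\ledger")


if __name__ == "__main__":
    print(demo())
    print(describe("S-1-5-32-544"), "|", describe("S-1-5-21-1111111111-2222222222-3333333333-512"))
```

demo() returns two different SIDs for the same group name, no access for the recreated group, and one orphaned entry in the share's ACL. Orphaned SIDs of this kind are what a security tab shows as an unresolved S-1-5-21-... string, and they are the reason the slide advises deleting unneeded groups deliberately rather than casually.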
6.28 Figure 6-4 Creating a group (Skill 3)

6.29 Setting Group Properties (Skill 4)
- After you have created a group, you can open the Properties dialog box for the group to set its properties.
Tabs on the Properties dialog box for a group
- General: Describes the scope and type assigned to the group.
- Members: Used to add members of the domain to the group; members of a group can include user accounts, contacts, other groups, or computers.

6.30 Setting Group Properties (2) (Skill 4)
Tabs on the Properties dialog box for a group
- Member Of: Used to add the group to other groups in the domain, or to universal groups in other domains in the forest.
- Managed By: Used to specify the user or contact person managing the group.
- Object: Specifies the path to the group within the domain.
- Security: Used to set permissions for the members of the group.

6.31 Figure 6-6 Selecting a user for the group (Skill 4)
6.32 Creating Local Groups (Skill 6)
- Sometimes groups with a domain local scope are referred to as local groups. However, there is a vast difference between a local group and a domain local group.
- Unlike a domain local group, which is a collection of user accounts from a domain, a local group is used to manage local user accounts on a single server or a stand-alone computer.
- In other words, groups with a local scope are called local groups.

6.33 Creating Local Groups (2) (Skill 6)
- The access level for local groups is limited to resources located on the computer on which the group is created.
- Local groups are mainly used in peer-to-peer or workgroup networks, or on stand-alone computers that are not part of a domain.
- You populate local groups with user accounts that are stored in the local security database of a single computer.

6.34 Creating Local Groups (3) (Skill 6)
- On a domain network, you can make global groups members of a local group so that domain users can be assigned rights and permissions for the resources on a particular workstation.
- To create local groups, you use the Local Users and Groups snap-in in the Computer Management console.
- You can delete, rename, and add members to a local group from its context menu in the Computer Management console.

6.35 Figure 6-11 The Location dialog box (Skill 6)

6.36 Figure 6-12 Searching for local resources (Skill 6)

6.37 Creating Local Groups (4) (Skill 6)
- You generally create local groups when the number of users is small and Active Directory is not installed on the network.
- It is important to remember that local groups cannot be created on domain controllers, because domain controllers use the Active Directory database, not the local user database.
- Local groups can be used only on the computer where the local group was created.
6.38 Introducing Default Groups (Skill 7)
- Windows Server 2003 Active Directory provides four classes of default groups:
  - Built-in local
  - Built-in domain local
  - Built-in global
  - Built-in system
- These groups have a predefined common set of user rights or group memberships, which determine the type of tasks that a user or a group member of each group can perform.

6.39 Introducing Default Groups (2) (Skill 7)
Built-in local groups
- Are created on all Windows Server 2003 computers.
- Can be viewed in the Groups folder in the Computer Management snap-in on all non-domain controllers.
- On domain controllers, they are stored in the Builtin container in the Active Directory Users and Computers console.

6.40 Introducing Default Groups (3) (Skill 7)
Built-in local groups in the Builtin container
- Account Operators
- Administrators
- Backup Operators
- Guests
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Log Users
- Performance Monitor Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users

6.41 Introducing Default Groups (4) (Skill 7)
Built-in domain local groups
- Cannot be deleted.
- Are automatically created only on domain controllers.
- Are stored in the Users container in the Active Directory Users and Computers console.
- The number of domain local groups will be different on each domain controller, depending on the type of services the domain controller is running.

6.42 Introducing Default Groups (5) (Skill 7)
Built-in domain local groups
- Their names generally identify the function of the group.
- Have a set of predefined rights and permissions to perform various actions in Active Directory and on domain controllers.

6.43 Introducing Default Groups (6) (Skill 7)
Built-in global groups
- Are automatically created on domain controllers.
- Are stored in the Users container in the Active Directory Users and Computers console.
- These groups, also known as predefined global groups, consolidate common types of user accounts and have predefined group memberships.

6.44 Introducing Default Groups (7) (Skill 7)
Built-in global groups
- Domain-wide rights and privileges must be assigned to members of these groups.
- Rights can be assigned to built-in global groups either directly or by adding them to domain local groups.

6.45 Introducing Default Groups (8) (Skill 7)
Some commonly used built-in global groups
- DnsUpdateProxy: DNS clients that are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers).
- Domain Admins: Members of this group have full control over the domain; this group is a member of the Administrators group by default.
- Domain Computers: All workstations and servers joined to the domain.
- Domain Controllers: All domain controllers in the domain.

6.46 Introducing Default Groups (10) (Skill 7)
Some commonly used built-in global groups
- Enterprise Admins: This group, which is present only in the forest root domain, is used by network administrators to manage resources in an enterprise. The Domain Admins group and the Administrator user account are default members of this built-in global group. When Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode, this will be converted to a universal group.

6.47 Introducing Default Groups (11) (Skill 7)
Some commonly used built-in global groups
- Schema Admins: Designated administrators of the schema. The Administrator account is a default member of this group. When Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode, this will be converted to a universal group.

6.48 Introducing Default Groups (12) (Skill 7)
Built-in system groups
- Also referred to as special identities.
- Are populated with users based on how they access a computer or a resource.
- Network administrators cannot add, modify, or delete the user accounts in these groups, because the operating system does so automatically.
- Since users cannot be added to built-in system groups, they are not shown when you are managing your user accounts, but they are available for selection when you are granting rights and permissions.
6.49 Starting a Program Using the Run as Command (Skill 8)
- As a general rule, you should avoid running a computer using the Administrator account, in order to protect your network from significant security risks.
- You should log on as a member of the Users or Power Users group for routine tasks.

6.50 Starting a Program Using the Run as Command (2) (Skill 8)
- To perform an administrative task or to start a program while you are logged on as a user, you can use the Run as command.
- The Run as command allows you to access programs and other Windows Server 2003 administrative tools temporarily, without logging off as the current user.

6.51 Starting a Program Using the Run as Command (3) (Skill 8)
To start any program or any other Windows Server 2003 utility using the Run as command, you need:
- An appropriate user account and password information to log on to the computer
- To ensure the program or Windows Server 2003 utility you want to run is installed on the system

6.52 Starting a Program Using the Run as Command (6) (Skill 8)
The Run as command can also be invoked from a shortcut:
- Go into Properties for the shortcut
- Check the Run as other user box

6.53 Figure 6-18 Running the Run as command at the command prompt (Skill 8)