
Administering Groups Chapter Eight. Exam Objectives In this Chapter:  Plan a security group hierarchy based upon delegation requirements  Plan a security.


1 Administering Groups Chapter Eight

2 Exam Objectives In this Chapter:
• Plan a security group hierarchy based upon delegation requirements
• Plan a security group strategy

3 In this Chapter:
• Understanding Groups
• Creating and Administering Groups
• Administration Strategies

4 To Complete this Chapter:
• Prepare your test environment according to the descriptions given in the "Getting Started" section of "About This Book"
• Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, "Installing and Configuring Active Directory"
• Learn to use Active Directory administration tools as discussed in Chapter 3, "Administering Active Directory"
• Complete the practices for configuring sites and replication as discussed in Chapter 5, "Configuring Sites and Managing Replication"
• Complete the practices for implementing an organizational unit (OU) structure as discussed in Chapter 6, "Implementing an OU Structure"
• Complete the practices for creating and maintaining user accounts as discussed in Chapter 7, "Administering User Accounts"

5 Groups
• A group is a collection of user accounts.
• Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions and rights to each individual user account.

6 Groups and Permissions

7 Group Types
• Security Groups
  • Use to assign permissions to gain access to resources.
• Distribution Groups
  • Use distribution groups when the only function of the group is nonsecurity related.

8 Group Scopes

9 Global Groups
• Global security groups are most often used to organize users who share similar network access requirements.
  • Limited membership.
    • Only from the domain in which you create the global group.
  • Access to resources in any domain.
    • Assign permissions to gain access to resources that are located in any domain in the tree or forest.

10 Domain Local Groups
• Domain local security groups are most often used to assign permissions to resources.
  • Open membership.
    • Members from any domain.
  • Access to resources in one domain.
    • Permissions to gain access to resources that are located only in the same domain where you create the domain local group.

11 Universal Groups
• Universal security groups are most often used to assign permissions to related resources in multiple domains.
  • Open membership.
    • Members from any domain in the forest.
  • Access to resources in any domain.
    • Assign permissions to gain access to resources that are located in any domain in the forest.
  • Only available in native mode.
    • Not available in domains with the domain functional level set to Windows 2000 mixed.

12 Group Nesting
• Adding groups to other groups, or nesting, creates a consolidated group and can reduce network traffic between domains and simplify administration in a domain tree.
  • Minimize levels of nesting.
  • Document group membership to keep track of permissions assignments.

13 Rules for Group Membership
• The group scope determines the membership of a group.
• Membership rules determine the members that a group can contain.
• Group members can be user accounts and other groups.

14 Local Groups
• A local group is a collection of user accounts on a computer.
  • Use local groups to assign permissions to resources residing on the computer on which the local group is created.
  • Guidelines on page 8-8

15 CAUTION
• Because Active Directory groups with a “domain local” scope are sometimes referred to as “local groups,” it is important to distinguish between a local group and a group with a domain local scope.

16 Possible limitations
• Placing user accounts in domain local groups and assigning permissions to the domain local groups.
• Placing user accounts in global groups and assigning permissions to the global groups.

17 Using Universal Groups
• Use universal groups to give users access to resources that are located in more than one domain.
• Use universal groups only when their membership is static.
• Add global groups from several domains to a universal group, and then assign permissions for access to a resource to the universal group.

18 Default Groups
• Windows 2003 has four categories of default groups:
  • Groups in the Builtin folder
  • Groups in the User Folder
  • Special identity
  • Default local groups

19 Groups in the Built-In folder
• These groups provide users with user rights and permissions to perform tasks on domain controllers and in Active Directory.
• Built-in domain local groups give predefined rights and permissions to user accounts when you add user accounts or global groups as members.
• Table 8-2 describes the default groups in the built-in folder

20 Create a list of groups
• You can use the Net Localgroup and Net Group commands.
• For example, you could open a command prompt and type net localgroup > C:\localgroups.txt to create a list of local groups in a file named C:\localgroups.txt.
• As another example of how the Net commands work, examine and run the batch file named Grouplistings.bat on the Supplemental CD-ROM in the \70-294\Labs\Chapter08 folder.

21 Groups in the User Folder
• Windows Server 2003 creates default security groups in the Users folder in the Active Directory Users And Computers console.
• The groups in the Users folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain.
• Table 8-3 describes the default groups in the Users Folder

22 Special Identity Groups
• These groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource.
• You do not see special identity groups when you administer groups, but they are available for use when you assign rights and permissions to resources.
• Table 8-4 describes Special Identity Groups

23 Anonymous Users
• In Windows Server 2003, the Anonymous Logon group is no longer a member of the Everyone group.
• Therefore, anonymous users attempting to access resources hosted on computers running Windows Server 2003 will be impacted.

24 Built-In Local Groups
• All stand-alone servers, member servers, and computers running Windows 2003 Professional have built-in local groups.
• Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources.
• Table 8-5 describes Built-in Local Groups

25 Exam Tip
• Be familiar with the groups in each category

26 Planning a Group Strategy
1. Assign users with common job responsibilities to global groups.
2. Create a domain local group for resources to be shared.
3. Add global groups that need access to the resources to the domain local group.
4. Assign resource permissions to the domain local group.
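The four steps above carried out with the Windows Server 2003 directory service command-line tools (dsadd, dsmod, dsget) and icacls. This is an added example, not part of the original presentation; the domain example.com, the OU, group and user names and the folder D:\Shares\Sales are constructed, and icacls is assumed to be available (Windows Server 2003 SP2 or later).

```batch
@echo off
rem Added example (not from the presentation): the four planning steps done
rem with dsadd/dsmod/dsget and icacls. All names below are constructed.
setlocal
set "GROUPS_OU=OU=Groups,DC=example,DC=com"
set "GG=CN=GG-Sales-Staff,%GROUPS_OU%"
set "DL=CN=DL-SalesShare-Modify,%GROUPS_OU%"
set "MEMBER=CN=Alice Example,OU=Sales,DC=example,DC=com"
set "SHARE=D:\Shares\Sales"

rem Step 1: global group for users with a common job responsibility.
dsadd group "%GG%" -secgrp yes -scope g -samid GG-Sales-Staff || goto fail
dsmod group "%GG%" -addmbr "%MEMBER%" || goto fail

rem Step 2: domain local group that represents access to the shared resource.
dsadd group "%DL%" -secgrp yes -scope l -samid DL-SalesShare-Modify || goto fail

rem Step 3: nest the global group in the domain local group.
dsmod group "%DL%" -addmbr "%GG%" || goto fail

rem Step 4: grant the permission to the domain local group only
rem (Modify, inherited by subfolders and files). No user or global
rem group appears on the ACL itself.
icacls "%SHARE%" /grant "EXAMPLE\DL-SalesShare-Modify:(OI)(CI)M" || goto fail

rem Document the result: expanded (nested) membership and the folder ACL.
dsget group "%DL%" -members -expand
icacls "%SHARE%"
endlocal
exit /b 0

:fail
echo A step failed; review the groups and the ACL before retrying. 1>&2
endlocal
exit /b 1
```

Access is then granted or revoked by changing membership of the global group, and the expanded member list printed at the end is the record of who holds the permission.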

27 Planning a Group Strategy

28 Practice:
• Planning New Group Accounts Exercise 1
• Page 8-17

29 Creating and Deleting Groups
• Use the Active Directory Users and Computers console to create and delete groups.
• When you create groups, create them in the Users container or in another container or an organizational unit (OU) that you have created specifically for groups.

30 Creating a Group
• In Active Directory
• Universal groups are not available in Pre-2000 Mixed Mode

31 Deleting Groups
• As your organization grows and changes, you may discover that there are groups that you no longer need.
• Be sure that you delete groups when you no longer need them.

32 Adding Members to a Group
• Members of groups can include user accounts, contacts, other groups, and computers.
• You can add a computer to a group to give one computer access to a shared resource on another computer, for example, for remote backup.

33 Adding Members
• Choose:
  • Object type
  • Location
• Select Advanced to search
• Check Names to verify the correct group name

34 Changing the Group Scope to Universal
• Group scopes may be changed to universal only when operating in Windows 2000 or 2003 native modes.

35 Changing the Group Type
• Group types may be changed only when operating in Windows 2000 native mode.

36 Practice:
• Creating and Administering Groups
  • Exercise 1: Creating a Global Group and Adding Members
  • Exercise 2: Creating a Domain Local Group and Adding Members
• Page 8-27

37 Administration Strategies
• Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks.
• The simple act of visiting an Internet site can be extremely damaging to the system.
• An unfamiliar Internet site might contain Trojan horse code that can be downloaded to the system and executed.
• Therefore, you should not run your computer as an administrator.

38 Using Run As to Start a Program
• To run a program that requires you to be logged on as an administrator, you can use the Run As program.
• This program allows you to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.

39 NOTE
• Run As is usually used to run programs as an administrator, although it is not limited to administrator accounts. Any user with multiple accounts can use Run As to run a program, MMC tool, or Control Panel item with alternate credentials.

40 Two ways to Run As
• Right-click any program and select the Run as… option.

41 RUNAS Command
runas [{/profile|/noprofile}] [/env] [/netonly] [/savedcreds] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program
• Switches are defined on page 8-32
• RUNAS examples on page 8-33

42 Practice:
• Using Run As to Start a Program as an Administrator
  • Exercise: Using Run As to Start a Program as an Administrator
• Page 8-33

43 Summary
• Case Scenario Exercise Pages 35 – 37.
• Troubleshooting Lab Pages 37 - 38
• Exam Highlights
  • Key points (p. 8-39)
  • Key terms (p. 8-39)

