1 Chapter Overview Using Group Objects Understanding Default Groups Creating Group Objects Managing Administrative Access.


1 Chapter Overview
- Using Group Objects
- Understanding Default Groups
- Creating Group Objects
- Managing Administrative Access

2 Using Group Objects
You can use groups in Microsoft Windows 2000 to simplify network administration.

3 Understanding Groups
A group is a collection of user or computer accounts. Groups simplify administration: when you assign permissions or rights to a group, all of the members of the group inherit those permissions or rights.

4 Using Groups to Simplify System and Network Administration

5 Groups and Permissions
- Permissions control access to resources.
- Rights enable users to perform tasks.
- Groups can contain user accounts, other groups, contacts, and computers.
- Groups can be local or in the Active Directory service.

6 Group Types
Windows 2000 includes two types of groups:
- Security groups
- Distribution groups
Both types of groups are stored in the Active Directory database.

7 Security Groups
- The only type of group used by Windows 2000 itself
- Used to assign permissions and rights
- Can be used by programs that use Active Directory for nonsecurity-related purposes
- Have all the capabilities of a distribution group

8 Distribution Groups
- Can be used by applications (if designed to work with Active Directory) for nonsecurity-related functions, such as sending e-mail to a group of users
- Cannot be used to assign rights and permissions

9 Group Scopes
The scope of a group determines where in the network you can use the group. The three group scopes are:
- Global group
- Domain local group
- Universal group

10 Group Scopes (Cont.)

11 Global Groups
Are typically used to organize users who have similar network access requirements.
Characteristics:
- Limited membership
- Access to resources in any domain

12 Domain Local Groups
Are typically used to assign permissions to resources.
Characteristics:
- Open membership
- Access to resources in one domain

13 Universal Groups
Are typically used to assign permissions to related resources in multiple domains.
Characteristics:
- Open membership
- Access to resources in any domain
- Available only in Native mode

14 Group Nesting
Adding groups to other groups is called nesting. Nesting can reduce network traffic and simplify administration.
Guidelines for nesting:
- Minimize levels of nesting.
- Document group memberships to keep track of permissions assignments.
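The two nesting guidelines above (keep nesting shallow, document who gets what through which group) are easiest to follow when the effective membership of a permission-holding group can be produced mechanically. The following Python is an added example, not part of the slides or of any Microsoft tool: it walks a constructed, in-memory directory (all group and account names are made up for illustration) and reports, for every account, the chain of nested groups through which it inherits the top group's rights, flagging chains deeper than a chosen budget.

```python
from collections import deque

# Constructed sample directory (illustrative names, not from the slides):
# each key is a group, each value its direct members. A member that is itself
# a key is a nested group; anything else is a user or computer account.
DIRECTORY = {
    "DL_Payroll_Read": ["G_Payroll_Staff", "G_Finance_Managers"],  # holds the permission
    "G_Payroll_Staff": ["alice", "bob"],
    "G_Finance_Managers": ["G_Execs", "carol"],
    "G_Execs": ["dave"],
}


def effective_members(group, directory):
    """Map every account that gains `group`'s rights to the chain of groups
    it gains them through. Breadth-first, so the chain recorded for each
    account is the shortest one; `seen` keeps cyclic nesting from looping."""
    chains = {}
    queue = deque([[group]])
    seen = {group}
    while queue:
        path = queue.popleft()
        for member in directory.get(path[-1], []):
            if member in directory:  # nested group: walk into it once
                if member not in seen:
                    seen.add(member)
                    queue.append(path + [member])
            else:  # leaf account
                chains.setdefault(member, path)
    return chains


def nesting_levels(chains):
    """Nested groups between the permission-holding group and each account
    (0 = direct member)."""
    return {account: len(path) - 1 for account, path in chains.items()}


def deeper_than(chains, max_levels):
    """Accounts whose access chain exceeds the nesting budget, sorted."""
    return sorted(a for a, p in chains.items() if len(p) - 1 > max_levels)


def report(group, directory, max_levels=1):
    """Human-readable membership documentation for one group."""
    chains = effective_members(group, directory)
    lines = [f"{group}: {len(chains)} effective members"]
    for account, path in sorted(chains.items()):
        lines.append(f"  {account:<6} via {' -> '.join(path)}")
    flagged = deeper_than(chains, max_levels)
    if flagged:
        lines.append(f"  nesting deeper than {max_levels} level(s): {', '.join(flagged)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("DL_Payroll_Read", DIRECTORY))
```

In the sample, dave reaches DL_Payroll_Read only through two nested global groups, so he is the one flagged at a one-level budget; the per-account "via" chain is exactly the documentation the guideline asks for when a permission assignment is later reviewed.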

15 Rules for Group Membership
The scope of a group determines the group's membership. Membership rules define the types of members that a group can contain.

16 Group Scope Membership Rules

Global
  In Native mode, can contain: user accounts and global groups from the same domain
  In Mixed mode, can contain: user accounts from the same domain

Domain local
  In Native mode, can contain: user accounts, universal groups, and global groups from any domain; domain local groups from the same domain
  In Mixed mode, can contain: user accounts and global groups from any domain

Universal
  In Native mode, can contain: user accounts, other universal groups, and global groups from any domain
  In Mixed mode: not applicable
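The membership-rules table is the kind of thing that is worth encoding once and checking against, rather than remembering. The Python below is an added example (not from the slides or from any Microsoft tool) that turns the table into a lookup and validates a constructed list of proposed memberships under both domain modes; the group names are illustrative assumptions.

```python
NATIVE, MIXED = "native", "mixed"

# Member kinds a container may hold, with how far the member may come from:
# "same" = same domain only, "any" = any domain in the forest. Encodes the
# membership-rules table; an absent entry means "not allowed".
MEMBERSHIP_RULES = {
    NATIVE: {
        "global":       {"user": "same", "global": "same"},
        "domain_local": {"user": "any", "universal": "any", "global": "any",
                         "domain_local": "same"},
        "universal":    {"user": "any", "universal": "any", "global": "any"},
    },
    MIXED: {
        "global":       {"user": "same"},
        "domain_local": {"user": "any", "global": "any"},
        # no "universal" entry: universal groups exist only in Native mode
    },
}


def can_contain(mode, container_scope, member_kind, same_domain):
    """True if a group of `container_scope` may hold `member_kind` under `mode`.
    `same_domain` says whether container and member live in the same domain."""
    reach = MEMBERSHIP_RULES[mode].get(container_scope, {}).get(member_kind)
    if reach is None:
        return False
    return reach == "any" or same_domain


def check_memberships(mode, proposals):
    """Validate (container, container_scope, member, member_kind, same_domain)
    tuples; return a reason string for each one the rules reject."""
    rejected = []
    for container, cscope, member, mkind, same in proposals:
        if not can_contain(mode, cscope, mkind, same):
            where = "same domain" if same else "another domain"
            rejected.append(f"{container} ({cscope}) cannot contain "
                            f"{member} ({mkind}, {where}) in {mode} mode")
    return rejected


# Constructed proposals (illustrative names, not from the slides).
PROPOSALS = [
    ("G_Sales",     "global",       "alice",       "user",         True),
    ("G_Sales",     "global",       "G_Sales_EU",  "global",       False),
    ("DL_Printers", "domain_local", "G_Sales_EU",  "global",       False),
    ("DL_Printers", "domain_local", "DL_Remote",   "domain_local", False),
    ("U_AllStaff",  "universal",    "G_Sales",     "global",       False),
    ("U_AllStaff",  "universal",    "DL_Printers", "domain_local", True),
]

if __name__ == "__main__":
    for mode in (NATIVE, MIXED):
        for line in check_memberships(mode, PROPOSALS):
            print(line)
```

Running it shows three rejections in Native mode (a global group from another domain inside a global group, a domain local group from another domain inside a domain local group, and a domain local group inside a universal group) and four in Mixed mode, where global groups cannot be nested at all and universal groups do not exist.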

17 Understanding Local Groups
A local group is a collection of user accounts on a computer. Local groups are used to assign permissions to resources on the computer on which the local group was created. Local groups are created and stored in the local security database.

18 Guidelines for Using Local Groups
- Local groups can be used only on the computer where the local group was created.
- Local group permissions provide access only to resources on the computer where the local group was created.
- Local groups can be used on all computers running Windows 2000 except domain controllers.
- Local groups can be used to limit the ability of local users and groups to access network resources.

19 Membership Rules for Local Groups
- Local groups can contain local user accounts only from the computer where the local group was created.
- Local groups cannot be members of any other group.

20 Planning Global and Domain Local Groups
Have a group strategy in place before you create groups. The recommended method for deploying groups is to use global and domain local groups.

21 Strategy for Using Groups

22 Guidelines for Using Universal Groups
- Use universal groups to give users access to resources located in more than one domain.
- Use universal groups only when their membership is static.
- Add global groups from several domains to a universal group, and then assign to the universal group the permissions needed to access a resource.

23 Lesson Summary
- Groups enable administrators to assign rights and permissions to multiple users with a single procedure.
- There are three Windows 2000 group scopes: global groups, domain local groups, and universal groups.
- In general, use global groups to organize users, and assign permissions to resources to domain local groups.

24 Understanding Default Groups
Windows 2000 has four types of default groups:
- Predefined groups
- Built-in groups
- Built-in local groups
- Special identity groups

25 Predefined Groups
- Windows 2000 creates predefined groups with a global scope to group common types of user accounts.
- By default, Windows 2000 automatically adds members to some predefined global groups.
- You can add user objects to predefined groups.

26 Predefined Groups (Cont.)
By default, predefined groups do not have any inherent rights or permissions. You can assign rights or permissions to predefined groups by either:
- Adding the predefined global groups to domain local groups
- Explicitly assigning rights or permissions to the predefined global groups

27 Predefined Global Groups Contained in the \Users Folder

28 Built-In Groups
Windows 2000 creates built-in groups with a domain local scope in the \Builtin folder of each Active Directory domain. These groups provide users with rights and permissions to perform tasks on domain controllers and in Active Directory. To extend these rights and permissions to others, you can add user objects or global groups to built-in groups.

29 Built-in Groups Contained in the \Builtin Folder in a Domain

30 Built-in Local Groups
- Found on Windows 2000 stand-alone servers, member servers, and computers running Microsoft Windows 2000 Professional
- Give users the rights to perform system tasks on a single computer
- Created by Windows 2000 in the \Groups folder in the Local Users And Groups snap-in

31 The Local Users And Groups Snap-in

32 Special Identity Groups
Special identity groups exist on all computers running Windows 2000. These groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user accesses a computer or resource. These groups are not visible when you administer groups but are available when you assign rights and permissions.

33 The Most Commonly Used Special Identity Groups
- Anonymous Logon
- Authenticated Users
- Creator Owner
- Dialup
- Everyone
- Interactive
- Network

34 Lesson Summary
There are four types of Windows 2000 default groups:
- Predefined groups: global groups, created in the \Users folder of every Active Directory domain
- Built-in groups: domain local groups, created in the \Builtin folder of every Active Directory domain
- Built-in local groups: created on every computer running Windows 2000 that is not a domain controller
- Special identity groups: used to assign rights and permissions based on how users access computers and their resources

35 Creating Group Objects
After you assess user needs and have a strategy in place for your groups, you are ready to create group objects in Active Directory.

36 Creating and Deleting Groups
Use Active Directory Users And Computers to create and manage groups. You can create groups in the Users container or in another container or organizational unit (OU) created specifically for groups. Delete groups when you no longer need them.

37 Creating a Group Object
To create a group object:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers.
2. Expand the console tree until the container or OU where you want to create the group is visible.
3. Right-click the container or OU, click New, and then click Group.
4. In the Group Name box, type the group's name.
5. Select a group scope option.
6. Select a group type option.
7. Click OK to close the dialog box.

38 The New Object – Group Dialog Box

39 Adding Members to a Group
After you create a group object, you add members to it. Group members can include user objects, contacts, other groups, and computers. Use Active Directory Users And Computers to add members to a group.

40 Adding Members to a Group (Cont.)
To add members to a group:
1. Open Active Directory Users And Computers.
2. Right-click the group that you want to add members to, and then click Properties.
3. Click the Members tab.
4. In the Members tab, click Add.
5. In the Name list, select the object you want to make a member of the group, and then click Add. Repeat until you have selected all objects you want to add.
6. Click OK to add the selected objects.
7. Click OK to close the Properties dialog box.

41 The Select Users, Contacts, Or Computers Dialog Box

42 Changing the Group Type
You can convert a group object from one type to another. For example, you can convert a distribution group to a security group. You can change a group's type only when Windows 2000 is operating in Native mode.

43 Changing the Group Type (Cont.)
To change the type of a group:
1. Open Active Directory Users And Computers.
2. Right-click the group object whose type you want to change, and then click Properties.
3. In the General tab, change the group type by selecting a different Group Type option.
4. Click OK to change the group type and close the Properties dialog box.

44 The Properties Dialog Box of a Group Object

45 Changing the Group Scope to Universal
You can change a global or domain local group scope to universal. You can make this change only when Windows 2000 is operating in Native mode. The following group scope changes are permitted:
- Global group to universal group: only if the global group is not a member of another global group
- Domain local group to universal group: only if the domain local group does not contain a domain local group

46 Changing the Scope of a Group
To change the scope of a group:
1. Open Active Directory Users And Computers.
2. Right-click the group object, and then click Properties.
3. In the General tab, select the appropriate group scope option.
4. Click OK to close the Properties dialog box.

47 Deleting a Group
Deleting a group only deletes the group object—it does not delete the objects that are members of the group. You cannot delete a group if one of the group's members has the group set as his or her primary group.
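Slides 42, 45 and 47 each state a precondition that Active Directory Users And Computers enforces when you try to change a group's type, convert its scope to universal, or delete it. The Python below is an added example, not from the slides or from any Microsoft tool: it models those three preconditions over a constructed in-memory domain (the group and user names are made up; "Domain Users" is named only as a predefined global group that users commonly have as their primary group) so that a change can be pre-checked before anyone touches the console.

```python
from dataclasses import dataclass, field

NATIVE, MIXED = "native", "mixed"


@dataclass
class Group:
    name: str
    scope: str                      # "global", "domain_local" or "universal"
    gtype: str = "security"         # or "distribution"
    members: list = field(default_factory=list)   # names of users and groups


@dataclass
class User:
    name: str
    primary_group: str


def can_change_type(mode):
    """Security <-> distribution conversion is allowed only in Native mode."""
    return mode == NATIVE


def can_convert_to_universal(group, directory, mode):
    """Apply the two permitted scope changes. Returns (allowed, reason)."""
    if mode != NATIVE:
        return False, "scope changes require Native mode"
    if group.scope == "global":
        parents = sorted(g.name for g in directory.values()
                         if isinstance(g, Group) and g.scope == "global"
                         and group.name in g.members)
        if parents:
            return False, f"{group.name} is a member of global group(s): {', '.join(parents)}"
        return True, "global -> universal permitted"
    if group.scope == "domain_local":
        nested = sorted(m for m in group.members
                        if isinstance(directory.get(m), Group)
                        and directory[m].scope == "domain_local")
        if nested:
            return False, f"{group.name} contains domain local group(s): {', '.join(nested)}"
        return True, "domain local -> universal permitted"
    return False, f"{group.name} is already universal"


def can_delete(group, directory):
    """A group cannot be deleted while any user has it as primary group.
    Returns (allowed, blocking user names)."""
    blockers = sorted(u.name for u in directory.values()
                      if isinstance(u, User) and u.primary_group == group.name)
    return not blockers, blockers


# Constructed sample domain (illustrative names, not from the slides).
DIRECTORY = {
    "G_Sales":      Group("G_Sales", "global", members=["alice", "G_Sales_West"]),
    "G_Sales_West": Group("G_Sales_West", "global", members=["bob"]),
    "DL_Printers":  Group("DL_Printers", "domain_local", members=["G_Sales", "DL_Site1"]),
    "DL_Site1":     Group("DL_Site1", "domain_local", members=["G_Sales_West"]),
    "alice":        User("alice", "Domain Users"),    # predefined global group
    "bob":          User("bob", "G_Sales_West"),      # primary group set to a custom group
}

if __name__ == "__main__":
    for name in ("G_Sales", "G_Sales_West", "DL_Printers", "DL_Site1"):
        print(name, can_convert_to_universal(DIRECTORY[name], DIRECTORY, NATIVE))
    print("delete G_Sales_West:", can_delete(DIRECTORY["G_Sales_West"], DIRECTORY))
```

G_Sales_West cannot become universal while it sits inside the global group G_Sales, and DL_Printers cannot while it contains DL_Site1; G_Sales itself can, because its only parent is a domain local group, which the rule does not restrict. The same walk finds that bob's primary group blocks deleting G_Sales_West, which is what the Active Directory message box would report after the fact.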

48 Deleting a Group (Cont.)
To delete a group:
1. Open Active Directory Users And Computers.
2. Right-click the group object you want to delete, and then click Delete.
3. In the Active Directory message box, click Yes.

49 Creating Local Groups
Use the Local Users And Groups snap-in (which is included in Computer Management) to create local groups. Create local groups in the \Groups folder.

50 Creating Local Groups (Cont.)
To create a local group:
1. Open Computer Management, and expand the Local Users And Groups snap-in.
2. Right-click the Groups container, and then click New Group.
3. In the Group Name box, type a name for the group.
4. In the Description box, type a description for the group.
5. Click Add to display the Select Users Or Groups dialog box.
6. In the Name list, select a user to add to the group, and then click Add. (Repeat as necessary.)
7. Click OK to close the Select Users Or Groups dialog box.
8. Click Create to create the group and add the members.
9. Click Close to close the New Group dialog box.

51 The New Group Dialog Box

52 The Select Users Or Groups Dialog Box

53 Adding Members and Deleting Groups
You can add members to a local group either when you create it or at any time afterward. You can use the Local Users And Groups snap-in (in Computer Management) to delete a local group if you need to.

54 Lesson Summary
- Use Active Directory Users And Computers to create global, domain local, or universal groups.
- Use Local Users And Groups to create local groups. You can create local groups on any computer running Windows 2000 that is not a domain controller.
- Deleting a group only deletes the group object—it does not delete the objects that are members of the group.

55 Managing Administrative Access
For optimum security, avoid logging on as Administrator to perform nonadministrative tasks.

56 Why You Should Not Run Your Computer as an Administrator
Being logged on as Administrator (or as a member of an Administrators group) can expose your network to virus and Trojan horse attacks and other security risks. Administrators should perform administrative tasks only while logged on as Administrator; the rest of the time they should use a regular user account.

57 Administrators as Members of the Users and Power Users Groups
- Log on as a member of the Users group to perform routine tasks without exposing your computer to unnecessary risk.
- Log on as a member of the Power Users group to perform routine tasks and to install programs, add printers, and use most Control Panel tools.

58 Using Run As to Start a Program
You can use the Run As program to run a program that requires you to be logged on as Administrator while you are logged on as a normal user. Use Run As when:
- You can provide the appropriate user account and password information
- The user account has the ability to log on to the computer
- The program or tool is available on the system and to the user account
Some applications cannot be started with the Run As program.

59 How to Use Run As to Start a Program
To use Run As to start a program as Administrator:
1. In Windows Explorer, locate the program or its shortcut, the Microsoft Management Console (MMC), or the Control Panel tool you want to open.
2. Press the Shift key and right-click the program, and then click Run As to display the Run As Other User dialog box.
3. Select Run The Program As The Following User.
4. In the User Name and Password boxes, type the user name and password of the administrator account you want to use.
5. In the Domain box, type the name of your computer or domain.
6. Click OK.

60 The Run As Other User Dialog Box

61 The Runas Command
Runas.exe is a command-line program that performs the same functions as the RunAs service. The syntax for Runas.exe is:
runas [/profile] [/env] [/netonly] /user:UserAccountName program

62 Runas Examples
You can use Runas.exe to start:
- The Windows 2000 command prompt, as an administrator on the local computer
- Computer Management, using a domain administrator account
- Microsoft Notepad, using a domain administrator account
- A command prompt window, MMC console, or other program that administers a server in another forest

63 Lesson Summary
- Users with administrative access to the network should not use administrative accounts for their everyday user activities.
- You can use the Run As program to run a program that requires you to be logged on as Administrator while you are logged on as a normal user.
- Runas.exe is a command-line program that performs the same functions as the RunAs service.

