Published by Rolf Marshall. Modified over 9 years ago.
1
Module 3: Managing Groups
2
Overview
- Creating Groups
- Managing Group Membership
- Strategies for Using Groups
- Using Default Groups
3
Lesson: Creating Groups
- What Are Groups?
- What Are Domain Functional Levels?
- What Are Global Groups?
- What Are Universal Groups?
- What Are Domain Local Groups?
- What Are Local Groups?
- Guidelines for Creating and Naming Groups
- Who Can Create Groups?
- Practice: Creating Groups
4
What Are Groups?
Groups simplify administration by enabling you to assign permissions for resources.
Groups are characterized by scope and type.
Group type: Security
- Used to assign user rights and permissions
- Can be used as an e-mail distribution list
Group type: Distribution
- Can be used only with e-mail applications
- Cannot be used to assign permissions
5
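What Are Domain Functional Levels?
Windows 2000 mixed (default)
- Domain controllers supported: Windows NT Server 4.0, Windows 2000, Windows Server 2003
- Group scopes supported: Global, domain local
Windows 2000 native
- Domain controllers supported: Windows 2000, Windows Server 2003
- Group scopes supported: Global, domain local, universal
Windows Server 2003
- Domain controllers supported: Windows Server 2003
- Group scopes supported: Global, domain local, universal
Windows Server 2003 interim
- Domain controllers supported: Windows NT Server 4.0, Windows Server 2003
- Group scopes supported: Global, domain local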
6
What Are Global Groups?
Global group rules
Membership can include
- Mixed functional level: User and computer accounts from same domain
- Native functional level: User and computer accounts and global groups from same domain
Can be a member of
- Mixed functional level: Domain local groups
- Native functional level: Universal and domain local groups in any trusting domain and global groups in the same domain
Scope: Visible in its own domain and all trusting domains
Permissions: All domains in the forest and trusting domains
7
What Are Universal Groups?
Universal group rules
Membership can include
- Mixed functional level: Not applicable
- Native functional level: User accounts, global groups, and universal groups from any domain in the forest
Can be a member of
- Mixed functional level: Not applicable
- Native functional level: Domain local or universal groups in any domain
Scope: Visible in all domains in the forest and all trusting domains
Permissions: All domains in the forest and all trusting domains
8
What Are Domain Local Groups?
Domain local group rules
Membership can include
- Mixed functional level and Windows Server 2003 interim: User and computer accounts and global groups from any trusted domain
- Native functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain
Can be a member of
- Mixed functional level and Windows Server 2003 interim: None
- Native functional level: Domain local groups in the same domain
Scope: Visible only in its own domain
Permissions: Domain to which the domain local group belongs
9
What Are Local Groups?
Local group rules
Membership can include: Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains
Can be a member of: Not applicable
10
Guidelines for Creating and Naming Groups
Create groups in organizational units by using the following naming considerations:
Naming conventions for security groups
- Incorporate the scope in the group name
- Should reflect the group ownership
- Use a descriptor to identify the assigned permissions
Naming conventions for distribution groups
- Use short alias names
- Do not include a user’s alias name in the display name
- Allow a maximum of five co-owners of a single distribution group
11
Who Can Create Groups?
In the domain:
- Account Operators group
- Domain Admins group
- Enterprise Admins group
- Or users with appropriate delegated authority
On the local computer:
- Power Users group
- Administrators group on the local computer
- Or users with appropriate delegated authority
12
Practice: Creating Groups
In this practice, you will:
- Create groups by using Active Directory Users and Computers
- Create groups by using the dsadd command-line tool
13
Lesson: Managing Group Membership
- Determining Group Membership
- Adding and Removing Members from a Group
- Practice: Managing Group Membership
14
Determining Group Membership
Group or team: Tom, Jo, and Kim
- Member Of: G Denver Admins
Group or team: Sam, Scott, and Amy
- Member Of: G Vancouver Admins
Global group: G Denver Admins
- Members: Tom, Jo, Kim
- Member Of: DL OU Admins
Global group: G Vancouver Admins
- Members: Sam, Scott, Amy
- Member Of: DL OU Admins
Domain local group: DL OU Admins
- Members: G Denver Admins, G Vancouver Admins
- Member Of: N/A
15
Adding and Removing Members from a Group
Group membership can be modified by using Active Directory Users and Computers or the dsmod command.
16
Practice: Managing Group Membership
In this practice, you will:
- Determine a user’s group membership
- Add users to global groups
- Add global groups to domain local groups
17
Lesson: Strategies for Using Groups
- Multimedia: Strategy for Using Groups in a Single Domain
- What Is Group Nesting?
- Group Strategies
- Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
- Practice: Nesting Groups and Creating Universal Groups
- Modifying the Scope or Type of a Group?
- Why Assign a Manager to a Group?
- Practice: Changing the Scope and Assigning a Manager to a Group
18
Multimedia: Strategy for Using Groups in a Single Domain
This presentation explains the A G DL P strategy for using groups.
19
What Is Group Nesting?
- Group nesting means adding a group as a member of another group
- Nest groups to consolidate group management
- Nesting options depend on the domain functional level
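The dependence of nesting on functional level can be checked mechanically. The following is an added example, not part of the original course material: it encodes the "Membership can include" rules from the global, universal and domain local slides and tests a proposed nesting chain against them. It assumes every other domain is a trusted domain in the same forest, models only the mixed and native levels, and uses constructed domain and cross-domain group names.

```python
# Added example: the scope slides' "Membership can include" rules as a lookup table.
MIXED, NATIVE = "mixed", "native"

# (group scope, functional level) -> {member kind: True if the member must be
# in the same domain as the group}. A missing key means "not allowed".
RULES = {
    ("global", MIXED): {"account": True},
    ("global", NATIVE): {"account": True, "global": True},
    # Universal groups do not exist at mixed level, so there is no MIXED entry.
    ("universal", NATIVE): {"account": False, "global": False, "universal": False},
    ("domain_local", MIXED): {"account": False, "global": False},
    ("domain_local", NATIVE): {"account": False, "global": False,
                               "universal": False, "domain_local": True},
}


def can_nest(member_kind, member_domain, group_scope, group_domain, level):
    """Return True if the member may be added to the group at this level."""
    allowed = RULES.get((group_scope, level), {})
    if member_kind not in allowed:
        return False
    same_domain_only = allowed[member_kind]
    return member_domain == group_domain or not same_domain_only


def check_chain(chain, level):
    """chain lists (name, kind, domain) from the account outward.
    Returns the (member, group) links the rules reject."""
    rejected = []
    for (m_name, m_kind, m_dom), (g_name, g_scope, g_dom) in zip(chain, chain[1:]):
        if not can_nest(m_kind, m_dom, g_scope, g_dom, level):
            rejected.append((m_name, g_name))
    return rejected


# Constructed sample data. Domain names are assumptions.
SINGLE_DOMAIN = [("Tom", "account", "contoso"),
                 ("G Denver Admins", "global", "contoso"),
                 ("DL OU Admins", "domain_local", "contoso")]
CROSS_DOMAIN = [("asia-it-manager", "account", "asia"),
                ("G Asia IT Managers", "global", "asia"),
                ("U IT Managers", "universal", "contoso"),
                ("DL IT_Admin Tools", "domain_local", "contoso")]

if __name__ == "__main__":
    for label, chain in (("single", SINGLE_DOMAIN), ("cross", CROSS_DOMAIN)):
        for level in (MIXED, NATIVE):
            print(label, level, check_chain(chain, level) or "ok")
```

The single-domain chain passes at both levels, while the chain that goes through a universal group is rejected at mixed level at both the global-to-universal and universal-to-domain-local links.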
20
Group Strategies
Legend: A = user accounts, G = global groups, U = universal groups, DL = domain local groups, L = local groups, P = permissions
Group strategies:
- A G P
- A DL P
- A G DL P
- A G U DL P
- A G L P
21
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Northwind Traders has a single domain that is located in Paris, France. Northwind Traders managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
- Place all of the managers in a global group
- Create a domain local group for Inventory database access
- Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database

Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration?
- Make sure that your network is running in native functional level.
- Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
- Place the Accounting Division global group into the domain local group so that users can access the accounting data.
- Create a domain local group called Accounting Data.
- Grant this group appropriate permission for the accounting data resources file.

Examples 1 and 2: Contoso, Ltd., has a single domain that is located in Paris, France. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?

Example 3: Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain.
22
Practice: Nesting Groups and Creating Universal Groups
In this practice, you will:
- Create the Contoso Managers global group
- Nest the departmental Managers global groups into G Contoso Managers
- Create an Enterprise Managers universal group
- Examine the Members and Member Of properties
23
Modifying the Scope or Type of a Group?
Changing group scope
- Global to universal
- Domain local to universal
- Universal to global
- Universal to domain local
Changing group type
- Security to distribution
- Distribution to security
24
Why Assign a Manager to a Group?
Enables you to:
- Track who is responsible for groups
- Delegate to the manager of the group the authority to add and remove users
- Distribute the administrative responsibility to the people who request the group
25
Practice: Changing the Scope and Assigning a Manager to a Group
In this practice, you will:
- Create a global group and change the scope to universal
- Assign a manager to the group
- Test the group manager properties
26
Lesson: Using Default Groups
- Default Groups on Member Servers
- Default Groups in Active Directory
- When to Use Default Groups
- Security Considerations for Default Groups
- System Groups
- Class Discussion: Using Default Groups vs. Creating New Groups
- Best Practices for Managing Groups
27
Default Groups on Member Servers
28
Default Groups in Active Directory
29
When to Use Default Groups
Default groups are:
- Created during the installation of the operating system or when services are added
- Automatically assigned a set of user rights
Use default groups to:
- Control access to shared resources
- Delegate specific domain-wide administration
30
Security Considerations for Default Groups
- Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group
- As a security best practice, members of default groups should use Run as
31
System Groups
- System groups represent different users at different times
- You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
- Group scopes do not apply to system groups
- Users are automatically assigned to system groups whenever they log on or access a particular resource
32
Class Discussion: Using Default Groups vs. Creating New Groups
Contoso, Ltd., has over 100 servers across the world.
You must determine:
- The current tasks that administrators must perform and what minimum level of access users need to perform specific tasks
- Whether you can use default groups or must create groups and assign specific user rights or permissions to the groups
33
Best Practices for Managing Groups
- Create groups based on administrative needs
- Add user accounts to the group that is most restrictive
- Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions
- Limit the number of users in the Administrators group
- Use the default group when possible instead of creating a new group
34
Lab: Creating and Managing Groups
In this lab, you will:
- Create global and domain local groups
- Manage group membership
- Manage default groups