groups
Module 3: Managing Groups
Overview
Creating Groups
Managing Group Membership
Strategies for Using Groups
Using Default Groups
Lesson: Creating Groups
What Are Groups?
What Are Domain Functional Levels?
What Are Global Groups?
What Are Universal Groups?
What Are Domain Local Groups?
What Are Local Groups?
Guidelines for Creating and Naming Groups
Who Can Create Groups?
Practice: Creating Groups
What Are Groups?
Groups simplify administration by enabling you to assign permissions for resources
Group type: Description
Security: Used to assign user rights and permissions; can be used as an e-mail distribution list
Distribution: Can be used only with e-mail applications; cannot be used to assign permissions
Groups are characterized by scope and type
What Are Domain Functional Levels?
Windows 2000 mixed (default)
Domain controllers supported: Windows NT Server 4.0, Windows 2000, Windows Server 2003
Group scopes supported: Global, domain local
Windows 2000 native
Domain controllers supported: Windows 2000, Windows Server 2003
Group scopes supported: Global, domain local, universal
Windows Server 2003
Domain controllers supported: Windows Server 2003
Group scopes supported: Global, domain local, universal
Windows Server 2003 interim
Domain controllers supported: Windows NT Server 4.0, Windows Server 2003
Group scopes supported: Global, domain local
What Are Global Groups?
Global group rules
Membership can include
Mixed functional level: User and computer accounts from same domain
Native functional level: User and computer accounts and global groups from same domain
Can be a member of
Mixed functional level: Domain local groups
Native functional level: Universal and domain local groups in any trusting domain and global groups in the same domain
Scope: Visible in its own domain and all trusting domains
Permissions: All domains in the forest and trusting domains
What Are Universal Groups?
Universal group rules
Membership can include
Mixed functional level: Not applicable
Native functional level: User accounts, global groups, and universal groups from any domain in the forest
Can be a member of
Mixed functional level: Not applicable
Native functional level: Domain local or universal groups in any domain
Scope: Visible in all domains in the forest and all trusting domains
Permissions: All domains in the forest and all trusting domains
What Are Domain Local Groups?
Domain local group rules
Membership can include
Mixed functional level and Windows Server 2003 interim: User and computer accounts and global groups from any trusted domain
Native functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain
Can be a member of
Mixed functional level and Windows Server 2003 interim: None
Native functional level: Domain local groups in the same domain
Scope: Visible only in its own domain
Permissions: Domain to which the domain local group belongs
What Are Local Groups?
Local group rules
Membership can include
Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains
Can be a member of: Not applicable
Guidelines for Creating and Naming Groups
Create groups in organizational units by using the following naming considerations:
Naming conventions for security groups
• Incorporate the scope in the group name
• Should reflect the group ownership
• Use a descriptor to identify the assigned permissions
Naming conventions for distribution groups
• Use short alias names
• Do not include a user’s alias name in the display name
• Allow a maximum of five co-owners of a single distribution group
Who Can Create Groups?
In the domain:
Account Operators group
Domain Admins group
Enterprise Admins group
Or users with appropriate delegated authority
On the local computer:
Power Users group
Administrators group on the local computer
Or users with appropriate delegated authority
Practice: Creating Groups
In this practice, you will:
Create groups by using Active Directory Users and Computers
Create groups by using the dsadd command-line tool
Lesson: Managing Group Membership
Determining Group Membership
Adding and Removing Members from a Group
Practice: Managing Group Membership
Determining Group Membership
[Diagram: group or team, global group, domain local group]
Teams: Tom, Jo, and Kim; Sam, Scott, and Amy
Denver Admins: Members: Tom, Jo, Kim. Member Of: Denver OU Admins
G Denver Admins (global group): Members: Tom, Jo, Kim. Member Of: DL OU Admins
G Vancouver Admins (global group): Members: Sam, Scott, Amy. Member Of: DL OU Admins
DL OU Admins (domain local group): Members: G Denver Admins, G Vancouver Admins. Member Of: N/A
Tom, Jo, and Kim: Member Of: G Denver Admins
Sam, Scott, and Amy: Member Of: G Vancouver Admins
Adding and Removing Members from a Group
Group membership can be modified by using Active Directory Users and Computers or the dsmod command
Practice: Managing Group Membership
In this practice, you will:
Determine a user’s group membership
Add users to global groups
Add global groups to domain local groups
Lesson: Strategies for Using Groups
Multimedia: Strategy for Using Groups in a Single Domain
What Is Group Nesting?
Group Strategies
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Practice: Nesting Groups and Creating Universal Groups
Modifying the Scope or Type of a Group?
Why Assign a Manager to a Group?
Practice: Changing the Scope and Assigning a Manager to a Group
Multimedia: Strategy for Using Groups in a Single Domain
This presentation explains the A G DL P strategy for using groups
What Is Group Nesting?
Group nesting means adding a group as a member of another group
Nest groups to consolidate group management
Nesting options depend on the domain functional level
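The membership rules from the global, universal and domain local group slides, written as a checker that flags nesting links a given functional level does not allow. This is an added example, not part of the course material: the function names, group names and domain names are constructed, "account" stands for a user account, and Windows Server 2003 interim is assumed to be passed as mixed and Windows Server 2003 as native.

```python
# Added example: nesting rules transcribed from the "Membership can include"
# rows of the group-scope slides. Names and sample data are constructed.
MIXED, NATIVE = "mixed", "native"

def allowed_member(member, member_domain, group, group_domain, level):
    """True if `member` (account/global/universal/domain_local) may join `group`."""
    same_domain = member_domain == group_domain
    native = level == NATIVE
    if group == "global":
        # Accounts from the same domain; same-domain global groups only at native.
        return same_domain and (member == "account" or (native and member == "global"))
    if group == "universal":
        # Universal groups do not exist at mixed level.
        return native and member in ("account", "global", "universal")
    if group == "domain_local":
        if member in ("account", "global"):
            return True                      # from any trusted domain, both levels
        if member == "universal":
            return native
        return member == "domain_local" and native and same_domain
    return False

def violations(links, level):
    """Return 'member -> group' for every link the level does not allow."""
    return [f"{m} -> {g}" for (m, ms, md, g, gs, gd) in links
            if not allowed_member(ms, md, gs, gd, level)]

# Constructed A G U DL P chain across three domains:
# (member name, member scope, member domain, group name, group scope, group domain)
CHAIN = [
    ("IT manager", "account", "asia", "G Asia IT Managers", "global", "asia"),
    ("G Asia IT Managers", "global", "asia", "U IT Managers", "universal", "contoso"),
    ("G Contoso IT Managers", "global", "contoso", "U IT Managers", "universal", "contoso"),
    ("U IT Managers", "universal", "contoso", "DL IT_Admin Tools", "domain_local", "contoso"),
]

if __name__ == "__main__":
    for level in (NATIVE, MIXED):
        print(level, violations(CHAIN, level) or "all links allowed")
```

Run against an export of planned group memberships, a non-empty result means the design depends on a nesting the domain's functional level will reject.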
Group Strategies
A G P: User Accounts (A), Global Groups (G), Permissions (P)
A DL P: User Accounts (A), Domain Local Groups (DL), Permissions (P)
A G DL P: User Accounts (A), Global Groups (G), Domain Local Groups (DL), Permissions (P)
A G U DL P: User Accounts (A), Global Groups (G), Universal Groups (U), Domain Local Groups (DL), Permissions (P)
A G L P: User Accounts (A), Global Groups (G), Local Groups (L), Permissions (P)
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Northwind Traders has a single domain that is located in Paris, France. Northwind Traders managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
Place all of the managers in a global group
Create a domain local group for Inventory database access
Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database
Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration?
Make sure that your network is running in native functional level.
Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
Place the Accounting Division global group into the domain local group so that users can access the accounting data.
Create a domain local group called Accounting Data. Grant this group appropriate permission for the accounting data resources file.
Examples 1 and 2: Contoso, Ltd., has a single domain that is located in Paris, France. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
Example 3: Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain.
Practice: Nesting Groups and Creating Universal Groups
In this practice, you will:
Create the Contoso Managers global group
Nest the departmental Managers global groups into G Contoso Managers
Create an Enterprise Managers universal group
Examine the Members and Member Of properties
Modifying the Scope or Type of a Group?
Changing group scope
Global to universal
Domain local to universal
Universal to global
Universal to domain local
Changing group type
Security to distribution
Distribution to security
Why Assign a Manager to a Group?
Enables you to:
Track who is responsible for groups
Delegate to the manager of the group the authority to add and remove users
Distribute the administrative responsibility to the people who request the group
Practice: Changing the Scope and Assigning a Manager to a Group
In this practice, you will:
Create a global group and change the scope to universal
Assign a manager to the group
Test the group manager properties
Lesson: Using Default Groups
Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups
Security Considerations for Default Groups
System Groups
Class Discussion: Using Default Groups vs. Creating New Groups
Best Practices for Managing Groups
Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups
Default groups are:
Created during the installation of the operating system or when services are added
Automatically assigned a set of user rights
Use default groups to:
Control access to shared resources
Delegate specific domain-wide administration
Security Considerations for Default Groups
Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group
As a security best practice, members of default groups should use Run as
System Groups
System groups represent different users at different times
You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
Group scopes do not apply to system groups
Users are automatically assigned to system groups whenever they log on or access a particular resource
Class Discussion: Using Default Groups vs. Creating New Groups
Contoso, Ltd., has over 100 servers across the world.
You must determine:
The current tasks that administrators must perform and what minimum level of access users need to perform specific tasks
Whether you can use default groups or must create groups and assign specific user rights or permissions to the groups
Best Practices for Managing Groups
Create groups based on administrative needs
Add user accounts to the group that is most restrictive
Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions
Limit the number of users in the Administrators group
Use the default group when possible instead of creating a new group
Lab: Creating and Managing Groups
In this lab, you will:
Create global and domain local groups
Manage group membership
Manage default groups