
Module 3: Managing Groups. Overview Creating Groups Managing Group Membership Strategies for Using...

Date post: 18-Jan-2018
Upload: rolf-marshall
Transcript
Page 1: Module 3: Managing Groups. Overview Creating Groups Managing Group Membership Strategies for Using Groups Using Default Groups.

Module 3: Managing Groups

Overview

• Creating Groups
• Managing Group Membership
• Strategies for Using Groups
• Using Default Groups

Lesson: Creating Groups

• What Are Groups?
• What Are Domain Functional Levels?
• What Are Global Groups?
• What Are Universal Groups?
• What Are Domain Local Groups?
• What Are Local Groups?
• Guidelines for Creating and Naming Groups
• Who Can Create Groups?
• Practice: Creating Groups

What Are Groups?

Groups simplify administration by enabling you to assign permissions for resources

Group type | Description
Security | Used to assign user rights and permissions; can be used as an e-mail distribution list
Distribution | Can be used only with e-mail applications; cannot be used to assign permissions

Groups are characterized by scope and type

What Are Domain Functional Levels?

Domain functional level | Domain controllers supported | Group scopes supported
Windows 2000 mixed (default) | Windows NT Server 4.0, Windows 2000, Windows Server 2003 | Global, domain local
Windows 2000 native | Windows 2000, Windows Server 2003 | Global, domain local, universal
Windows Server 2003 | Windows Server 2003 | Global, domain local, universal
Windows Server 2003 interim | Windows NT Server 4.0, Windows Server 2003 | Global, domain local

What Are Global Groups?

Global group rules

Membership can include:
• Mixed functional level: User and computer accounts from same domain
• Native functional level: User and computer accounts and global groups from same domain

Can be a member of:
• Mixed functional level: Domain local groups
• Native functional level: Universal and domain local groups in any trusting domain and global groups in the same domain

Scope: Visible in its own domain and all trusting domains

Permissions: All domains in the forest and trusting domains

What Are Universal Groups?

Universal group rules

Membership can include:
• Mixed functional level: Not applicable
• Native functional level: User accounts, global groups, and universal groups from any domain in the forest

Can be a member of:
• Mixed functional level: Not applicable
• Native functional level: Domain local or universal groups in any domain

Scope: Visible in all domains in the forest and all trusting domains

Permissions: All domains in the forest and all trusting domains

What Are Domain Local Groups?

Domain local group rules

Membership can include:
• Mixed functional level and Windows Server 2003 interim: User and computer accounts and global groups from any trusted domain
• Native functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain

Can be a member of:
• Mixed functional level and Windows Server 2003 interim: None
• Native functional level: Domain local groups in the same domain

Scope: Visible only in its own domain

Permissions: Domain to which the domain local group belongs

What Are Local Groups?

Local group rules

Membership can include: Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains

Can be a member of: Not applicable

Guidelines for Creating and Naming Groups

Create groups in organizational units by using the following naming considerations:

Naming conventions for security groups
• Incorporate the scope in the group name
• Should reflect the group ownership
• Use a descriptor to identify the assigned permissions

Naming conventions for distribution groups
• Use short alias names
• Do not include a user’s alias name in the display name
• Allow a maximum of five co-owners of a single distribution group

Who Can Create Groups?

In the domain:
• Account Operators group
• Domain Admins group
• Enterprise Admins group
• Or users with appropriate delegated authority

On the local computer:
• Power Users group
• Administrators group on the local computer
• Or users with appropriate delegated authority

Practice: Creating Groups

In this practice, you will:
• Create groups by using Active Directory Users and Computers
• Create groups by using the dsadd command-line tool

Lesson: Managing Group Membership

• Determining Group Membership
• Adding and Removing Members from a Group
• Practice: Managing Group Membership

Determining Group Membership

Diagram columns: Group or Team, Global Group, Domain Local Group

Group | Members | Member Of
Denver Admins | Tom, Jo, Kim | Denver OU Admins
G Denver Admins | Tom, Jo, Kim | DL OU Admins
G Vancouver Admins | Sam, Scott, Amy | DL OU Admins
DL OU Admins | G Denver Admins, G Vancouver Admins | N/A

Group or Team | Member Of
Tom, Jo, and Kim | G Denver Admins
Sam, Scott, and Amy | G Vancouver Admins


Adding and Removing Members from a Group

Group membership can be modified by using Active Directory Users and Computers or the dsmod command

Practice: Managing Group Membership

In this practice, you will:
• Determine a user’s group membership
• Add users to global groups
• Add global groups to domain local groups

Lesson: Strategies for Using Groups

• Multimedia: Strategy for Using Groups in a Single Domain
• What Is Group Nesting?
• Group Strategies
• Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
• Practice: Nesting Groups and Creating Universal Groups
• Modifying the Scope or Type of a Group?
• Why Assign a Manager to a Group?
• Practice: Changing the Scope and Assigning a Manager to a Group


Multimedia: Strategy for Using Groups in a Single Domain

This presentation explains the A G DL P strategy for using groups

What Is Group Nesting?

Group nesting means adding a group as a member of another group

• Nest groups to consolidate group management
• Nesting options depend on the domain functional level

Group Strategies

Diagram key:
• A: User Accounts
• G: Global Groups
• U: Universal Groups
• DL: Domain Local Groups
• L: Local Groups
• P: Permissions

Strategies illustrated:
• A G P: User Accounts, Global Groups, Permissions
• A DL P: User Accounts, Domain Local Groups, Permissions
• A G DL P: User Accounts, Global Groups, Domain Local Groups, Permissions
• A G U DL P: User Accounts, Global Groups, Universal Groups, Domain Local Groups, Permissions
• A G L P: User Accounts, Global Groups, Local Groups, Permissions

Group strategies: A G P, A G DL P, A G U DL P, A G L P

Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Northwind Traders has a single domain that is located in Paris, France. Northwind Traders managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?

• Place all of the managers in a global group
• Create a domain local group for Inventory database access
• Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database
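
The three steps above, written with the dsadd and dsmod tools the course names, plus dsget to review the result. This is an added example, not part of the original slides; the domain, OU, group and user distinguished names are constructed placeholders.

```batch
@echo off
rem Added example (not from the course): A G DL P for the Inventory database scenario.
rem Assumption: every DN below (domain, OUs, user) is a constructed placeholder.
setlocal
set "GROUPS_OU=OU=Groups,DC=example,DC=com"
set "G_MANAGERS=CN=G Managers,%GROUPS_OU%"
set "DL_INVENTORY=CN=DL Inventory Access,%GROUPS_OU%"
set "MANAGER_DN=CN=Kim,OU=Managers,DC=example,DC=com"

rem A -> G: global security group that holds the managers' user accounts.
rem The scope prefix in the name follows the naming guideline for security groups.
dsadd group "%G_MANAGERS%" -secgrp yes -scope g -samid "G Managers" || exit /b 1
dsmod group "%G_MANAGERS%" -addmbr "%MANAGER_DN%" || exit /b 1

rem DL: domain local security group that represents access to the resource.
dsadd group "%DL_INVENTORY%" -secgrp yes -scope l -samid "DL Inventory Access" || exit /b 1

rem G -> DL: nest the global group; no user account is added to the DL group directly.
dsmod group "%DL_INVENTORY%" -addmbr "%G_MANAGERS%" || exit /b 1

rem DL -> P: permissions are granted to "DL Inventory Access" on the Inventory
rem database itself (its access control list); the ds* tools do not do that step.

rem Review 1: direct members of the DL group should be groups only.
dsget group "%DL_INVENTORY%" -members

rem Review 2: expanded membership shows which accounts actually receive access.
dsget group "%DL_INVENTORY%" -members -expand

rem Review 3: per-user view of every group the account belongs to, nesting included.
dsget user "%MANAGER_DN%" -memberof -expand
endlocal
```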

Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration?

• Make sure that your network is running in native functional level.
• Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
• Place the Accounting Division global group into the domain local group so that users can access the accounting data.
• Create a domain local group called Accounting Data.
• Grant this group appropriate permission for the accounting data resources file.

Examples 1 and 2: Contoso, Ltd., has a single domain that is located in Paris, France. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?

Example 3: Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain.

Practice: Nesting Groups and Creating Universal Groups

In this practice, you will:
• Create the Contoso Managers global group
• Nest the departmental Managers global groups into G Contoso Managers
• Create an Enterprise Managers universal group
• Examine the Members and Member Of properties

Modifying the Scope or Type of a Group?

Changing group scope:
• Global to universal
• Domain local to universal
• Universal to global
• Universal to domain local

Changing group type:
• Security to distribution
• Distribution to security

Why Assign a Manager to a Group?

Enables you to:
• Track who is responsible for groups
• Delegate to the manager of the group the authority to add and remove users
• Distribute the administrative responsibility to the people who request the group

Practice: Changing the Scope and Assigning a Manager to a Group

In this practice, you will:
• Create a global group and change the scope to universal
• Assign a manager to the group
• Test the group manager properties

Lesson: Using Default Groups

• Default Groups on Member Servers
• Default Groups in Active Directory
• When to Use Default Groups
• Security Considerations for Default Groups
• System Groups
• Class Discussion: Using Default Groups vs. Creating New Groups
• Best Practices for Managing Groups


Default Groups on Member Servers


Default Groups in Active Directory

When to Use Default Groups

Default groups are:
• Created during the installation of the operating system or when services are added
• Automatically assigned a set of user rights

Use default groups to:
• Control access to shared resources
• Delegate specific domain-wide administration

Security Considerations for Default Groups

• Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group
• As a security best practice, members of default groups should use Run as

System Groups

• System groups represent different users at different times
• You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
• Group scopes do not apply to system groups
• Users are automatically assigned to system groups whenever they log on or access a particular resource

Class Discussion: Using Default Groups vs. Creating New Groups

Contoso, Ltd., has over 100 servers across the world.

You must determine:
• The current tasks that administrators must perform and what minimum level of access users need to perform specific tasks
• Whether you can use default groups or must create groups and assign specific user rights or permissions to the groups


Best Practices for Managing Groups

Create groups based on administrative needs

Add user accounts to the group that is most restrictive

Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions

Limit the number of users in the Administrators group

Use the default group when possible instead of creating a new group

Lab: Creating and Managing Groups

In this lab, you will:
• Create global and domain local groups
• Manage group membership
• Manage default groups

