Date post: 18-Jan-2018
Upload: rolf-marshall
Module 3: Managing Groups
Overview
• Creating Groups
• Managing Group Membership
• Strategies for Using Groups
• Using Default Groups
Lesson: Creating Groups
• What Are Groups?
• What Are Domain Functional Levels?
• What Are Global Groups?
• What Are Universal Groups?
• What Are Domain Local Groups?
• What Are Local Groups?
• Guidelines for Creating and Naming Groups
• Who Can Create Groups?
• Practice: Creating Groups
What Are Groups?
Groups simplify administration by enabling you to assign permissions for resources
Groups are characterized by scope and type
Group type: Security
• Used to assign user rights and permissions
• Can be used as an e-mail distribution list
Group type: Distribution
• Can be used only with e-mail applications
• Cannot be used to assign permissions
What Are Domain Functional Levels?
Windows 2000 mixed (default)
• Domain controllers supported: Windows NT Server 4.0, Windows 2000, Windows Server 2003
• Group scopes supported: Global, domain local
Windows 2000 native
• Domain controllers supported: Windows 2000, Windows Server 2003
• Group scopes supported: Global, domain local, universal
Windows Server 2003
• Domain controllers supported: Windows Server 2003
• Group scopes supported: Global, domain local, universal
Windows Server 2003 interim
• Domain controllers supported: Windows NT Server 4.0, Windows Server 2003
• Group scopes supported: Global, domain local
What Are Global Groups?
Global group rules
Membership can include
• Mixed functional level: User and computer accounts from same domain
• Native functional level: User and computer accounts and global groups from same domain
Can be a member of
• Mixed functional level: Domain local groups
• Native functional level: Universal and domain local groups in any trusting domain and global groups in the same domain
Scope: Visible in its own domain and all trusting domains
Permissions: All domains in the forest and trusting domains
What Are Universal Groups?
Universal group rules
Membership can include
• Mixed functional level: Not applicable
• Native functional level: User accounts, global groups, and universal groups from any domain in the forest
Can be a member of
• Mixed functional level: Not applicable
• Native functional level: Domain local or universal groups in any domain
Scope: Visible in all domains in the forest and all trusting domains
Permissions: All domains in the forest and all trusting domains
What Are Domain Local Groups?
Domain local group rules
Membership can include
• Mixed functional level and Windows Server 2003 interim: User and computer accounts and global groups from any trusted domain
• Native functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain
Can be a member of
• Mixed functional level and Windows Server 2003 interim: None
• Native functional level: Domain local groups in the same domain
Scope: Visible only in its own domain
Permissions: Domain to which the domain local group belongs
What Are Local Groups?
Local group rules
Membership can include
• Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains
Can be a member of
• Not applicable
Guidelines for Creating and Naming Groups
Create groups in organizational units by using the following naming considerations:
Naming conventions for security groups
• Incorporate the scope in the group name
• Should reflect the group ownership
• Use a descriptor to identify the assigned permissions
Naming conventions for distribution groups
• Use short alias names
• Do not include a user’s alias name in the display name
• Allow a maximum of five co-owners of a single distribution group
Who Can Create Groups?
In the domain:
• Account Operators group
• Domain Admins group
• Enterprise Admins group
• Or users with appropriate delegated authority
On the local computer:
• Power Users group
• Administrators group on the local computer
• Or users with appropriate delegated authority
Practice: Creating Groups
In this practice, you will:
• Create groups by using Active Directory Users and Computers
• Create groups by using the dsadd command-line tool
Lesson: Managing Group Membership
• Determining Group Membership
• Adding and Removing Members from a Group
• Practice: Managing Group Membership
Determining Group Membership
G Denver Admins (global group)
• Members: Tom, Jo, Kim
• Member of: DL OU Admins
G Vancouver Admins (global group)
• Members: Sam, Scott, Amy
• Member of: DL OU Admins
DL OU Admins (domain local group)
• Members: G Denver Admins, G Vancouver Admins
• Member of: N/A
User accounts
• Tom, Jo, and Kim: member of G Denver Admins
• Sam, Scott, and Amy: member of G Vancouver Admins
Adding and Removing Members from a Group
Group membership can be modified by using Active Directory Users and Computers or the dsmod command
Practice: Managing Group Membership
In this practice, you will:
• Determine a user’s group membership
• Add users to global groups
• Add global groups to domain local groups
Lesson: Strategies for Using Groups
• Multimedia: Strategy for Using Groups in a Single Domain
• What Is Group Nesting?
• Group Strategies
• Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
• Practice: Nesting Groups and Creating Universal Groups
• Modifying the Scope or Type of a Group
• Why Assign a Manager to a Group?
• Practice: Changing the Scope and Assigning a Manager to a Group
Multimedia: Strategy for Using Groups in a Single Domain
This presentation explains the A G DL P strategy for using groups
What Is Group Nesting?
Group nesting means adding a group as a member of another group
• Nest groups to consolidate group management
• Nesting options depend on the domain functional level
Group Strategies
Group strategies:
• A G P: User Accounts, Global Groups, Permissions
• A DL P: User Accounts, Domain Local Groups, Permissions
• A G DL P: User Accounts, Global Groups, Domain Local Groups, Permissions
• A G U DL P: User Accounts, Global Groups, Universal Groups, Domain Local Groups, Permissions
• A G L P: User Accounts, Global Groups, Local Groups, Permissions
Key:
• A: User Accounts
• G: Global Groups
• U: Universal Groups
• DL: Domain Local Groups
• L: Local Groups
• P: Permissions
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Northwind Traders has a single domain that is located in Paris, France. Northwind Traders managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
• Place all of the managers in a global group
• Create a domain local group for Inventory database access
• Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database
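The A G DL P steps for the Inventory database, written out with the dsadd and dsmod tools this module names, as an added example that is not part of the original course material. The domain DN (DC=nwtraders,DC=msft), the NetBIOS name NWTRADERS, the OU names, the two manager accounts, the group names and the D:\Inventory folder are assumptions constructed for illustration; the manager accounts are assumed to exist already.

```batch
@echo off
rem Added example: A G DL P for the Inventory database scenario.
rem Every DN, account name and path below is constructed for illustration.
setlocal
set "DOMAIN=DC=nwtraders,DC=msft"
set "G_DN=CN=G NWTraders Managers,OU=Groups,%DOMAIN%"
set "DL_DN=CN=DL Inventory Modify,OU=Groups,%DOMAIN%"
set "MGR1=CN=Manager One,OU=Managers,%DOMAIN%"
set "MGR2=CN=Manager Two,OU=Managers,%DOMAIN%"

rem G: global security group; the name carries scope, owner and purpose.
dsadd group "%G_DN%" -secgrp yes -scope g -samid "G NWTraders Managers" -desc "All Northwind Traders managers"

rem A into G: existing manager accounts become members of the global group.
dsmod group "%G_DN%" -addmbr "%MGR1%" "%MGR2%"

rem DL: domain local security group named after the resource and the access.
dsadd group "%DL_DN%" -secgrp yes -scope l -samid "DL Inventory Modify" -desc "Modify access to the Inventory database"

rem G into DL: nest the global group; no user account is added to the DL group.
dsmod group "%DL_DN%" -addmbr "%G_DN%"

rem P: grant the permission to the DL group only (assumes the database is
rem file-based under D:\Inventory and icacls is available on the server).
icacls "D:\Inventory" /grant "NWTRADERS\DL Inventory Modify:(OI)(CI)M"

rem Check 1: the DL group should list groups only, never individual accounts.
dsget group "%DL_DN%" -members

rem Check 2: a manager reaches the DL group through nesting alone.
dsget user "%MGR1%" -memberof -expand | findstr /i /c:"CN=DL Inventory Modify," >nul
if errorlevel 1 (echo FAIL: nesting not effective & exit /b 1)
echo OK: Manager One reaches DL Inventory Modify through G NWTraders Managers
endlocal
```

Because the resource ACL names only the domain local group, revoking a manager's access is a single membership change on the global group and the ACL itself never needs editing.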
Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration?
• Make sure that your network is running in native functional level.
• Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
• Place the Accounting Division global group into the domain local group so that users can access the accounting data.
• Create a domain local group called Accounting Data. Grant this group appropriate permission for the accounting data resources file.
Examples 1 and 2
Contoso, Ltd., has a single domain that is located in Paris, France. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
Example 3
Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain.
Practice: Nesting Groups and Creating Universal Groups
In this practice, you will:
• Create the Contoso Managers global group
• Nest the departmental Managers global groups into G Contoso Managers
• Create an Enterprise Managers universal group
• Examine the Members and Member Of properties
Modifying the Scope or Type of a Group
Changing group scope
• Global to universal
• Domain local to universal
• Universal to global
• Universal to domain local
Changing group type
• Security to distribution
• Distribution to security
Why Assign a Manager to a Group?
Enables you to:
• Track who is responsible for groups
• Delegate to the manager of the group the authority to add and remove users
• Distribute the administrative responsibility to the people who request the group
Practice: Changing the Scope and Assigning a Manager to a Group
In this practice, you will:
• Create a global group and change the scope to universal
• Assign a manager to the group
• Test the group manager properties
Lesson: Using Default Groups
• Default Groups on Member Servers
• Default Groups in Active Directory
• When to Use Default Groups
• Security Considerations for Default Groups
• System Groups
• Class Discussion: Using Default Groups vs. Creating New Groups
• Best Practices for Managing Groups
Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups
Default groups are:
• Created during the installation of the operating system or when services are added
• Automatically assigned a set of user rights
Use default groups to:
• Control access to shared resources
• Delegate specific domain-wide administration
Security Considerations for Default Groups
• Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group
• As a security best practice, members of default groups should use Run as
System Groups
• System groups represent different users at different times
• You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
• Group scopes do not apply to system groups
• Users are automatically assigned to system groups whenever they log on or access a particular resource
Class Discussion: Using Default Groups vs. Creating New Groups
Contoso, Ltd., has over 100 servers across the world.
You must determine:
• The current tasks that administrators must perform and what minimum level of access users need to perform specific tasks
• Whether you can use default groups or must create groups and assign specific user rights or permissions to the groups
Best Practices for Managing Groups
Create groups based on administrative needs
Add user accounts to the group that is most restrictive
Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions
Limit the number of users in the Administrators group
Use the default group when possible instead of creating a new group
Lab: Creating and Managing Groups
In this lab, you will:
• Create global and domain local groups
• Manage group membership
• Manage default groups