Managing Groups
Lab 4
Mar. 2010
Prepared By: Eng. Ola M. Abd El-Latif
Islamic University of Gaza
College of Engineering
Computer Department
Computer Networks Lab
Objectives
• Learn about groups and where to create them.
• Explain the purpose of groups, group types, and group scopes.
• Identify the domain functional levels.
• Apply strategies for using groups.
Introduction:
A group is a collection of user accounts. Groups are used to efficiently manage access to
domain resources, which helps simplify network maintenance and administration.
Groups are used to organize user accounts, computer accounts, and other group accounts
into manageable units.
Groups can be used separately, or you can place one group within another to further simplify
administration.
Domain Functional Levels
The characteristics of groups in Active Directory depend on the domain functional level.
Domain functionality enables features that will affect the entire domain and that domain
only.
The domain functional levels can be either mixed or native.
Any domain controller is in mixed mode by default, and you can raise the domain
functional level from mixed to native.
Group types
Groups are used to organize user accounts, computer accounts, and other group accounts
into manageable units. Working with groups instead of individual users helps simplify
network maintenance and administration. There are the following types of groups in
Active Directory:
Security groups
Security groups are used to assign user rights and permissions to groups of users and
computers. Rights determine what members of a security group can do in a domain or
forest, and permissions determine what resources a member of a group can access on the
network. Security groups can also be used to send e-mail messages to multiple users:
sending an e-mail message to the group sends the message to all members of the group.
Therefore, security groups have the capabilities of distribution groups.
Distribution groups
Distribution groups are used with e-mail applications, such as Microsoft® Exchange, to
send e-mail messages to collections of users. The primary purpose of this type of group is to
gather related objects, not to grant permissions.
Distribution groups are not security-enabled, meaning that they cannot be used to assign
permissions. If you need a group for controlling access to shared resources, create a security
group.
Even though security groups have all the capabilities of distribution groups, distribution
groups are still required, because some applications can use only distribution groups.
Group scope
The group scope determines whether the group spans multiple domains or is limited to a
single domain. Group scopes enable you to use groups to grant permissions. The group
scope determines:
• The domains from which you can add members to the group.
• The domains in which you can use the group to grant permissions.
• The domains in which you can nest the group within other groups.
The group scope determines who the members of the group are. Membership rules govern
the members that a group can contain and the groups of which a group can be a member.
Because group members consist of user accounts and other groups, it is important to
understand the characteristics of each group scope in order to assign the correct members
to groups and to use nesting. There are the following group scopes:
• Global
• Domain local
• Universal

Membership rules by domain functional level:

Scope          In Mixed                                   In Native
-------------  -----------------------------------------  ------------------------------------------
Domain Local   Can contain user & computer accounts and   In addition: universal groups from any
               global groups from any domain              domain, and domain local groups from the
                                                          same domain
Global         Can contain user & computer accounts       In addition: global groups from the
               from the same domain                       same domain
Universal      Not available                              Can contain user & computer accounts,
                                                          global groups and universal groups from
                                                          any domain
Creating Groups
To create a group in an Active Directory domain:
• Creating a group using Active Directory Users and Computers
1. In Active Directory Users and Computers, in the console tree, right-click the folder
to which you want to add the group, point to New, and then click Group.
2. In the New Object - Group dialog box, in the Group name box, type the name of the
new group.
3. Under Group scope, click the group scope for the new group.
4. Under Group type, click the group type for the new group.
• Creating a group using the command line
Another way to create a group is to use the dsadd command.
Ex:
dsadd group "cn=G Marketing Funds,ou=Marketing,dc=NetworkLab,dc=com" -samid GMarketingFund -secgrp yes
Note:
• -secgrp yes: creates the group as a security group (-secgrp no creates a distribution group).
• For the complete syntax of the dsadd group command, at a command prompt, type
dsadd group /?.
Managing Group Membership
Determining Group Membership
Adding and Removing Members from a Group
Group Nesting
Using nesting, you can add a group as a member of another group. You can nest groups to
consolidate group management. Nesting increases the member accounts that are affected by
a single action and reduces replication traffic caused by the replication of changes in group
membership.
Nesting options:
Your nesting options depend on whether the domain functional level of your Windows
Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed. In domains
where the domain functional level is set to Windows 2000 native, group membership is
determined as follows:
• Universal groups can have as their members: user accounts, computer accounts,
universal groups, and global groups from any domain.
• Global groups can have as their members: user accounts from the same domain
and global groups from the same domain.
• Domain local groups can have as their members: user accounts, universal groups,
and global groups, all from any domain. They can also have as members domain
local groups from within the same domain.
Group Strategies
To use groups effectively, you need strategies for applying the different group scopes. The
strategy you choose depends on the Windows network environment of your organization.
In a single domain, the common practice is to use global and domain local groups to grant
permissions for network resources. In a network with multiple domains, you can incorporate
global and universal groups into your strategy.
The following are the types of group strategies:
A DL P
With A DL P, you place user accounts (A) in domain local groups (DL), and you grant
permissions (P) to the domain local groups.
A G P
With A G P, you place user accounts (A) in global groups (G), and you grant permissions
(P) to the global groups. The limitation of this strategy is that it complicates
administration when you use multiple domains. If global groups from multiple domains
require the same permissions, you must grant permissions to each global group
individually.
When to use the A G P strategy?
Use A G P for forests with one domain and very few users and to which you will
never add other domains.
A G P has the following advantages:
• Groups are not nested and therefore troubleshooting may be easier.
• Accounts belong to a single group scope.
A G DL P
With A G DL P, you place user accounts (A) in global groups (G), place the global
groups in domain local groups (DL), and then grant permissions (P) to the domain local
groups. This strategy creates flexibility for network growth and reduces the number of
times you must set permissions.
When to use the A G DL P strategy?
Use A G DL P for a forest consisting of one or more domains and to which you
might have to add future domains.
A G DL P has the following advantages:
• Domains are flexible.
• Resource owners require less access to Active Directory to flexibly secure their
resources.
A G DL P has the following disadvantage:
• A tiered management structure is more complex to set up initially, but easier to
manage over time.
A G U DL P
With A G U DL P, you place user accounts (A) in global groups (G), place the global
groups in universal groups (U), place the universal groups in domain local groups (DL),
and then grant permissions (P) to the domain local groups.
A G G DL P
With A G G DL P, you place user accounts (A) in global groups (G), place the global
groups in another global group (G), place that global group in domain local groups (DL),
and then grant permissions (P) to the domain local groups.
A G L P
Use the A G L P strategy to place user accounts in a global group and grant permissions
to the local group. One limitation of this strategy is that you cannot grant permissions for
resources outside the local computer. Therefore, place user accounts in a global group,
add the global group to the local group, and then grant permissions to the local group.
With this strategy, you can use the same global group on multiple local computers.
Using Groups in a Single-Domain or Multiple-Domain Environment
Example 1
Contoso, Ltd., has a single domain that is located in Paris, France.
Contoso managers need access to the Inventory database to perform their jobs.
What do you do to ensure that the managers have access to the Inventory database?
Sol:
Place all of the managers in a global group.
Create a domain local group for Inventory database access.
Make the global group a member of the domain local group.
Grant permissions to the domain local group for accessing the Inventory database.
Example 2
Contoso, Ltd., has determined that all Accounting division personnel must have full access to
the accounting data. Also, Contoso, Ltd., executives must be able to view the data.
Contoso, Ltd., wants to create the group structure for the entire Accounting division, which
includes the Accounts Payable and Accounts Receivable departments.
What do you do to ensure that the managers have the required access and that there is
a minimum of administration?
Sol:
Create four global groups. One group, named Accounting Division, will represent all the accountants in the
division.
Name the other two groups Accounts Payable and Accounts Receivable to represent
the organizational structure of the Accounting division.
Nest the Accounts Receivable and Accounts Payable groups in the Accounting
Division global group.
Place the Accounting Division global group into the domain local group that has
permission to access the accounting data.
Create a fourth global group for the Contoso, Ltd., Executives, named Contoso
Execs.
Create two domain local groups: one named Accounting Data Full Control and the other
named Accounting Data Read.
Place the Accounting Division global group into the Accounting Data Full Control
domain local group, and place the Contoso Execs global group into the Accounting Data
Read domain local group.
Grant the appropriate permissions to the domain local groups.
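The group structure from Example 2 (the A G DL P strategy, with departmental global groups nested in a division-wide global group) as a PowerShell script; this is an added example, not part of the lab handout, and it uses the ActiveDirectory module cmdlets in place of the dsadd command shown under Creating Groups. The OU path, the folder path D:\AccountingData and the NetBIOS domain name NETWORKLAB are assumptions.

```powershell
# Added example (not from the lab handout): Example 2 built with the ActiveDirectory
# PowerShell module. Assumptions: the OU below exists, the accounting data lives in
# D:\AccountingData on this file server, the domain NetBIOS name is NETWORKLAB, and
# the script runs with domain admin rights.
Import-Module ActiveDirectory

$ou    = "OU=Accounting,DC=NetworkLab,DC=com"   # assumed OU for the new groups
$share = "D:\AccountingData"                    # assumed folder holding the data
$nb    = "NETWORKLAB"                           # assumed domain NetBIOS name

# SamAccountName = display name without spaces; Add-ADGroupMember takes the SamAccountName
function Sam($name) { return $name -replace ' ', '' }

# A -> G: global groups mirror the organisation; user accounts go into these
foreach ($g in "Accounting Division", "Accounts Payable", "Accounts Receivable", "Contoso Execs") {
    New-ADGroup -Name $g -SamAccountName (Sam $g) -GroupCategory Security -GroupScope Global -Path $ou
}
# G in G: the departmental groups are nested in the division-wide group
Add-ADGroupMember -Identity (Sam "Accounting Division") -Members (Sam "Accounts Payable"), (Sam "Accounts Receivable")

# DL: one domain local group per level of access to the resource
foreach ($g in "Accounting Data Full Control", "Accounting Data Read") {
    New-ADGroup -Name $g -SamAccountName (Sam $g) -GroupCategory Security -GroupScope DomainLocal -Path $ou
}
# G in DL: map the organisational groups to the access levels
Add-ADGroupMember -Identity (Sam "Accounting Data Full Control") -Members (Sam "Accounting Division")
Add-ADGroupMember -Identity (Sam "Accounting Data Read")         -Members (Sam "Contoso Execs")

# P: NTFS permissions are granted only to the domain local groups, never to users or global groups
$acl = Get-Acl -Path $share
foreach ($entry in @(
        @{ Group = "Accounting Data Full Control"; Rights = "FullControl" },
        @{ Group = "Accounting Data Read";         Rights = "ReadAndExecute" })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$nb\$(Sam $entry.Group)", $entry.Rights, "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $share -AclObject $acl
```

Adding an accountant later means one Add-ADGroupMember call against the Accounts Payable or Accounts Receivable global group; the ACL on the folder never changes.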
Example 3
Contoso, Ltd., has expanded to include operations in South America and Asia and now has
three domains, the Contoso.msft domain, the Asia.contoso.msft domain, and the
SA.contoso.msft domain. You need to grant access to all IT managers from all domains to the
IT_Admin tools shared folder in the Contoso domain. You will also need to grant those users
access to other resources in the future.
How can you achieve the desired result with the least amount of administrative effort?
Sol:
Make sure that your network is running in native functional level. If not, you first
must raise the domain to Windows 2000 native functional level or higher.
Create a global group named IT Managers in each of the three domains, and place the
user accounts of the appropriate users into it.
Create a universal group in Contoso named Enterprise IT Managers, and place the
three global IT Managers groups into it.
Place the universal group into the domain local group in Contoso that has the
appropriate permissions to the Admin_tools shared folder.
Now that the universal group exists, it can easily be used in the future to grant access
to all IT Managers to any resource in any domain.
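The multi-domain solution of Example 3 as a PowerShell script, added here and not part of the lab handout; it first checks that the hosting domain is not in mixed mode, where universal security groups are unavailable. The OU named Groups in each domain, the ActiveDirectory module, and an existing domain local group ITAdminToolsAccess that already holds the share permissions are assumptions.

```powershell
# Added example (not from the lab handout): Example 3 with the ActiveDirectory module.
# Assumptions: the three domains below are reachable, each has an OU named Groups,
# and a domain local group ITAdminToolsAccess in contoso.msft already carries the
# permissions on the IT_Admin tools share. Run with rights in all three domains.
Import-Module ActiveDirectory

$root    = "contoso.msft"
$domains = "contoso.msft", "asia.contoso.msft", "sa.contoso.msft"

# Universal security groups are not available in Windows 2000 mixed mode, so
# check the functional level of the domain that will host the universal group
$ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $root)
$mode = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainMode
if ($mode -eq "Windows2000MixedDomain") {
    throw "$root is in mixed mode; raise it to Windows 2000 native or higher first."
}

function GroupsOU($domain) {
    return "OU=Groups," + (Get-ADDomain -Server $domain).DistinguishedName
}

# A -> G: one global group per domain, created on a DC of that domain;
# the IT manager accounts of each domain are added to their own domain's group
$globalGroups = foreach ($d in $domains) {
    New-ADGroup -Server $d -Name "IT Managers" -SamAccountName "ITManagers" `
        -GroupCategory Security -GroupScope Global -Path (GroupsOU $d) -PassThru
}

# G -> U: a single universal group in the root domain collects all three global groups
$uni = New-ADGroup -Server $root -Name "Enterprise IT Managers" -SamAccountName "EnterpriseITManagers" `
    -GroupCategory Security -GroupScope Universal -Path (GroupsOU $root) -PassThru
Add-ADGroupMember -Server $root -Identity $uni -Members $globalGroups

# U -> DL: put the universal group in the domain local group that holds the permissions;
# a future resource in any domain only needs this universal group added to its DL group
Add-ADGroupMember -Server $root -Identity "ITAdminToolsAccess" -Members $uni
```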
Default Groups
Default Groups on Member Servers
The Groups folder is located on a member server in the Local Users and Groups console,
which displays all built-in default local groups and any local groups you create. The default
local groups are created automatically when you install Windows Server 2003. The local
groups can contain local user accounts, domain user accounts, computer accounts, and
global groups.
Default Groups in Active Directory
When to Use Default Groups?
Default groups are:
• Created during the installation of the operating system or when services are added.
• Automatically assigned a set of user rights.
Use default groups to:
• Control access to shared resources.
• Delegate specific domain-wide administration.
Default Groups Examples
1. Administrators:
Members have full control of the server and can assign user rights and access control
permissions to users as necessary.
The Administrator account is a default member and has full control of the server.
When joined to a domain, the Domain Admins group is automatically added to this
group.
2. Server Operators
Members can log on interactively, create and delete shared resources, start and stop
some services, backup and restore files, format the hard disk, and shut down the
computer.
This group has no default members.
3. Everyone
The Everyone system group represents all current network users, including guests and
users from other domains.
Whenever a user logs on to the network, the user is automatically added to the Everyone
group.
If security is not a concern for a specific group in your domain, you can grant
permissions to the Everyone group.