Administering Groups Chapter Eight
Exam Objectives In this Chapter: Plan a security group hierarchy based upon
delegation requirements Plan a security group strategy
In this Chapter: Understanding Groups Creating and Administering Groups Administration Strategies
To Complete this Chapter: Prepare your test environment according to the descriptions given in the
"Getting Started" section of "About This Book" Complete the practices for installing and configuring Active Directory as
discussed in Chapter 2, "Installing and Configuring Active Directory" Learn to use Active Directory administration tools as discussed in
Chapter 3, "Administering Active Directory" Complete the practices for configuring sites and replication as discussed
in Chapter 5, "Configuring Sites and Managing Replication" Complete the practices for implementing an organizational unit (OU)
structure as discussed in Chapter 6, "Implementing an OU Structure" Complete the practices for creating and maintaining user accounts as
discussed in Chapter 7, "Administering User Accounts"
Groups A group is a collection of user accounts. Groups simplify administration by allowing
you to assign permissions and rights to a group of users rather than having to assign permissions and rights to each individual user account
Groups and Permissions
Group Types Security Groups
Use to assign permissions to gain access to resources. Only security groups have a SID and can appear in an access control list.
Distribution Groups Use distribution groups when the only function of
the group is nonsecurity related, for example an e-mail distribution list. A distribution group cannot be used to grant permissions.
Group Scopes
Group Scopes Global Groups
Global security groups are most often used to organize users who share similar network access requirements.
Limited membership. Only from the domain in which you create the global
group. Access to resources in any domain.
Assign permissions to gain access to resources that are located in any domain in the tree or forest.
Domain Local Groups Domain local security groups are most often
used to assign permissions to resources. Open membership.
Members from any domain.
Access to resources in one domain. Permissions to gain access to resources that are located
only in the same domain where you create the domain local group
Universal Groups Universal security groups are most often used to
assign permissions to related resources in multiple domains. Open membership.
Members from any domain in the forest. Access to resources in any domain.
Assign permissions to gain access to resources that are located in any domain in the forest.
Universal security groups are only available in native mode. They are not available in domains with the domain functional level set to
Windows 2000 mixed (universal distribution groups are available at any functional level).
Group Nesting Adding groups to other groups, or nesting,
creates a consolidated group and can reduce network traffic between domains and simplify administration in a domain tree. Minimize levels of nesting. Document group membership to keep track of
permissions assignments.
Rules for Group Membership The group scope determines the membership
of a group. Membership rules determine the members that
a group can contain. Group members can be user accounts and
other groups.
Local Groups A local group is a collection of user accounts
on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Guidelines on page 8-8
CAUTION Because Active Directory groups with a
“domain local” scope are sometimes referred to as “local groups,” it is important to distinguish between a local group and a group with a domain local scope.
Possible limitations Placing user accounts in domain local groups
and assigning permissions to the domain local groups does not let you assign permissions to resources outside the domain, because a domain local group can only be used in its own domain.
Placing user accounts in global groups and assigning permissions to the global groups complicates administration when you have multiple domains: each global group that needs the same access must be granted permissions separately on each resource.
Using Universal Groups Use universal groups to give users access to
resources that are located in more than one domain.
Use universal groups only when their membership is static.
Add global groups from several domains to a universal group, and then assign permissions for access to a resource to the universal group.
Default Groups Windows Server 2003 has four categories of default
groups: Groups in the Builtin folder, Groups in the Users folder, Special identity groups, and Default local groups.
Groups in the Built-In folder These groups provide users with user rights
and permissions to perform tasks on domain controllers and in Active Directory.
Built-in domain local groups give predefined rights and permissions to user accounts when you add user accounts or global groups as members.
Table 8-2 describes the default groups in the built-in folder
Create a list of groups You can use the net localgroup and net group
commands. For example, you could open a command prompt
and type net localgroup > C:\localgroups.txt to create a list of local groups in a file named C:\localgroups.txt. Add /domain to either command (for example net group /domain) to list groups from the domain instead of the local computer.
As another example of how the net commands work, examine and run the batch file named Grouplistings.bat on the Supplemental CD-ROM in the \70-294\Labs\Chapter08 folder.
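The net commands list group names but flatten nesting, and the nesting guidance above asks you to document group membership. The following is an added example, not code from the study guide or its CD-ROM: it walks a group's member attribute recursively, records the depth and scope of every member, and refuses to loop on circular nesting. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined administrative session; the group name Sales-Resources and the output path are placeholders.

```powershell
# Added example (not from the study guide): recursive group membership report.
# Assumes the ActiveDirectory module; 'Sales-Resources' is a placeholder group.
Import-Module ActiveDirectory

function Get-NestedMembership {
    param(
        [Parameter(Mandatory)] [string]$Group,   # name, DN or SID of the group to expand
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    # A group that nests itself indirectly (A contains B contains A) would
    # otherwise recurse forever, so every expanded DN is remembered.
    if (-not $Seen.Add($g.DistinguishedName)) {
        Write-Warning ("{0}{1} already expanded (circular nesting)" -f ('  ' * $Depth), $g.Name)
        return
    }
    foreach ($dn in $g.member) {
        # Get-ADObject handles users, computers, contacts and foreign security
        # principals alike; only groups are queried again for their scope.
        $m = Get-ADObject -Identity $dn -Properties sAMAccountName
        $memberScope = ''
        if ($m.ObjectClass -eq 'group') {
            $memberScope = (Get-ADGroup -Identity $dn).GroupScope
        }
        [pscustomobject]@{
            Group       = $g.Name
            Scope       = $g.GroupScope
            Depth       = $Depth
            Member      = $m.sAMAccountName
            Class       = $m.ObjectClass
            MemberScope = $memberScope
        }
        if ($m.ObjectClass -eq 'group') {
            Get-NestedMembership -Group $dn -Depth ($Depth + 1) -Seen $Seen
        }
    }
}

# Display on screen, then keep a dated copy next to the net localgroup listing.
Get-NestedMembership -Group 'Sales-Resources' | Format-Table -AutoSize
Get-NestedMembership -Group 'Sales-Resources' |
    Export-Csv -Path "C:\groups-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Members whose Class is foreignSecurityPrincipal are accounts or groups from a trusted domain; they show no sAMAccountName here because the object lives in the other domain, which is exactly the cross-domain membership that domain local and universal groups allow.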
Groups in the User Folder Windows Server 2003 creates default security
groups in the Users folder in the Active Directory Users And Computers console.
The groups in the Users folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain. Table 8-3 describes the default groups in the Users Folder
Special Identity Groups These groups do not have specific memberships that
you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource.
You do not see special identity groups when you administer groups, but they are available for use when you assign rights and permissions to resources. Table 8-4 describes Special Identity Groups
Anonymous Users In Windows Server 2003, the Anonymous Logon
group is no longer a member of the Everyone group. Permissions granted to Everyone therefore no longer apply to anonymous connections, so anonymous users attempting to access
resources hosted on computers running Windows Server 2003 are denied unless Anonymous Logon is granted access explicitly or the security policy Network access: Let Everyone permissions apply to anonymous users is enabled.
Built-In Local Groups
All stand-alone servers, member servers running Windows Server 2003, and computers running Windows XP Professional have built-in local groups. Domain controllers do not: their local groups are replaced by the domain local groups in the Builtin folder.
Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Table 8-5 describes Built-in Local Groups
Exam Tip Be familiar with the groups in each category
Planning a Group Strategy
1. Assign users with common job responsibilities to global groups.
2. Create a domain local group for the resources to be shared.
3. Add the global groups that need access to the resources to the domain local group.
4. Assign resource permissions to the domain local group.
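The four steps above carried out end to end, as an added example rather than code from the study guide: a global group holds the people in a job role, a domain local group is named for the resource and the access level it grants, the global group is nested in it, and only the domain local group appears in the folder's ACL. It assumes the ActiveDirectory PowerShell module on a domain-joined file server; the domain CONTOSO, the OU, the user names and the folder path are placeholders.

```powershell
# Added example (not from the study guide): AGDLP (accounts -> global -> domain local -> permissions).
# Assumes the ActiveDirectory module; CONTOSO, the OU, users and folder are placeholders.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=contoso,DC=com'
$folder = 'D:\Shares\SalesReports'

# 1. Global group for the job role. Membership is limited to this domain, which is
#    fine: these are our own users.
New-ADGroup -Name 'GG-Sales-Analysts' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'Sales analysts (role group)'
Add-ADGroupMember -Identity 'GG-Sales-Analysts' -Members 'jsmith', 'bjones'

# 2. Domain local group named for the resource and the access level it grants, so
#    the ACL stays readable and a second role can be added later without touching it.
New-ADGroup -Name 'DL-SalesReports-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description "Modify on $folder"

# 3. Nest the role group in the resource group. A global group from a trusted
#    domain could be added here in the same way.
Add-ADGroupMember -Identity 'DL-SalesReports-Modify' -Members 'GG-Sales-Analysts'

# 4. Grant NTFS permissions to the domain local group, never to users directly.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CONTOSO\DL-SalesReports-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: every CONTOSO entry in the ACL should be a DL- group, not a user.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like 'CONTOSO\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Group membership is evaluated when the access token is built, so a user added to GG-Sales-Analysts gets the new permission only after logging off and on again; that is the usual explanation when "I added them to the group and it still says access denied".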
Practice: Planning New Group Accounts
Exercise 1 Page 8-17
Creating and Deleting Groups Use the Active Directory Users and Computers
console to create and delete groups. When you create groups, create them in the
Users container or in another container or an organizational unit (OU) that you have created specifically for groups.
Creating a Group In Active Directory Universal security groups are
not available when the domain functional level is Windows 2000 mixed.
Deleting Groups As your organization grows and changes, you
may discover that there are groups that you no longer need.
Be sure that you delete groups when you no longer need them.
Adding Members to a Group Members of groups can include user accounts,
contacts, other groups, and computers. You can add a computer to a group to give one
computer access to a shared resource on another computer—for example, for remote backup.
Adding Members Choose:
Object type
Location
Select Advanced to search
Check Names to verify the correct group name
Changing the Group Scope to Universal Group scopes may be changed to universal
only when the domain functional level is Windows 2000 native or Windows Server 2003. A global group can be converted only if it is not itself a member of another global group, and a domain local group only if it contains no other domain local groups. A group cannot be changed directly from global to domain local or back; convert it to universal first.
Changing the Group Type Group types may be changed only when
the domain functional level is Windows 2000 native or Windows Server 2003.
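The membership rules in Rules for Group Membership and the scope-conversion rules just above are easy to get wrong from memory. The following is an added example, not code from the study guide, that encodes both sets of rules as plain PowerShell functions with no Active Directory dependency, so a planned nesting or conversion can be checked before it is attempted. It assumes a domain functional level of Windows 2000 native or higher (the mixed-mode restrictions are not modelled); the function names are mine.

```powershell
# Added example (not from the study guide): Windows Server 2003 group scope rules.
# Assumes domain functional level Windows 2000 native or higher.

function Test-GroupNesting {
    # Is a member of the given type allowed in a group of the given scope?
    param(
        [ValidateSet('Global', 'DomainLocal', 'Universal')] [string]$ContainerScope,
        [ValidateSet('User', 'Computer', 'Global', 'DomainLocal', 'Universal')] [string]$MemberType,
        [bool]$SameDomain = $true   # member lives in the same domain as the container
    )
    switch ($ContainerScope) {
        'Global' {
            # Limited membership: accounts and global groups from the container's own domain only.
            return ($SameDomain -and ($MemberType -in 'User', 'Computer', 'Global'))
        }
        'DomainLocal' {
            # Accounts, global and universal groups from any domain; domain local
            # groups only from the same domain.
            if ($MemberType -eq 'DomainLocal') { return $SameDomain }
            return $true
        }
        'Universal' {
            # Accounts, global and universal groups from any domain in the forest;
            # a domain local group can never be a member.
            return ($MemberType -ne 'DomainLocal')
        }
    }
}

function Test-ScopeConversion {
    # Can a group be converted from one scope to another, given what it contains
    # and whether it is itself nested in a global group?
    param(
        [ValidateSet('Global', 'DomainLocal', 'Universal')] [string]$From,
        [ValidateSet('Global', 'DomainLocal', 'Universal')] [string]$To,
        [string[]]$MemberGroupScopes = @(),   # scopes of the groups this group contains
        [bool]$MemberOfGlobalGroup = $false   # is this group a member of a global group?
    )
    switch ("$From->$To") {
        'Global->Universal'      { return (-not $MemberOfGlobalGroup) }
        'DomainLocal->Universal' { return ('DomainLocal' -notin $MemberGroupScopes) }
        'Universal->Global'      { return ('Universal' -notin $MemberGroupScopes) }
        'Universal->DomainLocal' { return $true }
        default                  { return $false }   # global <-> domain local is never direct
    }
}

# Constructed checks exercising each rule:
Test-GroupNesting -ContainerScope Global -MemberType Global -SameDomain $false      # cross-domain nesting in a global group
Test-GroupNesting -ContainerScope DomainLocal -MemberType Universal -SameDomain $false  # universal group from another domain
Test-GroupNesting -ContainerScope Universal -MemberType DomainLocal                 # domain local group in a universal group
Test-ScopeConversion -From Global -To Universal -MemberOfGlobalGroup $true          # global group nested in another global group
Test-ScopeConversion -From DomainLocal -To Universal -MemberGroupScopes 'DomainLocal'  # contains a domain local group
Test-ScopeConversion -From Global -To DomainLocal                                   # two-step conversion via universal needed
```

When a conversion is refused, the fix is to move the offending nesting first (remove the global group from its parent, or take the domain local member out), convert, and then rebuild the nesting in a scope that permits it.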
Practice: Creating and Administering Groups
Exercise 1: Creating a Global Group and Adding Members
Exercise 2: Creating a Domain Local Group and Adding Members
Page 8-27
Administration Strategies Running Windows Server 2003 as an administrator
makes the system vulnerable to Trojan horse attacks and other security risks, because any code you run, deliberately or not, runs with your administrative rights.
The simple act of visiting an Internet site can be extremely damaging to the system.
An unfamiliar Internet site might contain Trojan horse code that can be downloaded to the system and executed.
Therefore you should not run your computer as an administrator. Log on with a normal user account and use a separate administrative account only for the tasks that need it.
Using Run As to Start a Program To run a program that requires you to be
logged on as an administrator, you can use the Run As program.
This program allows you to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.
NOTE Run As is usually used to run programs
as an administrator, although it is not limited to administrator accounts. Any user with multiple accounts can use
Run As to run a program, MMC tool, or Control Panel item with alternate credentials.
Two ways to Run As Right-click any
program (or MMC console) and select Run as...
RUNAS Command
runas [{/profile|/noprofile}] [/env] [/netonly] [/savedcred] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program
Switches are defined on page 8-32. RUNAS examples are on page 8-33.
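A few Run As invocations with the caveats a practitioner needs, as an added example that is not part of the study guide (the book's own examples are on page 8-33). The account, computer and domain names are placeholders; the commands work from a command prompt or a PowerShell window, and the last part uses the PowerShell equivalent of the right-click Run as... dialog.

```powershell
# Added example (not from the study guide): Run As usage. Names are placeholders.

# Active Directory Users And Computers with a separate domain admin account.
# runas prompts for the password on the console; nothing is stored.
runas /user:CONTOSO\adm-jsmith "mmc dsa.msc"

# Local administrator of this computer only, with no domain rights at all.
runas /user:SERVER01\Administrator "mmc compmgmt.msc"

# Smart card logon for the administrative account instead of a typed password.
runas /smartcard /user:CONTOSO\adm-jsmith "mmc dsa.msc"

# /netonly: the process keeps the local token of the logged-on user and presents
# the supplied credentials only on network connections. Use it to administer a
# computer in another domain or workgroup; remember that local checks such as
# whoami inside that process still show the ordinary user.
runas /netonly /user:OTHERDOM\adm-jsmith "mmc dsa.msc"

# /savedcred stores the password in the current user's Credential Manager, so any
# code running as that user can later start the tool without a prompt. Avoid it
# on shared or less trusted workstations; shown here commented out on purpose.
# runas /savedcred /user:CONTOSO\adm-jsmith "mmc dsa.msc"

# PowerShell equivalent of right-click Run as...: the password is entered in the
# secure credential dialog and held only in this session's $cred variable.
$cred = Get-Credential -UserName 'CONTOSO\adm-jsmith' -Message 'Credentials for Active Directory Users And Computers'
Start-Process -FilePath 'mmc.exe' -ArgumentList 'dsa.msc' -Credential $cred

# Check which identity a tool actually has: run this inside the window it opened.
# whoami /user /groups
```

The check at the end matters most with /netonly, where the window looks elevated but whoami still reports the normal user; that is expected, and access to remote resources will nonetheless use the alternate account.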
Practice: Using Run As to Start a Program as an
Administrator Exercise: Using Run As to Start a Program as an
Administrator Page 8-33
Summary
Case Scenario Exercise: pages 8-35 to 8-37
Troubleshooting Lab: pages 8-37 to 8-38
Exam Highlights: Key points (p. 8-39), Key terms (p. 8-39)