Administering Groups Chapter Eight

Administering Groups Chapter Eight. Exam Objectives In this Chapter: Plan a security group hierarchy based upon delegation requirements Plan a security

Exam Objectives In this Chapter:

Plan a security group hierarchy based upon delegation requirements
Plan a security group strategy

In this Chapter:

Understanding Groups
Creating and Administering Groups
Administration Strategies

To Complete this Chapter:

Prepare your test environment according to the descriptions given in the "Getting Started" section of "About This Book"
Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, "Installing and Configuring Active Directory"
Learn to use Active Directory administration tools as discussed in Chapter 3, "Administering Active Directory"
Complete the practices for configuring sites and replication as discussed in Chapter 5, "Configuring Sites and Managing Replication"
Complete the practices for implementing an organizational unit (OU) structure as discussed in Chapter 6, "Implementing an OU Structure"
Complete the practices for creating and maintaining user accounts as discussed in Chapter 7, "Administering User Accounts"

Groups

A group is a collection of user accounts.
Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions and rights to each individual user account.

Groups and Permissions

Group Types

Security Groups
  Use to assign permissions to gain access to resources.
Distribution Groups
  Use distribution groups when the only function of the group is nonsecurity related.

Group Scopes

Group Scopes

Global Groups
  Global security groups are most often used to organize users who share similar network access requirements.
  Limited membership.
    Only from the domain in which you create the global group.
  Access to resources in any domain.
    Assign permissions to gain access to resources that are located in any domain in the tree or forest.

Domain Local Groups

  Domain local security groups are most often used to assign permissions to resources.
  Open membership.
    Members from any domain.
  Access to resources in one domain.
    Permissions to gain access to resources that are located only in the same domain where you create the domain local group.

Universal Groups

  Universal security groups are most often used to assign permissions to related resources in multiple domains.
  Open membership.
    Members from any domain in the forest.
  Access to resources in any domain.
    Assign permissions to gain access to resources that are located in any domain in the forest.
  Only available in native mode.
    Not available in domains with the domain functional level set to Windows 2000 mixed.

Group Nesting

Adding groups to other groups, or nesting, creates a consolidated group and can reduce network traffic between domains and simplify administration in a domain tree.
  Minimize levels of nesting.
  Document group membership to keep track of permissions assignments.

Rules for Group Membership

The group scope determines the membership of a group.
Membership rules determine the members that a group can contain.
Group members can be user accounts and other groups.

Local Groups

A local group is a collection of user accounts on a computer.
Use local groups to assign permissions to resources residing on the computer on which the local group is created.
Guidelines on page 8-8

CAUTION

Because Active Directory groups with a “domain local” scope are sometimes referred to as “local groups,” it is important to distinguish between a local group and a group with a domain local scope.

Possible limitations

Placing user accounts in domain local groups and assigning permissions to the domain local groups.
Placing user accounts in global groups and assigning permissions to the global groups.

Using Universal Groups

Use universal groups to give users access to resources that are located in more than one domain.
Use universal groups only when their membership is static.
Add global groups from several domains to a universal group, and then assign permissions for access to a resource to the universal group.

Default Groups

Windows 2003 has four categories of default groups:
  Groups in the Builtin folder
  Groups in the User Folder
  Special identity
  Default local groups

Groups in the Built-In folder

These groups provide users with user rights and permissions to perform tasks on domain controllers and in Active Directory.
Built-in domain local groups give predefined rights and permissions to user accounts when you add user accounts or global groups as members.
Table 8-2 describes the default groups in the built-in folder

Create a list of groups

You can use the Net Localgroup and Net Group commands.
For example, you could open a command prompt and type net localgroup > C:\localgroups.txt to create a list of local groups in a file named C:\localgroups.txt.
As another example of how the Net commands work, examine and run the batch file named Grouplistings.bat on the Supplemental CD-ROM in the \70-294\Labs\Chapter08 folder.
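
An added example (not from the book and not the Grouplistings.bat file on its CD-ROM): a batch file that extends the net localgroup listing above to record the members of every local group, which is what a membership review needs. The output path C:\localgroups-members.txt is an assumption.

```bat
@echo off
rem Added example: inventory every local group and its members with NET LOCALGROUP.
rem The output path is an assumption; change it to suit your environment.
setlocal
set "OUT=C:\localgroups-members.txt"

echo Local group inventory for %COMPUTERNAME% on %DATE% %TIME%> "%OUT%"

rem NET LOCALGROUP prints each group name on its own line, prefixed with "*".
rem findstr keeps only those lines; "delims=*" strips the leading asterisk.
for /f "tokens=* delims=*" %%G in ('net localgroup ^| findstr /b /l /c:"*"') do (
    echo.>> "%OUT%"
    echo ===== %%G =====>> "%OUT%"
    net localgroup "%%G" >> "%OUT%" 2>&1
)

rem Membership of Administrators carries the most rights, so show it on screen too.
net localgroup Administrators

rem On a domain controller, NET GROUP lists the domain's global groups the same way.
endlocal
```

Comparing the output file between runs shows accounts that were added to a privileged local group since the last review.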

Groups in the User Folder

Windows Server 2003 creates default security groups in the Users folder in the Active Directory Users And Computers console.
The groups in the Users folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain.
Table 8-3 describes the default groups in the Users Folder

Special Identity Groups

These groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource.
You do not see special identity groups when you administer groups, but they are available for use when you assign rights and permissions to resources.
Table 8-4 describes Special Identity Groups

Anonymous Users

In Windows Server 2003, the Anonymous Logon group is no longer a member of the Everyone group.
Therefore, anonymous users attempting to access resources hosted on computers running Windows Server 2003 will be impacted.

Built-In Local Groups

All stand-alone servers, member servers, and computers running Windows 2003 Professional have built-in local groups.
Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources.
Table 8-5 describes Built-in Local Groups

Exam Tip

Be familiar with the groups in each category

Planning a Group Strategy

1. Assign users with common job responsibilities to global groups.
2. Create a domain local group for resources to be shared.
3. Add global groups that need access to the resources to the domain local group.
4. Assign resource permissions to the domain local group.
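
The four steps above as an added example using the dsadd, dsmod, dsget and cacls command-line tools; it is not from the original slides. The domain contoso.example (NetBIOS name CONTOSO), the OUs, the group and user names, and the folder D:\Shares\AcctReports are all constructed for illustration.

```bat
@echo off
rem Added example of the four-step group strategy. Every name below is constructed.
setlocal
set "DOM=DC=contoso,DC=example"
set "GRPOU=OU=Groups,%DOM%"
set "GG=CN=GG_Accounting,%GRPOU%"
set "DL=CN=DL_AcctReports_Read,%GRPOU%"

rem 1. Global security group for users who share a job responsibility.
dsadd group "%GG%" -secgrp yes -scope g -samid GG_Accounting -desc "Accounting staff" || goto :fail
dsmod group "%GG%" -addmbr "CN=Jane Doe,OU=Accounting,%DOM%" || goto :fail

rem 2. Domain local security group for the shared resource.
rem    The description documents what the group grants.
dsadd group "%DL%" -secgrp yes -scope l -samid DL_AcctReports_Read -desc "Read access to AcctReports share" || goto :fail

rem 3. Nest the global group in the domain local group (one level only).
dsmod group "%DL%" -addmbr "%GG%" || goto :fail

rem 4. Grant the permission to the domain local group, never to users directly.
rem    Run this step on the server that hosts the folder.
cacls "D:\Shares\AcctReports" /E /G CONTOSO\DL_AcctReports_Read:R || goto :fail

rem Review: expand the nesting to see every account that now has access.
dsget group "%DL%" -members -expand
endlocal
exit /b 0

:fail
echo A step failed; fix the error above before continuing.
endlocal
exit /b 1
```

Removing a user from GG_Accounting then revokes access to every resource reached through that group, without touching any ACL.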

Planning a Group Strategy

Practice: Planning New Group Accounts

Exercise 1 Page 8-17

Creating and Deleting Groups

Use the Active Directory Users and Computers console to create and delete groups.
When you create groups, create them in the Users container or in another container or an organizational unit (OU) that you have created specifically for groups.

Creating a Group In Active Directory

Universal groups are not available in Pre-2000 Mixed Mode

Deleting Groups

As your organization grows and changes, you may discover that there are groups that you no longer need.
Be sure that you delete groups when you no longer need them.

Adding Members to a Group

Members of groups can include user accounts, contacts, other groups, and computers.
You can add a computer to a group to give one computer access to a shared resource on another computer—for example, for remote backup.

Adding Members

Choose:
  Object type
  Location
Select Advanced to search
Check Names to verify the correct group name

Changing the Group Scope to Universal

Group scopes may be changed to universal only when operating in Windows 2000 or 2003 native modes.

Changing the Group Type

Group types may be changed only when operating in Windows 2000 native mode.

Practice: Creating and Administering Groups

Exercise 1: Creating a Global Group and Adding Members

Exercise 2: Creating a Domain Local Group and Adding Members

Page 8-27

Administration Strategies

Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks.
The simple act of visiting an Internet site can be extremely damaging to the system.
An unfamiliar Internet site might contain Trojan horse code that can be downloaded to the system and executed.
Therefore, you should not run your computer as an administrator.

Using Run As to Start a Program

To run a program that requires you to be logged on as an administrator, you can use the Run As program.
This program allows you to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.

NOTE

Run As is usually used to run programs as an administrator, although it is not limited to administrator accounts.
Any user with multiple accounts can use Run As to run a program, MMC tool, or Control Panel item with alternate credentials.

Two ways to Run As

Right-click any program and select the option to Run as…

RUNAS Command

runas [{/profile|/noprofile}] [/env] [/netonly] [/savecred] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program

Switches are defined on page 8-32
RUNAS Examples on page 8-33

Practice: Using Run As to Start a Program as an Administrator

Exercise: Using Run As to Start a Program as an Administrator
Page 8-33

Summary

Case Scenario Exercise
  Pages 35 – 37.
Troubleshooting Lab
  Pages 37 - 38
Exam Highlights
  Key points (p. 8-39)
  Key terms (p. 8-39)