Chapter Overview: Using Group Objects, Understanding Default Groups, Creating Group Objects, Managing Administrative Access

Upload: barnard-higgins

Post on 18-Jan-2018



TRANSCRIPT

Page 1: Chapter Overview
- Using Group Objects
- Understanding Default Groups
- Creating Group Objects
- Managing Administrative Access

Page 2: Using Group Objects
- You can use groups in Microsoft Windows 2000 to simplify network administration.

Page 3: Understanding Groups
- A group is a collection of user or computer accounts.
- Groups simplify administration: when you assign permissions or rights to a group, all members of the group inherit those permissions or rights.

Page 4: Using Groups to Simplify System and Network Administration

Page 5: Groups and Permissions
- Permissions control access to resources. Rights enable users to perform system tasks (for example, backing up files or changing the system time).
- Groups can contain user accounts, other groups, contacts, and computers.
- Groups can be local (stored on one computer) or stored in the Active Directory service.

Page 6: Group Types
- Windows 2000 includes two types of groups: security groups and distribution groups.
- Both types of groups are stored in the Active Directory database.

Page 7: Security Groups
- The only type of group used by Windows 2000 itself: a security group has a security identifier (SID), so it can be listed in access control lists and appears in members' access tokens.
- Used to assign permissions and rights.
- Can also be used by programs that use Active Directory for nonsecurity-related purposes.
- Have all the capabilities of a distribution group.

Page 8: Distribution Groups
- Can be used by applications designed to work with Active Directory for nonsecurity-related functions, such as sending e-mail to a group of users.
- Cannot be used to assign rights and permissions; a distribution group is not placed in a user's access token, so an entry for it in an access control list has no effect.

Page 9: Group Scopes
- The scope of a group determines where in the network you can use the group.
- The three group scopes are global groups, domain local groups, and universal groups.

Page 10: Group Scopes (Cont.)

Page 11: Global Groups
- Typically used to organize users who have similar network access requirements.
- Characteristics: limited membership (members come only from the group's own domain); can be granted access to resources in any domain.

Page 12: Domain Local Groups
- Typically used to assign permissions to resources.
- Characteristics: open membership (members can come from any domain); can be granted access to resources only in the group's own domain.

Page 13: Universal Groups
- Typically used to assign permissions to related resources in multiple domains.
- Characteristics: open membership (members can come from any domain); can be granted access to resources in any domain.
- Universal security groups are available only when the domain is operating in native mode. (Universal distribution groups can be created in mixed mode.)

Page 14: Group Nesting
- Adding groups to other groups is called nesting.
- Nesting can reduce network traffic and simplify administration: a permission granted once to a group reaches every member of every nested group, and a membership change in a nested group does not touch the outer group.
- Guidelines for nesting:
  - Minimize levels of nesting.
  - Document group memberships to keep track of permission assignments.
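The two nesting guidelines are much easier to follow when you can see the nesting. The following PowerShell function is an added example and is not part of the original chapter; it assumes the RSAT ActiveDirectory module is installed, that every member group is in the local domain (a member from another domain would need Get-ADObject -Server pointing at that domain), and the group name DL-SalesData-Modify is a hypothetical example name.

```powershell
# Added example: walk a group's nested membership, reporting the nesting depth of every
# group reached and the leaf principals (users/computers) that actually inherit the access.
# Assumes the RSAT ActiveDirectory module and that member groups live in the local domain.
Import-Module ActiveDirectory

function Get-GroupNesting {
    param(
        [Parameter(Mandatory)] [string] $Group,   # name, sAMAccountName or distinguished name
        [int] $Depth = 0,
        [string] $Path = '',
        [hashtable] $Seen = @{}                   # DNs already expanded: cycle/diamond guard
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    $here = if ($Path) { "$Path > $($g.Name)" } else { $g.Name }

    if ($Seen.ContainsKey($g.DistinguishedName)) {
        # Reached the same group a second time (cycle or diamond): report it, do not expand again.
        return [pscustomobject]@{ Kind = 'group'; Name = $g.Name; Scope = $g.GroupScope
                                   Depth = $Depth; Path = $here; Note = 'already expanded' }
    }
    $Seen[$g.DistinguishedName] = $true
    [pscustomobject]@{ Kind = 'group'; Name = $g.Name; Scope = $g.GroupScope
                       Depth = $Depth; Path = $here; Note = '' }

    foreach ($dn in $g.member) {
        $m = Get-ADObject -Identity $dn -Properties objectClass
        if ($m.ObjectClass -eq 'group') {
            Get-GroupNesting -Group $dn -Depth ($Depth + 1) -Path $here -Seen $Seen
        } else {
            # Leaf principal (user, computer, contact): this is who ends up with the permission.
            [pscustomobject]@{ Kind = $m.ObjectClass; Name = $m.Name; Scope = ''
                               Depth = $Depth + 1; Path = $here; Note = '' }
        }
    }
}

# Usage: document the membership of the group that holds the permission (hypothetical name) ...
$report = Get-GroupNesting -Group 'DL-SalesData-Modify'
$report | Format-Table Depth, Kind, Scope, Name, Path -AutoSize
$report | Export-Csv -Path '.\DL-SalesData-Modify-membership.csv' -NoTypeInformation

# ... and flag nesting deeper than the strategy allows. With accounts -> global group ->
# domain local group, the domain local group is depth 0 and global groups are depth 1,
# so any group at depth 2 or more is an extra level worth reviewing.
$report | Where-Object { $_.Kind -eq 'group' -and $_.Depth -ge 2 } |
    ForEach-Object { Write-Warning "Group '$($_.Name)' is nested $($_.Depth) levels deep via $($_.Path)" }
```

The CSV is the "documentation" the slide asks for; rerun it after changes and diff the two files to see which principals gained or lost access without anyone editing the resource's ACL.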

Page 15: Rules for Group Membership
- The scope of a group determines the group's membership.
- Membership rules define the types of members that a group can contain.

Page 16: Group Scope Membership Rules
Global group
  In native mode, can contain: user accounts and global groups from the same domain
  In mixed mode, can contain: user accounts from the same domain
Domain local group
  In native mode, can contain: user accounts, universal groups, and global groups from any domain; domain local groups from the same domain
  In mixed mode, can contain: user accounts and global groups from any domain
Universal group
  In native mode, can contain: user accounts, other universal groups, and global groups from any domain
  In mixed mode: not applicable (universal security groups cannot be created in mixed mode)

Page 17: Understanding Local Groups
- A local group is a collection of user accounts on a computer.
- Local groups are used to assign permissions to resources on the computer on which the local group was created.
- Local groups are created and stored in the local security database (the Security Accounts Manager, or SAM) of that computer.

Page 18: Guidelines for Using Local Groups
- Local groups can be used only on the computer where the local group was created.
- Local group permissions provide access only to resources on the computer where the local group was created.
- Local groups can be used on all computers running Windows 2000 except domain controllers; a domain controller has no separate local security database, so you use the domain's built-in domain local groups there instead.
- Local groups can be used to limit local users and groups to resources on that computer rather than network resources.

Page 19: Membership Rules for Local Groups
- Local groups can contain local user accounts only from the computer on which the local group was created.
- On a computer that is a member of a domain, a local group can also contain domain user accounts and global groups from the computer's own domain and from trusted domains (and universal groups from native-mode domains).
- Local groups cannot be members of any other group.

Page 20: Planning Global and Domain Local Groups
- Have a group strategy in place before you create groups.
- The recommended method for deploying groups is to use global and domain local groups: put user accounts into global groups, put the global groups into domain local groups, and assign permissions to the domain local groups.

Page 21: Strategy for Using Groups

Page 22: Guidelines for Using Universal Groups
- Use universal groups to give users access to resources located in more than one domain.
- Use universal groups only when their membership is static: universal group membership is stored in the global catalog, so every change to the member list is replicated to every global catalog server in the forest.
- Add global groups from several domains to a universal group, and then assign the universal group the permissions needed to access the resource. Because only global groups (not individual users) are members, the universal group's membership rarely changes.
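The strategy from the planning slides (accounts into global groups, global groups into domain local groups, permissions on the domain local group) together with the universal-group variant described above, as an added PowerShell example that is not part of the original chapter. It assumes the RSAT ActiveDirectory module, a domain contoso.com with a child domain emea.contoso.com, an OU named Groups, a folder D:\SalesData, and the user and group names shown; all of these are hypothetical.

```powershell
# Added example: accounts -> global group -> domain local group -> permission, plus the
# universal-group variant for users spread over several domains. Every name, domain
# and path below is a hypothetical assumption.
Import-Module ActiveDirectory

$groupsOu = 'OU=Groups,DC=contoso,DC=com'
$share    = 'D:\SalesData'

# 1. A global group organises the users (membership limited to this domain).
New-ADGroup -Name 'G-Sales' -GroupScope Global -GroupCategory Security -Path $groupsOu -Description 'Sales department staff'
Add-ADGroupMember -Identity 'G-Sales' -Members 'alice', 'bob'

# 2. A domain local group represents one permission on one resource, and the
#    global group becomes its member.
New-ADGroup -Name 'DL-SalesData-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu -Description "Modify on $share"
Add-ADGroupMember -Identity 'DL-SalesData-Modify' -Members 'G-Sales'

# 3. Only the domain local group goes into the ACL; users and global groups never do,
#    so the ACL itself never has to change when people join or leave Sales.
$acl      = Get-Acl -Path $share
$ruleArgs = 'CONTOSO\DL-SalesData-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule     = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. Universal-group variant (native mode only) when the users live in more than one
#    domain: global groups from each domain go into the universal group, and the
#    universal group goes into the domain local group instead of step 2's direct
#    membership. The member of the other domain is looked up in its own domain first.
New-ADGroup -Name 'U-Sales-Forest' -GroupScope Universal -GroupCategory Security -Path $groupsOu
$emeaSales = Get-ADGroup -Identity 'G-Sales' -Server 'emea.contoso.com'
Add-ADGroupMember -Identity 'U-Sales-Forest' -Members (Get-ADGroup -Identity 'G-Sales'), $emeaSales
Add-ADGroupMember -Identity 'DL-SalesData-Modify' -Members 'U-Sales-Forest'

# Check: which group entries are on the folder, and who effectively holds Modify through them.
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -like 'CONTOSO\DL-*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-ADGroupMember -Identity 'DL-SalesData-Modify' -Recursive |
    Select-Object SamAccountName, ObjectClass
```

Run the final two commands again after a user is moved out of G-Sales: the ACL output is unchanged while the recursive membership shrinks, which is exactly the separation the strategy is meant to give you.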

Page 23: Lesson Summary
- Groups enable administrators to assign rights and permissions to multiple users in a single procedure.
- There are three Windows 2000 group scopes: global groups, domain local groups, and universal groups.
- In general, use global groups to organize users, and assign permissions to resources to domain local groups.

Page 24: Understanding Default Groups
- Windows 2000 has four categories of default groups: predefined groups, built-in groups, built-in local groups, and special identity groups.

Page 25: Predefined Groups
- Windows 2000 creates predefined groups with a global scope to group common types of user accounts.
- By default, Windows 2000 automatically adds members to some predefined global groups (for example, every user account in the domain is a member of Domain Users).
- You can add user objects to predefined groups.

Page 26: Predefined Groups (Cont.)
- By default, predefined groups do not have any inherent rights or permissions.
- You can assign rights or permissions to predefined groups by either:
  - Adding the predefined global groups to domain local groups
  - Explicitly assigning rights or permissions to the predefined global groups

Page 27: Predefined Global Groups Contained in the \Users Folder

Page 28: Built-In Groups
- Windows 2000 creates built-in groups with a domain local scope in the \Builtin folder of each Active Directory domain.
- These groups provide users with rights and permissions to perform tasks on domain controllers and in Active Directory.
- To extend these rights and permissions to others, add user objects or global groups to the built-in groups.

Page 29: Built-in Groups Contained in the \Builtin Folder in a Domain

Page 30: Built-in Local Groups
- Found on Windows 2000 stand-alone servers, member servers, and computers running Microsoft Windows 2000 Professional.
- Give users the rights to perform system tasks on a single computer.
- Created by Windows 2000 in the \Groups folder of the Local Users And Groups snap-in.

Page 31: The Local Users And Groups Snap-in

Page 32: Special Identity Groups
- Special identity groups exist on all computers running Windows 2000.
- They do not have specific memberships that you can modify; instead, they represent different users at different times, depending on how a user accesses a computer or resource.
- They are not visible when you administer groups, but they are available when you assign rights and permissions.

Page 33: The Most Commonly Used Special Identity Groups
- Anonymous Logon
- Authenticated Users
- Creator Owner
- Dialup
- Everyone (in Windows 2000, Everyone also includes Anonymous Logon, so prefer Authenticated Users when you grant permissions)
- Interactive
- Network

Page 34: Lesson Summary
- There are four categories of Windows 2000 default groups:
  - Predefined groups: global groups, created in the \Users folder of every Active Directory domain
  - Built-in groups: domain local groups, created in the \Builtin folder of every Active Directory domain
  - Built-in local groups: created on every computer running Windows 2000 that is not a domain controller
  - Special identity groups: used to assign rights and permissions based on how users access computers and their resources

Page 35: Creating Group Objects
- After you assess user needs and have a strategy in place for your groups, you are ready to create group objects in Active Directory.

Page 36: Creating and Deleting Groups
- Use Active Directory Users And Computers to create and manage groups.
- You can create groups in the Users container or in another container or organizational unit (OU) created specifically for groups.
- Delete groups when you no longer need them.

Page 37: Creating a Group Object
To create a group object:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers.
2. Expand the console tree until the container or OU where you want to create the group is visible.
3. Right-click the container or OU, point to New, and then click Group.
4. In the Group Name box, type the group's name.
5. Select a group scope option.
6. Select a group type option.
7. Click OK to close the dialog box.

Page 38: The New Object – Group Dialog Box

Page 39: Adding Members to a Group
- After you create a group object, you add members to it.
- Group members can include user objects, contacts, other groups, and computers.
- Use Active Directory Users And Computers to add members to a group.

Page 40: Adding Members to a Group (Cont.)
To add members to a group:
1. Open Active Directory Users And Computers.
2. Right-click the group that you want to add members to, and then click Properties.
3. Click the Members tab.
4. In the Members tab, click Add.
5. In the Name list, select the object you want to make a member of the group, and then click Add. Repeat until you have selected all the objects you want to add.
6. Click OK to add the selected objects.
7. Click OK to close the Properties dialog box.

Page 41: The Select Users, Contacts, Or Computers Dialog Box

Page 42: Changing the Group Type
- You can convert a group object from one type to another; for example, you can convert a distribution group to a security group.
- You can change a group's type only when the domain is operating in native mode.

Page 43: Changing the Group Type (Cont.)
To change the type of a group:
1. Open Active Directory Users And Computers.
2. Right-click the group object whose type you want to change, and then click Properties.
3. In the General tab, change the group type by selecting a different Group Type option.
4. Click OK to change the group type and close the Properties dialog box.

Page 44: The Properties Dialog Box of a Group Object

Page 45: Changing the Group Scope to Universal
- You can change a global or domain local group's scope to universal.
- You can make this change only when the domain is operating in native mode.
- The following group scope changes are permitted:
  - Global group to universal group: only if the global group is not a member of another global group.
  - Domain local group to universal group: only if the domain local group does not contain another domain local group.

Page 46: Changing the Scope of a Group
To change the scope of a group:
1. Open Active Directory Users And Computers.
2. Right-click the group object, and then click Properties.
3. In the General tab, select the appropriate group scope option.
4. Click OK to close the Properties dialog box.
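The two scope-change rules and the native-mode requirement from the previous slide, turned into a pre-flight check before the conversion. This is an added PowerShell example, not part of the original chapter; it assumes the RSAT ActiveDirectory module, and the group name G-Sales is hypothetical.

```powershell
# Added example: test the rules for converting a group to universal scope before asking
# Active Directory to do it, so the failure reason is reported instead of a generic error.
# Assumes the RSAT ActiveDirectory module; the group name is a hypothetical example.
Import-Module ActiveDirectory

function Test-UniversalScopeChange {
    param([Parameter(Mandatory)] [string] $Group)

    $g = Get-ADGroup -Identity $Group -Properties member, memberOf
    $reasons = @()

    # Universal security groups need native mode. The domain object's ntMixedDomain
    # attribute is 1 while the domain is still in mixed mode.
    $dom = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ntMixedDomain
    if ($dom.ntMixedDomain -eq 1) { $reasons += 'domain is in mixed mode' }

    switch ($g.GroupScope) {
        'Global' {
            # Rule 1: not while the global group is a member of another global group.
            foreach ($dn in $g.memberOf) {
                $parent = Get-ADGroup -Identity $dn
                if ($parent.GroupScope -eq 'Global') { $reasons += "member of global group '$($parent.Name)'" }
            }
        }
        'DomainLocal' {
            # Rule 2: not while the domain local group contains another domain local group.
            foreach ($dn in $g.member) {
                $m = Get-ADObject -Identity $dn -Properties objectClass, groupType
                # groupType bit 0x4 marks a domain local group (0x2 global, 0x8 universal).
                if ($m.ObjectClass -eq 'group' -and ($m.groupType -band 0x4)) {
                    $reasons += "contains domain local group '$($m.Name)'"
                }
            }
        }
        'Universal' { $reasons += 'already universal' }
    }

    [pscustomobject]@{
        Group      = $g.Name
        Scope      = $g.GroupScope
        CanConvert = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Usage: convert only when every rule passes; Set-ADGroup would reject the change otherwise.
$check = Test-UniversalScopeChange -Group 'G-Sales'
if ($check.CanConvert) {
    Set-ADGroup -Identity 'G-Sales' -GroupScope Universal
    Get-ADGroup -Identity 'G-Sales' | Select-Object Name, GroupScope
} else {
    Write-Warning "Cannot convert $($check.Group) to universal: $($check.Reasons)"
}
```

When the check reports a blocking membership, remove that one membership (or convert the inner domain local group first), rerun the check, and only then convert; converting and re-adding in the wrong order is how permissions silently disappear.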

Page 47: Deleting a Group
- Deleting a group deletes only the group object; it does not delete the objects that are members of the group.
- Permissions are tied to the group's SID, not its name. Creating a new group with the same name produces a new SID, so the old group's permissions are not restored; its entries remain in ACLs as unresolved SIDs until you clean them up.
- You cannot delete a group if one of the group's members has the group set as his or her primary group.

Page 48: Deleting a Group (Cont.)
To delete a group:
1. Open Active Directory Users And Computers.
2. Right-click the group object you want to delete, and then click Delete.
3. In the Active Directory message box, click Yes.

Page 49: Creating Local Groups
- Use the Local Users And Groups snap-in (included in Computer Management) to create local groups.
- Create local groups in the \Groups folder.

Page 50: Creating Local Groups (Cont.)
To create a local group:
1. Open Computer Management, and expand the Local Users And Groups snap-in.
2. Right-click the Groups container, and then click New Group.
3. In the Group Name box, type a name for the group.
4. In the Description box, type a description for the group.
5. Click Add to display the Select Users Or Groups dialog box.
6. In the Name list, select a user to add to the group, and then click Add. (Repeat as necessary.)
7. Click OK to close the Select Users Or Groups dialog box.
8. Click Create to create the group and add the members.
9. Click Close to close the New Group dialog box.

Page 51: The New Group Dialog Box

Page 52: The Select Users Or Groups Dialog Box

Page 53: Adding Members and Deleting Groups
- You can add members to a local group either when you create it or afterwards.
- You can use the Local Users And Groups snap-in (in Computer Management) to delete a local group when you no longer need it.
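The local-group procedure from the last few slides as PowerShell on a domain member server, including the point that a local group on a member computer can hold domain accounts and domain global groups. This is an added example and not part of the original chapter; it uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1, Windows Server 2016 and later, so not Windows 2000 itself), and CONTOSO, the group names and the account names are hypothetical.

```powershell
# Added example: create a local group in this computer's SAM, add a local account and a
# domain global group, verify, then delete the group. Names are hypothetical assumptions.
Import-Module Microsoft.PowerShell.LocalAccounts

# A local user to use as a member (prompts for its password).
New-LocalUser -Name 'svc-backup' -Description 'Backup service account' -Password (Read-Host -AsSecureString 'Password for svc-backup')

# Create the local group; it exists only in this computer's local security database.
New-LocalGroup -Name 'SalesData-Admins' -Description 'Administer the SalesData share on this server'

# Members: local user accounts from this computer ...
Add-LocalGroupMember -Group 'SalesData-Admins' -Member 'svc-backup'
# ... and, because this server is a domain member, domain accounts and domain global groups.
Add-LocalGroupMember -Group 'SalesData-Admins' -Member 'CONTOSO\G-Sales-Admins'

# Verify: PrincipalSource shows whether each member is Local or ActiveDirectory.
Get-LocalGroupMember -Group 'SalesData-Admins' |
    Select-Object Name, ObjectClass, PrincipalSource

# Deleting the group removes only the group object. Its members still exist, and any
# ACL entry that named the group keeps the now-unresolvable SID until you remove it.
Remove-LocalGroup -Name 'SalesData-Admins'
Get-LocalUser -Name 'svc-backup' | Select-Object Name, Enabled
```

A local group cannot itself be added to any other group, so attempting Add-LocalGroupMember with another local group as the member fails; that is the last membership rule from Page 19 enforced by the system.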

Page 54: Lesson Summary
- Use Active Directory Users And Computers to create global, domain local, or universal groups.
- Use Local Users And Groups to create local groups.
- You can create local groups on any computer running Windows 2000 that is not a domain controller.
- Deleting a group deletes only the group object; it does not delete the objects that are members of the group.

Page 55: Managing Administrative Access
- For optimum security, avoid logging on as Administrator to perform nonadministrative tasks.

Page 56: Why You Should Not Run Your Computer as an Administrator
- Being logged on as Administrator (or as a member of an Administrators group) can expose your network to virus and Trojan horse attacks and other security risks: every program you run, including a malicious one, runs with your administrative privileges.
- Administrators should perform administrative tasks only while logged on as Administrator; the rest of the time they should use a regular user account.

Page 57: Administrators as Members of the Users and Power Users Groups
- Log on as a member of the Users group to perform routine tasks without exposing your computer to unnecessary risk.
- Log on as a member of the Power Users group to perform routine tasks and to install programs, add printers, and use most Control Panel tools.
- Note that Power Users is not a low-privilege group: its members can install software and change system-wide settings, so a malicious program run by a Power User can still compromise the computer. Prefer the Users group plus Run As for the occasional administrative task.

Page 58: Using Run As to Start a Program
- You can use the Run As program to run a program that requires administrative privileges while you are logged on as a normal user.
- Use Run As when:
  - You can provide the appropriate user account and password information.
  - The user account has the ability to log on to the computer.
  - The program or tool is available on the system and to the user account.
- Some applications cannot be started with the Run As program (for example, Windows Explorer and items on the desktop).
- Run As depends on the RunAs service (Secondary Logon); if that service is stopped or disabled, Run As and Runas.exe fail.

Page 59: How to Use Run As to Start a Program
To use Run As to start a program as Administrator:
1. In Windows Explorer, locate the program or its shortcut, the Microsoft Management Console (MMC), or the Control Panel tool you want to open.
2. Press the Shift key and right-click the program, and then click Run As to display the Run As Other User dialog box.
3. Select Run The Program As The Following User.
4. In the User Name and Password boxes, type the user name and password of the administrator account you want to use.
5. In the Domain box, type the name of your computer or domain.
6. Click OK.

Page 60: The Run As Other User Dialog Box

Page 61: The Runas Command
- Runas.exe is a command-line program that provides the same function as the Run As shell command; both use the RunAs service to start the program under the other account.
- The syntax for Runas.exe is:
  runas [/profile] [/env] [/netonly] /user:UserAccountName program
- /profile (the default) loads the specified user's profile; /env runs the program with the current user's environment instead; /netonly uses the credentials only for network access, while the program runs locally under your own logon.

Page 62: Runas Examples
You can use Runas.exe to start:
- The Windows 2000 command prompt, as an administrator on the local computer
- Computer Management, using a domain administrator account
- Microsoft Notepad, using a domain administrator account
- A command prompt window, MMC console, or other program that administers a server in another forest
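The four cases above as actual commands, typed at a PowerShell prompt (the same lines work at a Windows command prompt once `$env:COMPUTERNAME` and `$env:windir` are replaced with `%COMPUTERNAME%` and `%windir%`). This is an added example, not part of the original chapter; CONTOSO, OTHERFOREST, SRV01 and the account names are hypothetical, and Runas prompts for the password each time.

```powershell
# Added example (not from the original chapter): the four Runas cases. Domain, server
# and account names are hypothetical. The RunAs service (Secondary Logon) must be running.

# 1. Command prompt as the local Administrator account of this computer.
runas "/user:$env:COMPUTERNAME\Administrator" cmd

# 2. Computer Management with a domain administrator account. /profile is the default,
#    so the MMC runs with that account's own profile and settings.
runas /user:CONTOSO\dadmin "mmc $env:windir\system32\compmgmt.msc"

# 3. Notepad with a domain administrator account, in UPN form. /env keeps the current
#    user's environment (PATH, current directory), convenient for a one-off edit of a
#    file that only administrators may write.
runas /env /user:dadmin@contoso.com "notepad $env:windir\system32\drivers\etc\hosts"

# 4. Administer a server in another forest that does not trust your logon domain:
#    /netonly presents the credentials only when the program talks to the network;
#    locally the process still runs under your own account.
runas /netonly /user:OTHERFOREST\dadmin "mmc $env:windir\system32\compmgmt.msc /computer=SRV01.otherforest.example"

# Check what you actually got: in a window started by case 1, `whoami` (Windows 2000
# Resource Kit; built in on later versions) reports the Administrator account, while
# in a /netonly window it still reports your own account, because /netonly changes
# only the network credentials.
```

Case 4 is also the safe way to use a more privileged account against a remote server without that account ever logging on to your workstation: no profile is loaded and no interactive token for it is created locally.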

Page 63: Lesson Summary
- Users with administrative access to the network should not use administrative accounts for their everyday user activities.
- You can use the Run As program to run a program that requires administrative privileges while you are logged on as a normal user.
- Runas.exe is a command-line program that provides the same function as the Run As shell command; both rely on the RunAs service.