g mac chapter04
Implementing and Managing Group and Computer Accounts
Chapter 4
www.gmactechnologies.com2 / 58 Implementing and Managing Group and Computer Accounts
Objectives
Understand the purpose of using group accounts to simplify administration
Create group objects using both graphical and command-line tools
Manage security groups and distribution groups
Explain the purpose of the built-in groups created when Active Directory is installed
Create and manage computer accounts
Introduction to Group Accounts
A group is a container object
  Used to organize collections of users, computers, contacts, other groups
  Used to simplify administration
Similar to Organizational Units, except:
  OUs are not security principals; groups are
  OUs can only contain objects from their parent domain; groups can contain objects from within the forest
Group Types
Security groups
  Defined by Security Identifier (SID)
  Can be assigned permissions for resources in discretionary access control lists (DACLs)
  Can be assigned rights to perform different tasks
  Can also be used as e-mail entities
Distribution groups
  Primarily used as e-mail entities
  Do not have an associated SID
Group Scopes
Scope refers to logical boundary of permissions to specific resources
Both Security and Distribution Groups have scopes
Three scopes
  Objects possible within each scope depend on the configured functional level of a domain
  Scope types are global, domain local, and universal
Group Scopes (continued)
Three domain functional levels:
  Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, 2000 Server, and Server 2003 domain controllers
  Windows 2000 native: supports a combination of Windows 2000 Server and Server 2003 domain controllers
  Windows Server 2003: supports Windows Server 2003 domain controllers only
Global Groups
Organize groups of users, computers, groups within the same domain
Usually represents a geographic location or job function group
Types of objects in group related to configured functional level of the domain
  Depends on the types of domain controllers in the environment
Domain Local Groups
Created on domain controllers
Can be assigned rights and permissions to any resource within the same domain
Can contain groups from other domains
Specific objects allowed in group related to configured functional level of the domain
Universal Groups
Typically created to aggregate users or groups in different domains
Stored on domain controllers configured as global catalog servers
Can be assigned rights and permissions for any resource within a forest
Can only be created at the Windows 2000 native or Windows Server 2003 domain functional level
Universal Groups (continued)
Creating Group Objects
Group objects are stored in Active Directory database
Variety of tools can be used for creation and management
  Active Directory Users and Computers
  Command-line utilities: DSADD, DSMOD, DSQUERY, etc.
Active Directory Users and Computers
Primary tool to create group accounts
Can also be used to configure properties of group accounts
Groups can be created in any built-in container, at the root of the domain object, or in custom OU objects
Possible group scopes determined by the functional level the domain is configured to
Active Directory Users and Computers…
Activity 4-1
Creating and Adding Members to Global Groups
Creating and Adding Members to Global Groups
Objective: Use Active Directory Users and Computers to create global groups
Start > Administrative Tools > Active Directory Users and Computers > Users container > New > Group
Follow directions to create several global groups and add user accounts to the groups
Activity 4-1 (continued)
Activity 4-2
Creating and Adding Members to Domain Local Groups
Creating and Adding Members to Domain Local Groups
Objective: Use Active Directory Users and Computers to create domain local groups
Active Directory Users and Computers > Users > New > Group
Follow directions to create new domain local groups and add global groups to them
Activity 4-3
Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups
Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups
Objective: Change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal groups
Open your domain object in Active Directory Users and Computers
Activity 4-3 (continued)
Follow directions to raise the functional level of your domain to Windows Server 2003
Continue the exercise to create a new universal group
Continue the exercise to add existing groups to the new group
Converting Group Types
May need to change a security group to a distribution group or vice versa
Type of group can only be changed if domain functional level is Windows 2000 native or above
Activity 4-4
Converting Group Types
Converting Group Types
Objective: Use Active Directory Users and Computers to change group types
Follow directions to create a new global group with distribution type
Verify type of new group
Continue exercise to change type to security and to verify the change
Activity 4-4 (continued)
Converting Group Scopes
Scope of a group can be changed
Domain functional level must be at least Windows 2000 native
Supported changes
  Global to universal
  Domain local to universal
  Universal to global
  Universal to domain local
Activity 4-5
Converting Group Scopes
Converting Group Scopes
Objective: Use Active Directory Users and Computers to change group scopes
Follow directions to create a new global group
Add a member group
Note restrictions and warnings that follow from group scope structure as described in exercise
Change the scope of the group to universal
Command Line Utilities
An alternative to Active Directory Users and Computers
Some administrators have a preference for command-line utilities
Command-line utilities are more flexible for group management and creation in some situations
DSADD
Introduced in Windows Server 2003
Used to create new user and group accounts
Syntax is: dsadd group distinguished-name switches
Switches include: -secgrp, -scope, -memberof, -members
More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line
DSADD (continued)
Activity 4-6
Creating Groups Using DSADD
Creating Groups Using DSADD
Objective: Use the DSADD GROUP command to add groups of different types and scopes
Follow directions to execute dsadd group command to create a new global group
Verify group creation with Active Directory Users and Computers
Create a domain local group with members using dsadd group and verify that group was properly created
DSMOD
Also introduced in Windows Server 2003
Allows various object types to be modified from the command line
Syntax is: dsmod group distinguished-name switches
Switches include: -desc, -rmmbr, -addmbr
More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line
DSMOD (continued)
Activity 4-7
Modifying Groups Using DSMOD
Modifying Groups Using DSMOD
Objective: Use the DSMOD GROUP command to modify group accounts
Follow directions to execute dsmod group command to add a description to an existing group
Verify modification with Active Directory Users and Computers
Modify group by adding and removing members and verify changes
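The steps of Activities 4-4, 4-5 and 4-7 carried out with dsmod group, as an added example that is not part of the course slides. The domain example.com, the OU "OU=Groups" and the group and user names are constructed placeholders.

```batch
@echo off
rem Added example (not from the course slides): dsmod group for description,
rem membership, type and scope changes. All names below are constructed.
set GRP=CN=G_Sales_Staff,OU=Groups,DC=example,DC=com

rem Activity 4-7: add a description, then add and remove members.
dsmod group "%GRP%" -desc "Sales department staff, owned by Sales IT"
dsmod group "%GRP%" -addmbr "CN=Carol Chen,OU=Users,DC=example,DC=com"
dsmod group "%GRP%" -rmmbr  "CN=Bob Brown,OU=Users,DC=example,DC=com"

rem Activity 4-4: convert the group type. Requires Windows 2000 native or higher.
rem -secgrp no turns a security group into a distribution group; it can then no
rem longer grant access through a DACL, so check where its SID is used before
rem converting. -secgrp yes converts back to a security group.
dsmod group "%GRP%" -secgrp no
dsmod group "%GRP%" -secgrp yes

rem Activity 4-5: convert the scope. Global -> universal is a supported change;
rem it fails if this group is itself a member of another global group. Global ->
rem domain local is not supported directly (convert to universal first).
dsmod group "%GRP%" -scope u

rem Confirm the result: type, scope, description and current members.
dsget group "%GRP%" -secgrp -scope -desc -members
```

Each dsmod call changes one thing at a time, so a failed conversion (for example a scope change refused because of the nesting restriction) is easy to attribute to the switch that caused it.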
DSQUERY
Also introduced in Windows Server 2003
Used to query various object types from the command line; returns values
Syntax for groups is: dsquery group query
Supports wildcard character (*)
Output can be piped as input to other command-line tools
More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line
DSMOVE
Used to move or rename various object types from the command line
Syntax is: dsmove distinguished-name switches (unlike dsadd and dsmod, dsmove takes the object's distinguished name directly, with no group keyword)
Switches include: -newparent, -newname
Can only be used for groups within a single domain
More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line
DSRM
Used to delete various object types from the command line
Syntax is: dsrm distinguished-name switches (like dsmove, dsrm takes the object's distinguished name directly, with no group keyword)
Switches include: -noprompt
More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line
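The DSQUERY, DSMOVE and DSRM slides above describe piping query output into the other tools; here is that flow as an added example, not taken from the course slides. The domain example.com, the OUs and the group name prefixes are constructed placeholders.

```batch
@echo off
rem Added example (not from the course slides): dsquery output used as input to
rem dsget, dsmove and dsrm. OU names and group prefixes are constructed.

rem Groups under one OU whose name starts with G_, returned as distinguished names.
dsquery group "OU=Groups,DC=example,DC=com" -name G_* -o dn

rem Pipe the matches into dsget: each ds* tool reads object DNs from standard
rem input when none is given on the command line.
dsquery group "OU=Groups,DC=example,DC=com" -name G_* | dsget group -samid -secgrp -scope

rem Move one group into another OU and rename it in the same call. dsmove takes
rem the object DN directly (no "group" keyword).
dsmove "CN=G_Sales_Staff,OU=Groups,DC=example,DC=com" ^
    -newparent "OU=Sales,OU=Groups,DC=example,DC=com" -newname "G_Sales_Staff_EMEA"

rem Piped form: park every group whose name starts with TMP_ in a holding OU,
rem where its effect on access can be reviewed before anything is deleted.
dsquery group "OU=Groups,DC=example,DC=com" -name TMP_* | dsmove -newparent "OU=Stale,DC=example,DC=com"

rem Delete a single object. Without -noprompt dsrm asks for confirmation; keep
rem that default and only add -noprompt to a pipeline whose dsquery output you
rem have already inspected, because a deleted group's SID cannot be recreated.
dsrm "CN=TMP_Project_Alpha,OU=Stale,DC=example,DC=com"
```

Running the dsquery half of a pipeline on its own first, as the first two commands do, shows exactly which objects the following dsmove or dsrm would touch.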
Managing Security Groups
Strategy for managing security groups uses acronym A G U DL P:
1. Create user Accounts (A) and organize them within Global groups (G)
2. Optional: Create Universal groups (U) and place global groups from any domain in universal groups
3. Create Domain Local groups (DL) and add global and universal groups
4. Assign Permissions (P) to the domain local groups
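The four A G U DL P steps, together with the dsadd group syntax from the DSADD slides and Activity 4-6, as one added example that is not part of the course slides. The domain example.com (NetBIOS name EXAMPLE), the OUs, user names, group names and the share path are constructed placeholders; cacls is the Windows Server 2003-era tool for the permission step.

```batch
@echo off
rem Added example (not from the course slides): A G U DL P carried out with
rem dsadd group. Domain, OU, user, group and share names are constructed.

rem A -> G: user accounts go into a global group that represents a job function.
dsadd group "CN=G_Sales_Staff,OU=Groups,DC=example,DC=com" -secgrp yes -scope g ^
    -desc "Sales department staff (global)" ^
    -members "CN=Alice Adams,OU=Users,DC=example,DC=com" "CN=Bob Brown,OU=Users,DC=example,DC=com"

rem G -> U (optional; requires Windows 2000 native or higher functional level):
rem a universal group that aggregates global groups, possibly from other domains.
dsadd group "CN=U_AllSales,OU=Groups,DC=example,DC=com" -secgrp yes -scope u ^
    -members "CN=G_Sales_Staff,OU=Groups,DC=example,DC=com"

rem G/U -> DL: a domain local group that represents one resource and one level
rem of access. Its name says what it grants, so a membership review reads itself.
dsadd group "CN=DL_SalesShare_Change,OU=Groups,DC=example,DC=com" -secgrp yes -scope l ^
    -desc "Change access to \\FS01\Sales" ^
    -members "CN=U_AllSales,OU=Groups,DC=example,DC=com"

rem DL -> P: the permission is placed on the domain local group only, never on
rem individual users. cacls /E edits the existing ACL, /G grants, C = Change.
cacls D:\Shares\Sales /E /G "EXAMPLE\DL_SalesShare_Change":C

rem Verify type, scope and members of the group that actually carries the permission.
dsget group "CN=DL_SalesShare_Change,OU=Groups,DC=example,DC=com" -secgrp -scope -members
```

With this layout, moving a user between departments means changing one global group membership; the DACL on the share never needs to be touched, which is what keeps the permission set auditable.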
Determining Group Membership
Important task for administrators is to ensure that users are members of correct groups
One method is via Member Of tab in the properties of a user account
  Only shows first level of groups (not groups of groups)
Second method is to use DSGET
  Returns values to a query
Determining Group Membership (continued)
Syntax is dsget group distinguished-name switches
Switches include: -members, -memberof
Can also be used as dsget user to get membership information about a specific user
Output can be saved to a file: dsget group distinguished-name switches >> filename
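The slides note that the Member Of tab shows only the first level of groups. As an added example, not part of the course slides, the dsget switches above used for a membership audit that does follow nested groups (the -expand switch of dsget). The domain example.com, the user, group and report path are constructed placeholders.

```batch
@echo off
rem Added example (not from the course slides): auditing effective group
rem membership with dsget. User, group and report names are constructed.
set USR=CN=Alice Adams,OU=Users,DC=example,DC=com
set REPORT=C:\Reports\membership.txt

rem Direct memberships only: the same first level the Member Of tab shows.
dsget user "%USR%" -memberof

rem Recursively expanded: includes groups reached through nesting, which is
rem where unexpected rights usually come from (a job-function global group
rem that someone nested into a privileged group).
dsget user "%USR%" -memberof -expand

rem The reverse question: who can exercise the rights of a domain local group,
rem including members of the global and universal groups nested in it.
dsget group "CN=DL_SalesShare_Change,OU=Groups,DC=example,DC=com" -members -expand

rem Save the expanded view to a file. >> appends, so repeated runs keep a
rem history that can be diffed; > would overwrite the previous run.
echo ==== %DATE% %TIME% %USR% ==== >> "%REPORT%"
dsget user "%USR%" -memberof -expand >> "%REPORT%"

rem Periodic check worth scripting: every account that holds Domain Admins
rem rights, directly or through nesting.
dsget group "CN=Domain Admins,CN=Users,DC=example,DC=com" -members -expand
```

Comparing the plain and -expand output for the same account is the quickest way to spot a nested group that grants more than its name suggests.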
Built-In Groups
When Windows Server 2003 Active Directory is installed
  Built-in groups are created automatically
  Rights are pre-assigned
  Stored in Builtin container and Users container
Use built-in groups where possible
  Eases implementation of security rights
The Builtin Container
Contains a number of domain local group accounts
Allocated different user rights based on common administrative or network-related tasks
The Builtin Container (continued)
The Users Container
Contains a number of domain local and global group accounts
Some groups only found in the root domain of an Active Directory forest rather than in individual domains
The Users Container (continued)
Creating and Managing Computer Accounts
Computer accounts needed on Windows NT 4.0, 2000, XP, Server 2003
Can be created during installation or added manually later
Creation and management tools
  Active Directory Users and Computers
  System applet in Control Panel
  Command-line utilities
Activity 4-8
Creating and Managing Computer Accounts
Creating and Managing Computer Accounts
Objective: Use Active Directory Users and Computers to create and manage computer accounts
Follow directions to create a new computer account from Active Directory Users and Computers
Configure and review the account as directed
Activity 4-8 (continued)
Resetting Computer Accounts
Secure channel
  Used by computers that are domain members to communicate with domain controller
  Uses password that is changed every 30 days
  Automatically synchronized between domain controller and workstation
Occasional synchronization issues arise
  Administrator must reset computer account
  Using Active Directory Users and Computers or Netdom.exe command from Windows Support Tools
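The Netdom.exe reset the slide refers to, as an added example that is not part of the course slides. It pairs netdom with nltest (also in the Windows Support Tools) so the secure channel is checked before and after the reset. The computer name WKS042 and the domain example.com are constructed placeholders.

```batch
@echo off
rem Added example (not from the course slides): diagnosing and resetting a
rem workstation's secure channel. Computer and domain names are constructed.
set COMPUTER=WKS042
set DOMAIN=example.com

rem Step 1: query the secure channel state. Run this on the affected workstation;
rem a healthy channel reports NERR_Success with the domain controller it uses.
nltest /sc_query:%DOMAIN%

rem Step 2: if the query reports a trust failure (the machine password held by
rem the workstation and by the domain no longer match), reset the computer
rem account. netdom reset re-establishes the channel and the machine password
rem with a domain controller; it uses the credentials of the current session.
netdom reset %COMPUTER% /domain:%DOMAIN%

rem Step 3: verify that the channel is working again (sc_verify also re-validates
rem the password rather than only reporting the cached state).
nltest /sc_verify:%DOMAIN%
```

Resetting the account is the fix for a broken channel, not for a workstation that was never joined: netdom reset requires the computer account to already exist in the domain.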
Summary
Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously
Two group types: security groups and distribution groups
Three scopes possible for groups: global groups, domain local groups, and universal groups
Summary (continued)
Group and computer accounts can be created and managed from Active Directory Users and Computers or from command-line utilities
Builtin and User groups and containers are automatically created at installation with specific pre-assigned rights and permissions
Windows NT 4.0, 2000, XP, and Server 2003 require computer accounts in Active Directory