MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

8-1

8 Administering Groups

Exam Objectives in this Chapter:

■ Plan a security group hierarchy based on delegation requirements.

■ Plan a security group strategy.

Why This Chapter Matters

As an administrator, you’ll have to work with groups. Groups reduce administrative effort by allowing you to assign permissions and rights to a group of users rather than having to assign permissions to each individual user account. As a Microsoft Windows Server 2003 domain administrator, you must understand the different types of groups and which ones you can use with each domain functional level. You must certainly understand how to create and delete groups, add members to groups, and change the group scope, as these tasks are commonly performed by network administrators. You should also understand why logging on to Windows Server 2003 using an administrator account makes your system more vulnerable to Trojan horse attacks and other security risks. To address this problem, you will learn about the Run As program, which allows you to run specific tools and programs with permissions other than those of the account you are currently logged on with, so that you can perform routine tasks without exposing your computer to unnecessary risk.

Lessons in this Chapter:

■ Lesson 1: Understanding Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-3

■ Lesson 2: Creating and Administering Groups . . . . . . . . . . . . . . . . . . . . . . 8-22

■ Lesson 3: Administration Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-29

Before You Begin

To complete the lessons in this chapter, you must

■ Prepare your test environment according to the descriptions given in the “Getting Started” section of “About This Book”

■ Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, “Installing and Configuring Active Directory”

■ Learn to use Active Directory administration tools as discussed in Chapter 3, “Administering Active Directory”

70-294eBook.book Page 1 Tuesday, March 14, 2006 4:47 PM

Microsoft Press
Note
MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft® Windows Server™ 2003 Active Directory® Infrastructure (ISBN 0-7356-2286-8) by Jill Spealman, Kurt Hudson, Melissa Craft, and Content Master. Published by Microsoft Press. Copyright © 2006 by Microsoft Corporation.

8-2 Chapter 8 Administering Groups

■ Complete the practices for configuring sites and replication as discussed in Chapter 5, “Configuring Sites and Managing Replication”

■ Complete the practices for implementing an organizational unit (OU) structure as discussed in Chapter 6, “Implementing an OU Structure”

■ Complete the practices for creating and maintaining user accounts as discussed in Chapter 7, “Administering User Accounts”


Lesson 1 Understanding Groups 8-3

Lesson 1: Understanding Groups

Before you can create groups, you must understand the purpose of groups and how they are used to simplify administration tasks. This lesson introduces you to the group types and scopes you can create in Windows Server 2003 and the rules for group membership. You also learn about the various categories of default groups. At the end of the lesson, you learn how to plan a group strategy.

After this lesson, you will be able to

■ Explain the purpose of groups

■ Explain the purpose of security and distribution group types

■ Explain the characteristics of domain local, global, and universal group scopes

■ Explain the purpose of local groups

■ Describe the types of default groups

■ Plan a group strategy

Estimated lesson time: 30 minutes

Introduction to Groups

A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions to each individual user account, as shown in Figure 8-1. Users can be members of more than one group. Permissions control what users can do with a resource, such as a folder, file, or printer. When you assign permissions, you give users the capability to gain access to a resource and you define the type of access that they have. For example, if several users need to read the same file, you would add their user accounts to a group. Then you would give the group permission to read the file.

Figure 8-1 Groups simplify administration (assign permissions once for a group instead of assigning permissions for each user account)


In addition to user accounts, you can add other groups, contacts, and computers to groups. You add groups to other groups to create a consolidated group and reduce the number of times that you need to assign permissions. However, you should use caution to add only those groups that are absolutely necessary. You add computers to groups to simplify giving a system task on one computer access to a resource on another computer.

Group Types

You can create groups for security-related purposes, such as assigning permissions, or for nonsecurity purposes, such as sending e-mail messages. To facilitate this, Active Directory directory service provides for the use of two group types: security and distribution. The group type determines how you use the group. Both types of groups are stored in the database component of Active Directory, which allows you to use them anywhere in your network.

Security Groups

Windows Server 2003 uses only security groups, which you use to assign permissions to gain access to resources. Programs that are designed to search Active Directory can also use security groups for nonsecurity purposes, such as retrieving user information for use in a Web application. Thus, a security group has all the capabilities of a distribution group.

Distribution Groups

Applications use distribution groups as lists for nonsecurity-related functions. Use distribution groups when the only function of the group is nonsecurity related, such as sending e-mail messages to a group of users at the same time. You cannot use distribution groups to assign permissions. Only programs that are designed to work with Active Directory can use distribution groups. For example, Microsoft Exchange Server is able to use distribution groups as distribution lists for sending e-mail messages.

Note Because Windows Server 2003 uses only security groups, this chapter focuses on security groups.

Group Scopes

When you create a group, you must select a group type and a group scope. Group scopes allow you to use groups in different ways to assign permissions. The scope of a group determines where in the network you are able to use the group to assign permissions. The three group scopes are global, domain local, and universal, as shown in Figure 8-2.


Figure 8-2 Group scopes (global group: members can come only from the local domain and can access resources in any domain; domain local group: members can come from any domain and access resources only in the local domain; universal group: members can come from any domain and can access resources in any domain)

Global Groups

Global security groups are most often used to organize users who share similar network access requirements. A global group has the following characteristics:

■ Limited membership You can add members only from the domain in which you create the global group.

■ Access to resources in any domain You can use a global group to assign permissions to gain access to resources that are located in any domain in the tree or forest.

Domain Local Groups

Domain local security groups are most often used to assign permissions to resources. A domain local group has the following characteristics:

■ Open membership You can add members from any domain.

■ Access to resources in one domain You can use a domain local group to assign permissions to gain access to resources that are located only in the same domain where you create the domain local group.

Universal Groups

The universal group is a new feature beginning in Microsoft Windows 2000. Universal security groups are most often used to assign permissions to related resources in multiple domains. A universal security group has the following characteristics:

■ Open membership You can add members from any domain in the forest.


■ Access to resources in any domain You can use a universal group to assign permissions to gain access to resources that are located in any domain in the forest.

■ Available only in domains with a domain functional level set to Windows 2000 native or Windows Server 2003 Universal security groups are not available in domains with the domain functional level set to Windows 2000 mixed.

How Universal Groups Affect Replication

Universal security groups and their members are listed in the global catalog. When you create a universal group, it temporarily resides in the domain directory partition in which the group was created until the global catalog queries the domain for changes. Once the global catalog acquires the new object, changes are replicated to other global catalogs in the forest.

In Windows 2000, when one member of a group with universal scope changes, the entire group membership is replicated to all global catalogs in the domain tree or forest, consuming a large amount of network bandwidth and processor load. Further, if group membership is updated simultaneously on two or more domain controllers, some of the membership updates could potentially be lost during replication conflict resolution. In Windows Server 2003, when the forest functional level is set to Windows Server 2003, only the member that is modified is replicated to all global catalogs, which significantly reduces global catalog replication traffic and eliminates the possibility of lost updates. For more information about Active Directory forest and domain functional levels, refer to Chapter 3, “Administering Active Directory.”

Group Membership

The group scope determines the membership of a group. Membership rules define which members a group can contain. Group members include user accounts, other groups, contacts, and computers. Table 8-1 describes group membership rules.

Table 8-1 Group Scope Membership Rules

Each group scope is listed with what it can contain in domains with the domain functional level set to Windows 2000 mixed, and in domains with the domain functional level set to Windows 2000 native or Windows Server 2003.

Global
  Windows 2000 mixed: user accounts and computer accounts from the same domain
  Windows 2000 native or Windows Server 2003: user accounts, computer accounts, and global groups from the same domain

Domain local
  Windows 2000 mixed: user accounts, computer accounts, and global groups from any domain
  Windows 2000 native or Windows Server 2003: user accounts, computer accounts, global groups, and universal groups from any domain; domain local groups from the same domain

Universal
  Windows 2000 mixed: not available in domains with a domain functional level set to Windows 2000 mixed
  Windows 2000 native or Windows Server 2003: user accounts, computer accounts, global groups, and other universal groups from any domain in the forest


Group Nesting

Adding groups to other groups, or nesting, helps reduce the number of times permissions need to be assigned. Create a hierarchy of groups based on the needs of the members. Windows Server 2003 allows unlimited levels of nesting in domains with a domain functional level set to Windows 2000 native or Windows Server 2003.

For example, you can create a group for each region in your organization and add managers from each region into their own group, called Regional Managers. You can then add each Regional Managers group to another group called Worldwide Managers. When all managers in the network need access to a resource, you assign permissions only to the Worldwide Managers group. Because the Worldwide Managers group contains all members of the Regional Managers groups through nesting, all managers in the network can reach the resource. This strategy allows for easy assignment of permissions and decentralized tracking of group membership.

Guidelines for group nesting include the following:

■ Minimize levels of nesting Tracking permissions and troubleshooting becomes more complex with multiple levels of nesting. One level of nesting is the most effective to use.

■ Document group membership to keep track of permissions assignments Providing documentation of group membership can eliminate the redundant assignment of user accounts to groups and reduce the likelihood of accidental group assignments.

To use nesting efficiently, you must recall the group scope membership rules:

■ In domains with a domain functional level set to Windows 2000 mixed, only one type of nesting is available: global groups from any domain can be members of domain local groups. Universal groups do not exist in domains with a domain functional level set to Windows 2000 mixed.

■ In domains with a domain functional level set to Windows 2000 native or Windows Server 2003, all group membership rules apply and multiple levels of nesting are allowed.
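The membership rules of Table 8-1 and the Regional Managers / Worldwide Managers nesting example, worked through in Python. This is an added example, not code from the training kit; the domains emea.example and apac.example, the user names, and the choice of universal scope for Worldwide Managers are assumptions made here.

```python
"""Table 8-1 group scope membership rules and group nesting, modelled in Python.
Added example for this chapter, not code from the training kit; the domains
emea.example and apac.example and all group and user names are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    MIXED = "Windows 2000 mixed"
    NATIVE = "Windows 2000 native or Windows Server 2003"


class Scope(Enum):
    ACCOUNT = "account"            # user or computer account; never a container
    GLOBAL = "global"
    DOMAIN_LOCAL = "domain local"
    UNIVERSAL = "universal"


@dataclass
class Principal:
    name: str
    domain: str
    scope: Scope
    members: list = field(default_factory=list)


def can_contain(container, member, level):
    """True if Table 8-1 allows `member` to be added to `container` at `level`."""
    same_domain = container.domain == member.domain
    if container.scope is Scope.ACCOUNT:
        return False
    # Universal groups do not exist at Windows 2000 mixed: neither side may be one.
    if level is Level.MIXED and Scope.UNIVERSAL in (container.scope, member.scope):
        return False
    if container.scope is Scope.GLOBAL:
        # Same domain only; global groups as members need the native level.
        if not same_domain:
            return False
        return member.scope is Scope.ACCOUNT or (
            member.scope is Scope.GLOBAL and level is Level.NATIVE)
    if container.scope is Scope.DOMAIN_LOCAL:
        # Accounts, global and (native only) universal groups from any domain;
        # other domain local groups only at native level and from the same domain.
        if member.scope is not Scope.DOMAIN_LOCAL:
            return True
        return level is Level.NATIVE and same_domain
    # Universal container (native): anything from any forest domain except domain local groups.
    return member.scope is not Scope.DOMAIN_LOCAL


def add_member(container, member, level):
    """Add `member` to `container`, refusing combinations Table 8-1 forbids."""
    if not can_contain(container, member, level):
        raise ValueError(f"{member.scope.value} {member.name!r} cannot join "
                         f"{container.scope.value} {container.name!r} at {level.value}")
    container.members.append(member)


def effective_accounts(group):
    """Every (domain, name) account that reaches `group` through any nesting depth."""
    accounts, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if (g.domain, g.name) in seen:   # guard against membership cycles
            continue
        seen.add((g.domain, g.name))
        for m in g.members:
            if m.scope is Scope.ACCOUNT:
                accounts.add((m.domain, m.name))
            else:
                stack.append(m)
    return accounts


def nesting_depth(group, _seen=frozenset()):
    """Group-in-group layers below `group` (0 = only accounts); the guideline is one."""
    nested = [m for m in group.members
              if m.scope is not Scope.ACCOUNT and (m.domain, m.name) not in _seen]
    if not nested:
        return 0
    return 1 + max(nesting_depth(m, _seen | {(group.domain, group.name)})
                   for m in nested)


def worldwide_managers_example():
    """The Regional Managers / Worldwide Managers hierarchy from the text, built
    across two constructed domains at the Windows Server 2003 level. Worldwide
    Managers gets universal scope: a global group cannot hold groups from another domain."""
    level = Level.NATIVE
    alice = Principal("alice", "emea.example", Scope.ACCOUNT)
    bob = Principal("bob", "apac.example", Scope.ACCOUNT)
    emea = Principal("Regional Managers", "emea.example", Scope.GLOBAL)
    apac = Principal("Regional Managers", "apac.example", Scope.GLOBAL)
    worldwide = Principal("Worldwide Managers", "emea.example", Scope.UNIVERSAL)
    add_member(emea, alice, level)
    add_member(apac, bob, level)
    add_member(worldwide, emea, level)
    add_member(worldwide, apac, level)
    return effective_accounts(worldwide), nesting_depth(worldwide)
```

Calling `can_contain` with `Level.MIXED` for the same hierarchy shows why the design needs the native level: the universal group is unavailable there, and a global group may not hold another group.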

Local Groups

A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows Server 2003 creates local groups in the local security database.


Note Because Active Directory groups with a “domain local” scope are sometimes referred to as “local groups,” it is important to distinguish between a local group and a group with a domain local scope.

Guidelines for using local groups follow:

■ Use local groups only on the computer where you create the local groups. Local group permissions provide access to only the resources on the computer where you created the local group.

■ Use local groups on computers running Microsoft Windows XP Professional and member servers running Windows Server 2003. Local groups cannot be created on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory.

■ Use local groups only on computers that do not belong to a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups do not appear in Active Directory, and you must administer local groups separately for each computer.

Membership rules for local groups include the following:

■ Local groups can contain local user accounts from the computer where you create the local group.

■ Local groups cannot be members of any other group.

Default Groups

Windows Server 2003 has four categories of default groups: groups in the Builtin folder, groups in the Users folder, special identity groups, and default local groups. All of the default groups are security groups and have been assigned common sets of rights and permissions that you might want to assign to the users and groups that you place into the default groups.

Groups in the Builtin Folder

Windows Server 2003 creates default security groups with a domain local scope in the Builtin folder in the Active Directory Users And Computers console. The groups in the Builtin folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain. Table 8-2 describes the default groups in the Builtin folder.


Table 8-2 Default Groups in the Builtin Folder

Group Name: Description

Account Operators: This group exists only on domain controllers. By default, the group has no members. By default, members can create, modify, and delete accounts for users, groups, and computers in all containers and OUs of Active Directory except the Builtin folder and the Domain Controllers OU. Members do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

Administrators: Members have complete and unrestricted access to the computer or domain controller, including the right to change their own permissions. If the Administrator account resides on the first domain controller configured for the domain, the Administrator account is automatically added to the Domain Admins group and complete access to the domain is granted.

Backup Operators: By default, this group has no members. Members can back up and restore all files on a computer, regardless of the permissions that protect those files. Members can also log on to the computer and shut it down.

Guests: Members have the same privileges as members of the Users group.

Incoming Forest Trust Builders: Members can create incoming, one-way trusts to this forest.

Network Configuration Operators: Members have the same default rights as members of the Users group. Members can perform all tasks related to the client side of network configuration except for installing and removing drivers and services. Members cannot configure network server services such as the Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) server services.

Performance Log Users: Members have remote access to schedule logging of performance counters on this computer.

Performance Monitor Users: Members have remote access to monitor this computer.

Pre–Windows 2000 Compatible Access: Members have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Microsoft Windows NT 4 and earlier.

Print Operators: This group exists only on domain controllers. Members can manage printers and document queues.

Remote Desktop Users: Members can log on to a computer from a remote location.

Replicator: This group supports directory replication functions and is used by the file replication service on domain controllers. By default, the group has no members. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add users to this group.

Server Operators: This group exists only on domain controllers. By default, the group has no members. Members can log on to a server interactively, create and delete network shares, start and stop services, back up and restore files, format the hard disk of the computer, and shut down the computer.

Terminal Service License Users

Terminal Server License Servers

Users: Members are prevented from making accidental or intentional system-wide changes. Members can run certified applications, use printers, shut down and start the computer, and use network shares for which they are assigned permissions. Members cannot share folders or install printers on the local computer. By default, the Domain Users group is a member.

Windows Authorization Access: Members have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.

Off the Record If you need to create a list of groups, you can use the Net Localgroup and Net Group commands. For example, you could open a command prompt and type net localgroup > C:\localgroups.txt to create a list of local groups in a file named C:\localgroups.txt. As another example of how the Net commands work, examine and run the batch file named Grouplistings.bat on the Supplemental CD-ROM in the \70-294\Labs\Chapter08 folder.

Groups in the Users Folder

Windows Server 2003 creates default security groups in the Users folder in the Active Directory Users And Computers console. The groups in the Users folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain. Table 8-3 describes the default groups in the Users folder.

Table 8-3 Default Groups in the Users Folder

Group Name: Description

Domain Local Groups

Cert Publishers: Members of this group are permitted to publish certificates to Active Directory.


DnsAdmins: Members of this group are permitted administrative access to the DNS server service.

HelpServicesGroup: This group allows administrators to set rights common to all support applications. By default, the group has only one member, the account associated with Microsoft support applications, such as Microsoft Remote Assistance. Do not add users to this group, which is managed automatically by the Help And Support service.

RAS and IAS Servers: Servers in this group—for the Remote Access Service (RAS) and Internet Authentication Service (IAS)—are permitted access to the remote access properties of users.

TelnetClients: Members of this group have access to Telnet Server on this system.

Global Groups

DnsUpdateProxy: Members of this group are DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).

Domain Admins: Members of this group can perform administrative tasks on any computer anywhere in the domain.

Domain Computers: Members include all workstations and servers joined to the domain. By default, any computer account created in a domain is automatically added to this group.

Domain Controllers: Members include all domain controllers in the domain.

Domain Guests: Members include all domain guests.

Domain Users: Members include all domain users. By default, any user account created in a domain is automatically added to this group.

Group Policy Creator Owners: Members can modify group policy for the domain.

Universal Groups

Enterprise Admins (appears only on forest root domain controllers): Members include users designated as administrators of the entire network.

Schema Admins (appears only on forest root domain controllers): Members include users designated as administrators of the schema.


Special Identity Groups

Special identity groups, known as special groups in Microsoft Windows NT, exist on all computers running Windows Server 2003. Membership in these groups is controlled by the operating system. Although the special identity groups can be assigned rights and permission to resources, you cannot modify or view the memberships of these groups. You do not see special identity groups when you administer groups, and you cannot place them into other groups. Group scopes do not apply to special identity groups. Windows Server 2003 bases special identity group membership on how the computer is accessed, not on who uses the computer. Table 8-4 describes the most commonly used special identity groups.

Table 8-4 Commonly Used Special Identity Groups

Special Identity Group: Description

Anonymous Logon: Members include all users who log on without supplying a user name and password.

Authenticated Users: Members include all users whose identities were authenticated when they logged on. This group does not include the Guest account even if the account has a password.

Dialup: Members include all users who are logged on to the system through a dial-up connection.

Enterprise Domain Controllers: Members include all domain controllers in a forest of domains.

Everyone: On computers running Windows Server 2003, members include Authenticated Users and Domain Guests. On computers running earlier versions of the operating system, members include Authenticated Users and Domain Guests, plus Anonymous Logon.

Interactive: Members include all users who have logged on locally or through a Remote Desktop connection.

Network: Members include all users who are logged on through a network connection.

Service: Members include all security principals (users, groups, or computers) that have logged on as a service.

Terminal Server User: When Terminal Services are installed in application serving mode, this group contains any users who are currently logged on to the system using a terminal server. When Terminal Services are installed in remote administration mode, users logged on using a terminal server are not members of this group.

Anonymous User Security Enhancement

In Windows NT and Windows 2000, the operating system makes every user authenticated by the domain and all potential anonymous users members of the Everyone group because the Authenticated Users, the Anonymous Logon, and the Domain Guests groups are automatically made members of the Everyone group. This membership is provided to allow anonymous users access to Active Directory objects. To provide stricter control of access to resources, you must remember to remove the Everyone group from the access control list for the resource. Because administrators often do not realize that anonymous users are members of the Everyone group, these users might inadvertently be granted access to resources intended only for authenticated users.

In Windows Server 2003, the Anonymous Logon group is no longer a member of the Everyone group. Therefore, anonymous users attempting to access resources hosted on computers running Windows Server 2003 will be impacted. If anonymous users must be granted access to resources, you must explicitly add the Anonymous Logon security group to the access control list for the resource and provide the required permissions. If anonymous users must always be granted access to resources, you can change the new Windows Server 2003 default security setting for the Everyone group by enabling the group policy Network Access: Let Everyone Permissions Apply To Anonymous Users, located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. For more information about using Group Policy, refer to Chapter 11, “Administering Group Policy.”
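The Everyone and Anonymous Logon behaviour described above, modelled as an added Python example (not code from the training kit). The share ACL, the three logon kinds, and the function names are constructed for illustration; the model covers only the Everyone membership rules this section and Table 8-4 state.

```python
"""Effect of the Windows Server 2003 change to the Everyone group on anonymous
access, modelled in Python. Added example for this chapter, not code from the
training kit; the access control lists below are constructed."""
from enum import Enum


class OS(Enum):
    WINDOWS_2000 = "Windows 2000"          # Windows NT behaves the same way here
    WINDOWS_SERVER_2003 = "Windows Server 2003"


ANONYMOUS_LOGON = "Anonymous Logon"
AUTHENTICATED_USERS = "Authenticated Users"
DOMAIN_GUESTS = "Domain Guests"
EVERYONE = "Everyone"


def identities(logon, os, everyone_applies_to_anonymous=False):
    """Special identity groups the operating system puts in a logon's token.
    logon is "anonymous" (no user name or password), "authenticated", or
    "guest" (the Guest account: a Domain Guests member, never an Authenticated User)."""
    held = {"anonymous": {ANONYMOUS_LOGON},
            "authenticated": {AUTHENTICATED_USERS},
            "guest": {DOMAIN_GUESTS}}[logon]
    # Everyone always contains Authenticated Users and Domain Guests ...
    if held & {AUTHENTICATED_USERS, DOMAIN_GUESTS}:
        held.add(EVERYONE)
    # ... and contains Anonymous Logon on Windows NT/2000, but on Windows
    # Server 2003 only when "Network Access: Let Everyone Permissions Apply
    # To Anonymous Users" is enabled.
    if ANONYMOUS_LOGON in held and (
            os is OS.WINDOWS_2000 or everyone_applies_to_anonymous):
        held.add(EVERYONE)
    return held


def has_access(acl, held):
    """Evaluate a simplified DACL of (trustee, "Allow" | "Deny") entries: a Deny
    for any held identity wins; otherwise some Allow for a held identity is needed."""
    if any(kind == "Deny" and trustee in held for trustee, kind in acl):
        return False
    return any(kind == "Allow" and trustee in held for trustee, kind in acl)


def anonymous_can_access(acl, os, everyone_applies_to_anonymous=False):
    """Does a logon with no user name or password reach the resource?"""
    return has_access(acl, identities("anonymous", os, everyone_applies_to_anonymous))


def restrict_to_authenticated(acl):
    """The text's remedy for resources meant only for authenticated users:
    take Everyone off the ACL and grant Authenticated Users instead."""
    return [(AUTHENTICATED_USERS if trustee == EVERYONE else trustee, kind)
            for trustee, kind in acl]


def allow_anonymous_explicitly(acl):
    """The text's Windows Server 2003 remedy when anonymous access is required:
    add Anonymous Logon to the ACL rather than relying on Everyone."""
    return acl + [(ANONYMOUS_LOGON, "Allow")]


# Constructed example: a share whose ACL grants access to Everyone.
SHARE_ACL = [(EVERYONE, "Allow")]

if __name__ == "__main__":
    for system in OS:
        print(f"{system.value}: anonymous reaches Everyone-granted share ->",
              anonymous_can_access(SHARE_ACL, system))
    print("Windows Server 2003 with the policy enabled ->",
          anonymous_can_access(SHARE_ACL, OS.WINDOWS_SERVER_2003, True))
    print("After restrict_to_authenticated, even on Windows 2000 ->",
          anonymous_can_access(restrict_to_authenticated(SHARE_ACL), OS.WINDOWS_2000))
```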

Built-In Local Groups

All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local groups. Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Windows Server 2003 places the built-in local groups into the Groups folder in the Local Users and Groups snap-in in the Computer Management console. Table 8-5 describes the capabilities that members of the most commonly used built-in local groups have. Except where noted, there are no initial members in these groups.

Table 8-5 Commonly Used Built-In Local Groups

Built-in Local Group             Description
Administrators                   Members can perform all administrative tasks on the computer. By default, the built-in Administrator user account for the computer is a member. When a member server or computer running Windows XP Professional joins a domain, Windows Server 2003 adds the Domain Admins predefined global group to this group.
Backup Operators                 Members can use Windows Backup to back up and restore the computer.
Guests                           Members can perform only tasks for which you have specifically granted rights and can gain access only to resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the built-in Guest account for the computer is a member.
HelpServicesGroup                Members can set rights common to all support applications. By default, the only member is the account associated with Microsoft support applications. Do not add users to this group.
Network Configuration Operators  Members can make changes to TCP/IP settings and renew and release TCP/IP addresses. This group has no default members.
Performance Monitor Users        Members can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.
Performance Log Users            Members can manage performance counters, logs, and alerts on the server locally and from remote clients without being a member of the Administrators or Performance Monitor Users groups.
Power Users                      Members can create and modify local user accounts on the computer and share resources.
Print Operators                  Members can administer domain printers.
Remote Desktop Users             Members can remotely log on to a server.
Replicator                       Supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.
Terminal Server Users            Contains users who are currently logged on using Terminal Server.
Users                            Members can perform only tasks for which you have specifically granted rights and can gain access only to resources for which you have assigned permissions. By default, Windows Server 2003 adds local user accounts that you create on the computer to the Users group. When a member server or a computer running Windows XP Professional joins a domain, Windows Server 2003 adds the Domain Users predefined global group to this group.

Exam Tip Be familiar with the groups in each category.
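Because several of the groups in Table 8-5 (Administrators, Backup Operators, Power Users, Remote Desktop Users) confer rights that a domain join or a careless helpdesk change can widen, the membership of those local groups is worth checking. The following is an added example, not code from the training kit: it enumerates the members of a local group through the WinNT ADSI provider and reports members of the privileged groups that are not on a baseline list. It assumes PowerShell 2.0 or later; the baseline entries (the local Administrator and CONTOSO\Domain Admins) are placeholders for your own.

```powershell
# Added example, not code from the training kit. Assumptions: PowerShell 2.0 or
# later; CONTOSO\Domain Admins and the local Administrator are placeholder
# baseline members.

function Get-LocalGroupMember {
    param([Parameter(Mandatory = $true)][string]$GroupName,
          [string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $members = @()
    try   { $members = @($group.psbase.Invoke('Members')) }
    catch { Write-Warning "Group $GroupName does not exist on $ComputerName"; return }
    foreach ($m in $members) {
        # Members() returns raw COM objects; read their properties by reflection.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://SERVER1/Administrator
        $account = ($path -replace '^WinNT://', '') -replace '/', '\'
        New-Object PSObject -Property @{ Group = $GroupName; Member = $account; Class = $class }
    }
}

# Groups from Table 8-5 whose members can take over the computer or its data.
$PrivilegedGroups = 'Administrators', 'Backup Operators', 'Power Users', 'Remote Desktop Users'

# Baseline: what each privileged group is expected to contain on a member
# server. Domain Admins lands in Administrators at domain join (see the table).
$ExpectedMembers = @{
    'Administrators'       = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
    'Backup Operators'     = @()
    'Power Users'          = @()
    'Remote Desktop Users' = @()
}

function Find-UnexpectedLocalGroupMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($g in $PrivilegedGroups) {
        foreach ($m in Get-LocalGroupMember -GroupName $g -ComputerName $ComputerName) {
            if ($ExpectedMembers[$g] -notcontains $m.Member) { $m }
        }
    }
}

Find-UnexpectedLocalGroupMember | Format-Table Group, Member, Class -AutoSize
```

The Class column distinguishes user accounts from groups, which matters because a nested domain group such as Domain Users in Administrators is a far larger exposure than a single stray account. When you point the function at a remote computer, adjust the baseline so the local Administrator entry carries that computer's name.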


Planning Groups

To use groups effectively, you must determine how you will use the groups and which types of groups you will use. It is important to have a group strategy in place before you begin creating groups.

Planning Global and Domain Local Groups

Global and domain local groups are listed in the global catalog, but their members are not. This reduces the size of the global catalog and the replication traffic associated with keeping the global catalog up to date. You can improve network performance by using groups with global or domain local scope for directory objects that change frequently. Global and domain local group implementation guidelines are identical to the group strategy recommendations for a Windows NT 4 or earlier domain. Use the following procedure, as portrayed in Figure 8-3, to plan your global and domain local group strategy:

1. Assign users with common job responsibilities to global groups. Identify users with common job responsibilities and add the user accounts to a global group. For example, in an accounting department, add user accounts for all accountants to a global group called Accounting.

2. Create a domain local group for resources to be shared. Identify the resources or group of resources, such as related files or printers, to which users need access, and then create a domain local group for that resource. For example, if you have a number of color printers in your company, create a domain local group called Color Printers.

3. Add global groups that need access to the resources to the domain local group. Identify all global groups that share the same access needs for resources and make them members of the appropriate domain local group. For example, add the global groups Accounting and Sales to the domain local group Color Printers.

4. Assign resource permissions to the domain local group. Assign the required permissions for the resource to the domain local group. For example, assign the necessary permissions to use color printers to the Color Printers group. Users in the Accounting and Sales global groups receive the required permissions because their global group is a member of the domain local group Color Printers.

This strategy gives you the most flexibility for growth and reduces the number of permission assignments: permissions are set once, on the domain local group, and access is adjusted afterward purely through group membership.
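The four steps above carried out end to end, as an added example that is not code from the training kit (the same objects that Lesson 2's console procedures for creating a group and adding members create). It uses the ADSI adapter built into PowerShell, which works against a Windows Server 2003 domain without additional modules, and assumes PowerShell 2.0 or later. The domain contoso.com (NetBIOS name CONTOSO), an OU named Groups, a user jdoe, and the folder D:\ColorPrinterDocs standing in for the shared color-printer resource are all placeholders.

```powershell
# Added example, not code from the training kit. Assumptions: PowerShell 2.0 or
# later on a domain member; contoso.com / CONTOSO, OU=Groups, user jdoe and
# D:\ColorPrinterDocs are placeholders; the caller can create groups in the OU
# and change the folder's ACL.

$DomainDn      = 'DC=contoso,DC=com'
$NetBiosDomain = 'CONTOSO'
$GroupsOuDn    = "OU=Groups,$DomainDn"
$GroupsOu      = [ADSI]"LDAP://$GroupsOuDn"

# groupType = scope bit plus the security-enabled bit 0x80000000, written as
# the signed 32-bit integers Active Directory stores.
$GlobalSecurityGroup      = -2147483646   # 0x80000002
$DomainLocalSecurityGroup = -2147483644   # 0x80000004

function Find-AdObject {
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDn", $Filter)
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    return $hit.GetDirectoryEntry()
}

function New-AdSecurityGroup {
    # The sAMAccountName must be unique in the domain, so an existing group of
    # that name is returned instead of failing; this keeps re-runs safe.
    param([string]$Name, [int]$GroupType)
    $existing = Find-AdObject "(&(objectClass=group)(sAMAccountName=$Name))"
    if ($existing -ne $null) { return $existing }
    $group = $GroupsOu.psbase.Children.Add("CN=$Name", 'group')
    $group.psbase.Properties['sAMAccountName'].Value = $Name
    $group.psbase.Properties['groupType'].Value      = $GroupType
    $group.psbase.CommitChanges()
    return $group
}

function Add-AdGroupMember {
    # IADsGroup.Add takes the member's ADsPath; IsMember keeps re-runs idempotent.
    param($Group, $Member)
    $memberPath = $Member.psbase.Path
    if (-not $Group.psbase.Invoke('IsMember', $memberPath)) {
        $Group.psbase.Invoke('Add', $memberPath)
    }
}

function Grant-FolderAccess {
    param([string]$Path, [string]$Account, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 1: global groups that reflect job responsibilities, holding user accounts.
$accounting = New-AdSecurityGroup -Name 'Accounting' -GroupType $GlobalSecurityGroup
$sales      = New-AdSecurityGroup -Name 'Sales'      -GroupType $GlobalSecurityGroup
$jdoe = Find-AdObject '(&(objectClass=user)(sAMAccountName=jdoe))'
if ($jdoe -ne $null) { Add-AdGroupMember -Group $accounting -Member $jdoe }

# Step 2: one domain local group named for the resource being shared.
$colorPrinters = New-AdSecurityGroup -Name 'Color Printers' -GroupType $DomainLocalSecurityGroup

# Step 3: nest the global groups in the domain local group.
Add-AdGroupMember -Group $colorPrinters -Member $accounting
Add-AdGroupMember -Group $colorPrinters -Member $sales

# Step 4: permissions go to the domain local group only. The account name is
# resolved to the group's SID when the ACL is written, so the new group must
# already be visible on the domain controller this computer uses.
Grant-FolderAccess -Path 'D:\ColorPrinterDocs' -Account "$NetBiosDomain\Color Printers" -Rights 'Modify'
```

Notice that no user account and no global group ever appears in the folder's ACL. Giving Sales or a new department access later is a membership change on Color Printers, not an ACL edit on the resource.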


Figure 8-3 Planning a global and domain local group strategy

Some of the possible limitations of other strategies include the following:

■ Placing user accounts in domain local groups and assigning permissions to the domain local groups This strategy does not allow you to assign permissions for resources outside of the domain. This strategy reduces the flexibility when your network grows.

■ Placing user accounts in global groups and assigning permissions to the global groups This strategy can complicate administration when you are using multiple domains. If global groups from multiple domains require the same permissions, you have to assign permissions for each global group.

Planning Universal Groups

Use universal groups to grant or deny access to resources that are located in more than one domain. As discussed earlier in this lesson, when the membership of any universal group changes, the change must be replicated to every global catalog in the forest. At the Windows Server 2003 forest functional level only the individual member values that changed are replicated, rather than the whole membership list, which reduces this traffic but does not remove it. Either way, frequent membership changes can cause excessive network traffic, so you should define universal groups with caution. Follow these guidelines to ensure minimal impact on replication traffic:

■ Add global groups, not users, to universal groups The global groups are the members of the universal group. Keep the number of group members in universal groups as low as possible and minimize the number of individual users.

■ Change the membership of universal groups as infrequently as possible By requiring all members of universal groups to be global groups and making individual membership changes in the global groups, the membership changes you make to the global groups do not affect the universal groups or replication traffic.

[Figure 8-3 diagram text] Domain1 and Domain2 are shown. In Domain1, Salesperson1 and Salesperson2 are placed in the Sales global group and Accountant1 and Accountant2 in the Accounting global group (step 1, assign users with common job responsibilities to global groups); the Color Printers domain local group is created for the resource (step 2, create a domain local group for resources to be shared); the Sales and Accounting global groups are added to the Color Printers domain local group (step 3, add global groups that need access to the resources to the domain local group); permission to use the color printers in Domain1 is assigned to the Color Printers domain local group (step 4, assign resource permissions to the domain local group).


Practice: Planning New Group Accounts

In this practice, you plan the groups that are required for a business scenario.

Exercise 1

You are an administrator for the customer service division of a manufacturing company. You administer a domain that is part of your company’s domain tree. You do not administer other domains, but you might have to give selected user accounts from other domains access to resources in your domain. Users at the company use several shared network resources. The company is also planning to implement an e-mail program that uses Active Directory.

As the administrator, you must determine

■ Which groups are needed.

■ The membership of each group. This can be user accounts or other groups.

■ The type and scope for each group.

Use the procedure provided earlier in this lesson to plan your global and domain local group strategy. Record your planning strategy on the Group Accounts Planning Worksheet provided on pages 8-18 and 8-19. Follow these instructions to complete the worksheet:

1. On the worksheet, provide a name for each group. Record each name in the group name column.

2. Specify the type and scope of each group in the type and scope column.

3. List the members of each group in the members column.

After completing the exercise, compare your worksheet with the sample provided. The sample presents only one set of possible answers. You might have planned your groups differently.

Table 8-6 provides the job function and number of employees in each job function in the customer service division.

Table 8-6 Customer Service Division Employee Information

Job Function Number of Employees

Product tester 20

Customer service representative 250

Maintenance worker 5

Manager 5

Sales representative 5

Network administrator 2


Table 8-7 lists the information access requirements for various employees.

Table 8-7 Employee Information Access Requirements

Employee                                                         Access Needed
Customer service representatives and managers                    Customer database, full access
Sales representatives                                            Customer database, read-only access
All employees                                                    Company policies, read-only access
All employees                                                    Receive company announcements through e-mail
Any employees in any domain who are interested in these topics   Receive periodic announcements through e-mail about important topics
All employees, except maintenance workers                        Shared installation of Microsoft Office
Network administrators                                           Full access to all resources in the company
Sales representatives from your domain and all other domains     Sales reports

Group Accounts Planning Worksheet

Group Name    Type and Scope    Members


Group Accounts Planning Worksheet (Answers)

Now that you’ve completed the worksheet, answer the following questions.

1. Does your network require local groups?

No. The scenario presents no need to create local groups, which you can use only on a single computer.

2. Does your network require universal groups?

No. The scenario presents no need to create universal groups. Your domain has no groups that need to have access to resources in multiple domains and also need to have members from multiple domains.

Group Name     Type and Scope              Members
Testers        Security, global            All product testers
CSRs           Security, global            All customer service representatives
Maint          Security, global            All maintenance workers
Mgrs           Security, global            All managers
Sales          Security, global            All sales reps
NetAdmin       Security, global            All network administrators
AllEmployees   Security, global            All employees
Topics         Security, global            Employees interested in manufacturing topics
CustomerDB     Security, domain local      CSRs, Mgrs, Sales, NetAdmin global groups
Policies       Security, domain local      AllEmployees global group
MSOffice       Security, domain local      Testers, CSRs, Mgrs, Sales, NetAdmin global groups
SalesReports   Security, domain local      Sales and NetAdmin global groups
EmailAnn       Distribution, domain local  AllEmployees global group
EmailManuf     Distribution, domain local  Topics and NetAdmin global groups


3. Sales representatives at the company frequently visit the company headquarters and other divisions. Therefore, you need to give sales representatives with user accounts in other domains the same permissions for resources that sales representatives in your domain have. You also want to make it easy for administrators in other domains to assign permissions to sales representatives in your domain. How can you accomplish this?

Create global groups for sales representatives in all other domains. Add these global groups to the appropriate domain local groups in your domain. Tell administrators in other domains about the global group that represents sales representatives in your domain. Have the administrators add the sales representatives group from your domain to the appropriate domain local groups in their domains.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. What is the purpose of using groups?

2. When should you use security groups rather than distribution groups?

3. What strategy should you apply when you use domain and local groups?

4. Why is replication an issue with universal groups?

5. Which of the following statements about group scope membership are incorrect? (Choose all that apply.)

a. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain.

b. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from any domain.


c. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from the same domain.

d. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain.

e. In domains with a domain functional level set to Windows 2000 mixed, universal groups can contain user accounts, computer accounts, global groups, and other universal groups from any domain.

f. In domains with a domain functional level set to Windows 2000 mixed, universal groups do not exist.

Lesson Summary

■ A group is a collection of users, computers, contacts, and other groups. Distribution groups are used only for e-mail. Security groups are used to grant access to resources.

■ Group scopes allow you to use groups in different ways to assign permissions. The three group scopes are global, domain local, and universal. Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.

■ Windows Server 2003 has four categories of default groups: groups in the Builtin folder, groups in the Users folder, special identity groups, and default local groups.

■ In Windows Server 2003, the Anonymous Logon group is no longer a member of the Everyone group. If anonymous users must be granted access to resources, you must explicitly add the Anonymous Logon security group to the access control list for the resource and provide the required permissions. If anonymous users must always be granted access to resources, you can change the new Windows Server 2003 default security setting for the Everyone group by enabling the group policy Network Access: Let Everyone Permissions Apply To Anonymous Users.

■ Use the following strategy for planning groups: place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group.


Lesson 2: Creating and Administering Groups

After you assess user needs and have a group plan in place, you are ready to create your groups. Once you have created groups, you might find it necessary to carry out various administrative tasks to maintain them. This lesson shows you how to create groups, delete groups, add members to groups, and change the group scope.

After this lesson, you will be able to

■ Create groups

■ Delete groups

■ Add members to groups

■ Change the group scope

Estimated lesson time: 20 minutes

Note If you are using Windows Server 2003 with Service Pack 1 (SP1), the Windows Firewall might prevent you from creating and administering groups using the Active Directory Users and Computers console. For example, you will get errors if the Windows Firewall is enabled on a domain controller and you are using the console from a workstation or other server. For more information, see “Windows Firewall Settings: Remote Administration Tools” at http://technet2.microsoft.com/WindowsServer/en/Library/e0bb5886-478e-4408-bb52-544d0ab0f4461033.mspx.

Creating a Group

You use the Active Directory Users And Computers console to create groups. With the necessary permissions, you can create groups in any domain in the forest, in an OU, or in a container you have created specifically for groups. The name you select for a group must be unique in the domain where you create the group.

To create a group, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Right-click the appropriate domain, OU, or container, point to New, and click Group.

3. In the New Object–Group dialog box, shown in Figure 8-4, type the name of the group in the Group Name box. Note that an entry automatically appears in the Group Name (Pre–Windows 2000) box, based on the group name you typed. Select the group scope in the Group Scope box. Select the group type in the Group Type box. Click OK.


Figure 8-4 New Object–Group dialog box

Deleting a Group

As your organization grows and changes, you might discover groups that you no longer need. Be sure to delete these groups. Deleting unnecessary groups maintains security: a stale group that still appears in access control lists is a place where access can be granted by accident. Each group you create has a unique, nonreusable identifier called the security identifier (SID). Windows Server 2003 uses the SID, not the group name, to identify the group in the permissions assigned to it. When you delete a group, Windows Server 2003 does not use the SID for that group again, even if you create a new group with the same name as the group you deleted. Therefore, you cannot restore access to resources by re-creating the group; the access control entries that referenced the old SID stay orphaned and the permissions must be assigned again to the new group.

When you delete a group, you delete only the group and the permissions and rights associated with it. Deleting a group does not delete the user accounts that are members of the group.

To delete a group, complete the following steps:

1. Right-click the group, and then click Delete.

2. Click Yes in the Active Directory dialog box.

Off the Record You can use a script to determine a user’s group memberships. This is helpful if you’d like to make a logon script dependent upon a user’s group membership. The script Chkgrps.vbs on the companion CD-ROM in the \70-294\Labs\Chapter08 folder illustrates how you can use Microsoft Visual Basic Scripting Edition (VBScript) to list a user’s group memberships. In the Troubleshooting Lab, you’ll learn how to use the Ifmember executable to list group membership.
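A PowerShell counterpart to that script, as an added example that is not Chkgrps.vbs from the companion CD: it lists every security group a domain user belongs to, including groups reached only through nesting, by reading the constructed tokenGroups attribute, and tests for one group by name. That makes it a direct check of the planning strategy in Lesson 1 (a user in a global group should show up in the domain local group that holds the permissions). It assumes PowerShell 2.0 or later on a domain member; salesperson1 and CONTOSO\Color Printers are placeholders.

```powershell
# Added example, not code from the training kit. Assumptions: PowerShell 2.0 or
# later on a domain member; salesperson1 and CONTOSO\Color Printers are
# placeholders.

function Get-UserTokenGroups {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$domainDn", "(&(objectClass=user)(sAMAccountName=$SamAccountName))")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "User $SamAccountName was not found in $domainDn" }
    $user = $hit.GetDirectoryEntry()
    # tokenGroups is computed by the domain controller on request: the SIDs of
    # the user's direct and nested security groups, the same set that is placed
    # in the user's access token at logon.
    $user.psbase.RefreshCache(@('tokenGroups'))
    foreach ($sidBytes in $user.psbase.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }   # e.g. a group deleted after the membership was granted
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
}

function Test-UserInGroup {
    param([string]$SamAccountName, [string]$GroupName)
    $hits = @(Get-UserTokenGroups -SamAccountName $SamAccountName | Where-Object { $_.Name -eq $GroupName })
    return ($hits.Count -gt 0)
}

Get-UserTokenGroups -SamAccountName 'salesperson1' | Sort-Object Name | Format-Table Name, Sid -AutoSize
# $true once the Sales global group has been nested in the Color Printers
# domain local group as the planning procedure describes.
Test-UserInGroup -SamAccountName 'salesperson1' -GroupName 'CONTOSO\Color Printers'
```

Reading tokenGroups is cheaper and more accurate than walking memberOf recursively, because the domain controller does the expansion and the result matches what the user's token will contain. Distribution groups do not appear, which is correct for an access check.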


Adding Members to a Group

After you create a group, you add members. Members of groups can include user accounts, contacts, other groups, and computers. You can add a computer to a group to give one computer access to a shared resource on another computer, for example, for remote backup. To add members, use the Active Directory Users And Computers console.

To add members to a group, complete the following steps:

1. Start the Active Directory Users And Computers console and expand the domain, OU, or container in which the group is contained.

2. Right-click the appropriate group, and then click Properties.

3. In the Properties dialog box for the group, click the Members tab, and then click Add.

4. In the Select Users, Contacts, Computers, Or Groups dialog box, shown in Figure 8-5, click Advanced.


Figure 8-5 The Select Users, Contacts, Computers, Or Groups dialog box

Note If you are adding members to a global group in a domain with a domain functional level set to Windows 2000 mixed, the Select Users, Contacts, Or Computers dialog box appears because you cannot add global groups to global groups in a domain with a domain functional level set to Windows 2000 mixed.

5. In the extended Select Users, Contacts, Computers, Or Groups dialog box, shown in Figure 8-6, click Find Now. Scroll through the list at the bottom of the dialog box and select the user, contact, computer, or group that you want to add to the group. Hold down the SHIFT or CTRL key to select multiple users, contacts, computers, or groups at a time. Click OK.


Figure 8-6 Extended Select Users, Contacts, Computers, Or Groups dialog box

6. The accounts you have selected are listed in the Enter The Object Names To Select box at the bottom of the Select Users, Contacts, Computers, Or Groups dialog box. Review the accounts to make sure that they are the accounts you wish to add to the group, and click OK to add the members.

7. In the Properties dialog box for the group, click OK.

Note You can also add a user, contact, computer, or group by using the Member Of tab in the Properties dialog box for the user, contact, computer, or group. Use this method to quickly add the same user, contact, computer, or group to multiple groups.

Changing the Group Scope

When you create a new group, by default, the new group is configured as a security group with global scope regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level set to Windows 2000 mixed, the following scope changes are allowed in domains with a domain functional level set to Windows 2000 native or Windows Server 2003.

■ Global to universal, as long as the group is not a member of another group having global scope

■ Domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member


■ Universal to global, as long as the group being converted does not have another universal group as its member

■ Universal to domain local
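The conversion rules above applied before the change is made, as an added example that is not code from the training kit: the function refuses in a mixed-mode domain, inspects the group's members and the groups it belongs to, and then rewrites the groupType attribute, which is what changing the scope on the General tab does. It assumes PowerShell 2.0 or later on a domain member; the group DN is a placeholder.

```powershell
# Added example, not code from the training kit. Assumptions: PowerShell 2.0 or
# later on a domain member; the group DN at the bottom is a placeholder.

$ScopeBit = @{ Global = 2; DomainLocal = 4; Universal = 8 }   # groupType scope bits

function Get-GroupScope {
    param([int]$GroupType)
    foreach ($scope in $ScopeBit.Keys) {
        if (($GroupType -band $ScopeBit[$scope]) -ne 0) { return $scope }
    }
    throw "groupType $GroupType carries no scope bit"
}

function Get-ScopeOfGroupsAt {
    # Scopes of the group objects listed in a DN-valued attribute (member or memberOf).
    param($Group, [string]$Attribute)
    foreach ($dn in $Group.psbase.Properties[$Attribute]) {
        $entry = [ADSI]"LDAP://$dn"
        if ($entry.psbase.SchemaClassName -eq 'group') {
            Get-GroupScope ([int]$entry.psbase.Properties['groupType'].Value)
        }
    }
}

function Test-ScopeChange {
    # Returns 'ok' or the reason the conversion is blocked.
    param($Group, [string]$To)
    $from = Get-GroupScope ([int]$Group.psbase.Properties['groupType'].Value)
    if ($from -eq $To) { return "already $To" }
    $memberScopes = @(Get-ScopeOfGroupsAt $Group 'member')
    $parentScopes = @(Get-ScopeOfGroupsAt $Group 'memberOf')
    switch ("$from->$To") {
        'Global->Universal'      { if ($parentScopes -contains 'Global')      { return 'blocked: group is a member of a global group' } }
        'DomainLocal->Universal' { if ($memberScopes -contains 'DomainLocal') { return 'blocked: a domain local group is a member' } }
        'Universal->Global'      { if ($memberScopes -contains 'Universal')   { return 'blocked: a universal group is a member' } }
        'Universal->DomainLocal' { }
        default                  { return "blocked: $from to $To is not a permitted conversion (convert to Universal first)" }
    }
    return 'ok'
}

function Set-GroupScope {
    param([Parameter(Mandatory = $true)][string]$GroupDn,
          [Parameter(Mandatory = $true)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$To)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$([string]$rootDse.defaultNamingContext)"
    # ntMixedDomain is 1 while the domain is at the Windows 2000 mixed level.
    if ([int]$domain.psbase.Properties['ntMixedDomain'].Value -eq 1) {
        throw 'Domain is in mixed mode; scope changes are not allowed until the functional level is raised'
    }
    $group   = [ADSI]"LDAP://$GroupDn"
    $verdict = Test-ScopeChange -Group $group -To $To
    if ($verdict -ne 'ok') { throw "${GroupDn}: $verdict" }
    $current = [int]$group.psbase.Properties['groupType'].Value
    $newType = [int]$ScopeBit[$To]
    if ($current -lt 0) { $newType = $newType -bor [int]::MinValue }   # keep the security-enabled bit 0x80000000
    $group.psbase.Properties['groupType'].Value = $newType
    $group.psbase.CommitChanges()
    return $verdict
}

# Sales is a global security group; the change goes through only if no global
# group has Sales as a member.
Set-GroupScope -GroupDn 'CN=Sales,OU=Chicago,DC=contoso,DC=com' -To Universal
```

The security-enabled bit is preserved deliberately: clearing it would silently turn a security group into a distribution group and drop it from every access token. The memberOf check sees only memberships in the local domain, which is the case the rule about global groups concerns.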

To change the scope of a group, complete the following steps:

1. Start the Active Directory Users And Computers console and expand the domain, OU, or container in which the group is contained.

2. Right-click the appropriate group, and then click Properties.

3. Change the group scope in the General tab of the Properties dialog box for the group. Click OK.

Practice: Creating and Administering Groups

In this practice, you create and administer a global security group.

Note To complete this practice, you must have successfully completed the practices in Chapter 6, “Implementing an OU Structure,” and Chapter 7, “Administering User Accounts.”

Exercise 1: Creating a Global Group and Adding Members

In this exercise, you create a global security group and add members to the group.

To create a global group and add members

1. Log on to Server1 as Administrator.

2. On Server1, use the procedure provided earlier in this lesson to create a global security group in the Chicago OU. Name the global group Sales.

3. Use the procedure provided earlier in this lesson to add User One and User Five as members of the Sales global group.

Exercise 2: Creating a Domain Local Group and Adding Members

In this exercise, you create a domain local group that you use to assign permissions to gain access to sales reports. Because you use the group to assign permissions, you make it a domain local group. You then add members to the group by adding the security global group you created in Exercise 1.

To create a domain local group and add members

1. On Server1, use the procedure provided earlier in this lesson to create a domain local group in the Chicago OU. Name the domain local group Reports.

2. Use the procedure provided earlier in this lesson to add the Sales global group as a member of the Reports domain local group.


Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the “Questions and Answers” section at the end of this chapter.

1. Where can you create groups?

2. What is deleted when you delete a group?

3. What Active Directory components can be members of groups?

4. In what domain functional level is changing the group scope allowed? What scope changes are permitted in this domain functional level?

5. The name you select for a group must be unique to which of the following Active Directory components?

a. forest

b. tree

c. domain

d. site

e. OU

Lesson Summary

■ You use the Active Directory Users And Computers console to create groups, delete groups, add members to groups, and change the group scope.

■ With the necessary permissions, you can create groups in any domain in the forest, in an OU, or in a container you have created specifically for groups. The name you select for a group must be unique in the domain where you create the group.


■ When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group does not delete the user accounts that are members of the group.

■ You cannot change the group scope for domains with a domain functional level set to Windows 2000 mixed.

■ The following scope changes are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003: global to universal, as long as the group is not a member of another group having global scope; domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member; universal to global, as long as the group being converted does not have another universal group as its member; and universal to domain local.


Lesson 3: Administration Strategies

For optimum security, Microsoft recommends that you do not place the accounts administrators use for everyday work in the Administrators group and that you avoid running your computer while logged on as an administrator. This lesson examines reasons why you should not run your computer as an administrator and the actions you should take to ensure security for administrators.

After this lesson, you will be able to

■ Explain why you should not run your computer as an administrator

■ Explain the groups administrators should use to log on

■ Explain how to use the Run As program to start a program as an administrator

Estimated lesson time: 15 minutes

Why You Should Not Run Your Computer as an Administrator

Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site might contain Trojan horse code that can be downloaded to the system and executed. Any program you run, that Trojan horse included, runs with the rights of the account you are logged on with. If you are logged on with administrator privileges, a Trojan horse could possibly reformat your hard drive, delete all files, create a new user account with administrative access, and so on.

Therefore, you should not assign yourself to the Administrators group and you should avoid running your computer while logged on as an administrator. For most computer activity, you should assign yourself to the Users or Power Users group. When you log on as a member of the Users group, you can perform routine tasks, including running programs and visiting Internet sites, without exposing your computer to unnecessary risks. As a member of the Power Users group, you can perform routine tasks and also install programs, add printers, and use most Control Panel items. If you need to perform an administrator-only task, such as upgrading the operating system or configuring system parameters, you should log on as an administrator, perform the task, and then log off. If you frequently need to log on as an administrator, you can use the Run As program to start programs as an administrator.

Using the Run As Program

The Run As program allows a user to run specific tools and programs with permissions other than those provided by the account with which the user is currently logged on. Therefore, you can use the Run As program to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user. The Run As program can be used to start any program, Microsoft Management Console (MMC) tool, or Control Panel item, as long as

■ You provide the appropriate user account and password information

■ The user account is allowed to log on to the computer interactively (Run As performs an interactive logon for that account, so the account needs the Allow log on locally right and must not be denied it)

■ The program, MMC tool, or Control Panel item is available on the system and to the user account

The Run As program is usually used to run programs as an administrator, although it is not limited to administrator accounts. Any user with multiple accounts can use Run As to run a program, MMC tool, or Control Panel item with alternate credentials. The Run As program can be invoked on the desktop or by using the Runas command.

To invoke the Run As program from the desktop, complete the following steps:

1. In Windows Explorer, or on the Start menu, right-click the program, MMC tool, or Control Panel item you want to open, and then click Run As.

2. In the Run As dialog box, shown in Figure 8-7, click The Following User.


Figure 8-7 Run As dialog box

3. Type the user name and password of the account you want to use in the User Name and Password boxes, respectively. Click OK.

If you attempt to start a program, MMC tool, or Control Panel item from a network location using the Run As program, it might fail if the credentials used to connect to the network share are different from the credentials used to start the program. The program runs in a separate logon session for the alternate account, and network connections (including mapped drives) belong to the logon session that created them, so the alternate account might not be able to gain access to the same network share. If the Run As program fails altogether, the Secondary Logon service might not be running; the Run As dialog box, the Runas command, and the Run With Different Credentials shortcut option all depend on it. You can set the Secondary Logon service to start automatically when the system starts by using the Services console.


You can also set a property on shortcuts to programs and MMC tools so that you are always prompted for alternate credentials when you use the shortcut. To set the property, right-click the shortcut, click Properties, click Advanced in the Shortcut tab, and then select the Run With Different Credentials check box in the Advanced Properties dialog box. When you start the shortcut, the Run As dialog box appears, prompting you for the alternate user name, password, and domain as described previously.

Using the Runas Command

The Runas command performs the same functions as invoking Run As from the desktop. The syntax for the Runas command is

runas [{/profile|/noprofile}] [/env] [{/netonly|/savecred}] [/smartcard] /user:UserAccountName program
runas /trustlevel:Level program
runas /showtrustlevels

■ /profile Loads the user's profile. This is the default setting. It cannot be combined with /netonly.

■ /noprofile Specifies that the user's profile is not to be loaded. This allows the application to load more quickly, but it can also cause a malfunction in some applications.

■ /env Specifies that the current environment (the environment variables of your own logon session) be used instead of the alternate user's environment.

■ /netonly Indicates that the user information specified is for remote access only. The program runs with the token of the account you are logged on with, and the supplied credentials are used only when the program authenticates to remote servers. Use this for an account that cannot log on locally, such as an account from another forest.

■ /savecred Uses credentials previously saved by this user, and saves them the first time, so later runs do not prompt for a password. Saved credentials are available to anything that runs as your normal account, which defeats the purpose of keeping that account unprivileged; avoid this option for administrator accounts. It cannot be combined with /smartcard.

■ /smartcard Indicates that the credentials are to be supplied from a smart card.

■ /showtrustlevels Lists the values that can be used with /trustlevel on this computer.

■ /trustlevel:Level Runs the program as a restricted version of the current account, at one of the authorization levels listed by /showtrustlevels, rather than as another user; it is used instead of /user.

■ /user:UserAccountName Specifies the name of the user account under which to run the program. The user account format should be user@domain or domain\user.

■ program Specifies the program or command to run using the account specified in /user. Enclose it in quotation marks if it contains spaces or arguments.

If you want to use the Administrator account on your computer, for the /user: parameter, type:

/user:AdministratorAccountName@ComputerName

or

/user:ComputerName\AdministratorAccountName


If you want to use this command as a domain administrator, type:

/user:AdministratorAccountName@DomainName

or

/user:DomainName\AdministratorAccountName

Runas Examples

■ To start an instance of the Windows Server 2003 command prompt as an administrator on the local computer, type:

runas /user:localmachinename\administrator cmd

When prompted, type the administrator password.

■ To start an instance of the Computer Management snap-in using a domain administrator account called companydomain\domainadmin, type:

runas /user:companydomain\domainadmin "mmc %windir%\system32\compmgmt.msc"

When prompted, type the account password.

■ To start an instance of Microsoft Notepad using a domain administrator account called user in a domain called domain.microsoft.com, type:

runas /user:user@domain.microsoft.com "notepad my_file.txt"

When prompted, type the account password.

■ To start an instance of a command prompt window, saved MMC console, Control Panel item, or program that administers a server in another forest, type:

runas /netonly /user:domain\username "command"

where domain\username must be a user with sufficient permissions to administer the server. When prompted, type the account password. Because of /netonly, the program itself still runs as the account you are logged on with (whoami in the new command prompt reports your own name); only its connections to the remote server present the supplied account.
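The same procedure scripted in Windows PowerShell, as an added example that is not from the book. Start-Process -Credential and runas.exe both create the new process through the Secondary Logon service, so the script checks that service first; the /netonly case is handed to runas.exe because Start-Process has no equivalent. The contoso\Administrator account, the fabrikam forest with its srvadmin account, and the use of PowerShell 3.0 or later (for Get-Credential -UserName) are assumptions.

```powershell
# Added example, not from the book: start an administrative tool under alternate
# credentials from a session that is logged on as an ordinary user, as Run As does.
# Assumptions: PowerShell 3.0 or later; the account and forest names are placeholders.
function Start-AdminTool {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,   # DOMAIN\user or user@domain
        [Parameter(Mandatory = $true)][string]$FilePath,   # full path; the new process has its own environment
        [string[]]$ArgumentList = @(),
        [switch]$NetOnly                                   # like runas /netonly
    )

    # The Run As dialog, runas.exe and Start-Process -Credential all create the new
    # process through the Secondary Logon service. Fail early with a clear message.
    $seclogon = Get-Service -Name seclogon
    if ($seclogon.Status -ne 'Running') {
        $fix = 'Set-Service seclogon -StartupType Automatic; Start-Service seclogon'
        throw "Secondary Logon service is $($seclogon.Status). An administrator must run: $fix"
    }

    if ($NetOnly) {
        # Start-Process has no /netonly equivalent, so use runas.exe for this case.
        # The new process keeps the logged-on user's token; only outbound network
        # authentication presents the supplied account.
        $commandLine = ($FilePath + ' ' + ($ArgumentList -join ' ')).Trim()
        & "$env:windir\system32\runas.exe" /netonly "/user:$UserName" $commandLine
        return
    }

    # Prompt for the password; never put it on a command line or in a script file.
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    $startArgs = @{ FilePath = $FilePath; Credential = $cred; LoadUserProfile = $true }
    if ($ArgumentList.Count -gt 0) { $startArgs['ArgumentList'] = $ArgumentList }
    Start-Process @startArgs
}

# Active Directory Users And Computers as the contoso.com Administrator, from a
# session logged on as an ordinary user (the practice exercise in this lesson).
Start-AdminTool -UserName 'contoso\Administrator' `
    -FilePath "$env:windir\system32\mmc.exe" `
    -ArgumentList "$env:windir\system32\dsa.msc"

# A command prompt for administering a server in another forest (fabrikam is assumed).
Start-AdminTool -UserName 'fabrikam\srvadmin' -FilePath "$env:windir\system32\cmd.exe" -NetOnly
```

Run it from the session that is logged on as the ordinary user. In the /netonly case, whoami in the new command prompt still reports that ordinary user; only connections to the remote server present the fabrikam credentials. Nothing here saves the password: runas /savecred would, after which anything running as your ordinary account could reuse it.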

Practice: Using Run As to Start a Program as an Administrator

In this practice, use the Run As program to start a program as a domain administrator.

Exercise: Using Run As to Start a Program as an Administrator

In this exercise, you use the Run As program to start the Active Directory Users And Computers console while logged on as User9.

Note To complete this practice, you must have successfully completed the practices in Chapter 6, “Implementing an OU Structure,” and Chapter 7, “Administering User Accounts.”


To use Run As to start a program as an Administrator

1. Log on to Server1 as User9.

2. On Server1, use the procedure provided earlier in this lesson to use Run As to start Active Directory Users And Computers as the Administrator for the contoso.com domain. Use the Administrator password. (Hint: You can access Active Directory Users And Computers from Control Panel, under Administrative Tools.)

3. Verify that you can now use Active Directory Users And Computers as a domain administrator by attempting to add a new user to the Chicago OU. If you can add a new user, you are successfully running Active Directory Users And Computers as Administrator while logged on as User9.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.

1. Why shouldn’t administrators be assigned to the Administrators group?

2. What is the purpose of the Run As program?

3. What are the two ways of invoking the Run As Program?

Lesson Summary

■ Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. Therefore, you should not assign yourself to the Administrators group and you should avoid running your computer while logged on as an administrator.

■ For most computer activity, you should assign yourself to the Users or Power Users group. If you need to perform an administrator-only task, such as upgrading the operating system or configuring system parameters, you should log on as an administrator, perform the task, and then log off.


■ If you frequently need to log on as an administrator, you can use the Run As program to start programs as an administrator. The Run As program allows you to run specific tools and programs with permissions other than those provided by the account with which you are currently logged on. The Run As program can be invoked on the desktop or by using the Runas command.

Case Scenario Exercise

You are a network administrator for Humongous Insurance. Humongous Insurance has a multi-domain forest. The forest root is humongousinsurance.com. There are also two child domains named west.humongousinsurance.com and east.humongousinsurance.com. The company has approximately 7,000 users, 7,000 client workstations, and 100 servers. The company's network configuration is shown in Figure 8-8.


Figure 8-8 Humongous Insurance’s forest structure

All domains are Windows Server 2003 domains. The forest root domain has 10 domain controllers. Five of those domain controllers are configured as DNS servers and two are configured as global catalog servers. The West domain has three domain controllers. Two of those domain controllers are configured as DNS servers. One of those domain controllers is configured as a global catalog server. The East domain has two Windows Server 2003 domain controllers and three Windows NT 4.0 backup domain controllers (BDCs).

Figure 8-8 (text recovered from the figure): humongous.com: 10 Windows Server 2003 domain controllers, 5,000 users, 5,000 client computers. west.humongous.com: 3 Windows Server 2003 domain controllers, 1,000 users, 1,000 Windows XP computers. east.humongous.com: 2 Windows Server 2003 domain controllers, 3 Windows NT 4.0 BDCs, 1,000 users, 1,000 computers.


The forest root domain is located in College Station, Texas. The East domain is located in Gainesville, Florida. The West domain is located in San Diego, California. There is also an Active Directory site configured for each of these locations. The site for College Station is named Main_Site. The Gainesville site is named East_Site. The San Diego site is named West_Site.

You are one of several network administrators assigned to handle the forest root domain and College Station site. Your manager, Jean Trenary, has called a meeting of all network and desktop administrators. She wants to address several issues.

Given this information, answer the following questions:

1. Jean says that there are four internal auditors in the forest root domain. There are two internal auditors in each of the child domains. Each set of internal auditors has been placed in a global group within each domain. These groups are named IA_Main, IA_East, and IA_West after their respective locations. Jean wants all of the members of these groups to be able to access the same resources in every domain. What is the recommended way to configure this?

2. The network administrators from the East domain want to know why the option to create a universal group is not available in their domain. What can you tell them?

3. The network administrators from the West domain want to know why everyone always recommends placing global groups into universal groups, instead of just placing the users directly into the universal groups. What should you tell them?

4. Jean approves a plan to hire assistants for each domain to create and manage user accounts. How can you give the assistants the immediate ability to help in this way without making them domain administrators?

5. Two employees have been hired to back up data, maintain the Windows Server 2003 domain controllers, and manage printers for the Main_Site. Which Builtin groups will give these users the permissions they require to manage the domain controllers? How should you set up their accounts and group memberships?

6. Two security specialists have been contracted to create group policy for the Humongous.com domain. They have no need to perform most administrative tasks. How should you assign their group memberships?

Troubleshooting Lab

You are a network administrator for Contoso Pharmaceuticals. A new assistant named Amy Rusko joins your network administration team. You assign Amy to the domain Server Operators group so she can help with server management tasks. Three days later, Amy tells you that she no longer has the right to shut down the server. Your manager, Andy Ruth, thinks that he told another administrator to set up Amy's account as the new VP of Finance. Andy asks you to e-mail him a list of his group memberships as well as Amy's group memberships.

1. Log on using the Administrator name and password.

2. Insert the Supplemental CD-ROM and run the \70-294\Labs\Chapter08\Lab8.bat batch file. This batch file creates several groups and makes Amy a member of those groups. When the batch file runs, it leaves the commands it runs on-screen for you to review. Press the spacebar when you are finished reviewing what happened.

3. Open a command prompt.

4. In the command prompt window, type net user amy > userstat.txt and press ENTER. This command creates the file userstat.txt in the command prompt's current directory and writes Amy's account information to it, including the local and global groups of which she is a member.

5. In the command prompt window, type net user andy >> userstat.txt and press ENTER. The >> operator appends Andy's user information to the userstat.txt file instead of overwriting it.

6. Type notepad userstat.txt (or notepad c:\userstat.txt if C:\ was the current directory when you created the file). Notepad displays Amy's user information followed by Andy's. From here you could attach the file to an e-mail and send it to Andy.
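The lab's report done in Windows PowerShell, as an added example that is not from the book: the text that net user prints for each account is parsed into objects, so two accounts' group memberships can be compared at a glance and members of the operator and admin groups are flagged. The two blocks of net user output are constructed to look like the command's output on a domain controller, so the script runs offline; the Finance group and the full names are assumptions.

```powershell
# Added example, not from the book: parse the membership lines that "net user <name>"
# prints and report several accounts side by side. $amyOutput and $andyOutput are
# constructed sample output; the Finance group is an assumption.
function ConvertFrom-NetUserOutput {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $user = [ordered]@{ UserName = $null; LocalGroups = @(); GlobalGroups = @() }
    $list = $null          # which list the current line belongs to, if any
    foreach ($line in $Lines) {
        if ($line -match '^User name\s+(\S+)') { $user.UserName = $Matches[1]; $list = $null; continue }
        if ($line -match '^(Local Group Memberships|Global Group memberships)\s*(.*)$') {
            $list = if ($Matches[1] -like 'Local*') { 'LocalGroups' } else { 'GlobalGroups' }
            $rest = $Matches[2]
        } elseif ($list -and $line -match '^\s+\*') {
            $rest = $line       # continuation line of the same list
        } else {
            $list = $null
            continue
        }
        # Names are written as "*Name" separated by padding; "*None" means no membership.
        $names = @($rest -split '\*' | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne 'None' })
        $user[$list] += $names
    }
    [pscustomobject]$user
}

function Get-GroupReport {
    param(
        [Parameter(Mandatory = $true)][string[]]$UserName,
        [scriptblock]$Query = { param($u) net user $u }   # replaced with canned text for the offline run
    )
    # Builtin and domain groups whose membership confers administrative rights
    $privileged = 'Administrators', 'Server Operators', 'Account Operators', 'Backup Operators',
                  'Print Operators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
    foreach ($u in $UserName) {
        $info = ConvertFrom-NetUserOutput -Lines (& $Query $u)
        $all  = @($info.LocalGroups) + @($info.GlobalGroups)
        [pscustomobject]@{
            UserName     = $info.UserName
            LocalGroups  = $info.LocalGroups -join ', '
            GlobalGroups = $info.GlobalGroups -join ', '
            Privileged   = @($all | Where-Object { $privileged -contains $_ }) -join ', '
        }
    }
}

# Constructed sample output: Amy after her account was reworked for the VP of Finance role
$amyOutput = @'
User name                    amy
Full Name                    Amy Rusko
Account active               Yes
Local Group Memberships      *None
Global Group memberships     *Domain Users         *Finance
The command completed successfully.
'@ -split "`r?`n"
$andyOutput = @'
User name                    andy
Full Name                    Andy Ruth
Account active               Yes
Local Group Memberships      *Administrators       *Server Operators
Global Group memberships     *Domain Admins        *Domain Users
                             *Finance
The command completed successfully.
'@ -split "`r?`n"
$sample = @{ amy = $amyOutput; andy = $andyOutput }

# Offline run against the constructed text: Amy no longer shows an operator group, Andy does.
Get-GroupReport -UserName 'amy', 'andy' -Query { param($u) $sample[$u] } | Format-Table -AutoSize

# Live run on the domain controller, saved for the e-mail (what steps 4 and 5 of the lab do):
# Get-GroupReport -UserName 'amy', 'andy' | Format-List | Out-File userstat.txt
```

The Privileged column is the part worth mailing: it answers Andy's question directly (Amy's Server Operators membership is gone) without making him read two raw net user dumps. The parser accepts continuation lines because net user wraps long membership lists onto indented lines.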


Real World Batch Files and Group Membership

The Ifmember utility is commonly used in batch files and logon scripts to determine group membership before running a command. You can see how the Ifmember utility works by performing the following steps:

1. Insert the Supplemental CD-ROM and run the \70-294\Labs\Chapter08\Lab8.bat batch file if you have not already. This batch file creates several groups and makes Amy a member of those groups. When the batch file runs, it leaves the commands it runs on-screen for you to review. Press the spacebar when you are finished reviewing what happened.

2. Run the IfMember_Setup.exe program from the \70-294\Labs\Chapter08 folder on the Supplemental CD-ROM. The Microsoft Web Installation Wizard appears.

3. Click Next to proceed.

4. Read the license agreement. If you do not agree, you cannot continue. If you agree, click the I Agree option button. Then, click Next to proceed. The Destination Directory page opens.

5. Adjust the installation location if necessary, and click Install Now.

6. Click Finish.

7. Open a new command prompt window, type ifmember /v /l > c:\membership.txt, and press ENTER. (If the command is not found, run it from the folder you installed it to in step 5.)

8. Type notepad c:\membership.txt and press ENTER. You'll see a list of your current group memberships displayed in Notepad.
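What ifmember does, written in Windows PowerShell against the current access token, as an added example that is not from the book: one function produces the list that ifmember /v /l prints, the other makes the membership test a logon script would run before a command. The CONTOSO\Finance group and the \\server1\finance share are assumptions.

```powershell
# Added example, not from the book: the group list that "ifmember /v /l" prints, read
# from the current access token, and the membership test a logon script would make
# before running a command. CONTOSO\Finance and \\server1\finance are assumptions.
function Get-TokenGroup {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # a few token SIDs (the logon session SID, for one) have no name
    }
}

function Test-TokenGroup {
    param([Parameter(Mandatory = $true)][string]$GroupName)   # DOMAIN\Group or BUILTIN\Group
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # Evaluated against the token, exactly as ifmember and as access checks on resources are
    $principal.IsInRole($GroupName)
}

# Equivalent of "ifmember /v /l > c:\membership.txt"
Get-TokenGroup | Sort-Object | Out-File C:\membership.txt

# Equivalent of the batch-file idiom "ifmember CONTOSO\Finance" followed by an
# errorlevel test: map the Finance share only for members of the Finance group.
if (Test-TokenGroup -GroupName 'CONTOSO\Finance') {
    net use F: \\server1\finance
}
```

Both functions read the token that was built when the user logged on, which is the caveat behind the Troubleshooting Lab: a group membership added or removed in Active Directory does not appear in an existing token, so the user sees the change only at the next logon. On later versions of Windows with User Account Control, an unelevated session's filtered token carries BUILTIN\Administrators for deny only, and IsInRole reports False for it until the program is elevated.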

Chapter Summary

■ A group is a collection of users, computers, contacts, and other groups. Distribution groups are used only for e-mail. Security groups are used to grant access to resources.

■ Group scopes allow you to use groups in different ways to assign permissions. The three group scopes are global, domain local, and universal. Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.

■ Use the following strategy for planning groups: place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group.


■ You use the Active Directory Users And Computers console to create groups, delete groups, add members to groups, and change the group scope.

■ You cannot change the group scope for domains with a domain functional level set to Windows 2000 mixed.

■ The following scope changes are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003: global to universal, as long as the group is not a member of another group having global scope; domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member; universal to global, as long as the group being converted does not have another universal group as its member; and universal to domain local.

■ You should avoid running your computer while logged on as an administrator because running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. If you frequently need to log on as an administrator, use the Run As program, which allows you to run specific tools and programs with permissions other than those provided by the account with which you are currently logged on.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

■ Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.

■ You should place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group.

■ For global security groups, members come from only the local domain, but the group can be granted access to resources in any domain.

■ For domain local security groups, members can come from any domain, but the group can be granted access to resources only in the local domain.

■ For universal security groups, members can come from any domain in the forest, and the group can be granted access to resources in any domain in the forest.


Key Terms

domain local group A security or distribution group often used to assign permissions to resources. You can use a domain local group to assign permissions to gain access to resources that are located only in the same domain where you create the domain local group. In domains with the domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain. In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, domain local groups can contain user accounts, computer accounts, global groups, and universal groups from any domain, and domain local groups from the same domain.

global group A security or distribution group often used to organize users who share similar network access requirements. You can use a global group to assign permissions to gain access to resources that are located in any domain in the tree or forest. In domains with the domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain. In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, global groups can contain user accounts, computer accounts, and global groups from the same domain.

Run As program A program that allows you to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.

universal group A security or distribution group often used to assign permissions to related resources in multiple domains. You can use a universal group to assign permissions to gain access to resources that are located in any domain in the forest. In domains with the domain functional level set to Windows 2000 mixed, universal security groups are not available (only universal distribution groups can be created). In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, universal groups can contain user accounts, computer accounts, global groups, and other universal groups from any domain in the forest.


Questions and Answers

Lesson 1 Review (page 8-20)

1. What is the purpose of using groups?

Use groups to simplify administration by granting rights and assigning permissions once to the group rather than multiple times to each individual member.

2. When should you use security groups rather than distribution groups?

Use security groups to assign permissions. Use distribution groups when the only function of the group is not security related, such as an e-mail distribution list. You cannot use distribution groups to assign permissions.

3. What strategy should you apply when you use domain and local groups?

Place user accounts into global groups, place global groups into domain local groups, and then assign permissions to the domain local group.

4. Why is replication an issue with universal groups?

Universal groups and their members are listed in the global catalog. Therefore, when the membership of any universal group changes, the entire group membership must be replicated to every global catalog in the forest, unless the forest functional level is set to Windows Server 2003, at which point only the changed members replicate.

5. Which of the following statements about group scope membership are incorrect? (Choose all that apply.)

a. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain.

b. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from any domain.

c. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from the same domain.

d. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain.

e. In domains with a domain functional level set to Windows 2000 mixed, universal groups can contain user accounts, computer accounts, global groups, and other universal groups from any domain.

f. In domains with a domain functional level set to Windows 2000 mixed, universal groups do not exist.


The correct answers are b, c, and e. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain. In domains with a domain functional level set to Windows 2000 mixed, universal groups do not exist.

Lesson 2 Review (page 8-27)

1. Where can you create groups?

With the necessary permissions, you can create groups in any domain in the forest, in an OU, or in a container you have created specifically for groups.

2. What is deleted when you delete a group?

When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group does not delete the user accounts that are members of the group.

3. What Active Directory components can be members of groups?

Members of groups can include user accounts, contacts, other groups, and computers.

4. In what domain functional level is changing the group scope allowed? What scope changes are permitted in this domain functional level?

You can change group scope in domains with the domain functional level set to Windows 2000 native or Windows Server 2003. The following scope changes are permitted:

❑ Global to universal, as long as the group is not a member of another group having global scope

❑ Domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member

❑ Universal to global, as long as the group being converted does not have another universal group as its member

❑ Universal to domain local

5. The name you select for a group must be unique to which of the following Active Directory components?

a. forest

b. tree

c. domain

d. site

e. OU

The correct answer is c. The name you select for a group must be unique to the domain in which the group is created.


Lesson 3 Review (page 8-33)

1. Why shouldn’t administrators be assigned to the Administrators group?

Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. For most tasks, administrators should be assigned to the Users or Power Users group. To perform administrative-only tasks, administrators should log on as an administrator, perform the task, and then log off.

2. What is the purpose of the Run As program?

The Run As program allows a user to run specific tools and programs with permissions other than those provided by the account with which the user is currently logged on. Therefore, the Run As program can be used to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.

3. What are the two ways of invoking the Run As Program?

The Run As program can be invoked on the desktop or by using the Runas command from the command line.

Case Scenario Exercise (page 8-34)

1. Jean says that there are four internal auditors in the forest root domain. There are two internal auditors in each of the child domains. Each set of internal auditors has been placed in a global group within each domain. These groups are named IA_Main, IA_East, and IA_West after their respective locations. Jean wants all of the members of these groups to be able to access the same resources in every domain. What is the recommended way to configure this?

Create a universal group and make the three global groups members of it. Each internal auditor then receives, through the global group of his or her own domain, whatever access is granted to the universal group. Choose a name for the group that represents the entire company, such as Humongous_IA. Grant the access itself either directly to the universal group or, following the strategy in this chapter, by placing the universal group in a domain local group in each domain that holds the resources and assigning permissions to that domain local group.

2. The network administrators from the East domain want to know why the option to create a universal group is not available in their domain. What can you tell them?

Universal security groups are only available in domains that have a functional level of Windows 2000 native or later. When using the Windows 2000 mixed functional level, you cannot create universal security groups. In order to change the functional level, all of the existing Windows NT 4 backup domain controllers (BDCs) must be removed or upgraded. Once the domain functional level is raised, the two Windows Server 2003 domain controllers will no longer replicate the domain database to Windows NT 4 BDCs, and the change cannot be reversed, so the BDCs must be dealt with first.

3. The network administrators from the West domain want to know why everyone always recommends placing global groups into universal groups, instead of just placing the users directly into the universal groups. What should you tell them?

Universal group membership changes cause forest-wide replication. If you use global groups in the universal groups instead of users, it is less likely that there will be membership changes to the universal groups. If instead you decided to place users in universal groups, every time a user was added to, or deleted from, a universal group, forest-wide replication would take place.


In most domains the user accounts are modified more frequently than the groups themselves. Once all the domain controllers in the forest run Windows Server 2003 and every domain is at the Windows Server 2003 domain functional level, you can raise the forest functional level to Windows Server 2003. At that level only the changed members of a universal group replicate, rather than the entire membership, which removes this concern.

4. Jean approves a plan to hire assistants for each domain to create and manage user accounts. How can you give the assistants the immediate ability to help in this way without making them domain administrators?

Place the assistants in the Account Operators group of each domain in which they are expected to assist. Account Operators can create and manage user accounts and groups in the domain but cannot modify the administrative groups or the accounts of their members, which is the division of labor Jean asked for.

5. Two employees have been hired to back up data, maintain the Windows Server 2003 domain controllers, and manage printers for the Main_Site. Which Builtin groups will give these users the permissions they require to manage the domain controllers? How should you set up their accounts and group memberships?

These users will need the rights assigned to the Backup Operators, Print Operators, and Server Operators groups. You should create a global group specifically for these users. For example, create the Maintenance_Main global group. Make that group a member of the Backup Operators, Print Operators, and Server Operators domain local groups. Then place the user accounts for these new employees in that new global group.
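The group strategy from the chapter summary (user accounts into a global group, the global group into domain local groups, permissions on the domain local groups) carried out for this answer in Windows PowerShell, as an added example that is not from the book. It assumes the ActiveDirectory module, which ships with Windows Server 2008 R2 and later (on Windows Server 2003 the same steps are dsadd group and dsmod group -addmbr), an OU named Main_Site, and the sAMAccountNames maint1 and maint2 for the two new employees.

```powershell
# Added example, not from the book: the A-G-DL-P strategy from the chapter summary
# applied to the case scenario's Main_Site maintenance staff. Assumptions: the
# ActiveDirectory module (Windows Server 2008 R2 or later; on Windows Server 2003 the
# equivalents are dsadd group and dsmod group -addmbr), an OU named Main_Site, and
# the sAMAccountNames maint1 and maint2 for the two new employees.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$staffOu  = "OU=Main_Site,$domainDn"

# A -> G: the accounts go into a global group that names the role
$maint = New-ADGroup -Name 'Maintenance_Main' -SamAccountName 'Maintenance_Main' `
    -GroupScope Global -GroupCategory Security -Path $staffOu `
    -Description 'Backs up, maintains and manages printers on Main_Site domain controllers' -PassThru
Add-ADGroupMember -Identity $maint -Members 'maint1', 'maint2'

# G -> DL -> P: the Builtin operator groups are domain local groups that already carry
# the rights, so nesting the global group in them is the permission assignment
foreach ($builtin in 'Backup Operators', 'Print Operators', 'Server Operators') {
    Add-ADGroupMember -Identity $builtin -Members $maint
}

# Check: the rights should flow only through Maintenance_Main. A user placed directly
# in an operator group bypasses the strategy and is easy to overlook later.
function Get-DirectUserMember {
    param([Parameter(Mandatory = $true)][string[]]$GroupName)
    foreach ($g in $GroupName) {
        Get-ADGroupMember -Identity $g |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
    }
}
Get-DirectUserMember -GroupName 'Backup Operators', 'Print Operators', 'Server Operators' | Format-Table -AutoSize
```

The check at the end is the part to keep running: when the employees leave, removing them from Maintenance_Main revokes all three memberships at once, but only if nobody has added them to an operator group directly in the meantime.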

6. Two security specialists have been contracted to create group policy for the humongous.com domain. They have no need to perform most administrative tasks. How should you assign their group memberships?

Make them members of the Group Policy Creator Owners global group. Members of that group can create GPOs in the domain and edit the GPOs they create, but they cannot link a GPO to the domain or to an OU; if the specialists need to link GPOs as well, delegate that permission on the container rather than adding them to an administrative group.
