
07/06/13

Module 4: Managing Groups

Contents:
Lesson 1: Overview of Groups
Lesson 2: Administer Groups
Lab A: Administer Groups
Lesson 3: Best Practices for Group Management
Lab B: Best Practices for Group Management

Module Overview

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=6&FontSize=3&FontType=segoe


Although users and computers, and even services, change over time, business roles and rules tend to remain more stable. Your business probably has a finance role, which requires certain capabilities in the enterprise. The user or users who perform that role will change, but the role will remain. For that reason, it is not practical to manage an enterprise by assigning rights and permissions to individual users, computers, or service identities. Management tasks should be associated with groups. In this course, you will use groups to identify administrative and user roles, to filter Group Policy, to assign unique password policies, to assign rights and permissions, and more. To prepare for those tasks, in this module, you will learn how to create, modify, delete, and support group objects in an Active Directory domain.

Objectives

After completing this module, you will be able to:
Describe the role of groups in managing an enterprise.
Administer groups by using the built-in tools in Windows Server 2008.
Describe the best practices for managing groups.

Lesson 1: Overview of Groups

Before implementing groups in your environment, you should learn and understand how groups are used and which types of groups exist. It is important to understand group scope so that you can identify the proper group type in various scenarios. Also, it is very important to define a proper group naming convention and to understand how groups can be nested in other groups and the benefits of that approach.

Objectives
After completing this lesson, you will be able to:
Understand the role of groups in managing an enterprise.
Define group naming conventions.
Understand group types.
Understand group scope.
Identify group membership and nesting possibilities.
Understand how to manage and administer groups.
Understand the best practice for group nesting to achieve role-based management.

Role-Based Management: Role Groups and Rule Groups


Imagine next that it is not only salespeople who require Read access to the folders. Executives, Marketing department employees, and the sales consultant hired by your organization also require Read permission to the same folders. It is very common that various groups of users require access to the same resources.
You could add those groups to the ACL of the folders, granting each of them Allow Read permission, but soon you will end up with an ACL with multiple permissions, this time assigning the Allow Read permission to multiple groups, instead of multiple users. To give the three groups and one user permission to the three folders on the three servers, you will have to add twelve permissions! The next group that requires access will require three more changes to grant permissions to the ACLs of the three shared folders.

What if eight users who are not salespeople, marketing employees, or executives, have a business need for Read access to the three folders? Do you add their individual user accounts to the ACLs? If so, that is 24 more permissions to add and manage!
You can see that using only one type of group, a role group that defines the business roles of users, quickly becomes an ineffective way of enabling management of access to the three folders. If the management rule suggests that three roles and nine additional users require access to the resource, you are assigning a total of 36 permissions on ACLs. It becomes very difficult to maintain compliance and to audit. Even simple questions such as, "Can you tell me every user who can read the Sales folders?" become difficult to answer.
The solution is to recognize that there are two types of management that must take place to effectively manage this scenario. You must manage the users as collections, based upon their business roles and, separately, you must manage access to the three folders.
The three folders are also a collection of items. They are a single resource, a collection of Sales folders, that just happens to be distributed across three folders on three servers. You are trying to manage Read access to that resource. You need a single point of management with which to manage access to the resource.
This requires another group, a group that represents Read access to the three folders on the three servers. We call that type of group a rule group (sometimes also a resource group). Imagine that you create a group called ACL_SalesFolders_Read. This group will be assigned the Allow Read permission on the three folders. The Sales, Marketing, and Executives groups, along with the individual users, will all be members of the ACL_SalesFolders_Read group. You assign only three permissions: one on each folder, granting Read access to the ACL_SalesFolders_Read group.
The ACL_SalesFolders_Read group becomes the focus of access management. As additional groups or users require access to the folders, they will be added to that group. It also becomes easier to report who has access to the folders. Instead of having to examine the ACLs on each of the three folders, you simply examine the membership of the ACL_SalesFolders_Read group.
To effectively manage even a slightly complex enterprise, you will need two "types" of groups that perform two distinct purposes:
Groups that define roles. These groups, referred to as role groups, contain users, computers, and other role groups based on common business characteristics such as location, job type, and so on.
Groups that define management rules. These groups, referred to as rule groups, define how an enterprise resource is being managed.
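The report the lesson describes, "who can read the Sales folders?", is answered by expanding the rule group rather than reading the ACL of every folder. The following script is an added example and is not part of the course: it walks the member attribute of ACL_SalesFolders_Read transitively, stops on nesting loops, and resolves foreign security principals (members from trusted domains, which Active Directory stores as objects named after their SID). It uses ADSI only, so it runs on Windows Server 2008 without the ActiveDirectory module; it assumes a domain-joined computer and a caller allowed to read group membership. The group name is taken from the lesson.

```powershell
# Added example (not course material): expand a rule group to the identities it grants access to.
# Assumes a domain-joined machine, PowerShell 2.0 or later, and read access to the groups involved.

function Get-EffectiveGroupMembers {
    param([Parameter(Mandatory=$true)][string]$GroupName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$GroupName))"
    $found = $searcher.FindOne()
    if ($found -eq $null) { throw "Group '$GroupName' was not found in the current domain." }

    $expanded = @{}                                  # DNs already walked: breaks A -> B -> A loops
    $queue    = New-Object System.Collections.Queue  # holds (group DN, nesting path) pairs
    $queue.Enqueue(@([string]$found.Properties['distinguishedname'][0], $GroupName))

    while ($queue.Count -gt 0) {
        $dn, $path = $queue.Dequeue()
        if ($expanded.ContainsKey($dn)) { continue }
        $expanded[$dn] = $true

        $group = [ADSI]("LDAP://" + $dn)
        # Caveat: a DirectoryEntry returns at most 1500 values of a multi-valued attribute per
        # request; groups larger than that need LDAP ranged retrieval (member;range=...), not shown here.
        foreach ($memberDn in $group.Properties['member']) {
            $member  = [ADSI]("LDAP://" + $memberDn)
            $classes = @($member.Properties['objectClass'])
            $class   = [string]$classes[$classes.Count - 1]   # the most specific class is listed last

            switch ($class) {
                'group' {
                    $queue.Enqueue(@([string]$memberDn, ($path + ' > ' + [string]$member.Properties['name'][0])))
                }
                'foreignSecurityPrincipal' {
                    # A principal from a trusted domain: only its SID is stored locally. If it is a
                    # group, its own members live in the other domain and cannot be expanded from here.
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($member.Properties['objectSid'][0], 0)
                    $name = $sid.Value
                    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
                    New-Object PSObject -Property @{ Name = $name; Class = $class; Via = $path }
                }
                default {
                    # user, computer, inetOrgPerson, contact, ...
                    New-Object PSObject -Property @{
                        Name  = [string]$member.Properties['sAMAccountName'][0]
                        Class = $class
                        Via   = $path }
                }
            }
        }
    }
}

# Usage: every identity that ends up with Read access through the rule group, and the nesting path.
Get-EffectiveGroupMembers -GroupName 'ACL_SalesFolders_Read' |
    Sort-Object Name | Format-Table Name, Class, Via -AutoSize
```

The Via column is the audit trail the lesson is after: it shows through which role group a given user reaches the resource, which is what you need when a role group is added to a rule group by mistake.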

This approach to managing the enterprise with groups is called role-based management. You define roles of users based on business characteristics, for example, department or division affiliation such as sales, marketing, and executives, and you define management rules, for example, the rule that manages which roles and individuals can access the three folders.
You can achieve both management tasks by using groups in a directory. Roles are represented by groups that contain users, computers, and other roles. Roles can include other roles; for example, a Managers role might include the Sales Managers, Finance Managers, and Production Managers roles. Management rules, such as the rule that defines and manages Read access to the three folders, are represented by groups also. Rule groups contain roles, and occasionally, individual users or computers, such as the sales consultant and eight other users in the example.
The key takeaway is that there are two "types" of groups: one that defines the role, and the other that defines how a resource is managed.

Define Group Naming Conventions


To create a group by using the Active Directory Users and Computers snap-in, you should right-click the organizational unit (OU) in which you want to create a group, point to New, and then click Group. The New Object - Group dialog box, shown in the following image, allows you to specify fundamental properties of the new group.


The following name properties can be configured in this dialog box:
Group name. The cn and name of the group object must be unique only within the OU.
Group name (pre-Windows 2000). The sAMAccountName of the group, unique in the domain.

Important best practice: Use the same name (unique in the domain) for both properties.

The first property you must configure is the group's names. A group, like a user or computer, has several names. The first, shown in the Group Name box above, is used by Windows 2000 and later systems to identify the object; it becomes the cn and name attributes of the object. The second, the pre-Windows 2000 name, is the sAMAccountName attribute, used to identify the group to computers running Windows NT 4.0 and to some devices, such as network attached storage (NAS) devices running non-Microsoft operating systems. The cn and name attributes must be unique only within the container, the OU in which the group exists. The sAMAccountName must be unique in the entire domain. Technically, the sAMAccountName could be a different value than the cn and name, but it is highly discouraged to make these different. Pick a name that is unique in the domain, and use it in both name fields in the New Object - Group dialog box.
The name you choose should help you manage the group and manage your enterprise on a day-to-day basis. We recommend that you follow a naming convention that identifies the type of group and the purpose of the group.
Role groups. Simple, unique name, such as Sales or Consultants.
Management groups. For example, ACL_SalesFolders_Read:
Prefix. This identifies the management purpose of the group, such as ACL for groups managing access permissions to shared resources. It is used on access control lists, so the prefix ACL is used.
Resource identifier. This is a unique identifier for what is being managed. The main part of the name uniquely identifies the resource that is being managed with the group, in this example, SalesFolders.
Suffix. The suffix further defines what is being managed by the group. In the case of resource access management groups, the suffix defines the level of access provided to members of the group. In our example, that is Read.
Delimiter. This should be a consistently used marker separating prefix, identifier, and suffix, such as an underscore (_). Do not use the delimiter elsewhere in the name; use it only as a delimiter. Note that the delimiter is not used between the words Sales and Folders. Spaces are acceptable in group names; you will just need to enclose group names in quotes when you refer to them in commands or in scripts. You can create scripts that use the delimiter to deconstruct group names to facilitate auditing and reporting.

Keep in mind that role groups that define user roles will often be used by non-technical users. For example, you might email-enable the Sales group so that it can be used as an email distribution list. Therefore, we recommend that you keep your naming convention for role groups simple and straightforward. In other words, your naming convention for role groups is not to use prefixes or suffixes or delimiters, just a user-friendly, descriptive name.
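The following script is an added example, not part of the course, of the kind of deconstruction script the naming convention makes possible. It splits names on the underscore delimiter into prefix, resource identifier and suffix, classifies each name as a role group, a rule group or a convention violation, and produces the two reports an auditor usually asks for. The ACL prefix comes from the lesson; the sample names are constructed for illustration, and the commented Get-ADGroup line shows how to feed it real names.

```powershell
# Added example (not course material): parse PREFIX_RESOURCE_SUFFIX group names for reporting.
# Runs on PowerShell 2.0 or later; the parse itself needs no Active Directory connection.

function ConvertFrom-GroupName {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Name,
        [string]$Delimiter = '_',
        [string[]]$KnownPrefixes = @('ACL')   # add other management purposes as you define them
    )
    process {
        $parts = $Name.Split($Delimiter)

        if ($parts.Count -eq 1) {
            # No delimiter at all: a role group with a plain, user-friendly name.
            return New-Object PSObject -Property @{
                Name = $Name; Kind = 'Role'; Prefix = $null; Resource = $null; Suffix = $null; Violation = $null }
        }

        # Exactly three non-empty parts are expected: prefix, resource identifier, suffix.
        if ($parts.Count -ne 3 -or ($parts -contains '')) {
            return New-Object PSObject -Property @{
                Name = $Name; Kind = 'Malformed'; Prefix = $null; Resource = $null; Suffix = $null
                Violation = "expected PREFIX${Delimiter}RESOURCE${Delimiter}SUFFIX, found $($parts.Count) parts" }
        }

        $violation = $null
        if ($KnownPrefixes -notcontains $parts[0]) { $violation = "unknown prefix '$($parts[0])'" }

        New-Object PSObject -Property @{
            Name = $Name; Kind = 'Rule'; Prefix = $parts[0]; Resource = $parts[1]; Suffix = $parts[2]
            Violation = $violation }
    }
}

# Constructed sample input. Against a real domain, pipe in the directory's group names instead:
#   Get-ADGroup -Filter * | Select-Object -ExpandProperty Name | ConvertFrom-GroupName
$sampleNames = @(
    'ACL_SalesFolders_Read',
    'ACL_SalesFolders_Modify',
    'Sales',                     # role group: no prefix, suffix or delimiter, as recommended
    'ACL_Sales_Folders_Read',    # delimiter reused inside the resource identifier
    'XYZ_Payroll_Read'           # prefix that no convention defines
)

$parsed = $sampleNames | ConvertFrom-GroupName

# Report 1: rule groups by the resource they manage and the access level they grant.
$parsed | Where-Object { $_.Kind -eq 'Rule' } |
    Sort-Object Resource, Suffix |
    Format-Table Resource, Suffix, Name -AutoSize

# Report 2: names that break the convention and need attention.
$parsed | Where-Object { $_.Violation } | Format-Table Name, Kind, Violation -AutoSize
```

Report 2 is the useful one over time: a name such as ACL_Sales_Folders_Read parses into four parts, so the script cannot tell which part is the resource, which is exactly why the lesson says the delimiter must appear nowhere else in the name.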

Group Type


There are two types of groups: security and distribution. When you create a group, you make the selection of the group type in the New Object - Group dialog box.
Distribution groups are used primarily by email applications. These groups are not security-enabled; they do not have SIDs, so they cannot be given permission to resources. Sending a message to a distribution group sends the message to all members of the group.
Security groups are security principals with SIDs. These groups can therefore be used in permission entries in ACLs to control security for resource access. Security groups can also be used as distribution groups by email applications. If a group will be used to manage security, it must be a security group.

Because security groups can be used for both resource access and email distribution, many organizations use only security groups. However, we recommend that if a group will be used only for email distribution, you should create the group as a distribution group. Otherwise, the group is assigned a SID, and the SID is added to the user's security access token, which can lead to an unnecessary size increase of the security token.
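The token growth described above can be measured. The script below is an added example, not course material: it reads the tokenGroups attribute of a user, a constructed attribute the domain controller computes on request that holds the SIDs of every security group the user belongs to, directly or through nesting, and never a distribution group. That is the concrete reason an email-only group should be a distribution group. It assumes a domain-joined computer and PowerShell 2.0 or later; the ActiveDirectory module is not used, and the account name in the usage lines is an assumption.

```powershell
# Added example (not course material): list and count the security group SIDs in a user's token.

function Get-TokenGroupReport {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $found = $searcher.FindOne()
    if ($found -eq $null) { throw "User '$SamAccountName' was not found in the current domain." }

    # Constructed attributes are not returned by a search; they must be requested explicitly.
    $user = $found.GetDirectoryEntry()
    $user.RefreshCache([string[]]@('tokenGroups'))

    # tokenGroups holds transitive security group membership only. Special identities such as
    # Everyone or Authenticated Users are added by the logon process and never appear here.
    $groups = foreach ($raw in $user.Properties['tokenGroups']) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    }
    $groups = @($groups)

    # Every Kerberos ticket carries these SIDs in its PAC. Microsoft's sizing rule of thumb
    # (KB 327825) is 1200 bytes plus about 8 bytes per global or universal group from the
    # account domain and about 40 bytes per domain local group, SID-history entry or group from
    # another domain. Before Windows Server 2012 the default MaxTokenSize was 12,000 bytes,
    # so a few hundred memberships were enough to break authentication to some services.
    New-Object PSObject -Property @{
        User               = $SamAccountName
        SecurityGroupCount = $groups.Count
        EstimatedPacBytes  = 1200 + (8 * $groups.Count)   # lower bound: treats every entry as 8 bytes
        Groups             = $groups | Sort-Object Name
    }
}

# Usage (the account name is an assumption):
$report = Get-TokenGroupReport -SamAccountName 'jford'
$report | Format-List User, SecurityGroupCount, EstimatedPacBytes
$report.Groups | Format-Table Name, Sid -AutoSize
```

Run it against a user who is in many nested role groups and against one who is not, and the difference in SecurityGroupCount is the cost of every group that was created as a security group without needing to be.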

Group Scope

Groups have members: users, computers, and other groups; groups can be members of other groups; and groups can be referred to by ACLs, Group Policy object (GPO) filters, and other management components. Group scope impacts each of these characteristics of a group: what it can contain, what it can belong to, and where it can be used. There are four group scopes: global, domain local, local, and universal.
The characteristics that define each scope fall into these categories:
Replication. Where is the group defined, and to what systems is the group replicated?
Membership. What types of security principals can the group contain as members? Can the group include security principals from trusted domains?
In Module 14, you will learn about trust relationships, or trusts. A trust allows a domain to refer to another domain for user authentication, to include security principals from the other domain as group members, and to assign permissions to security principals in the other domain. The terminology used can be confusing. If Domain A trusts Domain B, Domain A is the trusting domain and Domain B is the trusted domain. Domain A accepts the credentials of users in Domain B. It forwards requests by Domain B users to authenticate to a domain controller in Domain B, because it trusts the identity store and authentication service of Domain B. Domain A can add Domain B's security principals to groups and ACLs in Domain A.
Availability. Where can the group be used? Is the group available to add to another group? Is the group available to add to an ACL?

Keep these broad characteristics in mind as you explore the details of each group scope.

Local Groups

Local groups are truly local: defined on and available to a single computer. Local groups are created in the security accounts manager (SAM) database of a domain member computer; both workstations and servers have local groups. Local groups have the following characteristics:
Replication. A local group is defined only in the local SAM database of a domain member. The group and its membership are not replicated to any other system.


Membership. A local group can include as members:
Any security principals from the domain: users, computers, global groups, or domain local groups.
Users, computers, and global groups from any domain in the forest.
Users, computers, and global groups from any trusted domain.
Universal groups defined in any domain in the forest.
Availability. A local group has only machine-wide scope. It can be used in ACLs on the local machine only. A local group cannot be a member of any other group.

Best Practice
In a workgroup, you use local groups to manage security of resources on a system. In a domain, however, managing the local groups of individual machines becomes unwieldy, and is for the most part unnecessary. We do not recommend creating custom local groups on domain members. There are very few scenarios in a domain environment that are addressed by using local groups. In most cases, the Users and Administrators local groups are the only local groups that you should be concerned with managing in a domain environment.

Domain Local Groups



Domain local groups are used primarily to manage permissions to resources, which means they mostly serve as rule groups. For example, the ACL_SalesFolders_Read group discussed earlier in the lesson would be created as a domain local group. Domain local groups have the following characteristics:
Replication. A domain local group is defined in the domain naming context. The group object and its membership (the member attribute) are replicated to every domain controller in the domain.
Membership. A domain local group can include as members:
Any security principals from the domain: users, computers, global groups, or other domain local groups.
Users, computers, and global groups from any domain in the forest.
Users, computers, and global groups from any trusted domain.
Universal groups defined in any domain in the forest.
Availability. A domain local group can be added to ACLs on any resource on any domain member. Additionally, a domain local group can be a member of other domain local groups, or even machine local groups.

The membership capabilities of a domain local group (the kinds of objects that can be members of a domain local group) are identical to those of local groups, but the replication and availability of the domain local group make it useful across the entire domain.

Best Practice
Domain local groups are well suited for defining business management rules, such as resource access rules, because the group can be applied anywhere in the domain, and it can include members of any type within the domain, and members from trusted domains.
For example, a domain local security group named ACL_SalesFolders_Read might be used to manage Read access to a collection of folders that contain sales information on one or more servers.

Global Groups

Global groups are used primarily to define collections of domain objects based on business roles, which means that they mostly serve as role groups. Role groups, such as the Sales and Marketing groups mentioned earlier, and roles of computers such as a Sales Laptops group, are created as global groups. Global groups have the following characteristics:
Replication. A global group is defined in the domain naming context. The group object, including the member attribute, is replicated to all domain controllers in the domain.


Membership. A global group can include as members only those users, computers, and other global groups in the same domain.
Availability. A global group is available for use by all domain members, and by all other domains in the forest and all trusting external domains. A global group can be a member of any domain local or universal group in the domain or in the forest. It can also be a member of any domain local group in a trusting domain. Finally, a global group can be added to ACLs in the domain, in the forest, or in trusting domains.

As you can see, global groups have the most limited membership (only users, computers, and global groups from the same domain) but the broadest availability: across the domain, the forest, and trusting domains.

Best Practice
Global groups are well suited to defining roles, because roles are generally collections of objects from the same directory.
For example, global security groups named Consultants and Sales might be used to define users who are consultants and salespeople, respectively.

Universal Groups

Unlike global and domain local groups, the use of universal groups is not limited to the role or rule type of group; they can be used for both types depending on the scenario.
Universal groups have the following characteristics:
Replication. A universal group is defined in a single domain in the forest but is replicated to the global catalog. You will learn more about the global catalog in Module 12. Objects in the global catalog are readily accessible across the forest.
Membership. A universal group can include as members users, computers, global groups, and other universal groups from any domain in the forest.



Availability. A universal group can be a member of a universal group or domain local group anywhere in the forest. Additionally, a universal group can be used to manage resources, for example, to assign permissions, anywhere in the forest.

Universal groups are useful in multi-domain forests. They allow you to define roles or to manage resources that span more than one domain. The best way to understand universal groups is through an example: Trey Research has a forest with three domains: Americas, Asia, and Europe. Each domain has user accounts and a global group called Regional Managers, which includes the managers of that region. Remember that global groups can contain only users from the same domain. A universal group called Trey Research Regional Managers is created, and the three Regional Managers groups are added as members. The Trey Research Regional Managers group therefore defines a role for the entire forest. As users are added to any one of the Regional Managers groups, they will, through group nesting, be members of the Trey Research Regional Managers group.
Trey Research is planning to release a new product that requires collaboration across its regions. Resources related to the project are stored on file servers in each domain. To define who has the ability to modify files related to the new product, a universal group is created called ACL_NewProduct_Modify. That group is assigned the Allow Modify permission to the shared folders on each of the file servers in each of the domains. The Trey Research Regional Managers group is made a member of the ACL_NewProduct_Modify group, as are various global groups and a handful of users from each of the regions.
As you can see from this example, universal groups can help you to represent and consolidate roles that span domains in a forest, and to define rules that can be applied across the forest.

Summary of Group Scope Possibilities

In day-to-day administration, it is important that you be completely familiar with the membership characteristics of each group scope. The following table summarizes the objects that can be members of each group scope.

Group scope: Local
  Members from the same domain: Users; Computers; Global groups; Universal groups; Domain local groups. Also, local users defined on the same computer as the local group.
  Members from another domain in the same forest: Users; Computers; Global groups; Universal groups
  Members from a trusted external domain: Users; Computers; Global groups

Group scope: Domain Local
  Members from the same domain: Users; Computers; Global groups; Domain local groups; Universal groups
  Members from another domain in the same forest: Users; Computers; Global groups; Universal groups
  Members from a trusted external domain: Users; Computers; Global groups

Group scope: Universal
  Members from the same domain: Users; Computers; Global groups; Universal groups
  Members from another domain in the same forest: Users; Computers; Global groups; Universal groups
  Members from a trusted external domain: N/A

Group scope: Global
  Members from the same domain: Users; Computers; Global groups
  Members from another domain in the same forest: N/A
  Members from a trusted external domain: N/A

Develop a Group Management Strategy


Adding groups to other groups, a process called nesting, can create a hierarchy of groups that supports your business roles and management rules. Now that you have learned the business purposes and technical characteristics of groups, it is time to align the two in a strategy for group management.
Earlier in this lesson, you learned what types of objects can be members of each group scope. Now it is time to identify what types of objects should be members of each group scope. This leads to the best practice for group nesting, known as IGDLA. IGDLA stands for Identities, Global groups, Domain local groups, and Access:
Identities (user and computer accounts) are members of:
Global groups that represent business roles. Those role groups (global groups) are members of:
Domain local groups that represent management rules, determining who has Read permission to a specific collection of folders, for example. These rule groups (domain local groups) are granted:
Access to resources. In the case of a shared folder, access is granted by adding the domain local group to the folder's access control list (ACL), with a permission that provides the appropriate level of access.

Note: This approach to group nesting was earlier known as AGDLP, that is, Accounts, Global Groups, Domain Local Groups, Permissions. However, the terminology used in this course, IGDLA, has a more general scope of application, and it also aligns with industry-standard terminology.

In a multi-domain forest, there are universal groups also, which fit in between global and domain local groups. Global groups from multiple domains are members of a single universal group. That universal group is a member of domain local groups in multiple domains. You can remember the nesting as IGUDLA.



IGDLA Example
This best practice for implementing group nesting translates well even in multi-domain scenarios. Consider the figure below, which describes an IGDLA scenario:

This figure represents a group implementation that reflects not only the technical view of group management best practices (IGDLA), but also the business view of role-based, rule-based management.
Consider the following scenario:
The sales force at Contoso, Ltd. has just completed its fiscal year. Sales files from the previous year are in a folder called Sales. The sales force needs Read access to the Sales folders. Additionally, a team of auditors from Woodgrove Bank, a potential investor, require Read access to the Sales folders to perform the audit. The following steps are required to implement the security required by this scenario:
1. Assign users with common job responsibilities or other business characteristics to role groups implemented as global security groups. This happens separately in each domain. Salespeople at Contoso are added to a Sales role group. Auditors at Woodgrove Bank are added to an Auditors role group.
2. Create a group to manage access to the Sales folders with Read permission. This is implemented in the domain containing the resource that is being managed. In this case, it is the Contoso domain in which the Sales folders reside. The resource access management rule group is created as a domain local group, ACL_SalesFolders_Read.
3. Add the role groups to the resource access management rule group to represent the management rule. These groups can come from any domain in the forest or from a trusted domain such as Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same forest, can be members of a domain local group.
4. Assign the permission that implements the required level of access. In this case, grant the Allow Read permission to the domain local group.

This strategy results in single points of management, reducing the management burden. There is one point of management that defines who is in Sales, or who is an Auditor. Those roles, of course, are likely to have access to a variety of resources beyond simply the Sales folders. There is another single point of management to determine who has Read access to the Sales folders, and the Sales folders may not just be a single folder on a single server. It could be a collection of folders across multiple servers, each of which assigns the Allow Read permission to the single domain local group.
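The four steps of the Contoso scenario, as a script. This is an added example and not course material. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2, or RSAT on a client), that it runs in the Contoso domain with rights to create groups in the OU and to change the folder ACLs, and that the OU, the server names, the share paths and the WOODGROVEBANK NetBIOS domain name exist; all of those are illustrative assumptions. Same-domain principals are added with the module; the Auditors global group from the trusted external domain is added through ADSI with a SID binding string, which is how Windows creates the foreign security principal that represents it in the Contoso domain.

```powershell
# Added example (not course material): implement IGDLA for the Sales folders.
Import-Module ActiveDirectory

$groupOu      = 'OU=Groups,DC=contoso,DC=com'                                   # assumption
$salesFolders = @('\\SERVER01\Sales', '\\SERVER02\Sales', '\\SERVER03\Sales')  # assumption
$domainDn     = (Get-ADDomain).DistinguishedName

function Ensure-Group {
    # Creates the group only if it does not exist, so the script is safe to rerun.
    param([string]$Name, [string]$Scope, [string]$Description)
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope -GroupCategory Security `
                -Path $groupOu -Description $Description -PassThru
}

# Step 1: role groups are global security groups in the account domain. The Auditors role
# group belongs to Woodgrove Bank and is created in that domain, not here.
$salesRole = Ensure-Group -Name 'Sales' -Scope Global -Description 'Role: Contoso sales force'

# Step 2: the rule group is a domain local security group in the domain that holds the resource.
$rule = Ensure-Group -Name 'ACL_SalesFolders_Read' -Scope DomainLocal `
                     -Description 'Rule: Allow Read on the Sales folders on SERVER01-03'

# Step 3: nest the role groups into the rule group. The member attribute is read directly so the
# check also works once the group contains a foreign security principal.
$members = @((Get-ADGroup -Identity $rule -Properties member).member)
if ($members -notcontains $salesRole.DistinguishedName) {
    Add-ADGroupMember -Identity $rule -Members $salesRole
}

$auditors   = New-Object System.Security.Principal.NTAccount('WOODGROVEBANK', 'Auditors')   # assumption
$auditorSid = $auditors.Translate([System.Security.Principal.SecurityIdentifier]).Value
$fspDn      = "CN=$auditorSid,CN=ForeignSecurityPrincipals,$domainDn"   # where AD keeps the foreign principal
if ($members -notcontains $fspDn) {
    $ruleEntry = [ADSI]("LDAP://" + $rule.DistinguishedName)
    $ruleEntry.Add("LDAP://<SID=$auditorSid>")   # the DC creates the foreignSecurityPrincipal object
}

# Step 4: grant Allow Read to the rule group on every Sales folder. Only the domain local group
# goes on the NTFS ACL. Share permissions must also let the group through (for example,
# Authenticated Users: Read on the share); this script does not change them.
$readAce = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $rule.SID, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

foreach ($folder in $salesFolders) {
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($readAce)
    Set-Acl -Path $folder -AclObject $acl
}
```

Note what the script never does: it never puts a user, the Sales group or the Woodgrove Bank group on a folder ACL. A fourth server with Sales files needs one more ACE for ACL_SalesFolders_Read; a new auditor needs a change in Woodgrove Bank's Auditors group and nothing at Contoso.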

Default Groups

There are a number of groups that are created automatically on a Windows Server 2008 server. These are called default local groups, and they include well-known groups such as Administrators, Backup Operators, and Remote Desktop Users. There are additional groups that are created in a domain, both in the Builtin and Users containers, including Domain Admins, Enterprise Admins, and Schema Admins. The following list provides a summary of capabilities of the subset of default groups that have significant permissions and user rights related to the management of Active Directory.

Enterprise Admins (Users Container of the Forest Root Domain)


This group is a member of the Administrators group in every domain in the forest, giving it complete access to the configuration of all domain controllers. It also owns the Configuration partition of the directory and has full control of the domain naming context in all forest domains.

Schema Admins (Users Container of the Forest Root Domain)


This group owns and has full control of the Active Directory schema.

Administrators (Builtin Container of Each Domain)


This group has complete control over all domain controllers and data in the domain naming context. It can change the membership of all other administrative groups in the domain, and the Administrators group in the forest root domain can change the membership of Enterprise Admins, Schema Admins, and Domain Admins. The Administrators group in the forest root domain is arguably the most powerful service administration group in the forest.

Domain Admins (Users Container of Each Domain)


This group is added to the Administrators group of its domain. It therefore inherits all of the capabilities of the Administrators group. It is also, by default, added to the local Administrators group of each domain member computer, giving Domain Admins ownership of all domain computers.

Server Operators (Built-in Container of Each Domain)


This group can perform maintenance tasks on domain controllers. It has the right to log on locally, start and stop services, perform backup and restore operations, format disks, create or delete shares, and shut down domain controllers. By default, this group has no members.

Account Operators (Built-in Container of Each Domain)


This group can create, modify, and delete accounts for users, groups, and computers located in any OU in the domain (except the Domain Controllers OU), and in the Users and Computers containers. Account Operators cannot modify accounts that are members of the Administrators or Domain Admins groups, nor can they modify those groups. Account Operators can also log on locally to domain controllers. By default, this group has no members.

Backup Operators (Built-in Container of Each Domain)


This group can perform backup and restore operations on domain controllers, and log on locally and shut down domain controllers. By default, this group has no members.

Print Operators (Built-in Container of Each Domain)


Thisgroupcanmaintainprintqueuesondomaincontrollers.Itcanalsologonlocally andshutdowndomaincontrollers. Thedefaultgroupsthatprovideadministrativeprivilegesshouldbemanaged carefully,becausetheytypicallyhavebroaderprivilegesthanarenecessaryformost delegatedenvironmentsandbecausetheyoftenapplyprotectiontotheirmembers. TheAccountOperatorsgroupisaperfectexample.Ifyouexamineitscapabilitiesin theprecedinglist,youwillseethatitsrightsareverybroadindeed.Itcanevenlog onlocallytoadomaincontroller.Inverysmallenterprises,suchrightswould probablybeappropriateforoneortwoindividualswhowouldprobablybedomain administratorsanyway.Inlargerenterprises,therightsandpermissionsgrantedto AccountOperatorsareusuallyfartoobroad. Additionally,theAccountOperatorsgroupis,liketheotheradministrativegroups,a protectedgroup. Protectedgroupsaredefinedbytheoperatingsystemandcannotbeunprotected. Membersofaprotectedgroupbecomeprotected.Theresultofprotectionisthatthe permissions(ACLs)ofmembersaremodifiedsothattheynolongerinherit permissionsfromtheirOU,butratherreceiveacopyofanACLthatisquite restrictive.Forexample,ifJeffFordisaddedtotheAccountOperatorsgroup,his accountbecomesprotected,andthehelpdesk,whichcanresetallotheruser
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=6&FontSize=3&FontType=segoe 34/88

07/06/13

Module 4: Managing Groups

passwordsintheEmployeesOU,cannotresetJeffFordspassword. Forthesereasonsofoverdelegationandprotection,youshouldstrivetoavoidadding userstothegroupslistedabovethatdonothavemembersbydefault:Account Operators,BackupOperators,ServerOperators,andPrintOperators.Instead,create customgroupstowhichyouassignpermissionsanduserrightsthatachieveyour businessandadministrativerequirements. Forexample,ifScottMitchellshouldbeabletoperformbackupoperationsona domaincontroller,butshouldnotbeabletoperformrestoreoperationsthatcould leadtodatabaserollbackorcorruption,andshouldnotbeabletoshutdowna domaincontroller,donotputScottintheBackupOperatorsgroup.Instead,createa groupandassignitonlytheBackupFilesAndDirectoriesuserright,thenaddScottas amember.
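The following script is an added example, not part of the course text: it audits the four operator groups the paragraph above says should stay empty, and lists the accounts that AdminSDHolder protection has already stamped with adminCount=1, showing whether ACL inheritance is blocked on each. It assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or RSAT) and a domain-joined session with read access to the directory.

```powershell
# Added example (not the course's own code): audit built-in operator groups and
# report AdminSDHolder-protected user accounts.
# Assumes: Active Directory module available, domain-joined session.
Import-Module ActiveDirectory

$operatorGroups = 'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

foreach ($groupName in $operatorGroups) {
    # -Recursive expands nested groups, so indirect members are reported too.
    $members = @(Get-ADGroupMember -Identity $groupName -Recursive)
    if ($members.Count -gt 0) {
        Write-Warning ("{0} has {1} member(s); the course recommends keeping it empty:" -f $groupName, $members.Count)
        $members | ForEach-Object { "  " + $_.SamAccountName }
    } else {
        "$groupName is empty (expected)."
    }
}

# Accounts that SDProp has marked with adminCount=1 no longer inherit ACLs from
# their OU, so delegation granted on the OU (help desk password resets, for
# example) does not apply to them.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor
foreach ($user in $protected) {
    $inheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    "{0,-25} adminCount=1  inheritance blocked: {1}" -f $user.SamAccountName, $inheritanceBlocked
}
```

An account that shows adminCount=1 but is no longer in any protected group is a leftover of earlier membership; clearing the attribute and re-enabling inheritance on the object is a manual step that SDProp never performs for you.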

Special Identities

Windows and Active Directory also support special identities, groups for which membership is controlled by the operating system. You cannot view these groups in any list (in the Active Directory Users and Computers snap-in, for example), you cannot view or modify the membership of these special identities, and you cannot add them to other groups. You can, however, use these groups to assign rights and permissions, and they appear by name in ACLs and in security logs. The most important special identities, often referred to as groups for convenience, are described in the following list (the well-known SID is given in parentheses, because that is how they appear in raw ACLs and audit events):

- Anonymous Logon (S-1-5-7). This identity represents connections to a computer and its resources that are made without supplying a user name and password. Prior to Windows Server 2003, this group was a member of the Everyone group. Beginning with Windows Server 2003, this group is no longer a default member of the Everyone group.
- Authenticated Users (S-1-5-11). This represents identities that have been authenticated. This group does not include Guest, even if the Guest account has a password.
- Everyone (S-1-1-0). This identity includes Authenticated Users and the Guest account. On computers running versions of Windows earlier than Windows Server 2003, this group also includes Anonymous Logon.
- Interactive (S-1-5-4). This represents users accessing a resource while logged on locally to the computer that is hosting the resource, as opposed to accessing the resource over the network. When a user accesses any given resource on a computer to which the user is logged on locally, the user is automatically added to the Interactive group for that resource. Interactive also includes users logged on through a Remote Desktop connection (those sessions additionally carry the Remote Interactive Logon identity, S-1-5-14).
- Network (S-1-5-2). This represents users accessing a resource over the network, as opposed to users who are logged on locally at the computer that is hosting the resource. When a user accesses any given resource over the network, the user is automatically added to the Network group for that resource.

The importance of these special identities is that they allow you to provide access to resources based on the type of authentication or connection, rather than the user account. For example, you could create a folder on a system that allows users to view its contents when they are logged on locally to the system, but that does not allow the same users to view the contents from a mapped drive over the network. This would be achieved by assigning permissions to the Interactive special identity and granting nothing to Network, Authenticated Users, or Everyone.
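The local-only folder described above, built as an added example rather than code from the course: the script removes inherited permissions from a folder and grants Read & execute only to the INTERACTIVE special identity (plus Full Control to Administrators so the folder stays manageable), so a user who can open the folder at the console gets access denied when reaching the same path through a share. The folder path is an assumption; run it elevated on the file server.

```powershell
# Added example (not from the course): restrict a folder to interactive sessions by
# granting the INTERACTIVE special identity and nothing else.
# Assumes: run as an administrator on the machine that hosts the folder.
$folder = 'D:\Data\LocalOnly'   # assumed path
if (-not (Test-Path -Path $folder)) {
    $null = New-Item -ItemType Directory -Path $folder
}

$acl = Get-Acl -Path $folder
# Stop inheriting the parent's ACEs and discard the inherited copies, so only the
# explicit entries added below decide access.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Console and Remote Desktop sessions may list and read the contents.
$interactiveRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\INTERACTIVE', 'ReadAndExecute', $inherit, $propagate, 'Allow')
# Administrators keep Full Control; without this entry nobody could manage the folder.
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')

$acl.AddAccessRule($interactiveRule)
$acl.AddAccessRule($adminRule)
Set-Acl -Path $folder -AclObject $acl

# Verify: NETWORK, Authenticated Users and Everyone appear nowhere, so the same user
# connecting through a share or mapped drive is refused.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Because the rule is evaluated per access, the same account is allowed or denied purely by how it reached the file server; no group membership change is involved, and the setting survives the user being added to other groups later.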

Lesson 2: Administer Groups

In this lesson, you will learn about the different tools that you can use to manage groups. Using the tools included in Windows Server 2008, you can create and delete group objects, convert group type and scope, and manage group membership.

Objectives

After completing this lesson, you will be able to:

- Create groups with DSADD, CSVDE, and LDIFDE.
- Manage and convert group type and scope.
- Manage group membership with DSMOD and LDIFDE.
- Enumerate group membership with DSGET.
- Delete a group with DSRM.
- Copy group membership.

Tools for Group Management

You can use several GUI-based and command-line tools to create and manage groups in Active Directory Domain Services (AD DS). Each tool provides similar functionality, but the usage scenario will determine which tool is most appropriate. In this topic, we will review the available tools for creating and managing groups.

Active Directory Users and Computers

The Active Directory Users and Computers console is primarily used for group management on a day-to-day basis. It is a GUI-based console and is also available in earlier versions of Windows Server. It can be used locally on a domain controller or installed on another server or workstation (as part of the Remote Server Administration Tools) and then used remotely. In this console, you can create groups, manage group membership, convert a group from one type to another, and change group scope. Using this console, you can also delete groups, modify group properties, and rename groups. This console is very user-friendly and convenient for simple tasks performed on a relatively small number of group objects.

Note: The content in the following sections, Active Directory Administrative Center and Windows PowerShell with Active Directory Module, only applies to Windows Server 2008 R2.

Active Directory Administrative Center

In Windows Server 2008 R2, in addition to using Active Directory Users and Computers, administrators can manage their directory service objects by using the new Active Directory Administrative Center.

Built on Windows PowerShell command-line interface technology, Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich GUI. Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation. Although this console provides almost the same functionality as Active Directory Users and Computers when it comes to groups, it is not based on the same technology: every action it performs is executed as Active Directory module cmdlets under the covers. In this console, you can use the enhanced GUI to customize Active Directory Administrative Center to meet your particular directory service administering requirements. This can help improve your productivity and efficiency as you perform common Active Directory object management tasks.

Windows PowerShell with Active Directory Module

Windows PowerShell is a command-line shell and scripting language that can help information technology (IT) professionals to control system administration more easily and achieve greater productivity.

The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell module named ActiveDirectory that consolidates a group of cmdlets. You can use these cmdlets to manage your Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and Active Directory Database Mounting Tool instances in a single, self-contained package.

Using Windows PowerShell, you can manage groups and perform the following tasks:

- View the permissions of a group by using the Get-Acl cmdlet against the AD: drive that the module provides.
- Create a group by using the New-ADGroup cmdlet.
- View the nested members of a group by using the Get-ADGroupMember cmdlet with the -Recursive parameter.
- Move a group within a domain by using the Move-ADObject cmdlet.
- Enable universal group membership caching by using the Set-ADObject cmdlet (on the NTDS Site Settings object of a site).
- View the direct members of a group by using the Get-ADGroupMember cmdlet.
- Modify group attributes by using the Set-ADGroup cmdlet.
- Resolve a primary group ID by using the Get-ADUser cmdlet.
- Add and remove members of a group by using the Add-ADGroupMember or Remove-ADGroupMember cmdlets.
- Change the scope or type of a group by using the Set-ADGroup cmdlet.
- Restore a deleted group by using the Restore-ADObject cmdlet.

For example, if you want to create a global security group named IT Admins in the contoso.com domain by using Windows PowerShell, you need to use the following command.

    New-ADGroup -Name "IT Admins" -SamAccountName ITAdmins -GroupCategory Security -GroupScope Global -DisplayName "IT Administrators" -Path "CN=Users,DC=Contoso,DC=Com"

If you want to view the direct members of the group IT Admins in the contoso.com domain, you can use the following syntax.

    Get-ADGroupMember ITAdmins | FT Name,ObjectClass -A

The following example demonstrates how to move the group SvcAccPSOGroup from the OU Managed to the OU Managed Groups in the contoso.com domain.

    Move-ADObject "CN=SvcAccPSOGroup,OU=Managed,DC=Contoso,DC=Com" -TargetPath "OU=Managed Groups,DC=Contoso,DC=Com"

The following example demonstrates how to add the user Sara Davis to the group SvcAccPSOGroup.

    Add-ADGroupMember -Identity SvcAccPSOGroup -Members SaraDavis

Note: For a full explanation of the parameters that you can pass to any cmdlet in Windows PowerShell, at the Active Directory module command prompt, type Get-Help cmdlet-name -detailed and then press Enter.

DS commands

In previous versions of Windows Server, such as Windows Server 2003, where PowerShell was not included, other types of command-line utilities were used to manage Active Directory objects. These command-line tools were provided with server operating systems to allow better and more productive management of the directory service. These tools are called DS commands.

The following is a list of DS commands and their functionality:

- DSGet. Returns the current value of the specified directory object property.
- DSQuery. Allows the directory service to be searched for an object or for all objects with like properties.
- DSMod. Helps an administrator change properties for existing directory objects.
- DSRm. Removes objects from the directory.
- DSAdd. Allows administrators to add new directory objects.
- DSMove. Allows objects to be moved from one OU to another.

These commands can also be used in Windows Server 2008 R2 to manage groups. However, because Windows Server 2008 R2 includes a newer and more powerful command-line environment, these tools are mainly used to support legacy scripts. For example, to create a new global security group named Marketing, the following command would be used.

    dsadd group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -samid Marketing -secgrp yes -scope g

Demonstration: Create a Group Object

Groups are an important class of object, because they are used to collect users, computers, and other groups to create a single point of management. The most straightforward and common use of a group is to grant permissions to a shared folder. For example, if a group has been given Read access to a folder, any of the group's members will be able to read the folder. You do not have to grant Read access directly to each individual member; you can manage access to the folder simply by adding and removing members of the group.

Demonstration steps:

- Create a group by using Active Directory Users and Computers.
- Configure group properties.
- Change group scope by using Windows PowerShell with Active Directory Module.

Manage Group Membership

You can add or remove members of a group by using several methods. These include using the Members tab, the Member Of tab, the Add to a group command, and the member and memberOf attributes.

The Members Tab

To manage group membership by using the group's Members tab:

1. Open the group's Properties dialog box.
2. Click the Members tab.
3. To remove a member, simply select the member and click Remove.
4. To add a member, click the Add button. The Select Users, Computers, Service Accounts, or Groups dialog box appears.

There are several tips worth mentioning about this process:

- In the Select dialog box, in the Enter The Object Names box, you can type multiple accounts separated by semicolons. For example, typing sales; finance adds both the Sales and Finance groups in one step.
- You can type partial names of accounts; you do not need to type the full name. Windows searches Active Directory for accounts that begin with the name you entered. If there is only one match, Windows selects it automatically. If there are multiple accounts that match, the Multiple Names Found dialog box appears, allowing you to select the specific object you want. This shortcut of typing partial names can save time when you are adding members to groups and can help when you don't remember the exact name of a member.
- By default, Windows searches only for users and groups that match the names you enter in the Select dialog box. If you want to add computers to a group, you must click the Object Types button and select Computers.
- By default, Windows searches only the current domain. If you want to add accounts from another location, such as a trusted domain or the local computer, click the Locations button on the Select dialog box.
- If you cannot find the member you want to add, click the Advanced button on the Select dialog box. A more powerful query window will appear, giving you more options for searching Active Directory.

The Member Of Tab

To manage group membership by using the member object's Member Of tab:

1. Open the properties of the member object, and then click its Member Of tab.
2. To remove the object from a group, select the group and then click the Remove button.
3. To add the object to a group, click the Add button, and then select the group.

The Add to a group Command

To manage group membership by using the Add to a group command:

1. Right-click one or more selected objects in the Active Directory Users and Computers details pane.
2. Click the Add to a group command.
3. Use the Select dialog box to specify the group.

The member and memberOf Attributes

When you add a member to a group, you change the group's member attribute. The member attribute is a multivalued attribute. Each member is a value represented by the distinguished name of the member. If the member is moved or renamed, Active Directory automatically updates the member attributes of groups that include the member.

When you add a member to a group, the member's memberOf attribute is also updated, indirectly. The memberOf attribute is a special type of attribute called a back link. It is updated by Active Directory when a forward link attribute, such as member, refers to the object. When you add a member to a group, you are always changing the member attribute. Therefore, when you use the Member Of tab of an object to add it to a group, you are actually changing the group's member attribute; Active Directory updates the memberOf attribute automatically. Because the back link is computed, the permission you need in order to change a membership is always write access to the member attribute of the group, never write access to the memberOf attribute of the user. One exception to remember when you read these attributes: a user's primary group (Domain Users by default) is recorded in the primaryGroupID attribute, not in member or memberOf, so it does not appear in either list.
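The following script is an added example and not code from the course. It reads the member forward link of a group and the memberOf back link of a user, then answers the two questions posed in the lab (every user that is a member of a group through any level of nesting, and every group a user belongs to directly or indirectly) with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941, which makes the domain controller walk the nesting for you. The group and user names are assumptions that match the lab's contoso.com environment; the primary group caveat from the paragraph above is shown at the end.

```powershell
# Added example (not the course's own code): forward link, back link, and transitive
# membership in both directions via the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
# Assumes: Active Directory module, and the lab's group and user names below.
Import-Module ActiveDirectory

$groupName = 'ACL_Sales Folders_Read'   # assumed: the lab's resource access group
$userName  = 'Tony.Krijnen'             # assumed: a member of Sales, so indirect here

$group = Get-ADGroup -Identity $groupName -Properties member
$user  = Get-ADUser  -Identity $userName  -Properties memberOf, primaryGroupID

"Direct members of ${groupName} (forward link 'member'):"
$group.member | ForEach-Object { "  $_" }

"Direct memberships of ${userName} (back link 'memberOf'):"
$user.memberOf | ForEach-Object { "  $_" }

# Every user that is a member of the group, however deeply nested. The DC expands
# the chain, so this is one query rather than a recursive client-side walk.
"All users transitively in ${groupName}:"
Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
    ForEach-Object { "  " + $_.SamAccountName }

# Every group the user belongs to, directly or through nesting.
"All groups ${userName} belongs to, including nested membership:"
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { "  " + $_.Name }

# Caveat: the primary group is tracked by primaryGroupID, not by member/memberOf,
# so neither query above lists it (513 = Domain Users, 512 = Domain Admins).
"Primary group RID of ${userName}: $($user.primaryGroupID)"
```

The second query is the one to reach for when asked who can read a folder: take the distinguished name of the ACL_ group on the folder's ACL and the result is the complete effective membership, nested role groups included.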

Helping Membership Changes Take Effect Quickly

When you add a user to a group, the membership does not take effect immediately. Group membership is evaluated at logon for a user (at startup for a computer), when the group SIDs are placed in the user's access token and Kerberos ticket. Therefore, a user will have to log off and log on before the membership change becomes a part of the user's token. The same is true in reverse: removing a user from a group does not revoke access that an existing session already holds until the user logs off.

Additionally, there may be a delay while the group membership change replicates. (Replication will be discussed in Module 12.) This is particularly true if your enterprise has more than one Active Directory site. You can speed up the point at which a change affects a user by making the change on a domain controller in the user's site. Right-click the domain in the Active Directory Users and Computers snap-in, and then click Change Domain Controller.

Convert Group Type and Scope

If, after creating a group, you determine that you need to modify the group's scope or type, you can do so. Open the Properties of an existing group, and on the General tab you will see the existing scope and type. At least one more scope and type are available to be selected.

You can convert the group type at any time by changing the selection in the Group Type section of the General tab. Be cautious, however: when you convert a group from security to distribution, any resources to which the group had been assigned permission will no longer be accessible in the same way. After the group becomes a distribution group, users who log on to the domain will no longer include the group's SID in their security access tokens, so the ACEs that reference that SID no longer match anyone.

You can change the group scope in one of the following ways:

- Global to universal
- Domain local to universal
- Universal to global
- Universal to domain local

The only scope changes that you cannot make directly are from global to domain local or domain local to global. However, you can make these changes indirectly by first converting to universal scope, then converting to the desired scope. So, all scope changes are possible.

Remember, however, that a group's scope determines the types of objects that can be members of the group and the groups of which it can be a member. If the group's existing memberships conflict with the rules of the new scope, you will be prevented from changing the scope: a global group that is a member of another global group cannot become universal, because a universal group cannot be a member of a global group; a domain local group that contains another domain local group cannot become universal; and a universal group that contains universal groups cannot become global. You will be given an explanatory error message. You must correct the membership conflicts before you can change the group's scope.

The DSMod command can be used to change group type and scope by using the following syntax.

    dsmod group GroupDN -secgrp {yes | no} -scope {l | g | u}

The GroupDN is the distinguished name of the group to modify. The following two parameters affect group scope and type.

- -secgrp {yes | no}. Specifies group type: security (yes) or distribution (no).
- -scope {l | g | u}. Determines the group scope: domain local (l), global (g), or universal (u).
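The two-step conversion described above, as an added example written for this page rather than code from the course: the function checks the group's existing memberships against the rules that would make either step fail, reports the conflicting groups by name, and only then performs the universal hop followed by the target scope. The group name in the usage line is an assumption; the function itself works for any global or domain local group.

```powershell
# Added example (not from the course): convert global <-> domain local scope through
# universal, after checking for memberships the target scope forbids.
# Assumes: Active Directory module, and write access to the group object.
Import-Module ActiveDirectory

function Convert-GroupScopeViaUniversal {
    param(
        [Parameter(Mandatory=$true)] [string] $Identity,
        [Parameter(Mandatory=$true)] [ValidateSet('DomainLocal', 'Global')] [string] $TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties member, memberOf
    if ($group.GroupScope -eq $TargetScope) { return $group.GroupScope }

    # Scopes of the groups this group contains, and of the groups it belongs to.
    $memberGroups = @($group.member |
        ForEach-Object { Get-ADObject -Identity $_ } |
        Where-Object { $_.ObjectClass -eq 'group' } |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName })
    $parentGroups = @($group.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })

    $blockers = @()
    # Step 1 (-> Universal) fails if the group is nested inside a global group, or
    # if it is domain local and contains another domain local group.
    $blockers += @($parentGroups | Where-Object { $_.GroupScope -eq 'Global' })
    if ($group.GroupScope -eq 'DomainLocal') {
        $blockers += @($memberGroups | Where-Object { $_.GroupScope -eq 'DomainLocal' })
    }
    # Step 2 (-> Global) fails if the group contains universal groups.
    if ($TargetScope -eq 'Global') {
        $blockers += @($memberGroups | Where-Object { $_.GroupScope -eq 'Universal' })
    }
    if ($blockers.Count -gt 0) {
        $names = ($blockers | ForEach-Object { $_.Name }) -join ', '
        throw "Fix these memberships before converting ${Identity}: $names"
    }

    Set-ADGroup -Identity $Identity -GroupScope Universal     # the indirect hop
    Set-ADGroup -Identity $Identity -GroupScope $TargetScope  # the real target
    return (Get-ADGroup -Identity $Identity).GroupScope
}

# Usage (assumed group): turn the Marketing role group into a domain local group.
Convert-GroupScopeViaUniversal -Identity 'Marketing' -TargetScope DomainLocal
```

Because the group's SID never changes during either step, permissions that reference the group keep working; the only thing that changes is which objects are allowed to be members and where the group can be used.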

Copy Group Membership

You can use DSGet in combination with DSMod to copy group membership. In the following example, the DSGet command is used to get information about all the members of the Sales group, and then, by piping that list to DSMod, to add those users to the Marketing group.

    dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr

Notice the use of piping. The "output" of DSGet (distinguished names of members of the first group) is piped, using the pipe symbol ("|"), to act as the "input" for the member DNs that the -addmbr switch expects.

Similarly, the DSGet and DSMod commands can work together to copy the group membership of one object, such as a user, to another object. Here DSGet returns the DNs of the groups the source user belongs to, and DSMod adds the target user to each of those groups.

    dsget user "SourceUserDN" -memberof | dsmod group -addmbr "TargetUserDN"

Delete Groups

You can delete a group in the Active Directory Users and Computers snap-in by right-clicking the group and choosing the Delete command.

Also, DSRm can be used to delete a group or any other Active Directory object. The basic syntax of DSRm is as follows.

    dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]

The object is specified by its distinguished name in the ObjectDN parameter. You will be prompted to confirm the deletion of each object, unless you specify the -noprompt option. The -c switch puts DSRm into continuous operation mode, in which errors are reported but the command keeps processing additional objects; without the -c switch, processing halts on the first error.

The -subtree option causes DSRm to delete the object and all child objects. The -subtree -exclude option will delete all child objects, but not the object itself. Use -subtree with care: pointed at an OU, it removes every user, computer, and group inside it in one operation.

To delete the Public Relations group, type the following command.

    dsrm "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"

Know the Impact Before Deleting a Group

When you delete a group, you are removing a point of management in your organization. Be certain you have evaluated the environment to know that there are no permissions or other resources that rely on the group. Deleting a group is a serious action with potentially significant consequences. When you delete a group, you remove its SID. Recreating the group with the same name does not restore permissions, because the new group's SID is different than that of the original group.

We recommend that before you delete a group, you record its membership and remove all members for a period of time, to determine whether the members lose access to any resources. If anything goes wrong, simply re-add the members. If the test succeeds, then delete the group.
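The staged deletion recommended above, as an added example that is not part of the course: the script records the group's SID and membership to a file, empties the group for the trial period, offers a function to put the members back, and finally deletes the group and shows how to recover it with Restore-ADObject so that the original SID (the thing ACLs actually reference) survives. The group name and backup path are assumptions. A full restore including membership assumes the Active Directory Recycle Bin is enabled in the Windows Server 2008 R2 forest; without it, the reanimated object keeps its SID but loses its member links.

```powershell
# Added example (not from the course): record, empty, delete, and recover a group.
# Assumes: Active Directory module; AD Recycle Bin enabled for a full restore.
Import-Module ActiveDirectory

$groupName = 'Test'                             # assumed group (as in Lab A, Exercise 3)
$backup    = "C:\Temp\$groupName-members.txt"   # assumed path
$null = New-Item -ItemType Directory -Path (Split-Path -Path $backup) -Force

$group = Get-ADGroup -Identity $groupName -Properties member

# 1. Record the SID and the membership. The SID is what the folder ACLs contain.
"SID: $($group.SID.Value)" | Out-File -FilePath $backup
$group.member | Out-File -FilePath $backup -Append

# 2. Empty the group and leave it empty for the trial period (days, not minutes).
if ($group.member) {
    Remove-ADGroupMember -Identity $groupName -Members $group.member -Confirm:$false
}

# 3. If users report lost access, restore the recorded members.
function Restore-RecordedMembers {
    $dns = Get-Content -Path $backup | Where-Object { $_ -notlike 'SID:*' }
    if ($dns) { Add-ADGroupMember -Identity $groupName -Members $dns }
}

# 4. Only after the trial period: clear the deletion guard, then delete.
Set-ADObject -Identity $group.DistinguishedName -ProtectedFromAccidentalDeletion $false
Remove-ADGroup -Identity $groupName -Confirm:$false

# 5. Recovery. A recreated group would get a new SID; reanimating the deleted
#    object keeps the old one, so existing ACEs match again.
$deleted = Get-ADObject -Filter { sAMAccountName -eq $groupName -and isDeleted -eq $true } -IncludeDeletedObjects
if ($deleted) {
    Restore-ADObject -Identity $deleted.ObjectGUID
    $restored = Get-ADGroup -Identity $groupName -Properties member
    "Restored SID matches recorded SID: $($restored.SID.Value -eq $group.SID.Value)"
    # Without the Recycle Bin the member links do not come back; compare the counts
    # and run Restore-RecordedMembers if they differ.
    "Members after restore: $(@($restored.member).Count) (recorded: $(@($group.member).Count))"
}
```

The comparison in step 5 is the important check: a matching SID means every ACE that referenced the group is live again, while a member count of zero after restore tells you the Recycle Bin was not enabled and the membership has to be rebuilt from the recorded file.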

Lab A: Administer Groups

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd
5. Open Windows Explorer and then browse to D:\Labfiles\Lab04a.
6. Run Lab04a_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab04a.

Lab Scenario

To improve the manageability of resource access at Contoso, Ltd., you have decided to implement role-based management. The first application of role-based management will be to manage who can access the folders containing sales information. You must create groups that manage access to that sensitive information. Business rules are that Sales and Marketing employees, and a team of Consultants, should be able to read the Sales folders. Additionally, Bobby Moore requires Read access. Finally, you have been asked to discover a way to produce a list of group members, including those who are in nested groups, and a list of a user's group membership, including indirect or nested membership.

Exercise 1: Implement Role-Based Management by Using Groups

In this exercise, you will implement role-based management by using groups and the best-practice group nesting strategy, IGDLA. You will create different scopes and types by using both the Active Directory Users and Computers snap-in and command-line tools.

The main tasks for this exercise are as follows:

1. Create role groups with Active Directory Users and Computers.
2. Create role groups with DSAdd.
3. Add users to the role group.
4. Implement a role hierarchy in which Sales Managers are also part of the Sales role.
5. Create a resource access management group.
6. Assign permissions to the resource access management group.
7. Define which roles and users have access to a resource.

Task 1: Create role groups with Active Directory Users and Computers.

1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin, with the password, Pa$$w0rd.
2. Create global security groups called Sales and Consultants in the Groups\Role OU.

Task 2: Create role groups with DSAdd.

1. Run a command prompt with administrative credentials. Use the account Pat.Coleman_Admin, with the password, Pa$$w0rd.
2. Using the DSAdd command, create a global security group named Auditors in the Groups\Role OU.
3. In Active Directory Users and Computers, confirm that the object has been created.

Task 3: Add users to the role group.

1. Add Tony Krijnen to the Sales group by using the Members tab of the Sales group.
2. Add Linda Mitchell to the Sales group by right-clicking Linda Mitchell and choosing Add to a group.

Task 4: Implement a role hierarchy in which Sales Managers are also part of the Sales role.

Add the Sales Managers group as a member of the Sales group by using the Member Of tab of the Sales Managers group.

Task 5: Create a resource access management group.

Create a domain local security group named ACL_Sales Folders_Read in the Groups\Access OU.

Task 6: Assign permissions to the resource access management group.

1. Verify that there is a folder in D:\Data named Sales.
2. Right-click the Sales folder, click Properties, and then click the Security tab.
3. Click Edit, and then click Add.
4. Type ACL_ and press ENTER. Notice that when you use a prefix for group names, such as the ACL_ prefix for resource access groups, you can find them quickly.
5. Click ACL_Sales Folders_Read, and then click OK.
6. Confirm that the group has been given Read & execute permission.
7. Click OK to close each open dialog box.

Task 7: Define the roles and users that have access to a resource.

Add Sales, Consultants, Auditors, and Bobby Moore to the ACL_Sales Folders_Read group.

Results: In this exercise, you implemented simple role-based management to manage Read access to the Sales folder.

Exercise 2 (Advanced Optional): Explore Group Membership Reporting Tools

Advanced Optional exercises provide additional challenges for students who are able to complete lab exercises quickly. There are no answers in the Lab Answer Key.

The main tasks for this exercise are as follows:

1. Open D:\AdminTools\Members_Report.hta. Enter the name of a group, and then click SHOW MEMBERS.
2. Open D:\AdminTools\MemberOf_Report.hta. Enter the name of a user, computer, or group, and then click Report.

Exercise 3 (Advanced Optional): Understand "Account Unknown" Permissions

Advanced Optional exercises provide additional challenges for students who are able to complete lab exercises quickly. There are no answers in the Lab Answer Key.

The main tasks for this exercise are as follows:

1. In the Role OU, create a global security group named Test.
2. Give the group Read & Execute permission to the D:\Data\Sales folder.
3. Delete the group named Test.
4. Examine the Security tab of the Sales folder's properties dialog box. If you still see the Test group listed, Windows Explorer may be caching the mapping of the SID to the group name. Log off, log on, and check again. Once the cache is gone, the entry appears as "Account Unknown" followed by the orphaned SID: the ACE is still there, but it can never match a token again.

Note: Do not shut down the virtual machines after you finish this lab, because the settings you have configured here will be used in Lab B.

Lab Review Questions

Question: Describe the purpose of global groups in terms of role-based management.

Question: What types of objects can be members of global groups?

Question: Describe the purpose of domain local groups in terms of role-based management of resource access.

Question: What types of objects can be members of domain local groups?

Question: If you have implemented role-based management and are asked to report who can read the Sales folders, what command would you use to do so?

Lesson 3: Best Practices for Group Management

In this lesson, you will learn about the best practices that you should follow when you manage groups. You will also see how to protect groups from accidental deletion and how to use the Managed By tab to delegate membership management.

Objectives

After completing this lesson, you will be able to:

- Describe the best practices for group documentation.
- Protect a group from accidental deletion.
- Delegate group membership management by using the Managed By tab.

Best Practices for Documenting Groups

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=6&FontSize=3&FontType=segoe

70/88

07/06/13

Module 4: Managing Groups

CreatingagroupinActiveDirectoryiseasy.Itisnotsoeasytoensurethatthegroup isusedcorrectlyovertime.Youcanfacilitatethecorrectmanagementanduseofa groupbydocumentingitspurpose,tohelpadministratorsunderstandhowandwhen tousethegroup.Thereareseveralbestpracticesthatwillproveimmenselyusefulto yourenterprisegroupadministration.

Establish and Adhere to a Strict Naming Convention


Anearlierlessondealtwithasuggestednamingconvention.Inthecontextof ongoinggroupadministration,establishingandfollowinggroupnamingstandards increasesadministrativeproductivity.Usingprefixestoindicatethepurposeofa group,andusingaconsistentdelimiterbetweentheprefixandthedescriptivepartof thegroupnamecanhelpuserslocatethecorrectgroupforaparticularpurpose.For example,theprefixAPPcanbeusedtodesignategroupsthatareusedtomanage applications,andtheprefixACLcanbeusedforgroupsthatareassignedpermissions onaccesscontrollists(ACLs).Withsuchprefixes,itbecomeseasiertolocateand interpretthepurposeofgroupsnamed,forexample,APP_Accountingversus ACL_Accounting_Readtheformerisusedtomanagethedeploymentofthe accountingsoftware,andthelattertoprovideReadaccesstotheaccountingfolder. Prefixesalsohelptogroupthenamesofgroupsintheuserinterfaceasillustratedin theexampleshowninthefollowingscreenshot.

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=6&FontSize=3&FontType=segoe

71/88

07/06/13

Module 4: Managing Groups

Whenattemptingtolocateagrouptouseinassigningpermissionstoafolder,you cantypetheprefix,ACL,_intheSelectdialogboxandclickOK.AMultipleItems FounddialogboxappearsshowingonlytheACL_groupsinthedirectory,thereby ensuringthatpermissionswillbeassignedtoagroupthatisdesignedtomanage resourceaccess.

Summarize a Groups Purpose with its Description Attribute


Use the Description attribute of a group to summarize the group's purpose. Because the Description column is enabled by default in the details pane of the Active Directory Users and Computers snap-in, the group's purpose can be highly visible to administrators.


Detail a Group's Purpose in its Notes


When you open a group's Properties dialog box, the Notes field is visible at the bottom of the General tab. This field can be used to record the group's purpose. For example, you can list the folders to which a group has been given permission, as follows.
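
The naming, Description and Notes practices above are all things you can apply and audit in bulk with Windows PowerShell and the Active Directory module. The following script is an added example written for this page; it is not part of the course text. It assumes the Active Directory module is available, that the group's sAMAccountName equals its display name (the lab's ACL_Sales Folders_Read), and a lab domain of contoso.com with the OU path OU=Access,OU=Groups; the OU path, domain and folder paths are assumptions to replace with your own. It sets the Description and the Notes field (the info attribute), then reports every group in an OU that lacks an approved prefix, a Description or Notes.

```powershell
# Added example (not part of the course text): sets the Description and Notes
# of a group and reports groups that do not follow the naming and documentation
# practices described above. Assumes the Active Directory module is installed
# and that the OU path and group names match the lab (adjust for your domain).
Import-Module ActiveDirectory

# Prefixes suggested by the lesson: APP_ for application-management groups and
# ACL_ for groups that are assigned permissions on access control lists.
$ApprovedPrefixes = @('APP_', 'ACL_')

function Set-GroupDocumentation {
    param(
        [Parameter(Mandatory=$true)] [string]   $Identity,      # sAMAccountName or DN of the group
        [Parameter(Mandatory=$true)] [string]   $Description,   # one-line summary of the group's purpose
        [Parameter(Mandatory=$true)] [string[]] $ResourcePath   # folders on whose ACLs the group appears
    )
    # The Notes field on the General tab is stored in the 'info' attribute, one path per line.
    $notes = $ResourcePath -join "`r`n"
    Set-ADGroup -Identity $Identity -Description $Description -Replace @{ info = $notes }
}

function Get-GroupDocumentationReport {
    param([Parameter(Mandatory=$true)] [string] $SearchBase)   # OU to audit
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties description, info |
        ForEach-Object {
            $name = $_.Name
            $followsNaming = $false
            foreach ($prefix in $ApprovedPrefixes) {
                # Prefix followed by the underscore delimiter, e.g. ACL_Accounting_Read
                if ($name.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $followsNaming = $true
                }
            }
            New-Object PSObject -Property @{
                Name           = $name
                FollowsNaming  = $followsNaming
                HasDescription = -not [string]::IsNullOrEmpty($_.description)
                HasNotes       = -not [string]::IsNullOrEmpty($_.info)
            }
        }
}

# Usage, mirroring Lab B, Task 1 (lab values; substitute your own):
Set-GroupDocumentation -Identity 'ACL_Sales Folders_Read' `
    -Description 'Sales Folders (READ)' `
    -ResourcePath '\\contoso\teams\Sales (READ)', '\\file02\data\Sales (READ)', '\\file03\news\Sales (READ)'

# List only the groups that miss at least one of the three practices.
Get-GroupDocumentationReport -SearchBase 'OU=Access,OU=Groups,DC=contoso,DC=com' |
    Where-Object { -not ($_.FollowsNaming -and $_.HasDescription -and $_.HasNotes) } |
    Format-Table Name, FollowsNaming, HasDescription, HasNotes -AutoSize
```

Run the report periodically rather than once: a group that was documented when it was created tends to drift as folders are added to it, and the empty-Notes check is the quickest way to catch groups whose ACL placements are no longer recorded.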

Protect Groups from Accidental Deletion


Protect yourself from the potentially devastating results of deleting a group by protecting each group you create from deletion. Windows Server 2008 makes it easy to protect any object from accidental deletion.

To protect an object, perform the following steps:

1. In the Active Directory Users and Computers snap-in, click the View menu and ensure that Advanced Features is selected.
2. Open the Properties dialog box for a group.
3. On the Object tab, select the Protect Object From Accidental Deletion check box.
4. Click OK.

This is one of the few places in Windows in which you actually have to click OK. Clicking Apply does not modify the ACL based on your selection.

The Protect Object From Accidental Deletion option applies an access control entry (ACE) to the ACL of the object that explicitly denies the Everyone group both the Delete permission and the Delete Subtree permission. If you really do want to delete the group, you can return to the Object tab of the Properties dialog box and clear the Protect Object From Accidental Deletion check box.

Deleting a group has a high impact on administrators and, potentially, on security. Consider a group that has been used to manage access to resources. If the group is deleted, access to that resource is changed. Either users who should be able to access the resource are suddenly prevented from access, creating a denial of service scenario, or, if you had used the group to deny access to a resource with a Deny permission, inappropriate access to the resource becomes possible.

Additionally, if you re-create the group, the new group object will have a new SID, which will not match the SIDs on ACLs of resources. So you must instead perform object recovery to reanimate the deleted group before the tombstone interval is reached. When a group has been deleted for the tombstone interval (60 days, by default), the group and its SID are permanently deleted from Active Directory. When you reanimate a tombstoned object, you must re-create most of its attributes, including, importantly, the member attribute of group objects. That means you must rebuild the group membership after restoring the deleted object. Alternatively, you can perform an authoritative restore or, in Windows Server 2008, turn to your Active Directory snapshots to recover both the group and its membership. Authoritative restore and snapshots are discussed in Module 13.

In any event, it is safe to say that recovering a deleted group is a skill you should hope to use only in disaster recovery fire drills, not in a production environment.
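
The check box described above, the Deny ACE it adds, and the orphaned-SID problem that follows a deletion can all be checked from Windows PowerShell. The following script is an added example for this page, not course or Microsoft code. It assumes the Active Directory module (which also provides the AD: drive used to read object ACLs), the lab OU path OU=Access,OU=Groups,DC=contoso,DC=com, and a placeholder folder path D:\Data\Sales; all three are assumptions to adjust. It protects every unprotected group in an OU, verifies that the Everyone Deny Delete/DeleteTree ACE is present, and lists ACL entries on a folder whose SID no longer resolves to a name, which is what a deleted group leaves behind.

```powershell
# Added example (not part of the course text): protects all groups in an OU from
# accidental deletion, verifies the Deny ACE that the Object tab check box applies,
# and finds orphaned SIDs left on a folder ACL after a group has been deleted.
# Assumes the Active Directory module (which also provides the AD: drive) and
# the lab OU path; the folder path is a placeholder.
Import-Module ActiveDirectory

function Protect-GroupsInOU {
    param([Parameter(Mandatory=$true)] [string] $SearchBase)
    # ProtectedFromAccidentalDeletion is the same setting as the check box on the Object tab.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        ForEach-Object {
            Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $true
            Write-Output ("Protected " + $_.Name)
        }
}

function Test-DeleteProtection {
    param([Parameter(Mandatory=$true)] [string] $DistinguishedName)
    # The option adds an explicit ACE: Everyone, Deny, Delete and DeleteTree.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $denyAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.ActiveDirectoryRights -band $rights::Delete) -ne 0) -and
        (($_.ActiveDirectoryRights -band $rights::DeleteTree) -ne 0)
    }
    return [bool]$denyAce
}

function Find-OrphanedSid {
    param([Parameter(Mandatory=$true)] [string] $Path)   # folder whose ACL to inspect
    # A deleted group leaves an ACE whose SID no longer resolves to a name; Get-Acl
    # returns such entries as raw SecurityIdentifier objects instead of NTAccount names.
    # Re-creating a group with the same name does not repair these entries (new SID).
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier] } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (lab values; adjust):
Protect-GroupsInOU -SearchBase 'OU=Access,OU=Groups,DC=contoso,DC=com'
$dn = (Get-ADGroup -Identity 'ACL_Sales Folders_Read').DistinguishedName
Test-DeleteProtection -DistinguishedName $dn        # $true once the Deny ACE is in place
Find-OrphanedSid -Path 'D:\Data\Sales'              # placeholder folder path
```

Test-DeleteProtection reads the same security descriptor the snap-in modifies, so it also catches the case the text warns about: an administrator who clicked Apply instead of OK and left the group unprotected. Find-OrphanedSid is the post-incident check; an entry listed there is evidence that a group was deleted and re-created rather than reanimated or restored.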

Delegate Membership Management with the Managed By Tab


After a group has been created, you might want to delegate the management of the group's membership to a team or an individual who has the business responsibility for the resource that the group manages. For example, let's assume that your finance manager is responsible for creating next year's budget. You create a shared folder for the budget and assign Write permission to a group named ACL_Budget_Edit. If someone needs access to the budget folder, he or she contacts the help desk to enter a request, the help desk contacts the finance manager for business approval, and then the help desk adds the user to the ACL_Budget_Edit group. You can improve the responsiveness and accountability of the process by allowing the finance manager to change the group's membership. Then, users who need access can request access directly from the finance manager, who can make the change, thus removing the intermediate step of contacting the help desk. To delegate the management of a group's membership, you must assign to the finance manager the Allow Write Member permission for the group. The member attribute is the multivalued attribute that is the group's membership.

The easiest way to delegate membership management of a single group is to use the Managed By tab. The Managed By tab of a group object's Properties dialog box is shown here:

The Managed By tab serves two purposes. First, it provides contact information related to the manager of a group. You can use this information to contact the business owner of a group to obtain approval before adding a user to the group. The second purpose served by the Managed By tab is to manage the delegation of the member attribute. Note the check box shown in the preceding screenshot. It is labeled Manager can update membership list. When selected, the user or group shown in the Name box is given the Allow Write Member permission. If you change or clear the manager, the appropriate change is made to the group's ACL.

Tip: You must actually click OK to implement the change. Clicking Apply does not change the ACL on the group.

It is not quite so easy to insert a group into the Managed By tab of another group. When you click the Change button, the Select User, Contact, Or Group dialog box appears. If you enter the name of a group and click OK, an error occurs. That is because this dialog box is not configured to accept groups as valid object types, even though Group is in the name of the dialog box itself. To work around this odd limitation, click the Object Types button, and then select the check box next to Groups. Click OK to close both the Object Types and Select dialog boxes. Be sure to select the Manager Can Update Membership List check box if you want to assign the Allow Write Member permission to the group. When a group is used on the Managed By tab, no contact information is visible, because groups do not maintain contact-related attributes.


After you have delegated group membership management, a user does not require Active Directory Users and Computers to modify the membership of the group. A user can simply use the Search Active Directory capability of Windows clients to find the group, and then change its membership.

To find a group:

1. Click Start, and then click Network.
2. Click the Search Active Directory button on the toolbar.
3. Type the name of the group and click Find Now.
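
The Managed By tab does two distinct things when the check box is selected: it records the manager in the managedBy attribute and it adds an Allow WriteProperty ACE scoped to the member attribute of that one group. The following script is an added example for this page, not course or Microsoft code, that performs both steps from Windows PowerShell and then validates the delegation the way Lab B, Task 4 does. It assumes the Active Directory module and the lab names Auditors and Mike.Danseglio; the schemaIDGUID of the member attribute (bf9679c0-0de6-11d0-a285-00aa003049e2) is the well-known value from the AD schema.

```powershell
# Added example (not part of the course text): delegates membership management
# of a single group the way the Managed By tab does, and validates the result.
# Assumes the Active Directory module and the lab names (Auditors, Mike.Danseglio).
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute. Scoping the ACE to this one property
# is what makes it "Allow Write Member" rather than write access to the whole group.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMembershipManagement {
    param(
        [Parameter(Mandatory=$true)] [string] $Group,    # group whose membership is delegated
        [Parameter(Mandatory=$true)] [string] $Manager   # sAMAccountName of the user or group that manages it
    )
    $g = Get-ADGroup -Identity $Group
    # Get-ADObject rather than Get-ADUser so that a group can be the manager too.
    $m = Get-ADObject -LDAPFilter "(sAMAccountName=$Manager)" -Properties objectSid
    if ($null -eq $m) { throw "Manager '$Manager' not found" }

    $path   = "AD:\" + $g.DistinguishedName
    $acl    = Get-Acl -Path $path
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                  -ArgumentList $m.objectSid, $rights, $allow, $MemberAttributeGuid
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Record the business owner on the Managed By tab as well.
    Set-ADGroup -Identity $g -ManagedBy $m.DistinguishedName
}

function Test-GroupMembershipDelegation {
    param(
        [Parameter(Mandatory=$true)] [string] $Group,
        [Parameter(Mandatory=$true)] [string] $Manager
    )
    $g   = Get-ADGroup -Identity $Group
    $sid = (Get-ADObject -LDAPFilter "(sAMAccountName=$Manager)" -Properties objectSid).objectSid
    $acl = Get-Acl -Path ("AD:\" + $g.DistinguishedName)
    # Ask for rules keyed by SID so the comparison does not depend on name resolution.
    $ace = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $MemberAttributeGuid -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
        }
    return [bool]$ace
}

# Usage, mirroring Lab B, Tasks 3 and 4 (lab values; adjust):
Grant-GroupMembershipManagement -Group 'Auditors' -Manager 'Mike.Danseglio'
Test-GroupMembershipDelegation  -Group 'Auditors' -Manager 'Mike.Danseglio'   # $true when delegated
```

Two points a practitioner should keep in mind. First, Set-ADGroup -ManagedBy on its own only writes the attribute; it does not grant anything, which is why the ACE is added explicitly here. Second, the snap-in removes the ACE when you clear or change the manager, whereas a script must do that itself (RemoveAccessRule on the same security object); Test-GroupMembershipDelegation is the check to run after either change to confirm the ACL matches the managedBy value.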


Lab B: Best Practices for Group Management

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd

Lab Scenario
Your implementation of role-based management at Contoso, Ltd. has been highly successful. As the number of groups in the domain has increased, you've come to realize that it is important to record the groups and prevent administrators from accidentally deleting a group. Finally, you want to allow the business owners of resources to manage access to those resources by delegating to those owners the right to modify the membership of appropriate groups.

Exercise 1: Implement Best Practices for Group Management


In this exercise, you will perform the following tasks to record, delegate, and secure groups:

1. Create a well-documented group.
2. Protect a group from accidental deletion.
3. Delegate group membership management.
4. Validate the delegation of group membership management.

Task 1: Create a well-documented group.

1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin, with the password Pa$$w0rd.
2. Browse to the Groups\Access OU. In the properties of the ACL_Sales Folders_Read group, configure the following:
   A Description that summarizes the resource management rule represented by the group: Sales Folders (READ)
   In the Notes box, type the following paths to represent the folders that have permissions assigned to this group:
   \\contoso\teams\Sales (READ)
   \\file02\data\Sales (READ)
   \\file03\news\Sales (READ)

Task 2: Protect a group from accidental deletion.


1. Enable the Advanced Features view of the Active Directory Users and Computers snap-in.
2. Protect the ACL_Sales Folders_Read group from being accidentally deleted.
3. Attempt to delete the group. Confirm that the attempt to delete the group is denied.

Task 3: Delegate group membership management.

Configure the Managed By attribute of Auditors to refer to Mike Danseglio.

Task 4: Validate the delegation of group membership management.

1. Log off from NYC-DC1, then log on with the user name Mike.Danseglio and the password Pa$$w0rd.
2. Open the Network window and use Search Active Directory to locate the Auditors group.
3. Add the Executives group to the Auditors group.
4. Log off from NYC-DC1.


Results: In this exercise, you created a well-documented group, protected it from accidental deletion, and delegated group membership management.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click 6425B-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Lab Review Questions

Question: What are some benefits of using the Description and Notes fields of a group?

Question: What are the advantages and disadvantages of delegating group membership?


Module Review and Takeaways

Review Questions
1. Members of a Sales department in a company that has branches in multiple cities travel frequently between domains. How will you provide these members with access to printers on various domains that are managed by using domain local groups?
2. You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user's account?
3. Which group scope can be assigned permissions in any domain or forest?

Common Issues Related to Group Management


Issue                                  Troubleshooting tip
Cannot convert group scope
Cannot add group to another group
Cannot create group in AD DS

Real-World Issues and Scenarios


A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give the project manager permission to manage anything else in AD DS. What is the best way to do this?

Best Practices for Group Management


When managing access to resources, try to use both rule and role groups.
Use Universal groups only when necessary because they add weight to replication traffic.
Use Windows PowerShell with Active Directory Module for batch jobs on groups.
Avoid adding users to Builtin and Default Groups.

Tools
Tool                                              Use             Where to find it
Active Directory Users and Computers              Manage groups   Administrative Tools
Windows PowerShell with Active Directory Module   Manage groups   Installed as Windows Feature
DS utilities                                      Manage groups   Command line

Windows Server 2008 R2 Features Introduced in this Module


Feature                                           Description
Windows PowerShell with Active Directory Module   New administration utility for Active Directory, based on Windows PowerShell