Module 4: Managing Groups
Contents:
Lesson 1: Overview of Groups
Lesson 2: Administer Groups
Lab A: Administer Groups
Lesson 3: Best Practices for Group Management
Lab B: Best Practices for Group Management
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=6&FontSize=3&FontType=segoe
1/88
07/06/13
Although users and computers, and even services, change over time, business roles and rules tend to remain more stable. Your business probably has a finance role, which requires certain capabilities in the enterprise. The user or users who perform that role will change, but the role will remain. For that reason, it is not practical to manage an enterprise by assigning rights and permissions to individual users, computers, or service identities. Management tasks should be associated with groups. In this course, you will use groups to identify administrative and user roles, to filter Group Policy, to assign unique password policies, to assign rights and permissions, and more. To prepare for those tasks, in this module, you will learn how to create, modify, delete, and support group objects in an Active Directory domain.
Objectives
Before implementing groups in your environment, you should learn and understand
Objectives
After completing this lesson, you will be able to:
- Understand the role of groups in managing an enterprise.
- Define group naming conventions.
- Understand group types.
- Understand group scope.
- Identify group membership and nesting possibilities.
- Understand how to manage and administer groups.
- Understand the best practice for group nesting to achieve role-based management.
Imagine next that it is not only salespeople who require Read access to the folders. Executives, Marketing department employees, and the sales consultant hired by your organization also require Read permission to the same folders. It is very common that various groups of users require access to the same resources. You could add those groups to the ACL of the folders, granting each of them Allow Read permission, but soon you will end up with an ACL with multiple permissions, this time assigning the Allow Read permission to multiple groups, instead of multiple users. To give the three groups and one user permission to the three folders on the three servers, you will have to add twelve permissions! The next group that requires access will require three more changes to grant permissions to the ACLs of the three shared folders.
What if eight users who are not salespeople, marketing employees, or executives, have a business need for Read access to the three folders? Do you add their individual user accounts to the ACLs? If so, that is 24 more permissions to add and manage!

You can see that using only one type of group, a role group that defines the business roles of users, quickly becomes an ineffective way of enabling management of access to the three folders. If the management rule suggests that three roles and nine additional users require access to the resource, you are assigning a total of 36 permissions on ACLs. It becomes very difficult to maintain compliance and to audit. Even simple questions such as, "Can you tell me every user who can read the Sales folders?" become difficult to answer.

The solution is to recognize that there are two types of management that must take place to effectively manage this scenario. You must manage the users as collections, based upon their business roles and, separately, you must manage access to the three folders.

The three folders are also a collection of items. They are a single resource, a collection of Sales folders that just happens to be distributed across three folders on three servers. You are trying to manage Read access to that resource. You need a single point of management with which to manage access to the resource. This requires another group, a group that represents Read access to the three folders on the three servers. We call that type of group a rule group (sometimes, also resource groups). Imagine that you create a group called ACL_SalesFolders_Read. This group will be assigned the Allow Read permission on the three folders. The Sales, Marketing, and Executives groups, along with the individual users, will all be members of the ACL_SalesFolders_Read group. You assign only three permissions: one on each folder, granting Read access to the ACL_SalesFolders_Read group.

The ACL_SalesFolders_Read group becomes the focus of access management. As additional groups or users require access to the folders, they will be added to that group. It also becomes easier to report who has access to the folders. Instead of having to examine the ACLs on each of the ten folders, you simply examine the membership of the ACL_SalesFolders_Read group.

To effectively manage even a slightly complex enterprise, you will need two "types" of groups that perform two distinct purposes:
- Groups that define roles. These groups, referred to as role groups, contain users, computers, and other role groups based on common business characteristics such as location, job type, and so on.
- Groups that define management rules. These groups, referred to as rule groups, define how an enterprise resource is being managed.
This approach to managing the enterprise with groups is called role-based management. You define roles of users based on business characteristics, for example, department or division affiliation such as sales, marketing, and executives, and you define management rules, for example, the rule that manages which roles and individuals can access the three folders.

You can achieve both management tasks by using groups in a directory. Roles are represented by groups that contain users, computers, and other roles. Roles can include other roles; for example, a Manager role might include Sales Managers, Finance Managers, and Production Managers roles. Management rules, such as the rule that defines and manages Read access to the three folders, are represented by groups also. Rule groups contain roles, and occasionally, individual users or computers such as the sales consultant and eight other users in the example.

The key takeaway is that there are two "types" of groups: one that defines the role, and the other that defines how a resource is managed.
Important best practice: Use the same name (unique in the domain) for both properties.
The first properties you must configure are the group's names. A group, like a user or computer, has several names. The first, shown in the Group Name box above, is used by Windows 2000 and later systems to identify the object; it becomes the cn and name attributes of the object. The second, the pre-Windows 2000 name, is the sAMAccountName attribute, used to identify the group to computers running Windows NT 4.0 and to some devices, such as network-attached storage (NAS) devices running non-Microsoft operating systems. The cn and name attributes must be unique only within the container, the OU, in which the group exists. The sAMAccountName must be unique in the entire domain. Technically, the sAMAccountName could be a different value than the cn and name, but it is highly discouraged to make these different. Pick a name that is unique in the domain, and use it in both name fields in the New Object - Group dialog box.

The name you choose should help you manage the group and manage your enterprise on a day-to-day basis. We recommend that you follow a naming convention that identifies the type of group and the purpose of the group.
- Role groups. Simple, unique name, such as Sales or Consultants.
- Management groups. For example, ACL_SalesFolders_Read.
  - Prefix. This identifies the management purpose of the group, such as ACL for groups managing access permissions to shared resources. It is used on access control lists, so the prefix ACL is used.
  - Resource identifier. This is a unique identifier for what is being managed. The main part of the name uniquely identifies the resource that is being managed with the group, in this example, SalesFolders.
  - Suffix. The suffix further defines what is being managed by the group. In the case of resource access management groups, the suffix defines the level of access provided to members of the group. In our example, that is Read.
  - Delimiter. This should be a consistently used marker separating prefix, identifier, and suffix, such as an underscore (_). Do not use the delimiter elsewhere in the name; use it only as a delimiter. Note that the delimiter is not used between the words Sales and Folder. Spaces are acceptable in group names; you will just need to enclose group names in quotes when you refer to them in commands or in scripts. You can create scripts that use the delimiter to deconstruct group names to facilitate auditing and reporting.
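As an added example (not part of the course), the following script deconstructs management-group names built as Prefix_ResourceIdentifier_Suffix and flags names that break the convention; the allowed prefix and suffix lists and the sample names are this example's own assumptions.

```powershell
# Added example, not course code: deconstruct management-group names of the form
# Prefix_ResourceIdentifier_Suffix (e.g. ACL_SalesFolders_Read) for auditing.
# Assumptions: "_" is the only delimiter, and the allowed prefix and suffix lists
# below are this example's own choices.
$AllowedPrefixes = @('ACL')                              # assumed
$AllowedSuffixes = @('Read', 'Modify', 'FullControl')    # assumed access levels

function ConvertFrom-RuleGroupName {
    param([Parameter(Mandatory)][string]$Name)
    $problems = @()
    $parts = $Name -split '_'
    if ($parts.Count -ne 3) {
        # A delimiter used inside the resource identifier shows up here.
        $problems += "expected 3 delimited parts, found $($parts.Count)"
        $prefix = $resource = $suffix = $null
    } else {
        $prefix, $resource, $suffix = $parts
        if ($prefix -cnotin $AllowedPrefixes) { $problems += "unknown prefix '$prefix'" }
        if ($suffix -cnotin $AllowedSuffixes) { $problems += "unknown suffix '$suffix'" }
        if (-not $resource) { $problems += 'empty resource identifier' }
    }
    [pscustomobject]@{
        Name     = $Name
        Prefix   = $prefix
        Resource = $resource
        Suffix   = $suffix
        Conforms = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample names; in a domain replace this list with
#   Get-ADGroup -Filter 'Name -like "ACL_*"' | Select-Object -ExpandProperty Name
$sampleNames = 'ACL_SalesFolders_Read', 'ACL_NewProduct_Modify',
               'ACL_Sales_Folders_Read', 'ACL_Budget', 'acl_HR_Write'

$sampleNames | ForEach-Object { ConvertFrom-RuleGroupName $_ } | Format-Table -AutoSize
```

Only the first two sample names conform; the others show a delimiter misused inside the identifier, a missing suffix, and a prefix or suffix outside the agreed sets.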
Group Type
There are two types of groups: security and distribution. When you create a group, you make the selection of the group type in the New Object - Group dialog box.

Distribution groups are used primarily by email applications. These groups are not security-enabled; they do not have SIDs, so they cannot be given permission to resources. Sending a message to a distribution group sends the message to all members of the group.

Security groups are security principals with SIDs. These groups can therefore be used in permission entries in ACLs to control security for resource access. Security groups can also be used as distribution groups by email applications. If a group will be used to manage security, it must be a security group.
Group Scope
characteristics of a group: what it can contain, what it can belong to, and where it can be used. There are four group scopes: global, domain local, local, and universal. The characteristics that define each scope fall into these categories:
- Replication. Where is the group defined, and to what systems is the group replicated?
- Membership. What types of security principals can the group contain as members? Can the group include security principals from trusted domains?

In Module 14, you will learn about trust relationships, or trusts. A trust allows a domain to refer to another domain for user authentication, to include security principals from the other domain as group members, and to assign permissions to security principals in the other domain. The terminology used can be confusing. If Domain A trusts Domain B, Domain A is the trusting domain and Domain B is the trusted domain. Domain A accepts the credentials of users in Domain B. It forwards requests by Domain B users to authenticate to a domain controller in Domain B, because it trusts the identity store and authentication service of Domain B. Domain A can add Domain B's security principals to groups and ACLs in Domain A.

- Availability. Where can the group be used? Is the group available to add to another group? Is the group available to add to an ACL?
Keep these broad characteristics in mind as you explore the details of each group scope.
Local Groups
Best Practice
In a workgroup, you use local groups to manage security of resources on a system. In a domain, however, managing the local groups of individual machines becomes unwieldy, and is for the most part unnecessary. We do not recommend creating custom local groups on domain members. There are very few scenarios in a domain environment that are addressed by using local groups. In most cases, the Users and Administrators local groups are the only local groups that you should be concerned with managing in a domain environment.
Domain Local Groups
Domain local groups are used primarily to manage permissions to resources, which means they mostly serve as rule groups. For example, the ACL_SalesFolders_Read group discussed earlier in the lesson would be created as a domain local group. Domain local groups have the following characteristics:
- Replication. A domain local group is defined in the domain naming context. The group object and its membership (the member attribute) are replicated to every domain controller in the domain.
- Membership. A domain local group can include as members:
  - Any security principals from the domain: users, computers, global groups, or other domain local groups.
Best Practice
Domain local groups are well suited for defining business management rules, such as resource access rules, because the group can be applied anywhere in the domain, and it can include members of any type within the domain, and members from trusted domains. For example, a domain local security group named ACL_SalesFolders_Read might be used to manage Read access to a collection of folders that contain sales information on one or more servers.
Global Groups
Best Practice
Global groups are well suited to defining roles, because roles are generally collections of objects from the same directory. For example, global security groups named Consultants and Sales might be used to define users who are consultants and salespeople, respectively.
Universal Groups
Universal groups are useful in multi-domain forests. They allow you to define roles or to manage resources that span more than one domain. The best way to understand universal groups is through an example: Trey Research has a forest with three domains: Americas, Asia, and Europe. Each domain has user accounts and a global group called Regional Managers, which includes the managers of that region. Remember that global groups can contain only users from the same domain. A universal group called Trey Research Regional Managers is created, and the three Regional Managers groups are added as members. The Trey Research Regional Managers group therefore defines a role for the entire forest. As users are added to any one of the Regional Managers groups, they will, through group nesting, be members of the Trey Research Regional Managers.

Trey Research is planning to release a new product that requires collaboration across its regions. Resources related to the project are stored on file servers in each domain. To define who has the ability to modify files related to the new product, a universal group is created called ACL_NewProduct_Modify. That group is assigned the Allow Modify permission to the shared folders on each of the file servers in each of the domains.
In day-to-day administration, it is important that you be completely familiar with the membership characteristics of each group scope.
The following table summarizes the objects that can be members of each group scope.
[Table: objects that can be members of each group scope. Recovered row labels: Local, Domain Local, Global, Universal. Recovered cell entries: Users, Computers, Global groups, Universal groups, Users, Global groups, N/A; the column headings and the cell-to-column layout were not preserved on the page.]
Note: This approach of groups nesting was earlier known as AGDLP, that is, Accounts,
IGDLP Example
This best practice for implementing group nesting translates well even in multi-domain scenarios. Consider the figure below, which describes usage of the IGDLP scenario:
steps are required to implement the security required by this scenario:
1. Assign users with common job responsibilities or other business characteristics to role groups implemented as global security groups. This happens separately in each domain. Salespeople at Contoso are added to a Sales role group. Auditors at Woodgrove Bank are added to an Auditors role group.
2. Create a group to manage access to the Sales folders with Read permission. This is implemented in the domain containing the resource that is being managed. In this case, it is the Contoso domain in which the Sales folders reside. The resource access management rule group is created as a domain local group, ACL_SalesFolders_Read.
3. Add the role groups to the resource access management rule group to represent the management rule. These groups can come from any domain in the forest or from a trusted domain such as Woodgrove Bank. Global groups from trusted external domains, or from any domain in the same forest, can be members of a domain local group.
4. Assign the permission that implements the required level of access. In this case, grant the Allow Read permission to the domain local group.
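The four IGDLP steps above, scripted with the Active Directory module as an added example (not course code). It assumes the lab's OU layout under OU=Groups in contoso.com, a constructed share \\NYC-SVR1\Sales, a trusted domain reachable as woodgrovebank.com, and a constructed account name Bobby.Moore.

```powershell
# Added example, not course code: the four IGDLP steps scripted with the Active
# Directory module and the NTFS ACL cmdlets. Assumptions: lab OU layout
# OU=Role,OU=Groups and OU=Access,OU=Groups in contoso.com; a constructed share
# \\NYC-SVR1\Sales; the Auditors role group lives in the trusted woodgrovebank.com
# domain; Bobby Moore's account is Bobby.Moore (constructed).
Import-Module ActiveDirectory

$roleOU   = 'OU=Role,OU=Groups,DC=contoso,DC=com'
$accessOU = 'OU=Access,OU=Groups,DC=contoso,DC=com'
$ruleName = 'ACL_SalesFolders_Read'
$folders  = @('\\NYC-SVR1\Sales')       # constructed; one entry per server's folder

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path)
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if ($existing) { return $existing }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security `
                -GroupScope $Scope -Path $Path -PassThru
}

# Step 1: role groups are global security groups, created in each principal's own domain.
foreach ($role in 'Sales', 'Consultants') { New-GroupIfMissing $role 'Global' $roleOU | Out-Null }

# Step 2: the rule group is domain local, in the domain that holds the resource.
$rule = New-GroupIfMissing $ruleName 'DomainLocal' $accessOU

# Step 3: nest the roles (and the one individual) in the rule group. The group from
# the trusted domain is resolved there with -Server (assumption: the trust allows the
# lookup); AD stores it as a foreign security principal inside the domain local group.
Add-ADGroupMember -Identity $rule -Members 'Sales', 'Consultants', 'Bobby.Moore'
$auditors = Get-ADGroup -Identity 'Auditors' -Server 'woodgrovebank.com'
Add-ADGroupMember -Identity $rule -Members $auditors

# Step 4: a single Allow Read ACE per folder, granted to the rule group only.
# Later role changes touch group membership, never the ACLs. The rule group's SID
# is used directly so the ACE does not depend on name resolution of a new group.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $rule.SID, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($ace)
    Set-Acl -Path $folder -AclObject $acl
}
```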
Default Groups
passwords in the Employees OU, cannot reset Jeff Ford's password.

For these reasons of over-delegation and protection, you should strive to avoid adding users to the groups listed above that do not have members by default: Account Operators, Backup Operators, Server Operators, and Print Operators. Instead, create custom groups to which you assign permissions and user rights that achieve your business and administrative requirements.

For example, if Scott Mitchell should be able to perform backup operations on a domain controller, but should not be able to perform restore operations that could lead to database rollback or corruption, and should not be able to shut down a domain controller, do not put Scott in the Backup Operators group. Instead, create a group and assign it only the Backup Files And Directories user right, then add Scott as a member.
Special Identities
Windows and Active Directory also support special identities, groups for which membership is controlled by the operating system. You cannot view the groups in any list (in the Active Directory Users and Computers snap-in, for example), you cannot view or modify the membership of these special identities, and you cannot add them to other groups. You can, however, use these groups to assign rights and permissions. The most important special identities, often referred to as groups for convenience, are described in the following list:
- Anonymous Logon. This identity represents connections to a computer and its resources that are made without supplying a user name and password. Prior to Windows Server 2003, this group was a member of the Everyone group. Beginning with Windows Server 2003, this group is no longer a default member of the Everyone group.
- Authenticated Users. This represents identities that have been authenticated. This group does not include Guest, even if the Guest account has a password.
- Everyone. This identity includes Authenticated Users and the Guest account. On computers running versions of Windows earlier than Windows Server 2003, this group includes Anonymous Logon.
- Interactive. This represents users accessing a resource while logged on locally to the computer that is hosting the resource, as opposed to accessing the resource over the network. When a user accesses any given resource on a computer to which the user is logged on locally, the user is automatically added to the Interactive group for that resource. Interactive also includes users logged on through a Remote Desktop connection.
- Network. This represents users accessing a resource over the network, as opposed to users who are logged on locally at the computer that is hosting the resource. When a user accesses any given resource over the network, the user is automatically added to the Network group for that resource.
the same users to view the contents from a mapped drive over the network. This would be achieved by assigning permissions to the Interactive special identity.
Objectives
If you want to view the direct members of the group ITAdmins in the contoso.com domain, you can use the following syntax.
Get-ADGroupMember ITAdmins | FT Name,ObjectClass -A
The following example demonstrates how to move the group SvcAccPSOGroup from the OU Managed to the OU ManagedGroups in the contoso.com domain.
The following example demonstrates how to add the user Sara Davis to the group SvcAccPSOGroup.
Add-ADGroupMember -Identity SvcAccPSOGroup -Members SaraDavis
DS commands
In previous versions of Windows Server, such as Windows Server 2003, where PowerShell was not included, other types of command-line utilities were used to manage Active Directory objects. These command-line tools were provided with server operating systems to allow better and more productive management of the directory service. These tools are called DS commands.

The following is a list of DS commands and their functionality:
- DSGet. Returns the current value of the specified directory object property.
- DSQuery. Allows the directory service to be searched for an object or all objects with like properties.
- DSMod. Helps an administrator change properties for existing directory objects.
- DSRm. Removes objects from the directory.
- DSAdd. Allows administrators to add new directory objects.
- DSMove. Allows objects to be moved from one OU to another.

These commands can also be used in Windows Server 2008 R2 to manage groups.
dsadd group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -samid Marketing -secgrp yes -scope g
Demonstration steps:
1. Create a group by using Active Directory Users and Computers.
2. Configure group properties.
3. Change group scope by using Windows PowerShell with the Active Directory module.
There are several tips worth mentioning about this process:
- In the Select dialog box, in the Enter The Object Names box, you can type multiple accounts separated by semicolons. For example, in the screenshot shown above, both sales and finance were entered. They are separated by a semicolon.
- You can type partial names of accounts; you do not need to type the full name. Windows searches Active Directory for accounts that begin with the name you entered. If there is only one match, Windows selects it automatically. If there are multiple accounts that match, the Multiple Names Found dialog box appears, allowing you to select the specific object you want. This shortcut, typing partial names, can save time when you are adding members to groups and can help when you don't remember the exact name of a member.
- By default, Windows searches only for users and groups that match the names you enter in the Select dialog box. If you want to add computers to a group, you must click the Options button and select Computers.
- By default, Windows searches only domain groups. If you want to add local accounts, click the Locations button on the Select dialog box.
- If you cannot find the member you want to add, click the Advanced button on the Select dialog box. A more powerful query window will appear, giving you more options for searching Active Directory.
3. To add the object to a group, click the Add button, and then select the group.
You can convert the group type at any time by changing the selection in the Group Type section of the General tab. Be cautious, however: when you convert a group from security to distribution, any resources to which the group had been assigned permission will no longer be accessible in the same way. After the group becomes a distribution group, users who log on to the domain will no longer include the group's SID in their security access tokens.

You can change the group scope in one of the following ways:
- Global to Universal
- Domain local to Universal
- Universal to Global
- Universal to Domain local

The only scope changes that you cannot make directly are from global to domain local or domain local to global. However, you can make these changes indirectly by first converting to universal scope, then converting to the desired scope. So, all scope changes are possible.

Remember, however, that a group's scope determines the types of objects that can be members of the group. If a group already contains members, or is a member of another group, you will be prevented from changing the scope. For example, if a global group is a member of another global group, you cannot change the first group to universal scope, because a universal group cannot be a member of a global group. You will be given an explanatory error message, such as that shown below. You must correct the membership conflicts before you can change the group's scope.
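As an added example (not course code), the following function performs the scope changes described above with Set-ADGroup, routing global to domain local (and back) through universal, and reports the conflicting nested groups before each hop rather than waiting for the error message. It assumes the Active Directory module is loaded and the caller has rights to modify the group.

```powershell
# Added example, not course code: change a group's scope with Set-ADGroup, taking
# the Universal hop for global <-> domain local, and checking the membership
# conflicts described above before each hop instead of waiting for the error.
# Assumptions: Active Directory module loaded, rights to modify the group.
Import-Module ActiveDirectory

function Get-ScopeHopBlockers {
    # Groups whose nesting makes one direct scope change ($Group -> $To) illegal.
    param([Microsoft.ActiveDirectory.Management.ADGroup]$Group, [string]$To)
    $memberGroups = @($Group.member | ForEach-Object { Get-ADObject -Identity $_ } |
                      Where-Object ObjectClass -eq 'group' |
                      ForEach-Object { Get-ADGroup -Identity $_ })
    $parentGroups = @($Group.memberOf | ForEach-Object { Get-ADGroup -Identity $_ })
    switch ("$($Group.GroupScope)->$To") {
        # A universal group cannot be a member of a global group.
        'Global->Universal'      { $parentGroups | Where-Object GroupScope -eq 'Global' }
        # A universal group cannot contain domain local groups.
        'DomainLocal->Universal' { $memberGroups | Where-Object GroupScope -eq 'DomainLocal' }
        # A global group cannot contain universal groups.
        'Universal->Global'      { $memberGroups | Where-Object GroupScope -eq 'Universal' }
        # Universal -> DomainLocal carries no nesting restriction.
        default                  { @() }
    }
}

function Convert-ADGroupScope {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties member, memberOf
    if ("$($group.GroupScope)" -eq $TargetScope) { return "$($group.Name) is already $TargetScope" }

    # Global <-> DomainLocal is never direct, so route through Universal.
    $viaUniversal = ("$($group.GroupScope)" -ne 'Universal') -and ($TargetScope -ne 'Universal')
    $hops = if ($viaUniversal) { @('Universal', $TargetScope) } else { @($TargetScope) }

    foreach ($hop in $hops) {
        $blockers = @(Get-ScopeHopBlockers -Group $group -To $hop)
        if ($blockers.Count -gt 0) {
            throw ("Cannot change {0} from {1} to {2}; fix nesting first: {3}" -f
                   $group.Name, $group.GroupScope, $hop, (($blockers | ForEach-Object Name) -join ', '))
        }
        Set-ADGroup -Identity $group -GroupScope $hop
        # Re-read so the next hop sees the updated scope.
        $group = Get-ADGroup -Identity $group -Properties member, memberOf
    }
    "$($group.Name) is now $($group.GroupScope)"
}

# Example: Convert-ADGroupScope -Identity 'Sales' -TargetScope 'DomainLocal'
# runs Sales: Global -> Universal -> DomainLocal, stopping if Sales is nested in a global group.
```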
The DSMod command can be used to change group type and scope by using the following syntax.
Notice the use of piping. The "output" of DSGet (distinguished names of members of
Delete Groups
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
The -subtree -exclude option will delete all child objects, but not the object itself.
To delete the Public Relations group, type the following command.
dsrm "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
The lab setup script runs. When it is complete, press any key to continue. Close the Windows Explorer window, Lab04a.
Lab Scenario
To improve the manageability of resource access at Contoso, Ltd., you have decided to implement role-based management. The first application of role-based management will be to manage who can access the folders containing sales information. You must create groups that manage access to that sensitive information. Business rules are that Sales and Marketing employees, and a team of Consultants, should be able to read the Sales folders. Additionally, Bobby Moore requires Read access. Finally, you have been asked to discover a way to produce a list of group members, including those who are in nested groups, and a list of a user's group membership, including indirect or nested membership.
Task 1: Create role groups with Active Directory Users and Computers.
1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin, with the password Pa$$w0rd.
2. Create global security groups called Sales and Consultants in the Groups\Role OU.

1. Run a command prompt with administrative credentials. Use the account Pat.Coleman_Admin, with the password Pa$$w0rd.
2. Using the DSAdd command, create a global security group named Auditors in the Groups\Role OU.
3. In Active Directory Users and Computers, confirm that the object has been created.

1. Add Tony Krijnen to the Sales group by using the Members tab of the Sales group.
2. Add Linda Mitchell to the Sales group by right-clicking Linda Mitchell and choosing Add to a group.
Task 4: Implement a role hierarchy in which Sales Managers are also part of the Sales role.
Add the Sales Managers group as a member of the Sales group by using the Member Of tab of the Sales Managers group.
Create a domain local security group named ACL_SalesFolders_Read in the Groups\Access OU.
Task 7: Define the roles and users that have access to a resource.
Add Sales, Consultants, Auditors, and Bobby Moore to the ACL_SalesFolders_Read group.
Results: In this exercise, you implemented simple role-based management to manage Read access to the Sales folder.
The main tasks for this exercise are as follows:
1. Open D:\AdminTools\Members_Report.hta. Enter the name of a group, and then click SHOW MEMBERS.
2. Open D:\AdminTools\MemberOf_Report.hta. Enter the name of a user, computer, or group, and then click Report.
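The two reports this exercise asks for, written in PowerShell as an added example (not the lab's HTA tools): nested members are walked breadth-first so the nesting path is shown, and a principal's nested membership is resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN rule. It assumes the Active Directory module is loaded; the account name in the usage comment is constructed.

```powershell
# Added example, not the lab's HTA reports. Get-ADGroupMember -Recursive would
# list nested members but not how each one got there; the queue below keeps the
# path. Assumptions: Active Directory module loaded; names are the caller's.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing ( ) * or \ cannot break the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-NestedGroupMembers {
    # Every user/computer that ends up in $GroupName through any level of nesting,
    # with the chain of groups that gets it there.
    param([Parameter(Mandatory)][string]$GroupName)
    $root  = Get-ADGroup -Identity $GroupName
    $seen  = @{}
    $seen[$root.DistinguishedName] = $true
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Group = $root; Path = @($root.Name) })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($m in @(Get-ADGroupMember -Identity $item.Group.DistinguishedName)) {
            if ($m.objectClass -eq 'group') {
                # $seen stops loops such as A nested in B nested in A.
                if (-not $seen.ContainsKey($m.distinguishedName)) {
                    $seen[$m.distinguishedName] = $true
                    $queue.Enqueue(@{ Group = $m; Path = $item.Path + $m.name })
                }
            } else {
                [pscustomobject]@{
                    Member = $m.SamAccountName
                    Class  = $m.objectClass
                    Via    = ($item.Path -join ' > ')
                }
            }
        }
    }
}

function Get-NestedGroupMembership {
    # Every group $SamAccountName belongs to, directly or through nesting.
    # Caveat: membership held only through primaryGroupID (e.g. Domain Users) is
    # not in the member attribute and so is not returned by this query.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $dn = (Get-ADObject -LDAPFilter $filter).DistinguishedName
    if (-not $dn) { throw "No object with sAMAccountName '$SamAccountName'" }
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))" |
        Select-Object Name, GroupScope, GroupCategory, DistinguishedName
}

# Usage (account name constructed for this example):
# Get-NestedGroupMembers -GroupName 'ACL_SalesFolders_Read' | Format-Table -AutoSize
# Get-NestedGroupMembership -SamAccountName 'Tony.Krijnen' | Format-Table -AutoSize
```

Because the Sales Managers role is nested in Sales, which is nested in ACL_SalesFolders_Read, the first report shows a sales manager with the path ACL_SalesFolders_Read > Sales > Sales Managers, which is exactly the chain an auditor needs to see.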
The main tasks for this exercise are as follows:
Note: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.
Lab Review Questions
Question: Describe the purpose of global groups in terms of role-based management.
Question: What types of objects can be members of global groups?
Question: Describe the purpose of domain local groups in terms of role-based management of resource access.
Question: What types of objects can be members of domain local groups?
Objectives
After completing this lesson, you will be able to:
- Describe the best practices for group documentation.
- Protect a group from accidental deletion.
- Delegate group membership management by using the Managed By tab.
check box.
4. Click OK.
This is one of the few places in Windows in which you actually have to click OK. Clicking Apply does not modify the ACL based on your selection. The Protect Object From Accidental Deletion option applies an access control entry (ACE) to the ACL of the object that explicitly denies the Everyone group both the Delete permission and the Delete Subtree permission. If you really do want to delete the group, you can return to the Object tab of the Properties dialog box and clear the Protect Object From Accidental Deletion check box.
Deleting a group has a high impact on administrators, and potentially, on security. Consider a group that has been used to manage access to resources. If the group is deleted, access to that resource is changed. Either users who should be able to access the resource are suddenly prevented from access, creating a denial of service scenario, or, if you had used the group to deny access to a resource with a Deny permission, inappropriate access to the resource becomes possible. Additionally, if you recreate the group, the new group object will have a new SID, which will not match the SIDs on ACLs of resources. So you must instead perform object recovery to reanimate the deleted group before the tombstone interval is reached. When a group has been deleted for the tombstone interval 60 days, by
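The same protection can be applied and verified with the Windows PowerShell Active Directory module listed under Tools. This is an added example, not part of the course; it assumes the module is available and that the group ACL_Sales Folders_Read from the lab exists in the current domain.

```powershell
# Added example (not course code): protect a group from accidental deletion and
# verify the Deny ACE that the option places on the group's ACL.
# Assumes the ActiveDirectory module (and its AD: drive) is available.
Import-Module ActiveDirectory

$groupName = 'ACL_Sales Folders_Read'   # group name taken from the lab
$group = Get-ADGroup -Identity $groupName -Properties ProtectedFromAccidentalDeletion

# Equivalent of selecting "Protect object from accidental deletion" and clicking OK.
if (-not $group.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Identity $group.DistinguishedName -ProtectedFromAccidentalDeletion $true
}

# Verify: the option adds an ACE that denies Everyone both Delete and Delete Subtree.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$denyAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    $_.ActiveDirectoryRights.HasFlag($rights::Delete) -and
    $_.ActiveDirectoryRights.HasFlag($rights::DeleteTree)
}

if ($denyAce) {
    "Protected: Everyone is denied Delete and Delete Subtree on $groupName"
} else {
    "WARNING: no protecting Deny ACE found on $groupName"
}

# Record the SID for documentation: a recreated group would receive a new SID,
# and the SIDs already present on resource ACLs would no longer match it.
"SID of $groupName is $($group.SID.Value)"
```

Run the check as part of a periodic audit of role groups: a group that has lost its Deny ACE is one that a single mistaken Delete can remove.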
After a group has been created, you might want to delegate the management of the group's membership to a team or an individual who has the business responsibility for the resource that the group manages. For example, let's assume that your finance manager is responsible for creating next year's budget. You create a shared folder for the budget and assign Write permission to a group named ACL_Budget_Edit. If someone needs access to the budget folder, he or she contacts the help desk to enter a request, the help desk contacts the finance manager for business approval, and then the help desk adds the user to the ACL_Budget_Edit group. You can improve the responsiveness and accountability of the process by allowing the finance manager to change the group's membership. Then, users who need access can request access directly from the finance manager, who can make the change, thus removing the intermediate step of contacting the help desk. To delegate the management of a
the ACL on the group.
It is not quite so easy to insert a group into the Managed By tab of another group. When you click the Change button, the Select User, Contact, Or Group dialog box appears. If you enter the name of a group and click OK, an error occurs. That is because this dialog box is not configured to accept groups as valid object types, even though Group is in the name of the dialog box itself. To work around this odd limitation, click the Object Types button, and then select the check box next to Groups. Click OK to close both the Object Types and Select dialog boxes. Be sure to select the Manager Can Update Membership List check box if you want to assign the Allow Write Member permission to the group. When a group is used on the Managed By tab, no contact information is visible, because groups do not maintain contact-related attributes.
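The two halves of this delegation, the informational Managed By attribute and the Allow Write Member ACE that the check box adds, can be set and validated with the Active Directory module. This is an added example, not part of the course; it uses the Auditors group and Mike Danseglio from Lab B and assumes the module is available. The same code works when the manager is a group, which sidesteps the dialog box limitation described above.

```powershell
# Added example (not course code): delegate membership management of a group
# the way the Managed By tab does, then validate the resulting ACE.
# Assumes the ActiveDirectory module (and its AD: drive) is available.
Import-Module ActiveDirectory

$groupName   = 'Auditors'          # names taken from the lab
$managerName = 'Mike.Danseglio'    # a user here; a group works the same way

$group   = Get-ADGroup -Identity $groupName
$manager = Get-ADObject -Filter { SamAccountName -eq $managerName } -Properties objectSid

# Step 1: ManagedBy records who is responsible. On its own it grants no permission.
Set-ADGroup -Identity $group -ManagedBy $manager.DistinguishedName

# Step 2: "Manager can update membership list" is an ACE on the group that allows
# WriteProperty on the member attribute (schemaIDGUID of "member" below).
$rights         = [System.DirectoryServices.ActiveDirectoryRights]
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$managerSid     = [System.Security.Principal.SecurityIdentifier]$manager.objectSid

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $managerSid,
    $rights::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid)

$path = "AD:\$($group.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Validate: who holds Allow Write Member on the group, and who is recorded as manager.
(Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $memberAttrGuid -and
    $_.ActiveDirectoryRights.HasFlag($rights::WriteProperty)
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

$managedBy = (Get-ADGroup -Identity $groupName -Properties ManagedBy).ManagedBy
"ManagedBy of $groupName is now $managedBy"
```

The validation query is also the audit you want later: it lists every principal able to change the group's membership, whether or not that principal is the one named in Managed By.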
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3.
4.
Lab Scenario
Your implementation of role-based management at Contoso, Ltd. has been highly successful. As the number of groups in the domain has increased, you've come to realize that it is important to record the groups and prevent administrators from accidentally deleting a group. Finally, you want to allow the business owners of resources to manage access to those resources by delegating to those owners the right to modify the membership of appropriate groups.
3. Delegate group membership management.
4. Validate the delegation of group membership management.
1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin, with the password Pa$$w0rd.
2.
1. Enable the Advanced Features view of the Active Directory Users and Computers snap-in.
2.
3.
Configure the Managed By attribute of Auditors to refer to Mike Danseglio.
1. Log off from NYC-DC1, then log on with the user name Mike.Danseglio and the password Pa$$w0rd.
2. Open the Network window and use Search Active Directory to locate the Auditors group.
3. Add the Executives group to the Auditors group.
4. Log off from NYC-DC1.
Results: In this exercise, you created a well-documented group, protected it from accidental deletion, and delegated group membership management.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1.
2.
3. In the Revert Virtual Machine dialog box, click Revert.
Review Questions
1. Members of a Sales department in a company that has branches in multiple cities travel frequently between domains. How will you provide these members with access to printers on various domains that are managed by using domain local groups?
2. You are responsible for managing accounts and access to resources for your group members. A user in your group transfers into another department within the company. What should you do with the user's account?
3. Which group scope can be assigned permissions in any domain or forest?
Troubleshooting tip
Tools
Tool: Active Directory Users and Computers
Use: Manage groups
Where to find it: Administrative Tools

Tool: Windows PowerShell with Active Directory Module
Use: Manage groups
Where to find it: Installed as Windows Feature
Description: New administration utility for Active Directory, based on Windows PowerShell

Tool: DS utilities
Use: Manage groups
Where to find it: Command line