CHAPTER 8
GROUP ACCOUNT ADMINISTRATION
Groups and Permissions
A group is a collection of user accounts. Groups simplify administration by allowing you to assign
permissions and rights to a group of users rather than having to assign permissions and rights to each
individual user account.
Permissions control what users can do with a resource, such as a folder, file, or printer.
When you assign permissions, you give users the capability to gain access to a resource and define the
type of access that they have.
Rights allow users to perform system tasks, such as changing the time on a computer, backing up or
restoring files, or logging on locally.
In addition to user accounts, you can add other groups, contacts and computers to groups. You
add groups to other groups to create a consolidated group and reduce the number of times that
you need to assign permissions. You add computers to groups to simplify giving a system task on
one computer access to a resource on another computer.
Group Types
Sometimes you create groups for security-related purposes, such as assigning permissions. Other
times you use them for nonsecurity purposes, such as sending e-mail messages. To facilitate this,
Windows 2000 includes two group types: security and distribution. The group type determines how
you use the group. Both types of groups are stored in the database component of Active Directory,
which allows you to use them anywhere in your network.
Security Groups. Use a security group when you need to assign permissions or rights; it is the only
group type that can appear in an access control list. Programs that are designed to search Active
Directory can also use security groups for nonsecurity-related purposes, such as retrieving user
information for use in a Web application.
=====================================================================
winads8.html PAGE 2 2002/02/21
Distribution Groups. Use a distribution group when you are performing a nonsecurity-related
function such as sending e-mail messages to a group of users at the same time. You cannot use
distribution groups to assign permissions.
NOTE: Only programs that are designed to work with Active Directory can use distribution
groups. For example, future versions of Microsoft Exchange Server will be able to use
distribution groups as distribution lists for sending e-mail messages.
Group Scopes
When you create a group you must select a group type and a group scope. The scope of a group
determines where in the network you can use the group to assign permissions, and which accounts
and groups it can contain. The three group scopes are global, domain local, and universal.
Global Groups *** AGULP ***
(AGULP: put Accounts into Global groups, global groups into Universal groups where several
domains are involved, global or universal groups into domain Local groups, and assign Permissions
to the domain local group. See Lesson 2.)
Global security groups are most often used to organize users who share similar network
access requirements. A global group has the following characteristics:
Limited membership. You can add members only from the domain in which you create the
global group (user accounts and, in native mode, other global groups from that domain).
Access to resources in any domain. You can use a global group to assign permissions to
gain access to resources that are located in any domain in the domain tree or forest.
Domain Local Groups
Domain Local security groups are most often used to assign permissions to resources. A
domain local group has the following characteristics:
Open membership. You can add members from any domain.
Access to resources in one domain. You can use a domain local group to assign permissions
to gain access to resources that are located only in the same domain where you create the
domain local group.
Universal Groups
Universal security groups are most often used to assign permissions to related resources in
multiple domains. A universal security group has the following characteristics:
Open membership. You can add members from any domain.
Access to resources in any domain. You can use a universal group to assign
permissions to gain access to resources that are located in any domain.
Only available in native mode. Universal security groups are not available in
mixed mode.
Do not add individual users to a universal group. Put the users into global groups, add the
global groups to the universal group, and assign permissions to the universal group. Universal
group membership is stored in the global catalog, so a short membership list that rarely changes
(a few global groups) keeps replication traffic down.
Group Nesting
Adding groups to other groups, or nesting, creates a consolidated group and can reduce
network traffic between domains and simplify administration in a domain tree.
Minimize levels of nesting. Do not nest more than three levels deep; working out which users
end up with a permission becomes complicated. One level of nesting is the most effective to use.
Document group membership to keep track of permissions assignments.
Local Groups
A local group is a collection of user accounts on a computer. Use local groups to assign
permissions to resources residing on the computer on which the local group is created.
CAUTION: Because Active Directory groups with a “domain local” scope are sometimes
referred to as “local groups,” it is important to distinguish between a local group and a group
with a domain local scope.
*** There are 19 built-in groups ***
Using Local Groups
The following are guidelines for using local groups:
You can create local groups on computers running Windows 2000 Professional and on stand-alone
and member servers running Windows 2000 Server. A local group can be used only on the computer
on which it is created.
Use local groups when you want to assign permissions to resources without creating domain
groups, such as in the Internet Information Server environment.
Membership rules for local groups include the following:
Local groups can contain user accounts from the computer on which you create the local group
(and, on a computer that has joined a domain, domain user accounts and global groups).
A local group cannot be a member of any other group.
Lesson Summary:
A group is a collection of user accounts. Groups simplify administration by letting you assign
permissions and rights to a group of users rather than having to assign permissions to each
individual user account.
Windows 2000 has two group types. Use security groups to assign permissions and rights; use
distribution groups for nonsecurity-related functions, such as e-mail.
The group scope (global, domain local, or universal) determines where you can use a group to
assign permissions and which members a global security group, a domain local security group,
and a universal security group can contain.
Lesson 2:
Planning a Group Strategy
Planning Global and Domain Local Groups
It is important to have a group strategy in place before you create groups. The recommended
method is to use global and domain local groups.
Assign users with common job responsibilities to global groups. For example, create global
groups for Sales, Accounting, and so on.
Create a domain local group for each resource or set of resources to be shared. Identify the
resources, such as related files or printers, to which users need access, and then create a
domain local group for that resource.
Add the global groups that need access to the resources to the domain local group. The global
groups for Accounting, Sales, and so on are kept as they are; only their membership in the
domain local group changes.
Assign resource permissions to the domain local group. Assign the required permissions for the
resource to the domain local group, not to the global groups or to individual users.
Strategy: place user accounts into global groups by job responsibility, identify the resources to
be shared in common and create a domain local group for them, place the global group into the
domain local group, and then assign permissions to the domain local group.
Some of the possible limitations of other strategies include the following:
Placing user accounts directly in domain local groups and assigning permissions to the domain
local groups. The permissions can be assigned only within the domain where the domain local
group exists.
Placing user accounts in global groups and assigning permissions to the global groups. This
strategy can complicate administration when you are using multiple domains. If global groups
from multiple domains require the same permissions, you have to assign permissions for each
global group.
When Using Universal Groups:
Use universal groups to give users access to resources that are located in more than one domain.
Unlike domain local groups, you can assign permissions to universal groups for resources in any
domain in your network.
Use universal groups only when their membership is static. In a domain tree, universal groups
can cause excessive network traffic between domain controllers whenever you change membership
for the universal group because changes to the membership of universal groups may be replicated to
a larger number of domain controllers. Add global groups from several domains to a universal group,
and then assign permissions for access to a resource to the universal group.
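The procedure in Planning Global and Domain Local Groups above, together with the universal-group variant just described, as one added PowerShell example. It is not part of the original chapter or of Microsoft's course material, and it uses the ActiveDirectory module (RSAT) instead of the Windows 2000 console. The domain CONTOSO, the child domain emea.contoso.com, the OU=Groups container, the share path, and the user and group names are assumed placeholders.

```powershell
# Added example (not from the course text): A -> G -> DL -> P, with the
# A -> G -> U -> DL -> P variant for several domains. All names are hypothetical.
Import-Module ActiveDirectory

$groupOU   = 'OU=Groups,DC=contoso,DC=com'   # assumed OU created specifically for groups
$sharePath = 'D:\Shares\ProjectX'            # assumed resource to protect

# 1. Global groups hold accounts with common job responsibilities (A -> G).
foreach ($dept in 'Sales', 'Accounting') {
    if (-not (Get-ADGroup -Filter "Name -eq '$dept'")) {
        New-ADGroup -Name $dept -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}
Add-ADGroupMember -Identity 'Sales'      -Members 'jsmith'   # assumed user accounts
Add-ADGroupMember -Identity 'Accounting' -Members 'mjones'

# 2. One domain local group per resource, named for the resource and the access level.
$dl = 'ProjectX-Modify'
if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
        -Description "Modify access to $sharePath"
}

# 3. Nest the global groups in the domain local group (G -> DL). Only groups go in,
#    never individual users, so the ACL never changes when staff move.
Add-ADGroupMember -Identity $dl -Members 'Sales', 'Accounting'

# 4. Assign the NTFS permission once, to the domain local group (DL -> P).
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "CONTOSO\$dl",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Multi-domain variant: collect global groups from several domains in a universal
# group (G -> U) and nest the universal group in the domain local group (U -> DL).
# Universal membership is replicated to every global catalog, so keep the direct
# members to a few global groups whose list rarely changes.
$u = 'ProjectX-AllDomains'
if (-not (Get-ADGroup -Filter "Name -eq '$u'")) {
    New-ADGroup -Name $u -GroupScope Universal -GroupCategory Security -Path $groupOU
}
$emeaSales = Get-ADGroup -Identity 'Sales' -Server 'emea.contoso.com'   # assumed child domain
Add-ADGroupMember -Identity $u  -Members 'Sales', $emeaSales
Add-ADGroupMember -Identity $dl -Members $u
```

The permission is granted exactly once, to ProjectX-Modify; staff changes are handled by editing global group membership, and a new domain joins by adding its Sales group to the universal group. Check the result with `Get-ADGroupMember -Identity ProjectX-Modify -Recursive`, which should list only users reached through the nested groups.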
Lesson Summary:
In a single domain, the best strategy is to use global and domain local groups to assign
permissions to network resources, and this is Microsoft’s recommendation for most
Windows 2000 Installations.
Lesson 3:
Creating Groups
Creating and Deleting Groups
Use the Active Directory Users and Computers console to create and delete groups. When you
create groups, create them in the Users container or in another container or an organizational unit
(OU) that you have created specifically for groups.
Deleting a Group
Each group that you create has a unique, nonreusable identifier called the security identifier (SID).
Windows 2000 uses the SID to identify the group and the permissions that are assigned to it. When
you delete a group, Windows 2000 does not use the SID for that group again, even if you create a
new group with the same name as the group that you deleted. Therefore, you cannot restore access
to resources by recreating a group.
When you delete a group, you delete only the group and remove the permissions and rights that are
associated with it. Deleting a group does not delete the user accounts that are members of the group.
NOTE: You cannot delete a group if one of the group’s members has the group set as his or her
primary group.
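A check that follows from the SID rule above, as an added example that is not part of the chapter: once a group is deleted, every access control entry that referenced its SID can no longer be resolved to a name and will never match any principal again. The function below walks a folder tree and reports such orphaned entries so they can be removed. The path D:\Shares is an assumed placeholder; the account running it needs read access to the tree's security descriptors.

```powershell
# Added example (not from the course text): find ACEs left behind by deleted groups.
function Find-OrphanedAce {
    param([Parameter(Mandatory)][string]$Root)   # assumed path; adjust to the share being audited

    $items = @(Get-Item -Path $Root) +
             @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Get-Acl translates each ACE's SID to DOMAIN\Name. When the principal no longer
        # exists, the raw SID string (S-1-5-21-...) is returned instead. S-1-5-21- is the
        # prefix of domain and machine account SIDs; well-known SIDs still resolve.
        $acl.Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like 'S-1-5-21-*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $_.IdentityReference.Value
                    Rights = $_.FileSystemRights
                    Type   = $_.AccessControlType
                }
            }
    }
}

function Remove-OrphanedAce {
    param([Parameter(Mandatory)][pscustomobject[]]$Orphans, [switch]$Commit)
    foreach ($o in $Orphans) {
        $acl = Get-Acl -Path $o.Path
        $acl.Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $o.Sid } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        # Removing the ACE cannot take access away from anyone: the SID is never reused,
        # so nothing will ever present it in a token again.
        if ($Commit) { Set-Acl -Path $o.Path -AclObject $acl }
        else         { Write-Host "Would remove $($o.Sid) from $($o.Path)" }
    }
}

$orphans = Find-OrphanedAce -Root 'D:\Shares'
$orphans | Format-Table -AutoSize
Remove-OrphanedAce -Orphans $orphans           # dry run; add -Commit after reviewing the report
```

Run the report before any group cleanup as a baseline, and again afterwards; an orphaned SID that appears immediately after a deletion tells you which ACLs that group was protecting, which is the information you need if the access has to be re-created for a replacement group.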
Adding Members to a Group
After you create a group, you add members. Members of groups can include user accounts, contacts,
other groups and computers. You can add a computer to a group to give one computer access to a
shared resource on another computer, for example, for remote backup. To add members, use the
Active Directory Users and Computers console.
NOTE: If there are multiple user accounts or groups that you want to add, you can repeat the process
of selecting them one at a time and then click Add, or you can hold down the Shift or Ctrl key to select
multiple user accounts or groups at a time. The Shift key allows you to select a consecutive range of
accounts and the Ctrl key allows you to select specific accounts that you wish to add.
Changing the Group Type
As group functions change, you may need to change a group type. For example, suppose a
distribution group contains members from multiple departments working on the same project for
the purpose of sending e-mail.
By converting the distribution group to a security group and assigning permissions to the group, you
can provide the project members with access to the common database. Group types may be
changed only when Windows 2000 is operating in native mode.
Changing the Group Scope to Universal
As your network changes, you may need to change the scope of a global or domain local group to
universal. Group scopes may be changed to universal only when Windows 2000 is operating in
native mode. The following scope changes are allowed:
A global group to a universal group, but only if the global group is not a member of another
global group.
A domain local group to a universal group, but only if the domain local group does not contain
another domain local group.
NOTE: Windows 2000 does not allow changing the scope of a universal group, because the
membership and usage rules for the other scopes are more restrictive than those of a universal group.
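The conversion rules above as an added PowerShell example (not from the chapter): the checks run before Set-ADGroup, so a refused conversion is explained rather than just rejected. The group names are hypothetical; the ActiveDirectory module is required. The mixed/native test reads the nTMixedDomain attribute of the domain object, which is where Windows 2000 recorded the mode (1 = mixed, 0 = native).

```powershell
# Added example (not from the course text): pre-flight checks for scope and type changes.
Import-Module ActiveDirectory

function Test-NativeMode {
    # nTMixedDomain on the domain NC head: 1 = mixed mode, 0 = native mode.
    $dom = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties nTMixedDomain
    return ($dom.nTMixedDomain -eq 0)
}

function Test-CanConvertToUniversal {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-NativeMode)) { return 'blocked: domain is in mixed mode' }
    $g = Get-ADGroup -Identity $Name -Properties memberOf
    switch ($g.GroupScope) {
        'Global' {
            # Allowed only if the group is not a member of another global group.
            $parents = @($g.memberOf | ForEach-Object { Get-ADGroup -Identity $_ } |
                         Where-Object { $_.GroupScope -eq 'Global' })
            if ($parents.Count) { return "blocked: member of global group(s) $($parents.Name -join ', ')" }
        }
        'DomainLocal' {
            # Allowed only if the group contains no other domain local group.
            $children = @(Get-ADGroupMember -Identity $g |
                          Where-Object { $_.objectClass -eq 'group' } |
                          ForEach-Object { Get-ADGroup -Identity $_ } |
                          Where-Object { $_.GroupScope -eq 'DomainLocal' })
            if ($children.Count) { return "blocked: contains domain local group(s) $($children.Name -join ', ')" }
        }
        'Universal' {
            # Windows 2000 rule; later Windows versions relax it, but it is kept here as the text states it.
            return 'blocked: the scope of a universal group cannot be changed'
        }
    }
    return 'ok'
}

function Convert-GroupToUniversal {
    param([Parameter(Mandatory)][string]$Name)
    $verdict = Test-CanConvertToUniversal -Name $Name
    if ($verdict -ne 'ok') { throw "Cannot convert '$Name' to universal: $verdict" }
    Set-ADGroup -Identity $Name -GroupScope Universal
}

function Convert-GroupToSecurity {
    # Changing the type (distribution -> security) also requires native mode.
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-NativeMode)) { throw 'Group type can be changed only in native mode' }
    Set-ADGroup -Identity $Name -GroupCategory Security
}

Convert-GroupToUniversal -Name 'Sales'           # hypothetical global group
Convert-GroupToSecurity  -Name 'ProjectX-Mail'   # hypothetical distribution group
```

Converting a distribution group to a security group is the one step here with a security consequence: the group's SID becomes usable in ACLs, so review its membership first, since whoever was on the mailing list is about to be grantable access.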
Lesson Summary:
By default, members of the Administrators group and the Account Operators group have the
necessary permissions to create groups.
Use the Active Directory Users and Computers console to create and delete groups, add members
to groups, and change the group scope and type for global, domain local, and universal groups.
Lesson 4:
Understanding Default Groups
Windows 2000 has four categories of default groups: predefined, built-in, built-in local, and
special identity. Default groups have a predetermined set of user rights or group membership.
Predefined Groups
Windows 2000 creates predefined groups with a global scope to group common types of user
accounts. By default, Windows 2000 automatically adds members to some predefined global groups.
When you create a domain, Windows 2000 creates predefined global groups in the Users folder in
Active Directory. By default, these predefined groups do not have any inherent rights. You assign
rights either by adding the global groups to domain local groups or explicitly assigning user rights or
permissions to the predefined global groups.
**** See the chart I made up, review the book pages 250-254 ****
Built-in Groups (19 in total)
Windows 2000 creates built-in groups with a domain local scope in the Built-in folder in Active
Directory. These groups provide users with user rights and permissions to perform tasks on
domain controllers and in Active Directory. Built-in domain local groups give predefined rights
and permissions to user accounts when you add user accounts or global groups as members.
Built-in Local Groups
All stand-alone servers, member servers, and computers running Windows 2000 Professional
have built-in local groups. Built-in local groups give users the rights to perform system tasks on a
single computer, such as backing up and restoring files, changing the system time, and
administering system resources.
Special Identity Groups
Special identity groups exist on all computers running Windows 2000. These groups do not
have specific memberships that you can modify, but they can represent different users at
different times, depending on how a user gains access to a computer or resource.
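An audit of the built-in and predefined groups described above, as an added PowerShell example that is not part of the chapter. Built-in groups carry rights on domain controllers, so what matters is their effective membership after nesting is expanded, not only the direct members shown in the console. The domain is read from the current session; the only assumption is that the ActiveDirectory module is available.

```powershell
# Added example (not from the course text): report effective membership of default groups.
Import-Module ActiveDirectory

function Get-DefaultGroupReport {
    $domain = Get-ADDomain
    # Built-in groups: domain local scope, in the Builtin container.
    $builtin = Get-ADGroup -Filter * -SearchBase "CN=Builtin,$($domain.DistinguishedName)"
    # Predefined groups: global scope, created in the Users container.
    $predef  = Get-ADGroup -Filter "GroupScope -eq 'Global'" -SearchBase $domain.UsersContainer

    foreach ($g in @($builtin) + @($predef)) {
        $direct    = @(Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue)
        # -Recursive expands nested groups, so users reached only through nesting are listed.
        $effective = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                       Where-Object { $_.objectClass -eq 'user' })
        [pscustomobject]@{
            Group          = $g.Name
            Scope          = $g.GroupScope
            Container      = ($g.DistinguishedName -split ',', 2)[1]
            DirectMembers  = $direct.Count
            EffectiveUsers = $effective.Count
            Users          = ($effective.SamAccountName | Sort-Object) -join ';'
        }
    }
}

$report = Get-DefaultGroupReport
$report | Sort-Object Scope, Group | Format-Table Group, Scope, DirectMembers, EffectiveUsers -AutoSize

# The groups worth a second look: built-in domain local groups that confer rights on
# domain controllers and have anyone in them beyond the defaults.
$report | Where-Object { $_.Scope -eq 'DomainLocal' -and $_.EffectiveUsers -gt 0 } |
    Format-List Group, Users
```

Special identity groups (Everyone, Authenticated Users, Interactive, and so on) do not appear in this report because they have no stored membership to enumerate; where they matter is in ACLs, not in group listings.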
Lesson Summary:
Windows 2000 has four categories of default groups: predefined, built-in, built-in local, and
special identity. Default groups have a predetermined set of user rights or group membership.
Lesson 5:
Groups for Administrators
For optimum security, Microsoft recommends that you do not assign administrators to the
Administrators group and that you avoid running your computer while logged on as an
administrator.
Why You Should Not Run Your Computer as an Administrator
Running Windows 2000 as an administrator or a member of one of the administrative groups
makes the network vulnerable to Trojan horse attacks and other security risks. The simple act
of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site
may contain Trojan horse code that can be downloaded to the system and executed. If you are
logged on with administrator privileges, a Trojan horse could possibly reformat your hard drive,
delete all files, create a new user account with administrative access, and so on.
For most computer activity, you should assign yourself to the Users or Power Users group. Then,
if you need to perform an administrator-only task, you should log on as an administrator, or run
the program as the administrator, perform the task, and then log off.
Administrators as Members of the Users and Power Users Groups
When you log on as a member of the Users group, you can perform routine tasks, including
running programs and visiting Internet sites, without exposing your computer to unnecessary risk.
Using Run as to Start a Program
The Run as program can be used to start any program, program shortcut, saved MMC
console, or Control Panel item, as long as the item is available on the computer and to the
user account you supply.
RUNAS Command
The RUNAS command performs the same functions as the Run as program. The RUNAS
command takes the following switches, followed by the program to run:
/profile specifies that the user's profile should be loaded, if it is needed.
/env specifies that the current network environment be used instead of the user's local environment.
/netonly indicates that the user information specified is for remote access only.
/user:UserAccountName specifies the account to run as, for example user@domain or domain\user.
program (the last argument) specifies the program or command to run using the account specified in /user.
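The least-privilege workflow of this lesson as an added PowerShell example (not from the chapter): daily work stays in a non-administrative session, a single administrative tool is started with a separate admin account through RUNAS, and the session first checks what it is running as. The account CONTOSO\adm-jsmith and the tool are hypothetical; `runas.exe` and its switches are the real ones listed above.

```powershell
# Added example (not from the course text): check the token, then elevate one tool only.

function Test-AdminToken {
    # True when the current token holds BUILTIN\Administrators (S-1-5-32-544) enabled.
    # On Windows with UAC an admin logon gets a filtered token, so this is true only in
    # an elevated process; on Windows 2000 it is true for any admin logon.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-AdminTool {
    param(
        [Parameter(Mandatory)][string]$Program,       # e.g. 'mmc.exe'
        [string]$Arguments = '',                      # e.g. 'dsa.msc'
        [Parameter(Mandatory)][string]$AdminAccount,  # e.g. 'CONTOSO\adm-jsmith' (hypothetical)
        [switch]$NetOnly                              # credentials used for remote access only
    )
    # /profile loads the admin account's profile; /netonly keeps the local token and applies
    # the supplied credentials only to network connections (for an account that exists only
    # on the remote side). runas.exe prompts for the password itself; never pass it on the
    # command line, where it would land in process listings and shell history.
    $mode = if ($NetOnly) { '/netonly' } else { '/profile' }
    $cmd  = if ($Arguments) { "$Program $Arguments" } else { $Program }
    & runas.exe $mode "/user:$AdminAccount" $cmd
}

if (Test-AdminToken) {
    Write-Warning 'This session runs with administrative rights; do not browse or read mail from it.'
} else {
    # Normal user session: start only the one tool that needs admin rights, in its own window.
    Start-AdminTool -Program 'mmc.exe' -Arguments 'dsa.msc' -AdminAccount 'CONTOSO\adm-jsmith'
}
```

One caveat a practitioner should know about /netonly: the credentials are not validated at launch, because the process starts with the caller's own token. A wrong password shows up only when the program first touches a network resource, so a /netonly launch that "works" has proved nothing about the account until that point.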
Lesson Summary:
Running Windows 2000 as an administrator makes the network vulnerable to Trojan horse attacks
and other security risks. If you are going out on the Internet, use a regular user account or a Power
Users account. Run as and the RUNAS command let you start a program with local or domain
administrator rights and permissions while logged on as a normal user.