CHAPTER 7
ADMINISTERING MICROSOFT WINDOWS 2000 SERVER
Lesson 1:
Using the Microsoft Management Console
One of the primary administrative tools you use to manage Windows 2000 is the MMC. The
MMC provides a standardized method to create, save and open administrative tools.
MMC is a common console framework for management applications. MMC consoles can run
on Windows 2000, Windows NT 4.0, Windows 98, and Windows 95.
The MMC itself does not provide management capability but does provide a common environment
for snap-ins, the tools that supply the actual management functionality. Administrators can create
tools that include multiple snap-ins and then save the tools for later use or to share with other
administrators.
The MMC allows you to do the following:
instead of numerous interfaces saves time.
administrative tasks from one computer.
administration, so Windows 2000 prompts you with a dialog box when you can use the
snap-in for remote administration.
consoles containing all or part of multiple snap-in.
NOTE: MMC 1.1 did not support more than one snap-in, while MMC 1.2 in Windows 2000
supports multiple snap-ins in a single console window.
The MMC Window
The MMC resembles Windows Explorer. The components of an MMC console are contained
in the MMC window. This window has several menus and a toolbar that provides commands to
open, create, and save MMC consoles. The menu and toolbar are called the main menu bar and
the main toolbar.
The MMC can be configured to contain powerful management tools. It is also designed to
offer a scaled-down view that is much less complex, for less-experienced administrators.
=====================================================================
winser7.html PAGE
2 2002/01/13
MMC Consoles
An MMC console is a set of one or more snap-ins. Consoles are saved as files that use an .msc
extension. Each console file is represented as a child window in the MMC interface. An MMC
console file contains the console tree, which displays the hierarchical organization of the snap-ins
contained within the file.
Console Window
A console window (child window), which is an interface to an MMC console file, offers many differing views.
The console tree, also referred to as the scope pane, organizes snap-ins that are part of an MMC
console. This organization allows you to locate a specific snap-in easily. Items that you add to the
console tree appear under the console root.
Each detail pane, also referred to as the results pane, displays the results of selecting a node in
the console tree. In many cases, it is a list of a folder’s contents, but in other cases, it is a management-
related view, which can be Web-based or ActiveX control-based.
Types of MMC Consoles
There are two types of MMC consoles: customized and preconfigured.
Customized MMC Consoles
You can combine one or more snap-ins or parts of snap-ins to create customized MMC consoles,
which can then be used to centralize and combine administrative tasks. MMC allows administrators
to perform the following tasks:
Creating custom MMC consoles allows you to meet your administrative requirements by combining
snap-ins that you use to perform common administrative tasks. By creating a custom MMC console,
you do not have to switch between different programs or different preconfigured MMC consoles
because all the snap-ins you need to perform your job are located in the custom MMC console.
By default, Windows 2000 saves customized MMC files in the My Administrative Tools folder with
an .msc file extension.
Preconfigured MMC Consoles
When Windows 2000 is installed, preconfigured MMC consoles are also installed. These MMC
consoles contain commonly used snap-ins that are used to perform administrative tasks. Preconfigured
MMC consoles cannot be modified, nor can additional snap-ins be added to them.
NOTE: To select preconfigured MMC consoles, click the Start button, point to Programs, and then
click Administrative Tools.
Which MMC consoles are installed on a computer varies depending on which Windows 2000 operating
system is running and which Windows 2000 components are installed. Windows 2000 Server and
Windows 2000 Professional have different preconfigured MMC consoles that appear on the
Administrative Tools menu.
Snap-Ins
Each MMC console is made up of a collection of smaller tools called snap-ins. Snap-ins are
applications designed to work in MMC. One snap-in represents one unit of management
functionality. A snap-in is the smallest unit of console extension. There are two types of snap-ins,
stand-alone and extension.
Stand-Alone Snap-Ins
Stand-alone snap-ins are usually referred to simply as snap-ins. Use stand-alone snap-ins to perform
Windows 2000 Administrative tasks. Each snap-in provides one function or a related set of functions.
Windows 2000 Server comes with a set of standard snap-ins. Windows 2000 Professional includes a smaller
set of standard snap-ins.
Extension Snap-ins
Extension snap-ins are usually referred to as extensions. When you add an extension, Windows 2000
displays only extensions that are compatible with the stand-alone snap-in, and places the extension
in the appropriate location within the stand-alone snap-in.
Some snap-ins, such as Event Viewer, can act either as a stand-alone snap-in or as an extension.
Many snap-ins offer stand-alone functionality while extending the functionality of other snap-ins. For
example, the Event Log snap-in will read the event logs of computers. If the Computer Management
object exists in the console, Event Log automatically extends each instance of a Computer Management
object and provides the event log for the computer.
Console Options
An MMC console holds snap-ins that perform specific tasks. Console options determine how an
MMC console operates. By using console options, you can create MMC consoles for other
administrators to use from their computers to perform specific tasks. There are two available
Console modes: author mode and user mode.
Author Mode
When you save an MMC console in author mode, you enable full access to all MMC functionality,
which includes modifying the MMC console. An MMC console that has been saved in author mode
allows users to do the following:
NOTE: By default, all new MMC consoles are saved in author mode
User Mode
If you plan to distribute an MMC console to other administrators, you should usually save the MMC
console in user mode. When you set an MMC console to user mode, users cannot add snap-ins
to, remove snap-ins from, or save the MMC console.
Note that user mode only shapes the tool, it is not a security boundary: the snap-ins still act
with the rights of the logged-on user, and that user can open a fresh mmc.exe in author mode unless
the Group Policy setting Restrict The User From Entering Author Mode is applied.
There are three types of user modes. Each type provides a different level of access and functionality.
======================================================================
Type of user mode                Description
======================================================================
Full Access                      Allows users to navigate between snap-ins, open new windows,
                                 and reach the whole console tree (none of the restrictions of
                                 the two limited modes below apply).
Limited Access, Multiple Window  Prevents users from opening new windows or gaining access to
                                 a portion of the console tree, but allows them to view
                                 multiple windows in the console.
Limited Access, Single Window    Prevents users from opening new windows or gaining access to
                                 a portion of the console tree, and allows them to view only
                                 one window in the console.
=====================================================================
Lesson Summary:
One of the primary administrative tools for managing Windows 2000 is the MMC,
which provides a standardized method to create, save and open administrative tools.
Lesson 2:
Administering User Accounts
User accounts must be created to give users the ability to log on to a domain to access network
resources, or to log on to a computer to access resources on that computer.
A user account is a user’s unique credentials.
Windows 2000 User Accounts
A user account provides the user with the ability to log on to the domain to gain access to network
resources or to log on to a computer to gain access to resources on that computer.
Windows 2000 supports two types of user accounts: domain and local. With a domain user
account, a user can log on to the domain to gain access to network resources. There are built-in user
accounts, which are used to perform administrative tasks or to gain access to network resources.
Domain User Accounts
Domain user accounts allow users to log on to the domain and gain access to resources anywhere on
the network. The user provides his or her user name and password during the logon process.
Windows 2000 authenticates the user and builds an access token. The access token identifies the user to
computers running Windows 2000 on which the user tries to gain access to resources. Windows 2000
provides the access token for the duration of the logon session.
You create a domain user account in an organizational unit (OU) in a replica of the Active Directory
store (called the directory) on a domain controller. The domain controller replicates the new user
account information to all domain controllers in the domain.
NOTE: Replication can take a few minutes to reach all domain controllers. This delay might prevent
a user from immediately logging on by using the newly created domain user account. Replication of
Active Directory information within a site (intrasite replication) occurs automatically every five
minutes.
Local User Accounts
Local user accounts allow users to log on to and gain access to resources on only the computer where
you create the local user account. When you create a local user account, Windows 2000 creates the
account in that computer’s security database only.
Built-in User Accounts
Windows 2000 automatically creates accounts called built-in accounts. Two commonly used built-in
accounts are Administrator and Guest. You cannot delete built-in accounts, and the built-in
Administrator account cannot be disabled. However, built-in accounts can be renamed.
Administrator
Use the built-in Administrator account to manage the overall computer and domain configurations,
such as creating and modifying user accounts, and groups, managing security policies, creating printers,
and assigning permissions and rights to user accounts to gain access to the network.
If you are the administrator, you should create a second user account that you use to perform
nonadministrative tasks, as a safety precaution. For convenience, use the Run As command (runas.exe)
to run individual tools in the context of the more privileged account while logged on with the
lesser privileged account.
TIP Rename the built-in Administrator account to provide a greater degree of security. Use a name
that does not identify it as the Administrator account, so that unauthorized users do not know which
account to attack. For additional security, after you rename the built-in Administrator account,
create another account named Administrator that has no rights to the system; attempts to use the
Administrator account are then wasted on a decoy. Treat both steps as defense in depth only: the
built-in account keeps its well-known relative identifier (RID 500), so anyone able to enumerate
SIDs can still find it, and a strong password and auditing of logon attempts on both accounts
remain necessary.
Guest
Use the built-in Guest account to give occasional users the ability to log on and gain access to resources.
For example, an employee who needs access to resources for a short time can use the Guest account.
NOTE: The Guest account is disabled by default. Enable the Guest account only in low-
security networks and always assign it a password.
Planning New User Accounts
You should plan the following three areas: naming conventions, password requirements, and
account options (logon hours, the computers from which a user can log on, and account expiration).
Naming Conventions
The naming convention establishes how users are identified in the domain. Keep the naming system
consistent and the names easy to remember.
*** see the chart on page 322 ***
Password Requirements
To protect access to the domain, all accounts must have passwords. Consider the following guidelines:
Account Options
You should assess the hours during which a user can log on to the network and the computers from
which the user can log on. You can restrict both.
Logon Hours
Set logon hours to control when a user can log on to the domain. By default, Windows 2000 permits
access at all hours on all days, but you may want to restrict users’ logon hours to their working day.
Computers from Which Users can Log on
By default, users can log on to the domain by using any computer in the domain. For security,
require users to log on to the domain only from their own computers.
NOTE: If you have disabled NetBIOS over Transmission Control Protocol/Internet Protocol (TCP/IP),
Windows 2000 is unable to determine which computer you are logging on from, and therefore you
cannot restrict users to specific computers. This is because this feature restricts access by computer
name rather than by Media Access Control (MAC) address.
Account Expiration
Determine whether a user account should expire. If so, set an expiration date on the user account to
ensure that the account is disabled when the user should no longer have access to the network.
Temporary user accounts should also be disabled when the temporary user leaves.
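The logon-restriction and expiration options above, as an added example that is not part of the original notes and not a Microsoft sample: a Windows Script Host script (WSH is the scripting tool these notes name) that sets the Log On To list and the expiration date on an existing domain user through ADSI. The account's distinguished name, the computer names and the date are assumptions.

```vbscript
Option Explicit
' Added example, not from the notes: apply planned account options to an existing
' domain user through ADSI. The DN, computer names and date are assumptions.

Const strUserPath = "LDAP://CN=Jane Doe,OU=Sales,DC=example,DC=com"   ' assumed account

Dim objUser : Set objUser = GetObject(strUserPath)

' Computers from which the user can log on (the Log On To button): NetBIOS names,
' comma-separated, no spaces. The check is by computer name, so it is useless when
' NetBIOS over TCP/IP is disabled, as the note above explains.
objUser.Put "userWorkstations", "SALES01,SALES02"

' Account expiration: the IADsUser property writes the accountExpires attribute.
' DateSerial avoids a locale-dependent date literal. From this date the account can
' no longer log on, which covers the temporary-worker case without a manual step.
objUser.AccountExpirationDate = DateSerial(2002, 6, 30)

' Logon hours live in logonHours, a 21-byte bitmap with one bit per hour in UTC; it is
' left untouched here because the Logon Hours grid in the snap-in is the practical way
' to set it.

objUser.SetInfo

' Read back what the directory now holds instead of trusting the local property cache.
objUser.GetInfo
WScript.Echo "Log On To:  " & objUser.Get("userWorkstations")
WScript.Echo "Expires on: " & objUser.AccountExpirationDate
```

Run it with cscript on a domain member as a user who has write access to the account. Because the script reads the attributes back after SetInfo, a typo in the computer list (a space after a comma, for example) shows up immediately instead of as a mystery logon failure later.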
Creating User Accounts
You can create two types of user accounts: domain and local.
Use the Active Directory Users And Computers snap-in to create a new domain user account.
When you create a domain user account, it is always created on the first available domain controller
contacted by MMC, and then the account is replicated to all domain controllers.
TIP You can rapidly create many user accounts by creating and running scripts through the Windows
Script Host (WSH).
Active Directory Users And Computers Snap-In
You must select the OU in which to create the new account. You can create the domain user account in the
default Users OU or in OUs that you create to hold domain user accounts.
To create a domain user account, open the Active Directory Users And Computers snap-in, select the Users
OU, and on the Action menu point to New and click User.
When you create the domain user account, the domain portion of the User Logon Name defaults to the
domain in which you are creating the account.
The following table describes the domain user account options:
=====================================================================
Option Description
=====================================================================
First Name                     User’s first name. A first name, initials, or last name is required.
Last Name                      User’s last name. A last name, initials, or first name is required.
Full Name                      User’s full name. Windows 2000 displays this name in the
                               OU where the user account is located in the directory.
User Logon Name                Unique logon name (the user principal name, name@domain).
User Logon Name                Logon name used to log on from down-level clients,
(pre-Windows 2000)             such as Windows NT 4.0 or Windows NT 3.51.
=====================================================================
Setting Password Requirements
When you add a new user account, you can enter a password for the user. If you do not enter one,
the user can log on to the domain without a password (unless the domain password policy requires a
minimum length, in which case the account cannot be created with a blank password).
The following table describes the password options.
=====================================================================
Option Description
=====================================================================
Password                       Authenticates the user. The password is not visible; it is
                               represented as asterisks when you type it.
Confirm Password               Type the password a second time to confirm it.
User Must Change Password      Select this check box if you want the user to change his
At Next Logon                  or her password the first time he or she logs on.
User Cannot Change Password    Select this check box if more than one person uses the
                               same domain user account (such as Guest) or to maintain
                               control over user account passwords.
Password Never Expires         Select if the password should never change. This setting
                               overrides the User Must Change Password At Next Logon setting.
Account Is Disabled            Prevents use of this user account.
=====================================================================
NOTE: Always require new users to change their passwords the first time they log on. This will force
users to use passwords that only they know. For added security on networks, create random initial
passwords for all new user accounts by combining letters and numbers. Creating a random initial
password will help keep the user account secure.
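The WSH tip above (creating many accounts by script) and this note (random initial passwords that the user must replace at first logon), as one added example that is not part of the original notes and not a Microsoft sample. The script uses ADSI from VBScript, the scripting environment the notes name. The OU, the UPN suffix and the three user rows are constructed assumptions; in practice the rows would be read from a CSV with FileSystemObject.

```vbscript
Option Explicit
' Added example, not from the notes: bulk-create domain users with WSH + ADSI.
' Every name marked "assumed" is an assumption, not something the notes give.

Const ADS_UF_NORMAL_ACCOUNT = &H200   ' userAccountControl for an ordinary, enabled account

Const strOUPath    = "LDAP://OU=Sales,DC=example,DC=com"   ' assumed OU for the new accounts
Const strUpnSuffix = "example.com"                         ' assumed DNS domain name

' Constructed input, logon,first,last (normally read from a CSV file).
Dim arrRows : arrRows = Array("jdoe,Jane,Doe", "bsmith,Bob,Smith", "alee,Ann,Lee")

Randomize

' Random initial password of letters and digits, as the note suggests. VBScript's Rnd is
' not a cryptographic generator, so the value is only a bootstrap: pwdLastSet = 0 below
' forces the user to replace it at first logon.
Function RandomPassword(intLength)
    Dim strChars, strOut, i
    strChars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"   ' no 0/O, 1/l/I
    strOut = ""
    For i = 1 To intLength
        strOut = strOut & Mid(strChars, Int(Rnd * Len(strChars)) + 1, 1)
    Next
    RandomPassword = strOut
End Function

' Creates one enabled account and returns its initial password.
Function CreateUser(objOU, strLogon, strFirst, strLast)
    Dim objUser, strPassword
    Set objUser = objOU.Create("user", "CN=" & strFirst & " " & strLast)
    objUser.Put "sAMAccountName", strLogon                  ' pre-Windows 2000 logon name
    objUser.Put "userPrincipalName", strLogon & "@" & strUpnSuffix
    objUser.Put "givenName", strFirst
    objUser.Put "sn", strLast
    objUser.Put "displayName", strFirst & " " & strLast
    objUser.SetInfo                                         ' object must exist before SetPassword

    strPassword = RandomPassword(10)
    objUser.SetPassword strPassword                         ' raises an error if domain policy rejects it
    objUser.Put "pwdLastSet", 0                             ' = User Must Change Password At Next Logon
    ' ADSI creates users disabled and with PASSWD_NOTREQD set; writing 512 clears both,
    ' so the account is enabled and a blank password is no longer acceptable.
    objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
    objUser.SetInfo
    CreateUser = strPassword
End Function

Dim objOU : Set objOU = GetObject(strOUPath)
Dim strRow, arrFields, strInitial
For Each strRow In arrRows
    arrFields = Split(strRow, ",")
    strInitial = CreateUser(objOU, Trim(arrFields(0)), Trim(arrFields(1)), Trim(arrFields(2)))
    ' Hand the initial password to the user out of band; do not keep this output.
    WScript.Echo Trim(arrFields(0)) & vbTab & strInitial
Next
```

The order matters: SetInfo before SetPassword (the object must exist in the directory), then pwdLastSet and userAccountControl in a second SetInfo. If the domain policy rejects the generated password, SetPassword raises a runtime error and the account is left in the disabled state ADSI created it in, which is the safe failure.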
Creating Local User Accounts
A local user account allows a user to log on and access resources only on the computer for which
you create the account. Use the Local Users and Groups snap-in to create local user accounts.
You can create local user accounts only on computers running Windows 2000 Professional and on
stand-alone servers running Windows 2000 Server (a domain controller has no local accounts
database to create them in). Local user accounts are not stored in the directory for the domain;
they are stored in the security database of the computer where you create them.
Modifying Properties for User Accounts
A set of default properties is associated with each domain user account and local user account created.
Domain user accounts contain more properties than local user accounts. Local user account properties
represent a subset of domain user account properties.
Properties that are defined for a domain user account can be used to search for users in the Active
Directory store. For this reason, detailed property definitions for domain user accounts should be
used. For example, a user knows a person’s first name and telephone number and wants to find
the person’s last name. The user can use the telephone number to search for the last name.
You should configure the following properties for each user account:
One way to modify a domain user account is to open the Active Directory Users And Computers
snap-in and double-click the user object whose properties you want to modify.
One way to modify a local user account is to open the Computer Management snap-in and select
Local Users And Groups. Double-click the user object whose properties you want to modify.
The Properties Dialog Box
The Properties dialog box has a set of tabs that allows users to configure various properties for
a specific user. All the tabs described below apply to domain user accounts. Only the General,
Dial-In, Member of, and Profile tabs apply to local user accounts.
Personal Properties Tab
The Personal properties tabs include the General, Address, Telephones, and Organization tabs.
Completing the attributes on each of these tabs enables users and administrators to locate other
users in Active Directory services.
The following table describes the personal properties tabs:
======================================================================
Tab Description
======================================================================
General                        User’s name, description, office location, telephone, e-mail,
                               and home page information.
Address                        Home address, postal code, and country.
Telephones                     User’s home, pager, mobile, fax, and IP telephone numbers.
Organization                   User’s title, department, company, manager, and direct reports.
======================================================================
Account Tab
The Account tab allows you to define a user’s logon name and set other account options.
Profile Tab
The Profile tab sets the path to the user’s profile and the home folder. A user profile automatically
creates and maintains the desktop settings for each user’s work environment on the local computer;
by setting the profile path to a network share, the same settings follow the user to other computers.
Published Certificates Tab
A certificate is a collection of data used for authentication and secure exchange of information on
nonsecured networks, such as the Internet.
Member of Tab
The Member Of tab lists the groups the user belongs to. Groups are used to consolidate administration:
rights and permissions assigned to a group apply to every member.
Dial-In Tab
The Dial-in tab allows you to control how a user can make a dial-in connection to the network
from a remote location. The user dials in to the computer running the Remote Access Service (RAS).
NOTE: In addition to configuring dial-in settings and having RAS on the server the user is
dialing in to, you must also set up a dial-up connection to the server on the client computer.
Set up a dial-up connection by using the Network Connection Wizard, which you can access
from Network and Dial-up Connections in My Computer.
======================================================================
Option Description
======================================================================
Allow Access                   Enables dial-in access for the user.
Deny Access                    Disables dial-in access for the user.
Verify Caller-ID               The phone number the user must dial in from.
No Callback                    The RAS server will not call the user back.
Set by Caller                  The user provides the telephone number for the RAS server
                               to call back (a convenience for toll charges, not a security
                               control, since the caller chooses the number).
Always Callback to             The RAS server always calls the user back at the specified
                               telephone number, which ties the session to that line.
=====================================================================
Object Tab
The Object tab provides the fully qualified name of the object in the directory. It also provides
additional information such as the update sequence numbers (USNs), which are used to track changes
to objects in the Active Directory store.
Security Tab
The Security tab sets permissions on the user object in the Active Directory store. You can allow or
deny specific permissions, and you can prevent inheritance of permissions from the parent.
Terminal Services Tabs
The Terminal Services tabs contain information about the user that is specific to Terminal Services.
Terminal Services allows a user to log on from a terminal and run a Windows 2000 session on the
server. The Terminal Services tabs are the Environment, Sessions, Remote Control, and Terminal
Services Profile tabs.
Environment Tab
This tab holds the session start-up settings: the program to start at logon and whether client
devices are connected. When the client logs on to the server, the local drives and printers are
detected and the appropriate printer driver is installed on the Terminal server.
Sessions Tab
The Sessions tab sets time-outs for active, idle and disconnected sessions.
=====================================================================
Time-out setting Description
=====================================================================
End a Disconnected Session     The maximum duration that a disconnected session is
                               retained on the server before it is ended.
Active Session Limit           The maximum connection duration. When the time limit is
                               reached, the session is either disconnected, leaving it
                               active on the server, or reset.
Idle Session Limit             The maximum idle time before the session is disconnected
                               or reset.
======================================================================
Remote Control Tab
You can warn a client when you are remotely accessing the session by displaying a message. You can
use either Local Users And Groups (for local users) or Active Directory Users And Computers (for
domain users) to enable remote control for a user account.
Terminal Services Profile Tab
You can assign a profile that applies only to Terminal Services sessions. You can restrict access to
applications by removing them from the user’s Start menu.
You can also specify a path to a home directory to be used for Terminal Services sessions.
Managing User Profiles
User profiles maintain consistency in your desktop environment by providing the same desktop
environment wherever you log on to the network.
User profiles operate in the following manner:
individual desktop settings and connections, regardless of how many users share your computer.
where user_logon_name is your Windows 2000 user account name. If the computer where
you are logging on was upgraded from Windows 95 or Windows 98 with profiles enabled, or from
Windows NT, to Windows 2000 Professional, the profile folder remains in %systemroot%\Profiles
rather than being created in the Documents and Settings folder.
documents is the location to store all personal files.
when you establish a new network connection or add a file to My Documents.
NOTE: You should have users store their documents in My Documents rather than in home directories.
Windows 2000 automatically sets up My Documents, and it is the default location for storing data for
Microsoft applications.
Roaming User Profile
A roaming user profile (RUP) supports users who work at several computers. You set it up on a
network server, so the profile is available no matter where you log on to the domain.
When a user logs off, Windows 2000 copies changes that were made to the local copy of the RUP
back to the server where it is stored.
Creating Customized roaming User Profiles
You can customize and assign a preconfigured RUP that you assign to all user accounts, as well as
make roaming user profiles read-only. You can create a customized RUP by configuring the desktop
environment for the user and then copying the customized profile to the user’s RUP location.
You can customize RUPs for the following reasons:
remove connections and applications that the user does not require.
responsibilities. Simplify troubleshooting.
Customizing local user profiles is inefficient, because a local profile exists only on the computer
where it was created and the user gets it only when logging on there. If the same customization is
made into a roaming profile, it follows the user to whatever computer the user logs on to.
Using Mandatory Profile
A mandatory profile is a read-only RUP. Any changes the user makes during the session are not
saved, and they are not reflected when the user logs on the next time.
The hidden file Ntuser.dat contains the section of the Windows 2000 system settings that
applies to the individual user account, including user environment settings such as desktop
appearance. You make the profile read-only by renaming this file to Ntuser.man.
Setting up a Roaming User Profile
When you set up a RUP on a server, the next time that the user logs on to a computer in the
domain, Windows 2000 copies the local user profile to the RUP Path on the server.
Copying RUPs between the server and client computers can use a lot of system resources,
such as bandwidth and computer processing. If the profiles are on the domain controller, this
can delay the authentication of users by the domain controller.
TIP To further improve performance and profile availability, consider configuring a Domain
Dfs root for user profiles and configuring FRS so that the profiles are replicated to multiple
available locations on the network.
On the Profile tab in the Properties dialog box for the user account, provide the path to the shared
folder in the Profile Path box (\\<server>\<share>\<logon_name>).
You can also type the variable %username% instead of the user’s logon name. When you use the
variable, Windows 2000 automatically replaces it with the user account name for the RUP.
Assigning a Customized Roaming User Profile
You can customize an RUP and assign it to multiple users, who will then have the same settings
and connections when they log on. First you must create the user profile template, which contains
the customized desktop settings that you want the users to have. A template is created by
configuring a desktop exactly as you want it to appear for the users who will be assigned this
profile.
Once the template is created, log on as an administrator and copy the user profile template to
an RUP folder on the server. The folder must be accessible to all users who will be assigned
this profile. The User Profiles tab of the System program in Control Panel can be used to copy
the profile template to a shared network location.
Finally, assign the profile to the appropriate users by using the Active Directory Users And
Computers snap-in.
Since changes to the template profile affect all users who are assigned the profile, you should
make the profile mandatory. To make the profile mandatory, rename Ntuser.dat to Ntuser.man.
NOTE: Ntuser.dat is a hidden file. You must either use the attrib command-line utility to
remove the hidden attribute or enable viewing of hidden files in Windows 2000 Explorer.
Modifying User Accounts
Company needs and changes might require you to modify user accounts. You might also need
to reset a user’s password or unlock a user account.
NOTE: You can modify a user account by changing the user account object in the Active
Directory store. To complete the tasks for modifying user accounts successfully, creating
roaming user profiles and assigning home directories, you must have permission to administer
the OU in which the user accounts reside.
Disabling, Enabling Renaming, and Deleting User Accounts
You can make the following modifications to user accounts that will affect the way the account
operates:
Disabling and enabling a user account. Disable an account when it should not be used for a
time, for example a temporary worker’s account between assignments, rather than deleting it;
enable it again when the user returns.
Renaming a user account. You rename a user account when you want to retain all
rights and permissions, group memberships and most properties for the user account and
reassign it to a different user. For example, when a new employee replaces one who has left, you
can rename the existing account instead of creating a new one from scratch. Because the renamed
account keeps its security identifier (SID), the new holder inherits every access the previous one
had, so review group memberships and permissions before reusing it.
Deleting a user account. Delete a user account when an employee leaves the
company and you are not going to rename the user account. Deleting destroys the SID; an account
created later with the same name is a different security principal and regains none of the old
permissions.
The procedures for disabling, enabling, renaming and deleting user accounts are similar for
domain and local accounts.
Resetting Passwords and Unlocking User Accounts
If a user forgets her or his password, you need to reset the password. You do not need to
know the old password to reset a password.
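The five modifications above (disable, enable, rename, delete, reset, unlock) as one added example that is not part of the original notes and not a Microsoft sample, written for WSH with ADSI. The OU, the UPN suffix, the account names and the throwaway reset password are assumptions.

```vbscript
Option Explicit
' Added example, not from the notes: routine account modifications through ADSI.
' The OU, UPN suffix and account names below are assumptions.

Const strOUDN = "OU=Sales,DC=example,DC=com"   ' assumed OU
Dim objOU : Set objOU = GetObject("LDAP://" & strOUDN)

Function UserObject(strRDN)
    Set UserObject = GetObject("LDAP://" & strRDN & "," & strOUDN)
End Function

' Disable/enable: IADsUser.AccountDisabled flips the ACCOUNTDISABLE bit of userAccountControl.
Sub SetDisabled(strRDN, blnDisabled)
    Dim objUser : Set objUser = UserObject(strRDN)
    objUser.AccountDisabled = blnDisabled
    objUser.SetInfo
End Sub

' Rename: the object keeps its SID, so memberships and permissions carry over to the new
' holder; review them first. The RDN, both logon names and the display name all change.
Sub RenameUser(strOldRDN, strNewRDN, strNewLogon, strNewDisplay)
    Dim objUser : Set objUser = UserObject(strOldRDN)
    objUser.Put "sAMAccountName", strNewLogon
    objUser.Put "userPrincipalName", strNewLogon & "@example.com"   ' assumed UPN suffix
    objUser.Put "displayName", strNewDisplay
    objUser.SetInfo
    objOU.MoveHere objUser.ADsPath, strNewRDN   ' same container, new RDN = rename
End Sub

' Reset: SetPassword needs the reset-password right, not the old password (ChangePassword
' would). Force the user to choose a new one at next logon.
Sub ResetPassword(strRDN, strNewPassword)
    Dim objUser : Set objUser = UserObject(strRDN)
    objUser.SetPassword strNewPassword
    objUser.Put "pwdLastSet", 0
    objUser.SetInfo
End Sub

' Unlock: clearing lockoutTime is what the Account Is Locked Out check box does.
Sub UnlockAccount(strRDN)
    Dim objUser : Set objUser = UserObject(strRDN)
    objUser.Put "lockoutTime", 0
    objUser.SetInfo
End Sub

' Delete: the SID is gone for good; a later account with the same name regains nothing.
Sub DeleteUser(strRDN)
    objOU.Delete "user", strRDN
End Sub

' Usage with assumed accounts.
SetDisabled "CN=Temp Worker", True                       ' between assignments
RenameUser "CN=Jane Doe", "CN=Ann Lee", "alee", "Ann Lee" ' new employee takes over the account
ResetPassword "CN=Ann Lee", "Reset-2002-Jan!"            ' constructed throwaway, given out of band
UnlockAccount "CN=Ann Lee"
DeleteUser "CN=Temp Worker"                              ' contract ended, account not reused
```

Each Sub commits with SetInfo, so a failure (for example, a reset password that violates domain policy) stops at that step with a runtime error and does not leave later changes half-applied.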
Creating Home Folders
In addition to the My Documents folder, Windows 2000 provides you with the means to
create a home folder for the user. A home folder is an additional one that you can provide
for users to store personal documents, and for older applications, it is sometimes the default
folder for saving documents.
Storing all home folders on a file server provides the following advantages:
(including MS-DOS, Windows 95, Windows 98, and Windows 2000).
NOTE: You should store home folders on an NTFS volume so you can use NTFS permissions to protect them.
To create a home folder on a network file server, you must perform the following three tasks:
Creating and sharing a folder. Create and share a folder in which to store all home
folders on a network server.
Changing the Full Control permission. For the shared folder, remove the default
permission Full Control from the Everyone Group and assign Full Control to the Users
Group.
Providing the home folder path. Provide the path to the user’s home folder in the
Home Folder section on the Profile tab of the user’s Properties dialog box.
NOTE: If you use %username% to name a folder on an NTFS volume, the user and the
built-in local Administrators group is assigned the NTFS Full Control permission. All other
permissions are removed for the folder, including those for the Everyone Special Group.
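The three home-folder tasks and the note on what the %username% shortcut does to the NTFS permissions, as one added example that is not part of the original notes and not a Microsoft sample. It is a WSH script meant to run on the file server; the server name, the share, the domain name, the account and the roaming profile share (from the Managing User Profiles section, set in the same place) are assumptions. It assumes task one is already done: D:\Home is shared as Home$ with the share permission changed from Everyone to Users, Full Control.

```vbscript
Option Explicit
' Added example, not from the notes: create one user's home folder on the file server,
' replace its NTFS ACL, and point the account at it. All names here are assumptions.

Const strServer    = "FS01"           ' assumed file server; the script runs on it
Const strShareName = "Home$"          ' assumed share of D:\Home (share perms: Users, Full Control)
Const strLocalRoot = "D:\Home"        ' NTFS volume
Const strDomain    = "EXAMPLE"        ' assumed pre-Windows 2000 domain name
Const strLogon     = "jdoe"           ' assumed account
Const strUserPath  = "LDAP://CN=Jane Doe,OU=Sales,DC=example,DC=com"

Dim objFSO   : Set objFSO   = CreateObject("Scripting.FileSystemObject")
Dim objShell : Set objShell = CreateObject("WScript.Shell")
Dim objUser  : Set objUser  = GetObject(strUserPath)

Dim strLocalPath : strLocalPath = strLocalRoot & "\" & strLogon
Dim strUncPath   : strUncPath   = "\\" & strServer & "\" & strShareName & "\" & strLogon

' 1. The folder itself.
If Not objFSO.FolderExists(strLocalPath) Then objFSO.CreateFolder strLocalPath

' 2. NTFS permissions. cacls /G without /E replaces the whole ACL, so Everyone and any
'    inherited entries go away and only the user and Administrators keep Full Control,
'    the same result the %username% shortcut in the snap-in produces. cacls asks
'    "Are you sure (Y/N)?" before replacing, hence the piped "y".
Dim strCmd, intRc
strCmd = "cmd /c echo y| cacls """ & strLocalPath & """ /G " & _
         strDomain & "\" & strLogon & ":F Administrators:F"
intRc = objShell.Run(strCmd, 0, True)
If intRc <> 0 Then
    WScript.Echo "cacls failed with exit code " & intRc
    WScript.Quit intRc
End If

' 3. Point the account at the folder (Profile tab: Home Folder, Connect H: To the UNC path).
objUser.Put "homeDrive", "H:"
objUser.Put "homeDirectory", strUncPath
' The roaming profile path (Profile Path box) is set the same way; assumed share Profiles$.
objUser.Put "profilePath", "\\" & strServer & "\Profiles$\" & strLogon
objUser.SetInfo

WScript.Echo "Home folder for " & strLogon & ": " & strUncPath
```

The ACL is replaced before the directory is updated, so if cacls fails the account is not yet pointing at a folder that Everyone can still read. Share permissions and NTFS permissions combine to the more restrictive of the two, which is why the share can stay at Users, Full Control while the per-user NTFS ACL does the real isolation.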
Lesson Summary:
network resources.
environment and application settings as well as personal data.
Lesson 3:
Administering Group Accounts
A group is a collection of user accounts. Groups simplify administration by allowing you to
assign permissions and rights to a group of users rather than having to assign permissions to
each individual user account.
When you assign permissions, you give users the capability to gain access to specific resources
and you define the type of access they have.
In addition to user accounts, you can add contacts, computers, and other groups to a group.
TRY at Home: Right Click My Computer/Properties/User Profiles
STILL APPLIES: AGLP (put Accounts into Global groups, put global groups into domain Local
groups, then assign Permissions to the domain local groups)
Types of Groups
Sometimes you create groups for security, such as assigning permissions. At other times you
use them for reasons unrelated to security, such as sending e-mail messages. There are two
types of groups: security and distribution.
Security Groups
The Windows 2000 operating system uses only security groups to assign permissions to gain
access to resources; a security group can be listed in an ACL, a distribution group cannot.
Distribution Groups
Applications use distribution groups as lists for functions not related to security. Use a
distribution group when the only function of the group is not security related, such as sending
e-mail messages to a group of users at the same time. You cannot use distribution groups to
assign permissions.
NOTE: Only programs that are designed to work with Active Directory services can use
distribution groups. For example, future versions of Microsoft Exchange Server will be able to
use distribution groups as distribution lists for sending e-mail messages.
Group Scopes
The scope of a group determines where in the network you can use the group to assign
permissions. The three group scopes are domain local, global, and universal.
Domain Local Groups
Domain local groups are most often used to assign permissions to resources. A domain local
group has the following characteristics:
Access to resources in one domain. You can use a domain local group to assign
permissions to gain access only to resources that are located in the same domain
where you create the domain local group.
Global Groups (I thought there were no global groups in Windows 2000 Server)
Global groups are most often used to organize users who share similar network access
requirements. A global group has the following characteristics:
Limited membership. You can add members only from the domain in which you create
the global group.
Access to resources in any domain. You can use a global group to assign permissions to
gain access to resources that are located in any domain.
Universal Groups
Universal groups are most often used to assign permissions to related resources in multiple
domains. They have the following characteristics:
Open membership. You can add members from any domain.
Access to resources in any domain. You can use a universal group to assign permissions to
gain access to resources that are located in any domain.
Available in native mode only. Universal security groups do not exist in a mixed-mode
domain.
Group Membership
=====================================================================
Group scope      Can contain in mixed mode          Can contain in native mode
=====================================================================
Domain local     User accounts, computer accounts   User accounts, computer accounts,
                 and global groups from any         global groups and universal groups
                 domain.                            from any domain, and other domain
                                                    local groups from the same domain.
Global           User accounts and computer         User accounts, computer accounts,
                 accounts from the same domain.     and global groups from the same
                                                    domain.
Universal        Not available in mixed mode.       User accounts, computer accounts,
                                                    global groups, and universal groups
                                                    from any domain.
=====================================================================
Domain local groups and global groups can be converted to universal groups. For this to happen,
Active Directory must be operating in native mode, and the group must not be nested with another
group of the same scope: a global group that is a member of another global group cannot be
converted to a universal group, and a domain local group that contains another domain local
group cannot be converted either.
Group Nesting
Nesting means adding a group to another group, for example adding the Sales and Marketing
department groups to a larger group for their geographical region. Effectively nesting groups
in a multiple-domain environment reduces network traffic between domains and simplifies
administration in a domain tree. To use nesting efficiently, you need to understand the
membership rules of groups.
You also need to consider the domain operations mode of your domain tree:
Mixed mode. Only user accounts and global groups from any domain can be members of domain
local groups, and global groups cannot contain other groups. Universal security groups do not
exist in mixed mode.
Native mode. Full group nesting is available, which permits multiple levels of nesting.
Group Strategies
Use the following guidelines in determining the group members:
In addition, placing user accounts in domain local groups and assigning permissions to the domain
local groups does not allow you to assign permissions for resources outside of the domain.
Using Universal Groups:
Unlike domain local groups, you can assign permissions to universal groups for resources in any
domain in your network. You can assign permissions for access to a resource directly to the
universal group, which allows you to use a universal group in the same way as domain local
groups to assign permissions for resources.
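The AGLP strategy from the note earlier in this lesson, carried through as a script. This is an added example, not the notes' own material, written for the RSAT ActiveDirectory module on a current domain member (Windows 2000 itself offers these steps only through Active Directory Users And Computers). The OU, the two group names, the user names and the folder D:\Shares\Sales are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original notes: AGLP in PowerShell. Accounts go into
# a Global group, the global group into a domain Local group, and Permissions are
# granted only to the domain local group. Assumes the RSAT ActiveDirectory module on a
# domain member; the OU, group names, user names and D:\Shares\Sales are placeholders.
$GroupOU    = "OU=Groups,$((Get-ADDomain).DistinguishedName)"
$Accounts   = @('jdoe', 'asmith')            # constructed sample
$GlobalName = 'G-Sales'                      # who: people grouped by role, from this domain only
$LocalName  = 'DL-Sales-Modify'              # what: one resource, one access level
$Resource   = 'D:\Shares\Sales'

# A -> G: accounts into a global group.
if (-not (Get-ADGroup -Filter "Name -eq '$GlobalName'")) {
    New-ADGroup -Name $GlobalName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GlobalName -Members $Accounts

# G -> L: the global group into a domain local group. A domain local group may hold
# global groups from any trusted domain but is usable only on this domain's resources.
if (-not (Get-ADGroup -Filter "Name -eq '$LocalName'")) {
    New-ADGroup -Name $LocalName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $LocalName -Members $GlobalName

# L -> P: the ACL names only the domain local group, never a user or the global group,
# so access changes are made by editing membership rather than by touching the ACL.
New-Item -Path $Resource -ItemType Directory -Force | Out-Null
$acl  = Get-Acl -Path $Resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:USERDOMAIN\$LocalName", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Resource -AclObject $acl

# Check: the users who end up with Modify on the folder, resolved through the nesting.
function Get-EffectiveUsers([string]$Group) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
Get-EffectiveUsers -Group $LocalName
```

The naming prefixes (G- and DL-) are a convention, not a requirement; they make the scope visible in a permissions dialog, which matters when a domain local group and a global group would otherwise carry the same name.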
Implementing Groups
Before you implement your group strategy, consider the following guidelines:
Limit the membership of universal groups. The membership of a universal group is replicated to
every global catalog server in the forest, so frequent changes to its members will increase
replication traffic.
Give each group a descriptive name, because users and administrators in
other domains search for it in Active Directory services.
Creating Groups
Use the Active Directory Users And Computers snap-in to create and delete groups. When
you create groups, create them in the Users OU or in an OU that you have created specifically
for groups.
Administering Groups
You can use the Active Directory Users And Computers snap-in to administer groups: add members
to the group, change the group scope, or delete the group.
Adding Members to a Group
After you create a group you add members. They can be user accounts, contacts, other
groups or computers.
NOTE: If your domain is in mixed mode, you will not always be able to add groups to your
new group; it depends on the scope of the group you are creating (see the group membership
table above).
NOTE: If there are multiple user accounts or groups that you want to add, you can repeat
the process of selecting them one at a time and then click Add, or you can hold down the
Shift or Ctrl key to select multiple user accounts or groups all at once. The Shift key
allows you to select a consecutive range of accounts, while the Ctrl key allows you to
pick some accounts and skip others. Click Add after you have selected all the accounts
you wish to add.
Changing the Group Scope
As your network changes, you might need to change a group scope. For example, you
might want to change an existing domain local group to a universal group when you need
to allow users to gain access to resources in other domains.
NOTE: You can change the scope of a group only in native-mode domains. Changing a group
scope is not allowed in mixed-mode domains. In addition, Windows 2000 does not permit
changing the scope of a universal group, because every other scope has more restrictive
membership than a universal group.
You can make the following changes to a group scope:
Global to universal. Allowed only if the global group is not a member of another global group.
Domain local to universal. Allowed only if the domain local group you are converting does not
contain another domain local group.
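The global-to-universal rule above, exercised with Set-ADGroup. This is an added example rather than anything from the original notes; it assumes a domain at Windows 2000 native functional level or later, the RSAT ActiveDirectory module, and a placeholder OU=Groups. G-Outer and G-Inner are throwaway groups that the script creates and removes.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original notes: exercising the scope-change rules with
# Set-ADGroup. Assumes a native-mode (or later) domain, the RSAT ActiveDirectory module,
# and a placeholder OU=Groups; G-Outer and G-Inner are throwaway groups.
$OU = "OU=Groups,$((Get-ADDomain).DistinguishedName)"
foreach ($name in 'G-Outer', 'G-Inner') {
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $OU
}
# Global inside global: allowed in native mode only.
Add-ADGroupMember -Identity 'G-Outer' -Members 'G-Inner'

# Global -> universal is refused while the group is a member of another global group.
try {
    Set-ADGroup -Identity 'G-Inner' -GroupScope Universal -ErrorAction Stop
    Write-Host 'unexpected: conversion succeeded'
} catch {
    Write-Warning "G-Inner could not be converted: $($_.Exception.Message)"
}

# Before converting for real, look at what the group is a member of; the blocking
# global-group membership shows up in the MemberOf attribute.
Get-ADGroup -Identity 'G-Inner' -Properties MemberOf | Select-Object -ExpandProperty MemberOf

# Take it out of the global group and the same conversion succeeds.
Remove-ADGroupMember -Identity 'G-Outer' -Members 'G-Inner' -Confirm:$false
Set-ADGroup -Identity 'G-Inner' -GroupScope Universal
Get-ADGroup -Identity 'G-Inner' | Select-Object Name, GroupScope

# Clean up the throwaway groups.
foreach ($name in 'G-Inner', 'G-Outer') {
    Remove-ADGroup -Identity $name -Confirm:$false
}
```

Once G-Inner is universal its membership is published in the global catalog, which is the replication cost the implementation guidelines earlier in this lesson warn about.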
Deleting a Group
Each group you create has a unique, nonreusable identifier called the security ID (SID).
Windows 2000 uses the SID to identify the group and the permissions that are assigned to it.
When you delete a group, Windows 2000 never uses that SID again, even if you create a new
group with the same name as the group you deleted, so the new group does not inherit any of
the old group's permissions.
When you delete a group, you delete only the group; the permissions and rights that were
assigned to it no longer apply to anyone. Deleting a group does not delete the user accounts
that are members of the group. To delete a group, right-click the group, and then click Delete.
The ACL entries that referred to the deleted group are not removed from the resources
themselves; they remain as entries for a SID that no longer resolves to a name until you clean
them up, so check the ACLs of the resources a group protected before you delete it.
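Demonstrating the SID rule and finding the orphaned entries it leaves behind. This is an added example, not the notes' own material; it assumes the RSAT ActiveDirectory module on a domain member, and DL-Temp-Read, OU=Groups and D:\Shares\Reports are placeholders (the folder is expected to already grant the group a permission).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original notes: a deleted group's SID is never reused,
# and the ACEs that still name it become orphans. Assumes the RSAT ActiveDirectory
# module; DL-Temp-Read, OU=Groups and D:\Shares\Reports are placeholders.
$Name = 'DL-Temp-Read'
$Path = 'D:\Shares\Reports'
$OU   = "OU=Groups,$((Get-ADDomain).DistinguishedName)"

$oldSid = (Get-ADGroup -Identity $Name).SID.Value
Remove-ADGroup -Identity $Name -Confirm:$false
New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security -Path $OU
$newSid = (Get-ADGroup -Identity $Name).SID.Value
"old SID: $oldSid"
"new SID: $newSid"
"same SID reused: $($oldSid -eq $newSid)"    # the recreated group gets a fresh RID

# The folder's ACL still carries the old SID. Get-Acl tries to resolve every identity to
# a name; an entry left as a raw SecurityIdentifier (S-1-5-21-...) has no principal behind
# it any more, and the recreated group gets none of that access. If the old name still
# shows for a while, the server's LSA lookup cache has not expired; the ACE is dead anyway.
function Get-OrphanedAce([string]$Folder) {
    foreach ($ace in (Get-Acl -Path $Folder).Access) {
        $id = $ace.IdentityReference
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            [pscustomobject]@{
                Path   = $Folder
                SID    = $id.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}
Get-OrphanedAce -Folder $Path | Format-Table -AutoSize

# Drop the orphaned entries and grant the recreated group explicitly.
$acl = Get-Acl -Path $Path
foreach ($ace in @($acl.Access | Where-Object {
        $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier] })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:USERDOMAIN\$Name", 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $Path -AclObject $acl
```

Run Get-OrphanedAce over a file server's share roots periodically; orphaned Deny entries are harmless, but orphaned Allow entries are the trace of a group somebody deleted instead of emptying, and the resource is now protected by whatever other entries happen to remain.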
Implementing Local Groups.
Follow these guidelines:
You cannot create local groups on domain controllers within the domain; local groups exist
only on member servers, stand-alone servers and workstations.
Use local groups on computers that do not belong to a domain, such as stand-alone servers and
computers running Windows 2000 Professional.
You can use a local group only to assign permissions to resources on the computer where you
create the local group.
Creating Local Groups
Use the Local Users And Groups node of the Computer Management snap-in to create local groups
on a member server, stand-alone server or workstation. You create local groups in the Groups
folder. You can add members to a local group while you create the group or after you create
it.
Built-in Groups
There are four categories of built-in groups: global, domain local, local, and system. Built-in
groups have a predetermined set of user rights or group membership.
Built-in Global Groups
By default Windows 2000 automatically adds members to some built-in global groups. You
can add user accounts to these built-in groups to provide additional users with the privileges
and permissions that you assign to the built-in group.
When you create a domain, Windows 2000 creates built-in global groups in the Active Directory
store. You assign rights by either adding the global groups to domain local groups or explicitly
assigning user rights or permissions to the built-in global groups.
=====================================================================
Built-in global group    Description
=====================================================================
Domain Users             Windows 2000 automatically adds Domain Users to the Users
                         built-in domain local group. By default the Administrator
                         account is a member, and Windows 2000 automatically makes
                         each new domain user account a member.
Domain Admins            Windows 2000 adds Domain Admins to the Administrators
                         domain local group so that members of Domain Admins can
                         perform administrative tasks on any computer in the domain.
                         By default the Administrator account is a member.
Domain Guests            Windows 2000 automatically adds Domain Guests to the
                         Guests domain local group.
Enterprise Admins        For the people who should have administrative control of
                         the entire network. By default Enterprise Admins is a member
                         of the Administrators built-in local group, and the
                         Administrator account is a member of Enterprise Admins.
=====================================================================
Note: Members of a group and groups with which a group is a member are viewable from the
Members and Members of tabs in the properties of each group.
Built-in Domain Local Groups
A built-in domain local group works the same way as a domain local group you create yourself;
the only difference is that a built-in group cannot be deleted.
Built-in domain local groups give predefined rights and permissions to user accounts when
you add user accounts or global groups as members.
=====================================================================
Built-in domain local group   Description
=====================================================================
Account Operators    Members can create, delete and modify user accounts and groups,
                     but cannot modify the Administrators group or any of the
                     Operators groups.
Server Operators     Members can share disk resources and back up and restore files
                     on domain controllers.
Print Operators      Members can set up and manage network printers on domain
                     controllers.
Administrators       Members can perform all administrative tasks on all domain
                     controllers and on the domain itself. By default the
                     Administrator user account, the Domain Admins global group and
                     the Enterprise Admins group are members.
Guests               Members can perform only tasks for which you have granted
                     rights and gain access only to resources for which you have
                     assigned permissions; members cannot make permanent changes to
                     the desktop. By default the Guest user account and the Domain
                     Guests global group are members.
Backup Operators     Members can back up and restore files on domain controllers,
                     regardless of the NTFS permissions on those files.
Users                By default the Domain Users global group, the Authenticated
                     Users special group and the INTERACTIVE special group are
                     members.
=====================================================================
Treat the Operators groups as administrative groups: Server Operators and Backup Operators
can read and write any file on a domain controller through their backup and restore rights,
and Account Operators can reset the passwords of most user accounts in the domain.
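A membership audit of the built-in groups in the two tables above, together with the Guest account check that the system-group table later in this lesson depends on. This is an added example and not part of the original notes; it assumes only the RSAT ActiveDirectory module on a domain member.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original notes: who is in the built-in groups that
# carry rights on domain controllers, flattened through nesting, plus the state of the
# domain Guest account. Assumes the RSAT ActiveDirectory module on a domain member.
$Privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Account Operators',
              'Server Operators', 'Backup Operators', 'Print Operators'

function Get-PrivilegedMembership {
    foreach ($groupName in $Privileged) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'"
        if (-not $group) { continue }      # Enterprise Admins exists only in the forest root domain
        # -Recursive flattens nested global/universal groups down to the leaf accounts.
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            $enabled = $null
            if ($member.objectClass -eq 'user') {
                $enabled = (Get-ADUser -Identity $member.DistinguishedName).Enabled
            }
            [pscustomobject]@{
                Group   = $groupName
                Scope   = $group.GroupScope
                Member  = $member.SamAccountName
                Class   = $member.objectClass
                Enabled = $enabled
            }
        }
    }
}

$report = Get-PrivilegedMembership
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Findings worth acting on: disabled accounts left in privileged groups, anything in the
# Operators groups on a domain that no longer uses them, and Guest anywhere.
$report | Where-Object { $_.Enabled -eq $false -or $_.Member -eq 'Guest' }

# Everyone includes Guest-authenticated users when Guest is enabled, so check it here too.
if ((Get-ADUser -Identity 'Guest').Enabled) {
    Write-Warning 'Domain Guest account is enabled: permissions granted to Everyone are reachable without a valid account.'
}
```

The Scope column is there because the nested-group chain is the usual way a privileged group grows quietly: a harmless-looking global group added to Administrators once, and everyone added to that global group later inherits the rights.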
Built-in Local Groups
All stand-alone servers, member servers, and computers running Windows 2000 Professional
have built-in local groups. Built-in local groups give rights to perform system tasks on a single
computer, such as backing up and restoring files, changing the system time, and administering
system resources.
===================================================================
Local group       Description
===================================================================
Users             Members can perform only the tasks for which they have been granted
                  rights and permissions.
Administrators    Full control of the computer; by default the Administrator user
                  account for the computer is a member.
Guests            Members can perform only tasks for which they have been granted
                  rights. By default the built-in Guest account for the computer is a
                  member, and that account is disabled after installation.
Backup Operators  Members can use Windows Backup to back up and restore files on the
                  computer, regardless of NTFS permissions.
Power Users       Members can create and modify local user accounts on the computer
                  and share resources. Power Users can also install programs and
                  change system-wide settings, so treat membership almost as you
                  would membership of Administrators.
Replicator        Used by the file replication service; do not add ordinary user
                  accounts to it.
===================================================================
Built-in System Groups
Built-in system groups (also called special groups) exist on all computers running Windows
2000, as they did in Windows NT. System groups do not have memberships that you can modify;
they represent different users at different times, depending on how a user gains access to a
computer or resource.
=====================================================================
System group        Description
=====================================================================
Everyone            Includes all users who gain access to the computer. Be careful
                    when you assign permissions to Everyone and enable the Guest
                    account: Windows 2000 authenticates a user who does not have a
                    valid user account as Guest, and in Windows 2000 Everyone also
                    includes Anonymous Logon.
Authenticated Users Includes all users with a valid user account on the computer or
                    in Active Directory. Use it instead of Everyone to keep a
                    permission from reaching anonymous and guest users.
Creator Owner       Includes the user account of the user who created or took
                    ownership of a resource.
Network             Includes any user with a current connection from another computer
                    on the network to a shared resource on the computer.
Interactive         Includes the user who is logged on at the computer itself;
                    members gain access to resources on the computer at which they
                    are physically located.
Anonymous Logon     Includes any user that Windows 2000 did not authenticate.
Dialup              Includes any user who currently has a dial-up connection.
=====================================================================
Lesson Summary:
Lesson 4:
Administering Group Policies
Group policies provide a facility for further refining and centralizing management of a user’s
desktop environment. Group policies can be used to control the programs that are available
to users, the programs that appear on a user’s desktop, and the Start menu options.
Group policies can also control the work environment of users with accounts that are located
in a specific OU. In addition, group policies can be set at the site level, using the Active
Directory Sites And Services snap-in.
Benefits of Group Policy
The total cost of ownership (TCO) is the cost involved in administering distributed personal
computer networks.
You can lower your network’s TCO by using group policies to create a managed desktop
environment tailored to the user’s job responsibilities and experience level.
Securing a User’s Environment
As an administrator in a high-security network, you might want to create a locked-down
environment on a computer. By implementing appropriate group policy settings for specific
users, combined with NTFS permissions, mandatory profiles, and other Windows 2000
security features, you can prevent users from installing software and accessing unauthorized
programs or data.
Types of Group Policies
Group Policy Objects
A GPO contains group policy settings for sites, domains, and OUs. The GPO's properties are
written to the Active Directory store in an object called the group policy container (GPC);
the settings themselves are stored on the domain controllers' SYSVOL share in the group
policy template (GPT).
Local Group Policy Objects
A local GPO exists on every Windows 2000 computer and, by default, only security settings
are configured. The local GPO is stored in the %systemroot%\System32\GroupPolicy folder,
and has the following ACL permissions:
NOTE: SYSTEM and Authenticated Users are system groups.
GPO Permissions
The Authenticated Users system group is granted Read and Apply Group Policy access to a GPO.
Note that by default only the Authenticated Users group is granted the Apply Group Policy
attribute.
Administrators are also authenticated users, which means that the Apply Group Policy attribute
applies to them as well: a lockdown GPO left with the default permissions is applied to
administrators too, unless you remove or deny Apply Group Policy for them.
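Checking a GPO's permissions for exactly this situation. This is an added example, not part of the original notes; it uses the GroupPolicy module (RSAT) on a domain-joined machine, and 'Lockdown' is a placeholder GPO name.

```powershell
#Requires -Modules GroupPolicy
# Added example, not part of the original notes: inspecting who a GPO applies to, with
# the GroupPolicy module (RSAT) on a domain-joined machine. 'Lockdown' is a placeholder.
$GpoName = 'Lockdown'

# Every ACE on the GPO, including the inherited ones.
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n='Trustee'; e={$_.Trustee.Name}},
                       @{n='Type';    e={$_.Trustee.TrusteeType}},
                       Permission, Inherited |
    Format-Table -AutoSize

# Apply Group Policy is granted to Authenticated Users by default; administrators are
# authenticated users too, so a lockdown GPO applies to them unless it is filtered.
$apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' }
if ($apply | Where-Object { $_.Trustee.Name -like '*Authenticated Users' }) {
    Write-Warning "$GpoName applies to every authenticated user, administrators included."
}

# Domain Admins hold Edit/Delete/Modify Security rather than Apply, so their ability to
# edit the GPO is separate from whether the GPO is applied to them.
Get-GPPermission -Name $GpoName -TargetName 'Domain Admins' -TargetType Group

# The ACL of the local GPO folder referenced above.
(Get-Acl -Path "$env:SystemRoot\System32\GroupPolicy").Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Set-GPPermission can grant or withdraw GpoApply for a trustee but does not write Deny entries; if you need to exclude Administrators while keeping Authenticated Users, the Deny on Apply Group Policy is set on the GPO's Security tab, and the script above is the way to confirm afterwards that it is really there.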
To edit a GPO, the user must be one of the following: