Chapter 7: WORKING WITH GROUPS (Course 290, PowerPoint presentation)

Page 1: Chapter 7: WORKING WITH GROUPS

Course 290

Page 2: Assigning Permissions in Server 2003

For users to be able to access resources on an Active Directory network, they must have the appropriate permissions.

Shared folders and drives, printers, and virtually all other resources on a network have an access control list (ACL).

An ACL is a list of objects that are permitted to access the resource, along with the degree of access that each object is permitted.

The objects in an ACL are referred to as security principals.

Page 3: Using Groups for permissions

A group is simply a list of users that functions as a security principal.

In Active Directory, group objects can contain user objects, computers, contacts, and, under certain conditions, even other groups.

When you use a group object as a security principal by adding it to an ACL, all of the group's members receive the permissions that you assigned to the group.

Page 4: UNDERSTANDING GROUPS

Page 5: User Rights

Groups also make it possible to assign user rights to multiple users at once.

In Windows Server 2003, rights are distinctly different from permissions.

A user right grants a user or group the ability to perform a particular system task, such as access the computer from the network, change the system time, or take ownership of files and other objects.

Page 6: Groups vs. Group Policies

The structure of the Active Directory hierarchy is a critical part of the domain user account creation process because rights and permissions granted to a container object are inherited by the objects it contains, including user objects.

Group inheritance works the same way: the members receive the settings assigned to the group.

The main difference between a group and a container is that the group is not restricted by the structure of the Active Directory tree. You can create groups with members anywhere in the domain, and even in other domains, and grant them all privileges in one quick step.

Page 7: GROUP POLICIES

Group policies and groups are not related.

Group policies cannot be directly applied to a group.

A Group Policy can only be applied to an Active Directory site, domain, or OU.

Page 8: DOMAIN FUNCTIONAL LEVELS

The domain functional level determines the level of functionality used by Active Directory.

The different versions of Windows have slightly different capabilities built into their Active Directory implementations. Each successive version has some new features that are not usable when some of the domain controllers in a domain are running older versions of Windows.

Changing the domain functional level informs the operating system that all of the domain controllers are compatible and that it is safe to activate the version-specific features.

The functional level can be raised but not lowered.

Page 9: DOMAIN FUNCTIONAL LEVELS

Windows 2000 mixed
  Default functional level of a domain controller
  Supports universal distribution groups but not universal security groups
  Global groups cannot have other groups as members (group nesting)

Windows 2000 native
  Supports Server 2000 and 2003
  Supports universal security and distribution groups
  Allows groups to be members of other groups
  Allows conversions between security groups and distribution groups

Windows Server 2003 interim
  Used only when upgrading domain controllers in Windows NT 4 domains to Windows Server 2003 domain controllers

Windows Server 2003
  Same as Server 2000 native, but only supports Server 2003

Page 10: Managing the Functional Domain Level

Use the Active Directory Domains And Trusts console.

You cannot lower the functional level after you raise it, except by reinstalling Active Directory on all of your domain controllers.

Once the functional level is raised on that one domain controller, the change is replicated to all of the other domain controllers in the domain.

Page 11: Local vs. Domain groups

Windows Server 2003 supports local groups and domain groups.

A local group is a collection of local user accounts on a particular computer.

Local groups perform the same basic function as all groups: they enable you to assign permissions to multiple users in one step.

Local groups are created using the Local Users And Groups snap-in, which is integrated into the Computer Management console.

When you create a local group, the system stores it in the local Security Accounts Manager (SAM) database.

Page 12: Restrictions on LOCAL GROUPS

You can use local groups only on the computer where you create them.

Only local users from the same computer can be members of local groups.

When the computer is a member of a domain, local group members can include users and global groups from the domain or any trusted domain.

Local groups cannot have other local groups as members.

Local group permissions provide access only to resources on the computer where you created the local group.

You cannot create local groups on a Windows Server 2003 computer that is functioning as a domain controller.

Page 13: ACTIVE DIRECTORY GROUPS

Active Directory groups are characterized by their type and their scope.

Types: Security, Distribution

Scopes: Local, Global, Universal

Page 14: ACTIVE DIRECTORY GROUP TYPES

Security Groups: used to assign access permissions for network resources.
  Membership depends on the type of security group and the domain functional level.
  Can also be used as a distribution group.
  The most common type of group created and used in Active Directory.

Distribution Groups: used to group users together for use by applications in non-security-related functions.
  You use distribution groups when the only function of the group is not security-related, such as sending e-mail messages to a group of users at the same time.
  Can be used only by directory-aware applications.
  Can be converted to a security group.

Page 15: ACTIVE DIRECTORY GROUP SCOPES

Group scopes define how permissions are assigned to the group members.

The 3 scope levels are: Domain local, Global, Universal

Page 16: DOMAIN LOCAL GROUPS

Domain local groups are most often used to assign access permissions to network resources, like printers or shared folders, in a single domain.

Available in all domain functional levels.

Can only be used to assign permissions to resources in the domain where they are created.

Permitted membership depends on domain functional level:
  In Windows 2000 mixed or Windows Server 2003 interim functional level, members can include user and computer accounts and global groups from any domain in the forest.
  In Windows 2000 native or Windows Server 2003 functional level, members can include user and computer accounts, global and universal groups from any domain in the forest, and other domain local groups from the same domain.

Page 17: GLOBAL GROUPS

Used to collect users or computers in the same domain that share the same job, role, or function.

Global groups are given access to network resources by making the group a member of a domain local group.

Most commonly used to manage permissions for directory objects, such as user and computer accounts, that require frequent maintenance.

More efficient than using universal groups because they are not replicated outside of their domain. This minimizes the amount of replication traffic to the global catalog.

Available in all functional levels.

Can include only members from within their domain; actual membership depends on domain functional level.

Can be granted access permissions to resources in any domain in the forest, and in domains in other trusted forests.

Page 18: UNIVERSAL GROUPS

Used primarily to grant access to related resources in multiple domains.

Generally used to consolidate groups that span multiple domains.

To use universal groups effectively, the best practice is to create a global group in each domain, with user or computer accounts as members, and then make the global groups members of a universal group.

Available only in the Windows 2000 native and Windows Server 2003 domain functional levels.

Can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests.

Can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members.

Page 19: NESTING GROUPS

Group scope  | Members allowed in Windows 2000 mixed or Windows Server 2003 interim functional level | Members allowed in Windows 2000 native or Windows Server 2003 functional level
Domain local | User and computer accounts and global groups from any domain | User and computer accounts, universal groups, and global groups from any domain; other domain local groups from the same domain
Global       | User and computer accounts from the same domain | User and computer accounts and other global groups from the same domain
Universal    | Not available | User and computer accounts, other universal groups, and global groups from any domain

Nesting groups is the ability to make groups members of other groups.

A single level of nesting is sufficient for most networks.

Page 20: CONVERTING GROUPS

From \ To         | To Domain Local | To Global | To Universal
From Domain Local | Not applicable | Not permitted | Permitted only when the domain local group does not have other domain local groups as members
From Global       | Not permitted | Not applicable | Permitted only when the global group is not a member of another global group
From Universal    | No restrictions | Permitted only when the universal group does not have other universal groups as members | Not applicable

In a domain using the Windows 2000 native or Windows Server 2003 functional level, you can convert groups to different scopes at any time.
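The nesting table (page 19) and the conversion table (page 20) turned into a checker, as an added example that is not part of the course material: the group names, the two-domain forest (contoso.com and europe.contoso.com) and the label "account" for user and computer accounts are all assumptions, and the conversion checks follow the CONVERTING GROUPS table.

```python
# Added example (not from the course): checks the NESTING GROUPS and CONVERTING GROUPS tables.
MIXED = "Windows 2000 mixed / Windows Server 2003 interim"
NATIVE = "Windows 2000 native / Windows Server 2003"
# (container scope, member scope) -> "any": member may come from any domain; "same": member
# must be from the container's domain; absent: not permitted. "account" = user/computer account.
NESTING = {
    MIXED: {("domain local", "account"): "any", ("domain local", "global"): "any",
            ("global", "account"): "same"},
    NATIVE: {("domain local", "account"): "any", ("domain local", "global"): "any",
             ("domain local", "universal"): "any", ("domain local", "domain local"): "same",
             ("global", "account"): "same", ("global", "global"): "same",
             ("universal", "account"): "any", ("universal", "global"): "any",
             ("universal", "universal"): "any"},
}

class Principal:
    def __init__(self, name, scope, domain):
        self.name, self.scope, self.domain, self.members = name, scope, domain, []

def nesting_problem(level, container, member):
    """None if member may be added to container at this level, else the reason it may not."""
    rule = NESTING[level].get((container.scope, member.scope))
    if rule is None:
        return f"{member.scope} members are not allowed in {container.scope} groups at {level}"
    if rule == "same" and member.domain != container.domain:
        return f"{member.scope} members of a {container.scope} group must be from {container.domain}"
    return None

def conversion_problem(group, new_scope, all_groups):
    """None if group may be converted to new_scope (native/2003 level), else the reason."""
    if group.scope == new_scope:
        return "not applicable"
    if {group.scope, new_scope} == {"domain local", "global"}:
        return "not permitted"
    if group.scope == "domain local" and any(m.scope == "domain local" for m in group.members):
        return "domain local group has other domain local groups as members"
    if group.scope == "global" and any(group in g.members for g in all_groups if g.scope == "global"):
        return "global group is a member of another global group"
    if new_scope == "global" and any(m.scope == "universal" for m in group.members):
        return "universal group has other universal groups as members"
    return None  # universal -> domain local has no restrictions

def demo():
    """Constructed two-domain AGDLP layout (not a real directory); returns the verdicts."""
    printers = Principal("Printers-Access", "domain local", "contoso.com")
    sales = Principal("Sales", "global", "contoso.com")
    eu_sales = Principal("EU-Sales", "global", "europe.contoso.com")
    printers.members += [sales, eu_sales]
    groups = [printers, sales, eu_sales]
    return {
        "EU global group into DL group": nesting_problem(NATIVE, printers, eu_sales),
        "EU account into Sales": nesting_problem(NATIVE, sales, Principal("Bob", "account", "europe.contoso.com")),
        "DL group into DL group at mixed": nesting_problem(MIXED, printers, Principal("Other", "domain local", "contoso.com")),
        "Printers-Access to universal": conversion_problem(printers, "universal", groups),
        "Sales to domain local": conversion_problem(sales, "domain local", groups),
    }
```

A verdict of None means the table permits the operation; a string is the row or condition that forbids it.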

Page 21: PLANNING GLOBAL AND DOMAIN LOCAL GROUPS

Step 1—Create domain local groups for resources to be shared.

Step 2—Assign resource permissions to the domain local group.

Step 3—Create global groups for users with common job responsibilities.

Step 4—Add global groups that need access to resources to the appropriate domain local group.

Page 22: WINDOWS SERVER 2003 DEFAULT GROUPS

1. Built-in local groups

2. Predefined Active Directory groups

3. Built-in Active Directory groups

4. Special identities

Page 23: BUILT-IN LOCAL GROUPS

Built-in local groups give users the rights to perform system tasks on a single computer: backing up and restoring files, changing the system time, and administering system resources.

Some of these groups have default privileges granted to them through the assignment of user rights to the group: Administrators, Backup Operators, Users, Power Users, Remote Desktop Users.

Only on Windows Server 2003 standalone servers and member servers. Domain controllers do not have local groups (or local users) because their SAM is converted for Active Directory use.

Located in the Groups folder in the Local Users And Groups snap-in.

Page 24: BUILT-IN LOCAL GROUPS

Page 25: PREDEFINED ACTIVE DIRECTORY GROUPS

Predefined groups: security groups, most with a global scope, that are intended to group together common types of domain user accounts.

By default, Windows Server 2003 automatically adds members to some predefined global groups. You can add user objects to these predefined groups to provide additional users with the privileges and permissions assigned to the group.

Created in the domain's Users container: Domain Admins, Domain Controllers, Domain Computers, Domain Users.

By default, they do not have any inherent rights or permissions.

You can assign rights or permissions to them by adding the predefined global groups to domain local groups or by explicitly assigning rights or permissions to the predefined global groups.

By default some of the predefined Active Directory groups have privileges granted to them through the assignment of user rights: Domain Admins and Enterprise Admins ONLY.

Page 26: PREDEFINED ACTIVE DIRECTORY GROUPS

Page 27: BUILT-IN ACTIVE DIRECTORY GROUPS

Every Active Directory domain has a Built-in container in which the system creates a series of security groups, all of which have a domain local scope.

The Built-in groups provide users with user rights and permissions to perform tasks on domain controllers and in the Active Directory tree.

Built-in domain local groups provide predefined rights and permissions to user accounts when you add user objects or global groups as members: Account Operators, Administrators, Users, Guests.

Page 28: BUILT-IN ACTIVE DIRECTORY GROUPS

Page 29: SPECIAL IDENTITIES

Special identities exist on all computers running Windows Server 2003.

These are not really groups because you cannot create them, delete them, or directly modify their memberships.

They are like placeholders for one or more users.

Special identities do not appear in the Local Users And Groups snap-in or the Active Directory Users and Computers console.

You can use them like groups, by adding them to the ACLs of system and network resources.

Examples: Everyone, Authenticated Users, Creator Owner

Page 30: SPECIAL IDENTITIES

Page 31: CREATING LOCAL GROUPS

Page 32: WORKING WITH ACTIVE DIRECTORY GROUPS

Active Directory Users and Computers console:
  Create security groups
  Manage group membership
  Nest groups
  Change group types and scopes
  Delete a group

Page 33: CREATING SECURITY GROUPS

The Active Directory Users and Groups console lets you create group objects anywhere you want.

Groups should always be created in an OU so that you can assign user rights to them.

Page 34: NESTING GROUPS

Both groups must be created separately, and then one is made a member of the other.

Possible nestings depend on the domain functional level and scope type.

Observe rules on group nesting.

Page 35: CHANGING GROUP TYPES AND SCOPES

Page 36: DELETING A GROUP

Deletes only the group object, not the members of the group.

Deletes the SID for the group. The SID cannot be re-created.

Removes ACL entries for the group: all permissions for that group are deleted and are NOT restored even if you make a new group with the same name.

Page 37: AUTOMATING GROUP MANAGEMENT

The following command-line utilities can be used in scripts and batch files to automate group management:
  Dsadd.exe: Used to create new group objects
  Dsmod.exe: Used to configure existing group objects
  Dsget.exe: Used to locate groups in Active Directory

Page 38: CREATING GROUP OBJECTS WITH DSADD.EXE

Allows groups to be created from a command line.

Useful when scripting group creation for large numbers of groups.

Can be used only to create new groups, not modify existing groups.

Syntax: dsadd group GroupDN [parameters]

Example: Create a new group called Sales in the Users container and make the Administrator user a member:

dsadd group "CN=Sales,CN=Users,DC=contoso,DC=com" -members "CN=Administrator,CN=Users,DC=contoso,DC=com"

Page 39: MANAGING GROUP OBJECTS WITH DSMOD.EXE

Can be used to configure group objects, including:
  Setting the group scope
  Adding and removing individual group members
  Replacing the entire group membership

Syntax: dsmod group GroupDN [parameters]

Example: Add the Administrator user to the Guests group:

dsmod group "CN=Guests,CN=Builtin,DC=contoso,DC=com" -addmbr "CN=Administrator,CN=Users,DC=contoso,DC=com"

Page 40: FINDING OBJECTS WITH DSGET.EXE

Command-line utility.

Used to locate and show information on an object.

Cannot be used to create, modify, or delete an object.

Syntax: dsget objectclass ObjectDN [parameters]

Example: Display a list of the groups of which a user is a member:

dsget user "CN=Administrator,CN=Users,DC=contoso,DC=com" -memberof
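The four planning steps from page 21 carried out with the dsadd, dsmod and dsget syntax from pages 38 to 40, as an added example that is not part of the course: it builds the command lines for a whole AGDLP plan, and the OU, group and user names (OU=Groups, SalesPrinter, Alice and so on) are constructed for illustration. Step 2, granting the permissions on the resource itself, is set in the resource's ACL rather than with the ds tools, so it appears only as a comment.

```python
# Added example (not from the course): emits the dsadd/dsmod/dsget commands for the four
# AGDLP planning steps. The OU, group and user names below are constructed for illustration.
import subprocess

def dn(name, parent_dn):
    """Distinguished name of an object named `name` directly under parent_dn."""
    return f"CN={name},{parent_dn}"

def agdlp_commands(ou_dn, resources, roles):
    """resources: {resource: [role, ...]} roles that need access to each resource.
    roles: {role: [user DN, ...]} users who share each job function.
    Returns argv lists in the order the planning steps prescribe."""
    cmds = []
    # Step 1: one security group with domain local scope (-scope l) per shared resource.
    for res in resources:
        cmds.append(["dsadd", "group", dn(f"{res}-Access", ou_dn), "-scope", "l", "-secgrp", "yes"])
    # Step 2, assigning permissions on the resource to that group, is done in the
    # resource's own ACL, not with the ds tools, so no command is emitted for it.
    # Step 3: one global security group (-scope g) per job role, members added at creation.
    for role, users in roles.items():
        cmd = ["dsadd", "group", dn(role, ou_dn), "-scope", "g", "-secgrp", "yes"]
        cmds.append(cmd + ["-members", *users] if users else cmd)
    # Step 4: nest each global group in the domain local group that carries the permissions.
    for res, role_list in resources.items():
        for role in role_list:
            cmds.append(["dsmod", "group", dn(f"{res}-Access", ou_dn), "-addmbr", dn(role, ou_dn)])
    # Check: list the resulting membership of every domain local group.
    for res in resources:
        cmds.append(["dsget", "group", dn(f"{res}-Access", ou_dn), "-members"])
    return cmds

def run(cmds):
    """Execute the plan on a Windows Server 2003 domain member; stops at the first failure."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)

def demo_plan():
    """Constructed plan: two shared resources and two job roles in contoso.com."""
    ou = "OU=Groups,DC=contoso,DC=com"
    users = "CN=Users,DC=contoso,DC=com"
    resources = {"SalesPrinter": ["Sales"], "SalesShare": ["Sales", "Marketing"]}
    roles = {"Sales": [dn("Alice", users), dn("Bob", users)], "Marketing": [dn("Carol", users)]}
    return agdlp_commands(ou, resources, roles)

if __name__ == "__main__":
    for cmd in demo_plan():  # print the plan instead of running it
        print(subprocess.list2cmdline(cmd))
```

Run without arguments the script only prints the command lines; call run(demo_plan()) on a domain member with the ds tools installed to execute them.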