1 / 91

Goals

Goals. Identify the types of group accounts Create local groups Examine built-in groups Create and modify groups using the Active Directory Users and Computers MMC snap-in Find domain groups Create Group Policy Objects (GPOs) Identify the types of Group Policies

kemp
Télécharger la présentation

Goals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Goals • Identify the types of group accounts • Create local groups • Examine built-in groups • Create and modify groups using the Active Directory Users and Computers MMC snap-in • Find domain groups • Create Group Policy Objects (GPOs) • Identify the types of Group Policies • Modify software settings using GPO software policies • Redirect folders using GPOs

  2. (Skill 1) Identifying the Types of Group Accounts • A group is a collection of user accounts or computers with similar rights and permissions • The users in a group are called members • Administrators can categorize users into groups based on the functions they perform and the requirements of their jobs so that they can easily manage multiple users as a single entity

  3. (Skill 1) Identifying the Types of Group Accounts (2) Two main types of groups • Security groups • Used to define the rights and permissions users will have to access resources on a computer or a network • Are listed in Discretionary Access Control Lists (DACLs) • Distribution groups • Used only for the distribution of messages by applications such as Microsoft Exchange Server • Cannot be used to assign permissions to users

  4. (Skill 1) Identifying the Types of Group Accounts (3) Group scope • When you create a group, you must specify the group scope • The group scope determines whether the group can be used to access resources in a specific domain or across domains in a network • There are three group scopes in a Windows Server 2003 environment • Domain local scope • Global scope • Universal group scope

  5. (Skill 1) Identifying the Types of Group Accounts (4) Domain local scope • A domain local group is created in Active Directory on a domain controller • The scope of a domain local group is the domain in which the group was created • You can add members to a domain local group from any domain

  6. (Skill 1) Identifying the Types of Group Accounts (5) Global scope • A global group has members with common network access requirements • Members can be drawn only from the domain where the global group was created • Permissions can be assigned to members for resources in any domain

  7. (Skill 1) Figure 7-1 Group types and group scopes

  8. (Skill 1) Identifying the Types of Group Accounts (6) Universal group scope • A universal group is used when there are multiple domains in a forest • Members can be drawn from many different domains • Permissions can be assigned for resources in any domain • Universal groups are available only when Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode

  9. (Skill 1) Identifying the Types of Group Accounts (7) Group nesting • Process of adding groups to other groups is called group nesting • Group nesting minimizes the number of times you need to assign permissions to multiple groups

  10. (Skill 1) Figure 7-2 Nested groups

  11. (Skill 2) Creating Local Groups Types of local groups • Domain local groups • A domain local group is created and stored in Active Directory on a domain controller • It is used to manage and access resources in a domain • Local groups • A local group is formed to group local user accounts on stand-alone servers, member servers, and Windows 2000 or XP Professional workstations • You use them to assign permissions to resources only on the local computer

  12. (Skill 2) Figure 7-3 Selecting users in the Select Users, Computers, or Groups dialog box

  13. (Skill 2) To create a local group, select the name of your member server Figure 7-4 The Locations dialog box

  14. (Skill 2) Figure 7-5 Adding members to the new group

  15. (Skill 2) Creating Local Groups (2) • The Computer Management console combines various administration utilities into a single console tree • View the list of users connected to a local or remote computer • Manage the local or remote computer • The Computer Management console has three nodes • System Tools node is used to monitor system events, view system information, view the hardware configuration, as well as manage shared folders, local users and groups • Storage node is used to view and manage the properties of a storage device such as a hard disk • Services and Applications node is used to view and manage the properties of a service, such as WINS, or an application running on your computer

  16. (Skill 2) Figure 7-6 The new group displayed in the Computer Management console

  17. (Skill 2) Used to monitor system events, view system information, view the hardware configuration, and manage shared folders and local users and groups Figure 7-7 Nodes in the Computer Management console

  18. (Skill 3) Introducing Built-in Groups • Windows Server 2003 includes default groups called built-in groups that have a preset collection of rights and permissions • Built-in groups can be used to manage common tasks performed by users • There are four types of built-in groups • Built-in local groups • Built-in domain local groups • Built-in global groups • Built-in system groups

  19. (Skill 3) Introducing Built-in Groups (2) Built-in local groups • Are created on all Windows Server 2003 computers • Are stored in the Builtin container in the Active Directory Users and Computers console • Account Operators • Administrators • Backup Operators • Guests • Incoming Forest Trust Builders • Network Configuration Operators • Performance Log Users • Performance Monitor Users • Pre-Windows 2000 Compatible Access • Print Operators • Remote Desktop Users • Replicator • Server Operators • Users

  20. (Skill 3) Introducing Built-in Groups (3) Built-in domain local groups • Are automatically created only on domain controllers • Cannot be deleted • Are stored in the Users container in the Active Directory Users and Computers console • The number of domain local groups is different on each domain controller, depending on the type of services the domain controller is running • IIS_WPG (installed with IIS) • RAS and IAS Servers • TelnetClients • WINS Users • Cert Publishers • DHCP Administrators • DHCP Users • DnsAdmins • HelpServicesGroup

  21. (Skill 3) Introducing Built-in Groups (4) Built-in global groups • Are automatically created on all domain controllers • Are stored in the Users container in the Active Directory Users and Computers console • DnsUpdateProxy • Domain Admins • Domain Computers • Domain Controllers • Domain Guests • Domain Users • Group Policy Creator Owner • Enterprise Admins • Schema Admins

  22. (Skill 3) Introducing Built-in Groups (5) Built-in system groups • Are populated with users based upon how they access a computer or a resource • Network administrators cannot add, modify, or delete user accounts because the operating system does so automatically • Anonymous Logon • Authenticated Users • Creator Owner • Dial-up • Everyone • Interactive • Network • Terminal Server Users

  23. (Skill 3) Figure 7-8 Built-in local groups in the Computer Management console on a member server

  24. (Skill 3) Figure 7-9 Built-in domain local groups in the Builtin container in the Active Directory Users and Computers console

  25. (Skill 3) Figure 7-10 Built-in domain local groups in the Users container in the Active Directory Users and Computers console

  26. (Skill 3) Figure 7-11 Built-in global groups in the Users container

  27. (Skill 3) Figure 7-12 Built-in system groups in the Select Users or Groups dialog box

  28. (Skill 3) Introducing Built-in Groups (6) • In Windows 2000 mixed mode environments, the best practice is to use domain local and global groups following what is referred to as the A-G-DL-P strategy • You put user accounts (A) into global groups (G), put the global groups into domain local groups (DL), and grant permissions (P) to the domain local group • In Windows 2000 native mode or Windows Server 2003 mode, universal groups can be used to organize global groups from multiple domains so that they fit between global and domain local (A-G-U-DL-P)

  29. (Skill 4) Creating and Modifying Groups by using the Active Directory Users and Computers MMC Snap-in • Groups can be used effectively to manage large numbers of users and resources • Even in small environments, it is advised that you follow the Microsoft rule for creating groups and assigning permissions • While it takes a little more work to set up, in the long run it reduces effort to such a large degree that the extra setup effort is worth it

  30. (Skill 4) Creating and Modifying Groups by using the Active Directory Users and Computers MMC Snap-in (2) • After you have created a group, you can set its properties in the Properties dialog box for the group • Tabs used to set the properties for a group • General • Members • Member Of • Managed By • Object • Security

  31. (Skill 4) Creating and Modifying Groups by using the Active Directory Users and Computers MMC Snap-in (3) • Considerations when modifying group scopes • A domain local group can be converted to a universal group only if the domain local group does not contain another domain local group • A global group can be changed to a universal group only if the global group is independent and not a member of another group • Group scopes and group types can be changed only when the domain is operating in Windows 2000 native mode or Windows Server 2003 mode

  32. (Skill 4) Click to add the group to other groups in the domain or to add it to a universal group in another domain in the forest Figure 7-13 The Member Of tab in the Properties dialog box for a group

  33. (Skill 4) Displays the path to the group in the domain Figure 7-14 The Object tab

  34. (Skill 4) The pre- Windows 2000 group name is automatically filled in The two types of groups The three group scopes Figure 7-15 The New Object-Group dialog box

  35. (Skill 4) The new group Figure 7-16 The new group in the Active Directory Users and Computers console

  36. (Skill 4) Member of the group Click to remove members from the group Click to add members to the group Figure 7-17 Adding a member to the group

  37. (Skill 4) Click to select a new manager Click to remove the existing manager of the group Click to view the properties for the manager’s account Figure 7-18 Choosing the Manager for the group

  38. (Skill 4) The domain local group scope is disabled because a global group can be converted only to a universal group Figure 7-19 Changing the properties for a group

  39. (Skill 4) Creating and Modifying Groups by using the Active Directory Users and Computers MMC Snap-in (4) • You use the same tools to automate or partially automate the process of group creation as you use to automate the process of user account creation • Scripting • Importation tools • You use Csvde.exe to import and export group objects into and out of Active Directory • You use Ldifde.exe to import and export group objects to and from .ldif files, which are supported by many third-party LDAP applications

  40. (Skill 4) Creating and Modifying Groups by using the Active Directory Users and Computers MMC Snap-in (5) ADSI Edit • An MMC snap-in used to add, delete, and move Active Directory objects • You can view and change the attributes for an object • After you create the MMC, right-click ADSI Edit and connect to the domain • Open the Properties dialog box for an object and edit one or more attributes

  41. (Skill 4) Figure 7-20 Using csvde.exe to export a group

  42. (Skill 4) Figure 7-21 The Group1 group exported and opened in Excel

  43. (Skill 4) Figure 7-22 ADSI Edit

  44. (Skill 5) Finding Domain Groups • Active Directory contains information about all objects located on a network • Each Active Directory object has a unique set of attributes • On a network that has a large number of Active Directory objects, it becomes difficult for an administrator to remember the exact location of all of the objects • The administrator can use the object attributes to locate the objects

  45. (Skill 5) Finding Domain Groups (2) Locating objects in Active Directory • Use the Find dialog box in the Active Directory Users and Computers console • The Find dialog box provides various options you can use to search for Active Directory objects • When you search Active Directory for an object, the Find dialog box helps generate a Lightweight Directory Access Protocol (LDAP) query • The LDAP query searches the global catalog or the local domain for the specified object • The query then returns the queried information

  46. (Skill 5) Finding Domain Groups (3) • Requirements for locating objects using Active Directory • You must have Read permission for the objects you want to find • Your computers must have Windows Server 2003, Windows 2000, Windows XP, Windows NT with the Active Directory client, or Windows 95/98 with the Active Directory Client, IE 4.01 or later, and Active Desktop enabled • You can use the Advanced tab in the Find dialog box to make the search more specific

  47. (Skill 5) The name of the Find dialog box will change according to the object type you select Figure 7-23 The Find dialog box

  48. (Skill 5) Users will generally use the Search option on the Start menu because for the most part they will not have access to the Active Directory Users and Computers console Figure 7-24 Searching for printers, computers, or people using the Search tool on the Start menu

  49. (Skill 5) Figure 7-25 Finding objects in the Users container

  50. (Skill 5) Specify the object type you want to find Specify the path to the container you want to search Specify the domain or OU you want to search: Entire Directory will search all domains in the forest Figure 7-26 Specifying search attributes

More Related