Chapter 8, Group Account Administration
Chapter 8, Lesson 1
Introduction to Groups
1. Groups and Permissions
A. A group is a collection of user accounts.
B. Groups simplify administration by allowing permissions and rights to be assigned once to a group rather than to each user individually.
C. Permissions control what users can do with a resource, such as a folder, file, or printer.
D. Assigning permissions to a group gives its members access to a resource and defines the type of access they have.
E. Rights allow users to perform system tasks, such as backing up files or changing the system time.
F. User accounts, other groups, contacts, and computers can be added to groups.
G. Computers are added to groups to simplify giving a system task running on one computer access to a resource on another computer.
2. Group Types
A. Overview
1. The group type, which is either security or distribution, determines how the group can be used.
2. Both types of groups are stored in the Active Directory database on domain controllers.
3. Because they are stored in Active Directory, groups can be used anywhere in the network.
B. Security groups
1. Windows 2000 itself uses only security groups; only security groups can appear in access control lists.
2. Are used to assign permissions to gain access to resources
3. Have all the capabilities of a distribution group (a security group can also serve as an e-mail distribution list)
C. Distribution groups
1. Used by applications as lists for nonsecurity-related functions, such as e-mail distribution
2. Used when the only function of the group is nonsecurity-related
3. Cannot be used to assign permissions; a distribution group is not security-enabled, so it is never included in a user's access token
Note Only programs that are designed to work with Active Directory can use distribution groups.
3. Group Scopes
A. Overview
1. A group type and scope must be selected when a group is created.
2. Group scopes allow groups to be used in different ways to assign permissions.
3. The scope of a group determines where in the network the group can be used to assign permissions and where its members can come from.
B. Global groups
1. Used to organize users who share similar network access requirements
2. Members can be added only from the domain in which the global group is created.
3. Can be used to assign permissions to gain access to resources that are located in any domain in the domain tree or forest
C. Domain local groups
1. Used to assign permissions to resources
2. Members can be added from any domain.
3. Can be used to assign permissions to gain access to resources located only in the same domain where the domain local group is created
D. Universal groups
1. Used to assign permissions to related resources in multiple domains
2. Members can be added from any domain.
3. Can be used to assign permissions to gain access to resources located in any domain
4. Universal security groups are not available in mixed mode (a domain that still contains Windows NT 4.0 backup domain controllers).
5. The full feature set of Windows 2000 is available only in native mode.
4. Group Nesting
A. Overview
1. Adding groups to other groups creates a consolidated group.
2. Reduces network traffic between domains and simplifies administration in a domain tree
B. Guidelines for group nesting
1. Minimize levels of nesting
a. Tracking permissions and troubleshooting become more complex with multiple levels of nesting.
b. One level of nesting is most effective.
2. Document group membership to keep track of permissions assignments
a. Eliminates the redundant assignment of user accounts to groups
b. Reduces the likelihood of accidental group assignments
5. Rules for Group Membership
A. Overview
1. The group scope determines the membership of a group.
2. Membership rules determine the members that a group can contain.
3. Group members can be user accounts and other groups.
4. Knowledge of group membership rules is important when assigning members to groups and using nesting.
B. Group scope membership rules
1. Native mode
a. Global group scope: User accounts and global groups from the same domain
b. Domain local group scope: User accounts, universal groups, and global groups from any domain; domain local groups from the same domain
c. Universal group scope: User accounts, other universal groups, and global groups from any domain
2. Mixed mode
a. Global group scope: User accounts from the same domain (global groups cannot be nested in mixed mode)
b. Domain local group scope: User accounts and global groups from any domain
c. Universal group scope: Not applicable; universal security groups cannot be created in mixed mode.
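The membership rules above, written out as a check that an administrator can run before adding a member. This is an added example and not part of the original outline or of any Microsoft tool; it works on constructed hashtables (the group and user names and the domains corp.example and eu.corp.example are assumptions), so it runs without a directory. The same function can be fed objects built from Get-ADGroup and Get-ADUser output of the ActiveDirectory PowerShell module, which did not exist on Windows 2000.

```powershell
# Added example (not from the original outline): the group-scope membership rules
# as a function, checked against constructed sample principals. No directory is queried.

function Test-GroupMembership {
    param(
        [Parameter(Mandatory)] [hashtable] $Group,   # @{Name; Scope='Global'|'DomainLocal'|'Universal'; Domain}
        [Parameter(Mandatory)] [hashtable] $Member,  # @{Name; Type='User'|'Group'; Scope (groups only); Domain}
        [ValidateSet('Native', 'Mixed')] [string] $Mode = 'Native'
    )
    $sameDomain = ($Group.Domain -eq $Member.Domain)

    # Universal security groups exist only in native mode, whether as container or as member.
    if ($Mode -eq 'Mixed' -and ($Group.Scope -eq 'Universal' -or $Member.Scope -eq 'Universal')) {
        return [pscustomobject]@{ Allowed = $false; Reason = 'universal security groups are not available in mixed mode' }
    }

    switch ($Group.Scope) {
        'Global' {
            # Users from the same domain; other global groups from the same domain only in native mode.
            if ($Member.Type -eq 'User' -and $sameDomain) {
                $ok = $true;  $why = 'user from the same domain'
            } elseif ($Mode -eq 'Native' -and $Member.Scope -eq 'Global' -and $sameDomain) {
                $ok = $true;  $why = 'global group from the same domain (native mode)'
            } else {
                $ok = $false; $why = 'global groups take only users and, in native mode, global groups from their own domain'
            }
        }
        'DomainLocal' {
            # Users and global groups from any domain; in native mode also universal groups from
            # any domain and domain local groups from the same domain.
            if ($Member.Type -eq 'User' -or $Member.Scope -eq 'Global') {
                $ok = $true;  $why = 'user or global group from any domain'
            } elseif ($Mode -eq 'Native' -and $Member.Scope -eq 'Universal') {
                $ok = $true;  $why = 'universal group from any domain (native mode)'
            } elseif ($Mode -eq 'Native' -and $Member.Scope -eq 'DomainLocal' -and $sameDomain) {
                $ok = $true;  $why = 'domain local group from the same domain (native mode)'
            } else {
                $ok = $false; $why = 'domain local groups take domain local groups only from their own domain, and only in native mode'
            }
        }
        'Universal' {
            # Users, global and universal groups from any domain; never a domain local group.
            if ($Member.Scope -eq 'DomainLocal') {
                $ok = $false; $why = 'universal groups cannot contain domain local groups'
            } else {
                $ok = $true;  $why = 'user, global or universal group from any domain'
            }
        }
        default { throw "unknown group scope '$($Group.Scope)'" }
    }
    [pscustomobject]@{ Allowed = $ok; Reason = $why }
}

# Constructed sample principals (assumed names and domains).
$sales    = @{ Name = 'Sales';      Type = 'Group'; Scope = 'Global';      Domain = 'corp.example' }
$euSales  = @{ Name = 'EU Sales';   Type = 'Group'; Scope = 'Global';      Domain = 'eu.corp.example' }
$share    = @{ Name = 'SalesShare'; Type = 'Group'; Scope = 'DomainLocal'; Domain = 'corp.example' }
$allSales = @{ Name = 'All Sales';  Type = 'Group'; Scope = 'Universal';   Domain = 'corp.example' }
$alice    = @{ Name = 'alice';      Type = 'User';  Domain = 'corp.example' }
$bob      = @{ Name = 'bob';        Type = 'User';  Domain = 'eu.corp.example' }

$checks = @(
    @{ Group = $sales;    Member = $alice;    Mode = 'Native' },   # allowed
    @{ Group = $sales;    Member = $bob;      Mode = 'Native' },   # denied: user from another domain
    @{ Group = $sales;    Member = $euSales;  Mode = 'Native' },   # denied: global group from another domain
    @{ Group = $share;    Member = $euSales;  Mode = 'Native' },   # allowed: global group from any domain
    @{ Group = $allSales; Member = $share;    Mode = 'Native' },   # denied: domain local inside universal
    @{ Group = $share;    Member = $allSales; Mode = 'Mixed'  }    # denied: universal group in mixed mode
)
foreach ($c in $checks) {
    $r = Test-GroupMembership -Group $c.Group -Member $c.Member -Mode $c.Mode
    $verdict = if ($r.Allowed) { 'ALLOW' } else { 'DENY ' }
    "{0} {1,-10} -> {2,-10} [{3}]: {4}" -f $verdict, $c.Member.Name, $c.Group.Name, $c.Mode, $r.Reason
}
```

The mixed-mode check comes first because it overrides every scope rule; the remaining branches follow the native-mode table one scope at a time, which keeps each rule readable when the table changes (as it did in later Windows versions).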
6. Local Groups
A. A collection of user accounts on a single computer
B. Used to assign permissions to resources residing on the computer on which the local group is created
C. Windows 2000 creates local groups in the local security database (the SAM) of that computer.
Note Because Active Directory groups with a “domain local” scope are sometimes referred to as “local groups,” it is important to distinguish between a local group and a group with a domain local scope.
7. Using Local Groups
A. Guidelines
1. Can be used only on the computer where it is created
2. Its permissions provide access only to the resources on the computer where it is created.
3. Can be used on computers running Windows 2000 Professional and on member servers and stand-alone servers running Windows 2000 Server
4. Cannot be created on a domain controller, which has no local security database of its own
5. Used to limit the ability of local users and groups to gain access to network resources without creating domain groups
B. Membership rules
1. A local group can contain local user accounts from the computer where the local group is created; on a computer that belongs to a domain it can also contain domain user accounts and global groups.
2. Local groups cannot be members of any other group.
Chapter 8, Lesson 2
Planning a Group Strategy
1. Planning Global and Domain Local Groups
A. Use the following strategy:
1. Assign users with common job responsibilities to global groups.
2. Create a domain local group for each resource to be shared.
3. Add to the domain local group the global groups that need access to the resource.
4. Assign resource permissions to the domain local group.
B. Limitations of other strategies:
1. Placing user accounts in domain local groups and assigning permissions to the domain local groups
a. Does not allow for the assignment of permissions for resources outside of the domain
b. Reduces flexibility when your network grows
2. Placing user accounts in global groups and assigning permissions to the global groups
a. Complicates administration when using multiple domains
b. If global groups from multiple domains require the same permissions, permissions have to be assigned separately for each global group.
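The four-step strategy above as a script. This is an added example, not part of the original outline, and it uses the ActiveDirectory PowerShell module of Windows Server 2008 R2 and later (Windows 2000 had no such module; the equivalent there was the console procedure in Lesson 3 or `net group`). The resource name, folder path, OU and role-group names are assumptions; the function creates the domain local group, nests the global groups, and grants the NTFS permission once, to the domain local group only.

```powershell
# Added example (not from the original outline): the global/domain local strategy
# implemented with the ActiveDirectory module. All names and paths are assumptions.
#Requires -Modules ActiveDirectory

function New-AgdlpResourceAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ResourceName,  # e.g. 'SalesReports'
        [Parameter(Mandatory)] [string]   $ResourcePath,  # NTFS folder the permission is set on
        [Parameter(Mandatory)] [string[]] $RoleGroups,    # global groups of users with common responsibilities
        [Parameter(Mandatory)] [string]   $GroupOU,       # distinguishedName of the OU that holds groups
        [ValidateSet('ReadAndExecute', 'Modify', 'FullControl')] [string] $Access = 'Modify'
    )

    # Step 2: one domain local security group per resource and access level.
    $dlName = "DL_${ResourceName}_$Access"
    $dl = Get-ADGroup -Filter "Name -eq '$dlName'"
    if (-not $dl -and $PSCmdlet.ShouldProcess($dlName, 'Create domain local security group')) {
        $dl = New-ADGroup -Name $dlName -GroupScope DomainLocal -GroupCategory Security `
                          -Path $GroupOU -Description "$Access on $ResourcePath" -PassThru
    }

    # Step 3: nest the global role groups; user accounts never go into the domain local group.
    # Global groups from another domain of the forest must be looked up with -Server <that domain>.
    foreach ($g in $RoleGroups) {
        $role = Get-ADGroup -Identity $g
        if ($role.GroupScope -ne 'Global') {
            throw "$g has scope $($role.GroupScope); only global groups are nested in $dlName"
        }
        if ($PSCmdlet.ShouldProcess($dlName, "Add member $g")) {
            Add-ADGroupMember -Identity $dl -Members $role
        }
    }

    # Step 4: assign the permission to the domain local group, once, with inheritance to subfolders/files.
    if ($PSCmdlet.ShouldProcess($ResourcePath, "Grant $Access to $dlName")) {
        $acl  = Get-Acl -Path $ResourcePath
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                    "$((Get-ADDomain).NetBIOSName)\$dlName", $Access,
                    'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $ResourcePath -AclObject $acl
    }
}

# Step 1 is done beforehand: users with common job responsibilities already sit in the
# global groups 'Sales' and 'Sales Managers' (assumed names). -WhatIf shows the plan only.
New-AgdlpResourceAccess -ResourceName 'SalesReports' -ResourcePath 'D:\Shares\SalesReports' `
    -RoleGroups 'Sales', 'Sales Managers' -GroupOU 'OU=Groups,DC=corp,DC=example' -Access Modify -WhatIf
```

Because the permission is attached to the domain local group, adding a new team later means adding one global group to DL_SalesReports_Modify; the ACL on the folder never changes again, which is the point of the strategy in item A.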
2. Using Universal Groups
A. Guidelines
1. Assign permissions to universal groups for resources in any domain in the network.
2. Use universal groups only when their membership is static, since changes in membership can cause excessive replication traffic between domain controllers.
3. Membership of universal groups is replicated to the global catalog, so it reaches a larger number of domain controllers than the membership of global or domain local groups.
4. Add global groups from several domains to a universal group, and then assign permissions for access to a resource to the universal group.
5. Use a universal group in the same way as a domain local group to assign permissions for resources.
Chapter 8, Lesson 3
Creating Groups
1. Creating and Deleting Groups
A. Overview
1. Use the Active Directory Users and Computers console to create and delete groups.
2. Create groups in the Users container, in another container, or in an OU created specifically for groups.
3. As the organization grows and changes, delete groups when they are no longer needed; unused groups that still carry permissions are a security risk.
B. To create a group
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers
2. Click the domain, right-click the Users container, point to New, and click Group
3. Complete the New Object-Group dialog box and click OK
C. New Object-Group dialog box options
1. Group Name: The object name must be unique in the domain where the group is created
2. Group Name (pre–Windows 2000): Filled in automatically based on the group name that is typed in
3. Group Scope: Click Domain Local, Global, or Universal
4. Group Type: Click Security or Distribution
2. Deleting a Group
A. Overview
1. Each group has a unique, nonreusable identifier called the security identifier (SID).
2. Windows 2000 uses the SID, not the name, to identify the group in access control lists and to evaluate the assigned permissions.
3. If a new group is created using the deleted group name, Windows 2000 creates a new SID for that group.
4. Access to resources cannot be restored by recreating the group; permissions must be assigned again, and the old SID remains in existing ACLs as an entry that no longer resolves to a name.
B. To delete a group
1. Right-click the group, and then click Delete
2. Click Yes on the Active Directory message box
3. Adding Members to a Group
A. Overview
1. After the group is created, members are added.
2. Members of groups can include user accounts, contacts, other groups, and computers.
3. The Active Directory Users and Computers console is used to add members.
B. To add members to a group
1. Start the Active Directory Users and Computers console and expand Users
2. Right-click the appropriate group, and then click Properties
3. In the Properties dialog box, click the Members tab, and then click Add
4. The Select Users, Contacts, Computers, Or Groups dialog box appears
5. In the Look In list, select a domain from which to display user accounts and groups, or select Entire Directory to view user accounts and groups from anywhere in Active Directory
6. In the Name column, select an object to add, and click Add
Note Use the Shift or Ctrl key to select multiple user accounts or groups simultaneously.
7. Review the accounts to be certain they are the ones to be added, and then click OK to add the members
8. On the Properties dialog box, click OK
Note You can also add a user account or group by using the Member Of tab in the Properties dialog box for that user account or group. Use this method to quickly add the same user or group to multiple groups.
4. Changing the Group Type
A. Overview
1. As group functions change, it may become necessary to change the group type.
2. The group type can be changed only when Windows 2000 is operating in native mode.
B. To change the group type
1. Right-click the group, and then click Properties
2. Change the group type in the General tab of the Properties dialog box for the group
5. Changing the Group Scope to Universal
A. Overview
1. As a network changes, it may be necessary to change a global or domain local group to universal.
2. The group scope can be changed only when Windows 2000 is operating in native mode.
B. Group scopes that can be changed
1. A global group to a universal group: Only if the global group is not a member of another global group
2. A domain local group to a universal group: Only if the domain local group does not contain another domain local group
Note Windows 2000 does not allow changes to the scope of a universal group, because the usage and membership rules for the other scopes are more restrictive and the group's existing members or memberships could violate them.
C. To change the scope of a group
1. Right-click the group, and then click Properties
2. Change the group scope in the General tab of the Properties dialog box for the group
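The two conversion rules in B, applied to a whole set of groups so the blockers are known before anyone opens the Properties dialog box. This is an added example and not from the original outline; it runs on constructed group hashtables with assumed names, and with real data the index can be built from Get-ADGroup -Filter * -Properties member (ActiveDirectory module, Windows Server 2008 R2 and later).

```powershell
# Added example (not from the original outline): which global and domain local groups
# can be converted to universal, under the two rules above. Sample data is constructed.

function Test-ConvertibleToUniversal {
    param(
        [Parameter(Mandatory)] [hashtable] $Group,   # @{Name; Scope; Members=@(names)}
        [Parameter(Mandatory)] [hashtable] $Index    # Name -> group hashtable, for every group in the domain
    )
    $blockers = @()
    switch ($Group.Scope) {
        'Global' {
            # Rule 1: a global group may become universal only if no other global group contains it,
            # because a universal group cannot be a member of a global group.
            $blockers = @($Index.Values |
                Where-Object { $_.Scope -eq 'Global' -and $_.Members -contains $Group.Name } |
                ForEach-Object { "member of global group $($_.Name)" })
        }
        'DomainLocal' {
            # Rule 2: a domain local group may become universal only if it contains no domain local
            # group, because a universal group cannot contain domain local groups.
            $blockers = @($Group.Members |
                Where-Object { $Index[$_].Scope -eq 'DomainLocal' } |
                ForEach-Object { "contains domain local group $_" })
        }
        'Universal' {
            $blockers = @('already universal; Windows 2000 does not change the scope of a universal group')
        }
        default { throw "unknown scope '$($Group.Scope)'" }
    }
    [pscustomobject]@{
        Name        = $Group.Name
        Scope       = $Group.Scope
        Convertible = ($blockers.Count -eq 0)
        Blockers    = ($blockers -join '; ')
    }
}

# Constructed sample groups (assumed names); user members are plain strings.
$groups = @(
    @{ Name = 'Sales';      Scope = 'Global';      Members = @('alice', 'bob') },
    @{ Name = 'HR';         Scope = 'Global';      Members = @('carol') },
    @{ Name = 'AllStaff';   Scope = 'Global';      Members = @('Sales', 'HR') },      # nests two global groups
    @{ Name = 'SalesShare'; Scope = 'DomainLocal'; Members = @('Sales') },
    @{ Name = 'AllShares';  Scope = 'DomainLocal'; Members = @('SalesShare', 'HR') }  # nests a domain local group
)
$index = @{}
foreach ($g in $groups) { $index[$g.Name] = $g }

# Expected: Sales and HR are blocked (members of AllStaff), AllShares is blocked (contains
# SalesShare); AllStaff and SalesShare are convertible.
$groups | ForEach-Object { Test-ConvertibleToUniversal -Group $_ -Index $index } | Format-Table -AutoSize
```

Rule 1 has to be checked from the other direction (who contains this group), so the function needs the index of all groups rather than only the group being converted; that is also why a single-group view in the console cannot tell you in advance whether the scope change will be refused.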
6. Creating Local Groups
A. Overview
1. Use the Local Users and Groups snap-in within the Computer Management console to create local groups.
2. Create local groups in the Groups folder.
B. To create a local group
1. Click Start, point to Programs, point to Administrative Tools, and then click Computer Management
2. On Windows 2000 Professional, Administrative Tools is not on the Programs menu by default: click Start, point to Settings, click Control Panel, open Administrative Tools, and then click Computer Management
3. Expand the Local Users and Groups snap-in, right-click Groups, and select New Group
4. Complete the New Group dialog box, and then click OK
C. New Group dialog box options
1. Group Name: Unique name for the local group
2. Description: Description of the group
3. Members: Members of the local group
4. Add: Adds a user or global group to the list of members
5. Remove: Removes a user or global group from the list of members
6. Create: Creates the group
D. To delete a local group
1. Right-click the group, and then click Delete
2. Click Yes on the Local Users and Groups message box
E. To add members to a local group
1. Expand the Local Users and Groups snap-in, and then expand Groups
2. Right-click the appropriate group, and then click Properties
3. In the Properties dialog box, click Add
4. The Select Users Or Groups dialog box appears.
5. The Look In list shows the computer for which you are creating the group (or a domain, if the computer is a domain member); select the user account or global group that you want to add, and then click Add.
6. Review the accounts to be certain they are the accounts to be added to the group, and then click OK to add the members
7. On the Properties dialog box, click OK
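The procedures in B through E as one script. This is an added example, not part of the original outline; it uses the Microsoft.PowerShell.LocalAccounts module of Windows 10 and Windows Server 2016 and later (on Windows 2000 the equivalent was the snap-in above or `net localgroup`). The group, description and member names are assumptions. The function enforces the two rules from Lesson 1 that the dialog box does not explain: local groups cannot exist on a domain controller, and a local group cannot be a member of another group.

```powershell
# Added example (not from the original outline): create a local group and add members with
# the LocalAccounts module. Names are assumptions.
#Requires -Modules Microsoft.PowerShell.LocalAccounts

function New-LocalResourceGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string]   $Description = '',
        [string[]] $Members = @()      # local user accounts or DOMAIN\global groups
    )
    # Local groups exist only on workstations, stand-alone servers and member servers;
    # a domain controller has no local security database (Win32_ComputerSystem.DomainRole 4 or 5).
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4) {
        throw 'Local groups cannot be created on a domain controller'
    }

    $group = Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-LocalGroup -Name $Name -Description $Description
    }

    foreach ($m in $Members) {
        # Membership rule: a local group cannot be a member of any other group, so refuse
        # another local group of this computer as a member instead of letting the call fail.
        if (Get-LocalGroup -Name $m -ErrorAction SilentlyContinue) {
            throw "$m is a local group and cannot be added to $Name"
        }
        # Members are reported as COMPUTER\user or DOMAIN\group; skip ones already present.
        $already = Get-LocalGroupMember -Group $group | Where-Object { $_.Name -eq $m -or $_.Name -like "*\$m" }
        if (-not $already) { Add-LocalGroupMember -Group $group -Member $m }
    }
    Get-LocalGroupMember -Group $group    # returned so the caller can verify the result
}

# A group that will be granted permissions on a scanner attached to this computer, holding one
# local account and one global group from the domain the computer belongs to (assumed names).
New-LocalResourceGroup -Name 'ScannerUsers' -Description 'May use the attached scanner' `
    -Members 'LocalOperator', 'CORP\Sales'
```

Permissions on the scanner are then assigned to ScannerUsers in the resource's own ACL; the group is meaningless on any other computer, which is the limitation listed under Using Local Groups.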
Chapter 8, Lesson 4
Understanding Default Groups
1. Overview
A. Four categories of default groups: predefined, built-in, built-in local, and special identity
B. Default groups have a predetermined set of user rights or group membership.
C. User rights determine the system tasks that a user or member can perform.
2. Predefined Groups
A. Overview
1. Windows 2000 creates predefined groups with a global scope to group common types of user accounts.
2. Windows 2000 automatically adds members to some predefined global groups.
3. Additional user accounts can be added to predefined groups to provide additional users with the privileges and permissions assigned to the group.
4. The Users container holds the predefined global groups in a domain.
5. Predefined groups do not have any inherent rights.
6. Rights are assigned by adding the global groups to domain local groups or by explicitly assigning user rights or permissions to the predefined global groups.
B. Default membership of commonly used predefined global groups
1. Domain Admins
a. Windows 2000 automatically adds Domain Admins to the Administrators built-in domain local group.
b. Being added to the Administrators built-in domain local group allows members of Domain Admins to perform administrative tasks on any computer anywhere in the domain (member computers also add Domain Admins to their local Administrators group when they join the domain).
c. By default, the Administrator account is a member.
2. Domain Guests
a. Windows 2000 automatically adds Domain Guests to the Guests built-in domain local group.
b. By default, the Guest account is a member.
3. Domain Users
a. Windows 2000 automatically adds Domain Users to the Users built-in domain local group.
b. By default, the Administrator, Guest, IUSR_computername, IWAM_computername, krbtgt, and TsInternetUser accounts are initially members.
c. Each new domain user account is automatically a member.
4. Enterprise Admins
a. User accounts should be added to Enterprise Admins only for users who should have administrative control over the entire forest; the group exists only in the forest root domain and becomes a universal group when that domain switches to native mode.
b. Enterprise Admins is added to the Administrators domain local group in each domain.
c. By default, the Administrator account of the forest root domain is a member.
3. Built-In Groups
A. Overview
1. Windows 2000 creates built-in groups with a domain local scope.
2. Built-in groups provide users with user rights and permissions to perform tasks on domain controllers and in Active Directory.
3. Built-in domain local groups give predefined rights and permissions to user accounts when user accounts or global groups are added as members.
4. The Built-in container holds the built-in domain local groups in a domain.
B. Commonly used built-in domain local groups
1. Account Operators
a. Members can create, delete, and modify user accounts and groups.
b. Members cannot modify the Administrators group or any of the operators groups.
2. Administrators
a. Members can perform all administrative tasks on all domain controllers and the domain itself.
b. By default, the Administrator user account and the Domain Admins and Enterprise Admins predefined groups are members.
3. Backup Operators
a. Members can back up and restore all domain controllers by using Windows Backup.
b. Because the backup right bypasses file permissions, membership amounts to read access to every file on the domain controllers, including the Active Directory database.
4. Guests
a. Members can perform only tasks for which the administrator has granted rights.
b. Members can gain access only to resources for which the administrator has assigned permissions.
c. Members cannot make permanent changes to their desktop environment.
d. By default, the Guest, IUSR_computername, IWAM_computername, and TsInternetUser user accounts and the Domain Guests predefined global group are members.
5. Pre–Windows 2000 Compatible Access
a. A backward compatibility group that allows read access to all users and groups in the domain
b. By default, only the Everyone pre–Windows 2000 system group is a member; this is the case when the domain was installed with permissions compatible with pre–Windows 2000 servers, and Everyone should be removed once no Windows NT 4.0 servers depend on it.
6. Print Operators
a. Members can set up and manage network printers on domain controllers.
7. Replicator
a. Supports directory replication functions
b. The only member should be a domain user account used to log on to the Replicator service of the domain controller.
c. The accounts of actual users must not be added to this group.
8. Server Operators
a. Members can share disk resources and back up and restore files on a domain controller.
9. Users
a. Members can perform only tasks for which the administrator has granted rights.
b. Members can gain access only to resources for which the administrator has assigned permissions.
c. By default, the Authenticated Users and INTERACTIVE special identity groups and the Domain Users predefined global group are members.
d. Use this group to assign permissions and rights that every user with a user account in the domain should have
4. Built-In Local Groups
A. Overview
1. All stand-alone servers, member servers, and computers running Windows 2000 Professional have built-in local groups.
2. Built-in local groups give users the rights to perform system tasks on a single computer.
3. Windows 2000 places the built-in local groups into the Groups folder in the Local Users and Groups snap-in.
B. Commonly used built-in local groups
1. Administrators
a. Members can perform all administrative tasks on the computer.
b. By default, the built-in Administrator user account for the computer is a member.
c. When the computer joins a domain, Windows 2000 automatically adds the Domain Admins predefined global group to the local Administrators group.
2. Backup Operators
a. Members can use Windows Backup to back up and restore the computer.
3. Guests
a. Members can perform only tasks for which the administrator has specifically granted rights.
b. Members can gain access only to resources for which the administrator has assigned permissions.
c. Members cannot make permanent changes to their desktop environment.
d. By default, the built-in Guest account for the computer is a member.
e. When the computer joins a domain, Windows 2000 automatically adds the Domain Guests predefined global group to the local Guests group.
4. Power Users
a. Members can create and modify local user accounts on the computer and share resources.
b. Members can also install programs and write to parts of the system directory, so membership should be treated as close to administrative access.
5. Replicator
a. Supports directory replication functions
b. The only member should be a domain user account used to log on to the Replicator service.
c. The accounts of actual users must not be added to this group.
6. Users
a. Members can perform only tasks for which the administrator has specifically granted rights.
b. Members can gain access only to resources for which the administrator has assigned permissions.
c. By default, Windows 2000 adds to the Users group local user accounts that the administrator creates on the computer.
d. When the computer joins a domain, Windows 2000 automatically adds the Domain Users predefined global group to the local Users group.
5. Special Identity Groups
A. Overview
1. Exist on all computers running Windows 2000
2. Do not have specific memberships that can be modified
3. Can represent different users at different times, depending on how a user gains access to a computer or resource
4. Are not seen when administering groups, but are available for use when the administrator assigns rights and permissions to resources
5. Membership is based on how the computer is accessed, not on who uses the computer.
B. Commonly used special identity groups
1. Anonymous Logon
a. Includes any connection that Windows 2000 did not authenticate, such as a null session
2. Authenticated Users
a. Includes all users who logged on with a valid user account on the computer or in Active Directory
b. Used instead of the Everyone group to prevent anonymous access to a resource
3. Creator Owner
a. Includes the user account for the user who created or took ownership of a resource
b. If a member of the Administrators group creates a resource, the Administrators group is the owner of the resource.
4. Dialup
a. Includes any user who currently has a dial-up connection
5. Everyone
a. Includes all users who access the computer, including anonymous connections
b. If the Guest account is enabled, Windows 2000 will authenticate a user who does not have a valid user account as Guest, and any valid user (including Guest) automatically gets all rights and permissions that have been assigned to the Everyone group.
c. The Everyone group is assigned Full Control to many resources by default, including the root of each NTFS volume.
Note Be careful if you assign permissions to the Everyone group and enable the Guest account.
6. Interactive
a. Includes the user account for the user who is logged on at the computer
b. Members gain access to resources on the computer at which they are physically located.
c. Members log on and gain access to resources by “interacting” with the computer.
7. Network
a. Includes any user with a current connection from another computer on the network to a shared resource on the computer
Chapter 8, Lesson 5
Groups for Administrators
1. Overview
A. For optimum security, Microsoft recommends that administrators not use an account in the Administrators group for everyday work.
B. Avoid running the computer while logged on as an administrator.
2. Reasons Not to Run Your Computer as Administrator
A. Makes the computer and the network vulnerable to Trojan horse attacks and other security risks, because every program you run does so with administrative privileges
B. The simple act of visiting an Internet site can be extremely damaging to the system.
C. A Trojan horse could reformat the hard drive, delete all files, and create a new user account with administrative access.
D. You should not assign your everyday account to the Administrators group and should avoid running nonadministrative tasks on the computer as an administrator.
1. Assign your everyday account to the Users or Power Users group.
2. Log on as an administrator, perform the administrative task, and then log off.
3. Administrators as Members of the Users and Power Users Groups
A. Member of the Users group: Allows performance of routine tasks, including running programs and visiting Internet sites, without exposing the computer to unnecessary risk
B. Member of the Power Users group: Allows the performance of routine tasks, as well as installing programs, adding printers, and using most Control Panel items
C. If administrator privileges are frequently needed, use the Run As program to start a program as an administrator instead of logging off and on again.
4. Using Run As to Start a Program
A. Overview
1. Run As is used to run a program that requires the user to be logged on as an administrator.
2. Run As allows one to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.
3. If you attempt to start a program, MMC console, or Control Panel item from a network location using the Run As program, it might fail if the credentials used to connect to the network share are different from the credentials used to start the program.
4. The credentials used to run the program may not be able to gain access to the same network share.
5. If the Run As program fails, the RunAs Service may not be running.
6. The RunAs Service can be configured to start automatically when the system starts by setting its startup type to Automatic in the Services console.
7. A property should be set on shortcuts to programs and MMC tools so that you will always be prompted for alternate credentials when you use the shortcut.
a. The property is set by right-clicking the shortcut, clicking Properties, and then selecting the Run As Different User check box on the Shortcut tab.
b. When the shortcut is started, the Run As Other User dialog box appears, prompting for the alternate user name, password, and domain.
B. Run As can be used if:
1. The appropriate user account and password information is provided
2. The user account has the ability to log on to the computer
3. The program, MMC tool, or Control Panel item is available on the system and to the user account
Note Some applications, such as Windows Explorer, the Printers folder, and desktop items, are started indirectly by Windows 2000 and therefore cannot be started with the Run As program.
C. To use Run As to start a program as an administrator
1. In Windows Explorer, click the program or its shortcut, MMC console, or the Control Panel item that is to be opened
2. Press Shift and right-click the program, tool, or item; then, click Run As
3. On the Run As Other User dialog box, click Run The Program As The Following User
4. In the User Name and Password boxes, type the user name and password of the administrator account to be used
5. In the Domain box:
a. To use the local administrator account on the computer, type the name of your computer
b. To use the domain administrator account on the computer, type the name of the domain
6. Click OK
Note Run As usually is used to run programs as an administrator, although it is not limited to administrator accounts. Any user with multiple accounts can use Run As to run a program, MMC tool, or Control Panel item with alternate credentials.
5. RUNAS Command
A. Overview
1. Performs the same functions as the Run As program
2. Command-line utility
B. Syntax
1. runas [/profile] [/env] [/netonly] /user:UserAccountName program
a. /profile: Specifies that the user's profile should be loaded
b. /env: Specifies that the current environment be used instead of the user's environment
c. /netonly: Indicates that the credentials specified are for remote access only; the program runs as the currently logged-on user on the local computer and presents the specified credentials only to remote servers
d. /user:UserAccountName: Specifies the name of the user account under which to run the program; the account name format should be user@domain or domain\user
e. program: Specifies the program or command to run using the account specified in /user; enclose it in quotation marks if it contains spaces or arguments
6. RUNAS Examples
A. To start an instance of the Windows 2000 command prompt as an administrator on the local computer
1. Type runas /user:localmachinename\administrator cmd
2. When prompted, type the administrator password
B. To start an instance of the Computer Management snap-in using a domain administrator account called companydomain\domainadmin
1. Type runas /user:companydomain\domainadmin "mmc %windir%\system32\compmgmt.msc"
2. When prompted, type the account password
C. To start an instance of Notepad using a domain administrator account called user in a domain called domain.microsoft.com
1. Type runas /user:user@domain.microsoft.com "notepad my_file.txt"
2. When prompted, type the account password
D. To start an instance of a command prompt window, saved MMC console, Control Panel item, or program that will administer a server in another forest
1. Type runas /netonly /user:domain\username "command"
2. domain\username must be a user with sufficient permissions to administer the server.
3. When prompted, type the account password
4. Can also type: runas /user:username@domain.mycompany.com program.exe
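The Run As procedure and the RUNAS examples above, expressed in PowerShell for an administrator who works from a PowerShell prompt today. This is an added example, not part of the original outline; the account and program names are assumptions. Start-Process -Credential covers the ordinary case (including the /profile switch, as -LoadUserProfile) but has no equivalent of /netonly, so that case falls back to runas.exe itself.

```powershell
# Added example (not from the original outline): start a program under alternate credentials.
# Account and program names are assumptions.

function Start-ProgramAs {
    param(
        [Parameter(Mandatory)] [string] $User,       # DOMAIN\user or user@domain, as for /user:
        [Parameter(Mandatory)] [string] $FilePath,   # program to start, e.g. mmc.exe
        [string[]] $ArgumentList = @(),
        [switch]   $LoadProfile,   # equivalent of runas /profile
        [switch]   $NetOnly        # equivalent of runas /netonly: credentials presented to remote servers only
    )
    if ($NetOnly) {
        # Start-Process has no /netonly mode. runas.exe runs the program as the current user
        # locally and uses $User only when the program talks to servers, e.g. in another forest.
        $command = if ($ArgumentList) { "$FilePath $($ArgumentList -join ' ')" } else { $FilePath }
        & runas.exe /netonly "/user:$User" $command
        return
    }

    # Prompts for the password the same way the Run As Other User dialog box does.
    $cred   = Get-Credential -UserName $User -Message "Password for $User"
    $params = @{ FilePath = $FilePath; Credential = $cred; LoadUserProfile = $LoadProfile }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    # The program is started from this computer as $User; if it lives on a network share,
    # $User must also be able to read that share (the failure described under Run As above).
    Start-Process @params
}

# Computer Management as a domain administrator, with that account's profile loaded
# (the PowerShell form of: runas /profile /user:CORP\domainadmin "mmc %windir%\system32\compmgmt.msc")
Start-ProgramAs -User 'CORP\domainadmin' -FilePath 'mmc.exe' `
    -ArgumentList "$env:windir\system32\compmgmt.msc" -LoadProfile

# A command prompt that presents credentials from another forest's domain only to remote servers
# (the PowerShell form of: runas /netonly /user:OTHERFOREST\username cmd)
Start-ProgramAs -User 'OTHERFOREST\username' -FilePath 'cmd.exe' -NetOnly
```

Get-Credential keeps the password in a SecureString and never writes it to the command line or the history file, which is the reason to prefer it over passing a password to any helper script; runas.exe likewise accepts the password only from the console prompt.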