8 Administering Groups


Exam Objectives in this Chapter:
- Plan a security group hierarchy based on delegation requirements.
- Plan a security group strategy.

Why This Chapter Matters

As an administrator, you'll have to work with groups. Groups reduce administrative effort by allowing you to assign permissions and rights to a group of users rather than having to assign permissions to each individual user account. As a Microsoft Windows Server 2003 domain administrator, you must understand the different types of groups and which ones you can use with each domain functional level. You must certainly understand how to create and delete groups, add members to groups, and change the group scope, as these tasks are commonly performed by network administrators.

You should also understand why logging on to Windows Server 2003 using an administrator account makes your system more vulnerable to Trojan horse attacks and other security risks. To address this problem, you will learn about the Run As program, which allows you to run specific tools and programs with permissions other than those provided by the account with which you are currently logged on to perform routine tasks without exposing your computer to unnecessary risk.

Lessons in this Chapter:
- Lesson 1: Understanding Groups
- Lesson 2: Creating and Administering Groups
- Lesson 3: Administration Strategies

Before You Begin

To complete the lessons in this chapter, you must
- Prepare your test environment according to the descriptions given in the Getting Started section of About This Book
- Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, Installing and Configuring Active Directory
- Learn to use Active Directory administration tools as discussed in Chapter 3, Administering Active Directory

- Complete the practices for configuring sites and replication as discussed in Chapter 5, Configuring Sites and Managing Replication
- Complete the practices for implementing an organizational unit (OU) structure as discussed in Chapter 6, Implementing an OU Structure
- Complete the practices for creating and maintaining user accounts as discussed in Chapter 7, Administering User Accounts

Lesson 1: Understanding Groups

Before you can create groups, you must understand the purpose of groups and how they are used to simplify administration tasks. This lesson introduces you to the group types and scopes you can create in Windows Server 2003 and the rules for group membership. You also learn about the various categories of default groups. At the end of the lesson, you learn how to plan a group strategy.

After this lesson, you will be able to
- Explain the purpose of groups
- Explain the purpose of security and distribution group types
- Explain the characteristics of domain local, global, and universal group scopes
- Explain the purpose of local groups
- Describe the types of default groups
- Plan a group strategy

Estimated lesson time: 30 minutes

Introduction to Groups

A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions to each individual user account, as shown in Figure 8-1. Users can be members of more than one group.

Permissions control what users can do with a resource, such as a folder, file, or printer. When you assign permissions, you give users the capability to gain access to a resource and you define the type of access that they have. For example, if several users need to read the same file, you would add their user accounts to a group. Then you would give the group permission to read the file.

Figure 8-1 Groups simplify administration (assign permissions once for a group instead of assigning permissions for each user account)

Group Types

In addition to user accounts, you can add other groups, contacts, and computers to groups. You add groups to other groups to create a consolidated group and reduce the number of times that you need to assign permissions. However, you should use caution to add only those groups that are absolutely necessary. You add computers to groups to simplify giving a system task on one computer access to a resource on another computer.

You can create groups for security-related purposes, such as assigning permissions, or for nonsecurity purposes, such as sending messages. To facilitate this, Active Directory directory service provides for the use of two group types: security and distribution. The group type determines how you use the group. Both types of groups are stored in the database component of Active Directory, which allows you to use them anywhere in your network.

Security Groups

Windows Server 2003 uses only security groups, which you use to assign permissions to gain access to resources. Programs that are designed to search Active Directory can also use security groups for nonsecurity purposes, such as retrieving user information for use in a Web application. Thus, a security group has all the capabilities of a distribution group.

Distribution Groups

Applications use distribution groups as lists for nonsecurity-related functions. Use distribution groups when the only function of the group is nonsecurity related, such as sending messages to a group of users at the same time. You cannot use distribution groups to assign permissions. Only programs that are designed to work with Active Directory can use distribution groups. For example, Microsoft Exchange Server is able to use distribution groups as distribution lists for sending messages.

Note: Because Windows Server 2003 uses only security groups, this chapter focuses on security groups.

Group Scopes

When you create a group, you must select a group type and a group scope. Group scopes allow you to use groups in different ways to assign permissions. The scope of a group determines where in the network you are able to use the group to assign permissions to the group. The three group scopes are global, domain local, and universal, as shown in Figure 8-2.

Figure 8-2 Group scopes
- Global group: Members can come only from local domain. Members can access resources in any domain.
- Domain local group: Members can come from any domain. Members access resources only in local domain.
- Universal group: Members can come from any domain. Members can access resources in any domain.

Global Groups

Global security groups are most often used to organize users who share similar network access requirements. A global group has the following characteristics:
- Limited membership: You can add members only from the domain in which you create the global group.
- Access to resources in any domain: You can use a global group to assign permissions to gain access to resources that are located in any domain in the tree or forest.

Domain Local Groups

Domain local security groups are most often used to assign permissions to resources. A domain local group has the following characteristics:
- Open membership: You can add members from any domain.
- Access to resources in one domain: You can use a domain local group to assign permissions to gain access to resources that are located only in the same domain where you create the domain local group.

Universal Groups

The universal group is a new feature beginning in Microsoft Windows Universal security groups are most often used to assign permissions to related resources in multiple domains. A universal security group has the following characteristics:
- Open membership: You can add members from any domain in the forest.

- Access to resources in any domain: You can use a universal group to assign permissions to gain access to resources that are located in any domain in the forest.
- Available only in domains with a domain functional level set to Windows 2000 native or Windows Server 2003: Universal security groups are not available in domains with the domain functional level set to Windows 2000 mixed.

How Universal Groups Affect Replication

Universal security groups and their members are listed in the global catalog. When you create a universal group, it temporarily resides in the domain directory partition in which the group was created until the global catalog queries the domain for changes. Once the global catalog acquires the new object, changes are replicated to other global catalogs in the forest.

In Windows 2000, when one member of a group with universal scope changes, the entire group membership is replicated to all global catalogs in the domain tree or forest, consuming a large amount of network bandwidth and processor load. Further, if group membership is updated simultaneously on two or more domain controllers, some of the membership updates could potentially be lost during replication conflict resolution. In Windows Server 2003, when the forest functional level is set to Windows Server 2003, only the member that is modified is replicated to all global catalogs, which significantly reduces global catalog replication traffic and eliminates the possibility of lost updates. For more information about Active Directory forest and domain functional levels, refer to Chapter 3, Administering Active Directory.

Group Membership

The group scope determines the membership of a group. Membership rules define which members a group can contain. Group members include user accounts, other groups, contacts, and computers. Table 8-1 describes group membership rules.
Table 8-1 Group Scope Membership Rules

In domains with the domain functional level set to Windows 2000 mixed, scope can contain:
- Global: User accounts and computer accounts from the same domain
- Domain local: User accounts, computer accounts, and global groups from any domain
- Universal: Not available in domains with a domain functional level set to Windows 2000 mixed

In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, scope can contain:
- Global: User accounts, computer accounts, and global groups from the same domain
- Domain local: User accounts, computer accounts, global groups, and universal groups from any domain; domain local groups from the same domain
- Universal: User accounts, computer accounts, global groups, and other universal groups from any domain in the forest

Group Nesting

Adding groups to other groups, or nesting, helps reduce the number of times permissions need to be assigned. Create a hierarchy of groups based on the needs of the members. Windows Server 2003 allows unlimited levels of nesting in domains with a domain functional level set to Windows 2000 native or Windows Server 2003.

For example, you can create a group for each region in your organization and add managers from each region into their own group, called Regional Managers. You can then add each Regional Managers group to another group called Worldwide Managers. When all managers in the network need access to a resource, you assign permissions only to the Worldwide Managers group. Because the Worldwide Managers group contains all members of the Regional Managers groups through nesting, all managers in the network can reach the resource. This strategy allows for easy assignment of permissions and decentralized tracking of group membership.

Guidelines for group nesting include the following:
- Minimize levels of nesting: Tracking permissions and troubleshooting becomes more complex with multiple levels of nesting. One level of nesting is the most effective to use.
- Document group membership to keep track of permissions assignments: Providing documentation of group membership can eliminate the redundant assignment of user accounts to groups and reduce the likelihood of accidental group assignments.

To use nesting efficiently, you must recall the group scope membership rules:
- In domains with a domain functional level set to Windows 2000 mixed, only one type of nesting is available: global groups from any domain can be members of domain local groups. Universal groups do not exist in domains with a domain functional level set to Windows 2000 mixed.
- In domains with a domain functional level set to Windows 2000 native or Windows Server 2003, all group membership rules apply and multiple levels of nesting are allowed.

Local Groups
A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows Server 2003 creates local groups in the local security database.

Note: Because Active Directory groups with a domain local scope are sometimes referred to as local groups, it is important to distinguish between a local group and a group with a domain local scope.

Guidelines for using local groups follow:
- Use local groups only on the computer where you create the local groups. Local group permissions provide access to only the resources on the computer where you created the local group.
- Use local groups on computers running Microsoft Windows XP Professional and member servers running Windows Server 2003. Local groups cannot be created on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory.
- Use local groups only on computers that do not belong to a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups do not appear in Active Directory, and you must administer local groups separately for each computer.

Membership rules for local groups include the following:
- Local groups can contain local user accounts from the computer where you create the local group.
- Local groups cannot be members of any other group.

Default Groups

Windows Server 2003 has four categories of default groups: groups in the Builtin folder, groups in the Users folder, special identity groups, and default local groups. All of the default groups are security groups and have been assigned common sets of rights and permissions that you might want to assign to the users and groups that you place into the default groups.

Groups in the Builtin Folder

Windows Server 2003 creates default security groups with a domain local scope in the Builtin folder in the Active Directory Users And Computers console. The groups in the Builtin folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain.
Table 8-2 describes the default groups in the Builtin folder.

Table 8-2 Default Groups in the Builtin Folder

- Account Operators: This group exists only on domain controllers. By default, the group has no members. By default, members can create, modify, and delete accounts for users, groups, and computers in all containers and OUs of Active Directory except the Builtin folder and the Domain Controllers OU. Members do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
- Administrators: Members have complete and unrestricted access to the computer or domain controller, including the right to change their own permissions. If the Administrator account resides on the first domain controller configured for the domain, the Administrator account is automatically added to the Domain Admins group and complete access to the domain is granted.
- Backup Operators: By default, this group has no members. Members can back up and restore all files on a computer, regardless of the permissions that protect those files. Members can also log on to the computer and shut it down.
- Guests: Members have the same privileges as members of the Users group.
- Incoming Forest Trust Builders: Members can create incoming, one-way trusts to this forest.
- Network Configuration Operators: Members have the same default rights as members of the Users group. Members can perform all tasks related to the client side of network configuration except for installing and removing drivers and services. Members cannot configure network server services such as the Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) server services.
- Performance Log Users: Members have remote access to schedule logging of performance counters on this computer.
- Performance Monitor Users: Members have remote access to monitor this computer.
- Pre-Windows 2000 Compatible Access: Members have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Microsoft Windows NT 4 and earlier.
- Print Operators: This group exists only on domain controllers. Members can manage printers and document queues.
- Remote Desktop Users: Members can log on to a computer from a remote location.

Table 8-2 Default Groups in the Builtin Folder (continued)

- Replicator: This group supports directory replication functions and is used by the file replication service on domain controllers. By default, the group has no members. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add users to this group.
- Server Operators: This group exists only on domain controllers. By default, the group has no members. Members can log on to a server interactively, create and delete network shares, start and stop services, back up and restore files, format the hard disk of the computer, and shut down the computer.
- Terminal Service License Users: Terminal Server License Servers
- Users: Members are prevented from making accidental or intentional system-wide changes. Members can run certified applications, use printers, shut down and start the computer, and use network shares for which they are assigned permissions. Members cannot share folders or install printers on the local computer. By default, the Domain Users group is a member.
- Windows Authorization Access: Members have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.

Off the Record: If you need to create a list of groups, you can use the Net Localgroup and Net Group commands. For example, you could open a command prompt and type net localgroup > C:\localgroups.txt to create a list of local groups in a file named C:\localgroups.txt. As another example of how the Net commands work, examine and run the batch file named Grouplistings.bat on the Supplemental CD-ROM in the \70-294\Labs\Chapter08 folder.

Groups in the Users Folder

Windows Server 2003 creates default security groups in the Users folder in the Active Directory Users And Computers console.
The groups in the Users folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain. Table 8-3 describes the default groups in the Users folder.

Table 8-3 Default Groups in the Users Folder

Domain Local Groups
- Cert Publishers: Members of this group are permitted to publish certificates to Active Directory.
- DnsAdmins: Members of this group are permitted administrative access to the DNS server service.
- HelpServicesGroup: This group allows administrators to set rights common to all support applications. By default, the group has only one member, the account associated with Microsoft support applications, such as Microsoft Remote Assistance. Do not add users to this group, which is managed automatically by the Help And Support service.
- RAS and IAS Servers: Servers in this group for the Remote Access Service (RAS) and Internet Authentication Service (IAS) are permitted access to the remote access properties of users.
- TelnetClients: Members of this group have access to Telnet Server on this system.

Global Groups
- DnsUpdateProxy: Members of this group are DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
- Domain Admins: Members of this group can perform administrative tasks on any computer anywhere in the domain.
- Domain Computers: Members include all workstations and servers joined to the domain. By default, any computer account created in a domain is automatically added to this group.
- Domain Controllers: Members include all domain controllers in the domain.
- Domain Guests: Members include all domain guests.
- Domain Users: Members include all domain users. By default, any user account created in a domain is automatically added to this group.
- Group Policy Creator Owners: Members can modify group policy for the domain.

Universal Groups
- Enterprise Admins (appears only on forest root domain controllers): Members include users designated as administrators of the entire network.
- Schema Admins (appears only on forest root domain controllers): Members include users designated as administrators of the schema.

Special Identity Groups

Special identity groups, known as special groups in Microsoft Windows NT, exist on all computers running Windows Server 2003. Membership in these groups is controlled by the operating system. Although the special identity groups can be assigned rights and permission to resources, you cannot modify or view the memberships of these groups. You do not see special identity groups when you administer groups, and you cannot place them into other groups. Group scopes do not apply to special identity groups. Windows Server 2003 bases special identity group membership on how the computer is accessed, not on who uses the computer. Table 8-4 describes the most commonly used special identity groups.

Table 8-4 Commonly Used Special Identity Groups

- Anonymous Logon: Members include all users who log on without supplying a user name and password.
- Authenticated Users: Members include all users whose identities were authenticated when they logged on. This group does not include the Guest account even if the account has a password.
- Dialup: Members include all users who are logged on to the system through a dial-up connection.
- Enterprise Domain Controllers: Members include all domain controllers in a forest of domains.
- Everyone: On computers running Windows Server 2003, members include Authenticated Users and Domain Guests. On computers running earlier versions of the operating system, members include Authenticated Users and Domain Guests, plus Anonymous Logon.
- Interactive: Members include all users who have logged on locally or through a Remote Desktop connection.
- Network: Members include all users who are logged on through a network connection.
- Service: Members include all security principals (users, groups, or computers) that have logged on as a service.
- Terminal Server User: When Terminal Services are installed in application serving mode, this group contains any users who are currently logged on to the system using a terminal server. When Terminal Services are installed in remote administration mode, users logged on using a terminal server are not members of this group.

Anonymous User Security Enhancement

In Windows NT and Windows 2000, the operating system makes every user authenticated by the domain and all potential anonymous users members of the Everyone group because the Authenticated Users, the Anonymous Logon, and the Domain Guests groups are automatically made members of the Everyone group. This membership is provided to allow anonymous users access to Active Directory objects. To provide stricter control of access to resources, you must remember to remove the Everyone group from the access control list for the resource. Because administrators often do not realize that anonymous users are members of the Everyone group, these users might inadvertently be granted access to resources intended only for authenticated users.

In Windows Server 2003, the Anonymous Logon group is no longer a member of the Everyone group. Therefore, anonymous users attempting to access resources hosted on computers running Windows Server 2003 will be impacted. If anonymous users must be granted access to resources, you must explicitly add the Anonymous Logon security group to the access control list for the resource and provide the required permissions. If anonymous users must always be granted access to resources, you can change the new Windows Server 2003 default security setting for the Everyone group by enabling the group policy Network Access: Let Everyone Permissions Apply To Anonymous Users, located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. For more information about using Group Policy, refer to Chapter 11, Administering Group Policy.

Built-In Local Groups

All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local groups. Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources.
Windows Server 2003 places the built-in local groups into the Groups folder in the Local Users and Groups snap-in in the Computer Management console. Table 8-5 describes the capabilities that members of the most commonly used built-in local groups have. Except where noted, there are no initial members in these groups.

Table 8-5 Commonly Used Built-In Local Groups

- Administrators: Members can perform all administrative tasks on the computer. By default, the built-in Administrator user account for the computer is a member. When a member server or computer running Windows XP Professional joins a domain, Windows Server 2003 adds the Domain Admins predefined global group to this group.
- Backup Operators: Members can use Windows Backup to back up and restore the computer.
- Guests: Members can perform only tasks for which you have specifically granted rights and can gain access only to resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the built-in Guest account for the computer is a member.
- HelpServicesGroup: Members can set rights common to all support applications. By default, the only member is the account associated with Microsoft support applications. Do not add users to this group.
- Network Configuration Operators: Members can make changes to TCP/IP settings and renew and release TCP/IP addresses. This group has no default members.
- Performance Monitor Users: Members can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.
- Performance Log Users: Members can manage performance counters, logs, and alerts on the server locally and from remote clients without being a member of the Administrators or Performance Monitor Users groups.
- Power Users: Members can create and modify local user accounts on the computer and share resources.
- Print Operators: Members can administer domain printers.
- Remote Desktop Users: Members can remotely log on to a server.
- Replicator: Supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.
- Terminal Server Users: Contains users who are currently logged on using Terminal Server.
- Users: Members can perform only tasks for which you have specifically granted rights and can gain access only to resources for which you have assigned permissions. By default, Windows Server 2003 adds local user accounts that you create on the computer to the Users group. When a member server or a computer running Windows XP Professional joins a domain, Windows Server 2003 adds the Domain Users predefined global group to this group.

Exam Tip: Be familiar with the groups in each category.
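The Anonymous User Security Enhancement described earlier in this lesson changes which Everyone entries on an access control list still reach anonymous users. The following Python model is an added example, not part of the original chapter; the resource names and ACLs are constructed, and the group policy is reduced to a single boolean.

```python
LEGACY = "Windows NT / Windows 2000"
WS2003 = "Windows Server 2003"


def everyone_members(platform, let_everyone_apply_to_anonymous=False):
    """Groups that the text says are members of Everyone on each platform."""
    members = {"Authenticated Users", "Domain Guests"}
    # Earlier versions always include Anonymous Logon; Windows Server 2003
    # includes it only when the "Network Access: Let Everyone Permissions
    # Apply To Anonymous Users" policy is enabled.
    if platform == LEGACY or let_everyone_apply_to_anonymous:
        members.add("Anonymous Logon")
    return members


def anonymous_has_access(acl, platform, let_everyone_apply_to_anonymous=False):
    """acl is the set of group names granted access to one resource."""
    if "Anonymous Logon" in acl:
        return True  # explicit entry works on every platform
    everyone = everyone_members(platform, let_everyone_apply_to_anonymous)
    return "Everyone" in acl and "Anonymous Logon" in everyone


def review_acls(acls, let_everyone_apply_to_anonymous=False):
    """Report how anonymous access changes when a resource moves to WS2003."""
    report = {}
    for resource, acl in acls.items():
        before = anonymous_has_access(acl, LEGACY)
        after = anonymous_has_access(acl, WS2003, let_everyone_apply_to_anonymous)
        if before and not after:
            report[resource] = "anonymous access removed"
        elif before and after:
            report[resource] = "anonymous access still granted"
        else:
            report[resource] = "no anonymous access"
    return report


# Constructed sample ACLs (resource name -> groups granted access).
SAMPLE_ACLS = {
    "Public": {"Everyone"},
    "Kiosk": {"Everyone", "Anonymous Logon"},
    "Finance": {"Authenticated Users"},
}

if __name__ == "__main__":
    for resource, status in review_acls(SAMPLE_ACLS).items():
        print(f"{resource}: {status}")
```

Resources reported as "anonymous access removed" are the ones to review: either the Everyone entry was never meant to reach anonymous users, or Anonymous Logon must be added to the access control list explicitly.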

Planning Groups

To use groups effectively, you must determine how you will use the groups and which types of groups you will use. It is important to have a group strategy in place before you begin creating groups.

Planning Global and Domain Local Groups

Global and domain local groups are listed in the global catalog, but their members are not. This reduces the size of the global catalog and the replication traffic associated with keeping the global catalog up to date. You can improve network performance by using groups with global or domain local scope for directory objects that change frequently. Global and domain local group implementation guidelines are identical to the group strategy recommendations for a Windows NT 4 or earlier domain.

Use the following procedure, as portrayed in Figure 8-3, to plan your global and domain local group strategy:

1. Assign users with common job responsibilities to global groups. Identify users with common job responsibilities and add the user accounts to a global group. For example, in an accounting department, add user accounts for all accountants to a global group called Accounting.

2. Create a domain local group for resources to be shared. Identify the resources or group of resources, such as related files or printers, to which users need access, and then create a domain local group for that resource. For example, if you have a number of color printers in your company, create a domain local group called Color Printers.

3. Add global groups that need access to the resources to the domain local group. Identify all global groups that share the same access needs for resources and make them members of the appropriate domain local group. For example, add the global groups Accounting and Sales to the domain local group Color Printers.

4. Assign resource permissions to the domain local group. Assign the required permissions for the resource to the domain local group. For example, assign the necessary permissions to use color printers to the Color Printers group. Users in the Accounting and Sales global groups receive the required permissions because their global group is a member of the domain local group Color Printers.

This strategy gives you the most flexibility for growth and reduces permissions assignments.
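The Table 8-1 membership rules and the four-step global and domain local procedure above can be checked on paper before any group is created. The following Python sketch is an added example, not part of the original chapter; the domain names, the placement of Sales in a second domain, and the All Printers group are constructed for illustration.

```python
from dataclasses import dataclass

MIXED = "Windows 2000 mixed"
NATIVE = "Windows 2000 native or Windows Server 2003"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "computer", "global", "domain local" or "universal"


# Table 8-1 as data: level -> group scope -> member kind -> "same" or "any" domain.
RULES = {
    MIXED: {
        "global": {"user": "same", "computer": "same"},
        "domain local": {"user": "any", "computer": "any", "global": "any"},
        # universal groups are not available at this functional level
    },
    NATIVE: {
        "global": {"user": "same", "computer": "same", "global": "same"},
        "domain local": {"user": "any", "computer": "any", "global": "any",
                         "universal": "any", "domain local": "same"},
        "universal": {"user": "any", "computer": "any", "global": "any",
                      "universal": "any"},
    },
}
ACCOUNTS = ("user", "computer")


def check_member(level, group, member):
    """Return None if Table 8-1 allows member in group, else the reason."""
    scope_rules = RULES[level].get(group.kind)
    if scope_rules is None:
        return f"{group.kind} groups are not available at {level}"
    where = scope_rules.get(member.kind)
    if where is None:
        return f"a {group.kind} group cannot contain {member.name} ({member.kind})"
    if where == "same" and member.domain != group.domain:
        return f"{member.name} must come from {group.domain}, not {member.domain}"
    return None


def validate_plan(level, plan):
    """plan maps each group to its direct members; returns the violations."""
    problems = []
    for group, members in plan.items():
        for member in members:
            reason = check_member(level, group, member)
            if reason:
                problems.append(f"{group.name}: {reason}")
    return problems


def effective_users(group, plan, _seen=None):
    """User names that inherit whatever permissions the group is assigned."""
    seen = _seen if _seen is not None else set()
    if group in seen:  # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for member in plan.get(group, []):
        if member.kind == "user":
            users.add(member.name)
        elif member.kind not in ACCOUNTS:
            users |= effective_users(member, plan, seen)
    return users


def nesting_depth(group, plan, _path=frozenset()):
    """Levels of group-in-group nesting below group (0 = accounts only)."""
    if group in _path:
        return 0
    nested = [m for m in plan.get(group, []) if m.kind not in ACCOUNTS]
    return max((1 + nesting_depth(m, plan, _path | {group}) for m in nested),
               default=0)


# Constructed sample following steps 1 to 3 of the procedure.
D1, D2 = "domain1", "domain2"
acct1, acct2 = Principal("Accountant1", D1, "user"), Principal("Accountant2", D1, "user")
sales1, sales2 = Principal("Salesperson1", D2, "user"), Principal("Salesperson2", D2, "user")
accounting = Principal("Accounting", D1, "global")
sales = Principal("Sales", D2, "global")
color_printers = Principal("Color Printers", D1, "domain local")
all_printers = Principal("All Printers", D1, "universal")  # hypothetical group

GOOD_PLAN = {accounting: [acct1, acct2], sales: [sales1, sales2],
             color_printers: [accounting, sales]}
BAD_PLAN = {accounting: [acct1, sales1],  # user from another domain
            all_printers: [accounting]}   # universal scope

if __name__ == "__main__":
    for level in (MIXED, NATIVE):
        print(level, validate_plan(level, GOOD_PLAN), validate_plan(level, BAD_PLAN))
    print(sorted(effective_users(color_printers, GOOD_PLAN)))
```

Step 4, assigning the permission itself, happens on the resource; `effective_users` shows who would receive it once the domain local group is on the access control list.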

Figure 8-3 Planning a global and domain local group strategy. The steps shown in the figure are:

1. Assign users with common job responsibilities to global groups.
2. Create a domain local group for resources to be shared.
3. Add global groups who need access to the resources to the domain local group.
4. Assign resource permissions to the domain local group.

Some of the possible limitations of other strategies include the following:

Placing user accounts in domain local groups and assigning permissions to the domain local groups. This strategy does not allow you to assign permissions for resources outside of the domain. This strategy reduces the flexibility when your network grows.

Placing user accounts in global groups and assigning permissions to the global groups. This strategy can complicate administration when you are using multiple domains. If global groups from multiple domains require the same permissions, you have to assign permissions for each global group.

Planning Universal Groups

Use universal groups to grant or deny access to resources that are located in more than one domain. As discussed earlier in this lesson, when membership of any universal group changes, the changes must be replicated to every global catalog in the forest unless the Windows Server 2003 forest functional level is used. This action can cause excessive network traffic. Therefore, you should define universal groups with caution. Follow these guidelines to ensure minimal impact on replication traffic:

Add global groups, not users, to universal groups. The global groups are the members of the universal group. Keep the number of group members in universal groups as low as possible and minimize the number of individual users.

Change the membership of universal groups as infrequently as possible. By requiring all members of universal groups to be global groups and making individual membership changes in the global groups, the membership changes you make to the global groups do not affect the universal groups or replication traffic.
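The planning strategy and the universal group guideline above can be checked mechanically against a written plan. The following is an added example, not part of the original chapter: a small Python model in which the Sales, Accounting, and Color Printers groups come from Figure 8-3, while the "All Sales" group, Salesperson3, the resource names, and the rule labels are constructed for illustration.

```python
from dataclasses import dataclass, field

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


@dataclass
class Group:
    scope: str
    members: list = field(default_factory=list)  # user account names or group names


def effective_users(name, groups, _seen=None):
    """Resolve nested membership: every user account reachable from `name`."""
    seen = _seen if _seen is not None else set()
    if name not in groups:      # not a group, so treat it as a user account
        return {name}
    if name in seen:            # already expanded; also guards against circular nesting
        return set()
    seen.add(name)
    users = set()
    for member in groups[name].members:
        users |= effective_users(member, groups, seen)
    return users


def audit_plan(groups, acl):
    """Return sorted (subject, rule, detail) findings for a group plan.

    groups -- dict of group name -> Group
    acl    -- dict of resource name -> list of trustees holding permissions
    """
    findings = []
    for name, group in groups.items():
        for member in group.members:
            is_user = member not in groups
            if group.scope == DOMAIN_LOCAL and is_user:
                # Users belong in global groups, not directly in domain local groups.
                findings.append((name, "user-in-domain-local", member))
            elif group.scope == UNIVERSAL and is_user:
                # Guideline: add global groups, not users, to universal groups.
                findings.append((name, "user-in-universal", member))
            elif group.scope == UNIVERSAL and groups[member].scope != GLOBAL:
                findings.append((name, "non-global-group-in-universal", member))
    for resource, trustees in acl.items():
        for trustee in trustees:
            if trustee not in groups:
                findings.append((resource, "permission-on-user", trustee))
            elif groups[trustee].scope == GLOBAL:
                # Works, but has to be repeated for every global group.
                findings.append((resource, "permission-on-global-group", trustee))
    return sorted(findings)


# Plan that follows Figure 8-3 (group names from the figure).
GOOD_GROUPS = {
    "Sales": Group(GLOBAL, ["Salesperson1", "Salesperson2"]),
    "Accounting": Group(GLOBAL, ["Accountant1", "Accountant2"]),
    "Color Printers": Group(DOMAIN_LOCAL, ["Sales", "Accounting"]),
}
GOOD_ACL = {"color printers": ["Color Printers"]}

# Constructed plan with one violation of each kind the audit reports.
BAD_GROUPS = {
    "Sales": Group(GLOBAL, ["Salesperson1", "Salesperson2"]),
    "Accounting": Group(GLOBAL, ["Accountant1", "Accountant2"]),
    "Color Printers": Group(DOMAIN_LOCAL, ["Sales", "Accountant1"]),
    "All Sales": Group(UNIVERSAL, ["Sales", "Salesperson3"]),
}
BAD_ACL = {
    "color printers": ["Color Printers", "Accounting"],
    "sales reports": ["Salesperson1"],
}

if __name__ == "__main__":
    print(sorted(effective_users("Color Printers", GOOD_GROUPS)))
    for finding in audit_plan(BAD_GROUPS, BAD_ACL):
        print(finding)
```
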

Practice: Planning New Group Accounts

In this practice, you plan the groups that are required for a business scenario.

Exercise 1

You are an administrator for the customer service division of a manufacturing company. You administer a domain that is part of your company's domain tree. You do not administer other domains, but you might have to give selected user accounts from other domains access to resources in your domain. Users at the company use several shared network resources. The company is also planning to implement an e-mail program that uses Active Directory.

As the administrator, you must determine
Which groups are needed.
The membership of each group. This can be user accounts or other groups.
The type and scope for each group.

Use the procedure provided earlier in this lesson to plan your global and domain local group strategy. Record your planning strategy on the Group Accounts Planning Worksheet provided below. Follow these instructions to complete the worksheet:

1. On the worksheet, provide a name for each group. Record each name in the group name column.
2. Specify the type and scope of each group in the type and scope column.
3. List the members of each group in the members column.

After completing the exercise, compare your worksheet with the sample provided. The sample presents only one set of possible answers. You might have planned your groups differently.

Table 8-6 provides the job function and number of employees in each job function in the customer service division.

Table 8-6 Customer Service Division Employee Information

Job Function | Number of Employees
Product tester | 20
Customer service representative | 250
Maintenance worker | 5
Manager | 5
Sales representative | 5
Network administrator | 2

Table 8-7 lists the information access requirements for various employees.

Table 8-7 Employee Information Access Requirements

Employee | Access Needed
Customer service representatives and managers | Customer database, full access
Sales representatives | Customer database, read-only access
All employees | Company policies, read-only access
All employees | Receive company announcements through e-mail
Any employees in any domain who are interested in these topics | Receive periodic announcements through e-mail about important topics
All employees, except maintenance workers | Shared installation of Microsoft Office
Network administrators | Full access to all resources in the company
Sales representatives from your domain and all other domains | Sales reports

Group Accounts Planning Worksheet

Group Name | Type and Scope | Members

Group Accounts Planning Worksheet (Answers)

Group Name | Type and Scope | Members
Testers | Security, global | All product testers
CSRs | Security, global | All customer service representatives
Maint | Security, global | All maintenance workers
Mgrs | Security, global | All managers
Sales | Security, global | All sales reps
NetAdmin | Security, global | All network administrators
AllEmployees | Security, global | All employees
Topics | Security, global | Employees interested in manufacturing topics
CustomerDB | Security, domain local | CSRs, Mgrs, Sales, NetAdmin global groups
Policies | Security, domain local | AllEmployees global group
MSOffice | Security, domain local | Testers, CSRs, Mgrs, Sales, NetAdmin global groups
SalesReports | Security, domain local | Sales and NetAdmin global groups
Ann | Distribution, domain local | AllEmployees global group
Manuf | Distribution, domain local | Topics and NetAdmin global groups

Now that you've completed the worksheet, answer the following questions.

1. Does your network require local groups?
No. The scenario presents no need to create local groups, which you can use only on a single computer.

2. Does your network require universal groups?
No. The scenario presents no need to create universal groups. Your domain has no groups that need to have access to resources in multiple domains and also need to have members from multiple domains.

3. Sales representatives at the company frequently visit the company headquarters and other divisions. Therefore, you need to give sales representatives with user accounts in other domains the same permissions for resources that sales representatives in your domain have. You also want to make it easy for administrators in other domains to assign permissions to sales representatives in your domain. How can you accomplish this?
Create global groups for sales representatives in all other domains. Add these global groups to the appropriate domain local groups in your domain. Tell administrators in other domains about the global group that represents sales representatives in your domain. Have the administrators add the sales representatives group from your domain to the appropriate domain local groups in their domains.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the Questions and Answers section at the end of this chapter.

1. What is the purpose of using groups?
2. When should you use security groups rather than distribution groups?
3. What strategy should you apply when you use domain and local groups?
4. Why is replication an issue with universal groups?
5. Which of the following statements about group scope membership are incorrect? (Choose all that apply.)
a. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from the same domain.
b. In domains with a domain functional level set to Windows 2000 mixed, global groups can contain user accounts and computer accounts from any domain.
c. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from the same domain.
d. In domains with a domain functional level set to Windows 2000 mixed, domain local groups can contain user accounts, computer accounts, and global groups from any domain.
e. In domains with a domain functional level set to Windows 2000 mixed, universal groups can contain user accounts, computer accounts, global groups, and other universal groups from any domain.
f. In domains with a domain functional level set to Windows 2000 mixed, universal groups do not exist.

Lesson Summary

A group is a collection of users, computers, contacts, and other groups. Distribution groups are used only for e-mail. Security groups are used to grant access to resources.

Group scopes allow you to use groups in different ways to assign permissions. The three group scopes are global, domain local, and universal. Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.

Windows Server 2003 has four categories of default groups: groups in the Builtin folder, groups in the Users folder, special identity groups, and default local groups.

In Windows Server 2003, the Anonymous Logon group is no longer a member of the Everyone group. If anonymous users must be granted access to resources, you must explicitly add the Anonymous Logon security group to the access control list for the resource and provide the required permissions.
If anonymous users must always be granted access to resources, you can change the new Windows Server 2003 default security setting for the Everyone group by enabling the group policy Network Access: Let Everyone permissions apply to anonymous users.

Use the following strategy for planning groups: place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group.

Lesson 2: Creating and Administering Groups

After you assess user needs and have a group plan in place, you are ready to create your groups. Once you have created groups, you might find it necessary to carry out various administrative tasks to maintain them. This lesson shows you how to create groups, delete groups, add members to groups, and change the group scope.

After this lesson, you will be able to
Create groups
Delete groups
Add members to groups
Change the group scope

Estimated lesson time: 20 minutes

Note If you are using Windows Server 2003 with Service Pack 1 (SP1), the Windows Firewall might prevent you from creating and administering groups using the Active Directory Users and Computers console. For example, you will get errors if the Windows Firewall is enabled on a domain controller and you are using the console from a workstation or other server. For more information, see Windows Firewall Settings: Remote Administration Tools at http: //technet2.microsoft.com/windowsserver/en/library/e0bb e-4408-bb52-544d0ab0f mspx.

Creating a Group

You use the Active Directory Users And Computers console to create groups. With the necessary permissions, you can create groups in any domain in the forest, in an OU, or in a container you have created specifically for groups. The name you select for a group must be unique in the domain where you create the group.

To create a group, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.
2. Right-click the appropriate domain, OU, or container, point to New, and click Group.
3. In the New Object Group dialog box, shown in Figure 8-4, type the name of the group in the Group Name box. Note that an entry automatically appears in the Group Name (Pre Windows 2000) box, based on the group name you typed. Select the group scope in the Group Scope box. Select the group type in the Group Type box. Click OK.

Figure 8-4 New Object Group dialog box

Deleting a Group

As your organization grows and changes, you might discover groups that you no longer need. Be sure to delete these groups. Deleting unnecessary groups ensures you maintain security so you do not accidentally assign permissions for accessing resources to groups you no longer need.

Each group you create has a unique, nonreusable identifier called the security identifier (SID). Windows Server 2003 uses the SID to identify the group and the permissions assigned to it. When you delete a group, Windows Server 2003 does not use the SID for that group again, even if you create a new group with the same name as the group you deleted. Therefore, you cannot restore access to resources by recreating the group.

When you delete a group, you delete only the group and the permissions and rights associated with it. Deleting a group does not delete the user accounts that are members of the group.

To delete a group, complete the following steps:

1. Right-click the group, and then click Delete.
2. Click Yes in the Active Directory dialog box.

Off the Record You can use a script to determine a user's group memberships. This is helpful if you'd like to make a logon script dependent upon a user's group membership. The script Chkgrps.vbs on the companion CD-ROM in the \70-294\Labs\Chapter08 folder illustrates how you can use Microsoft Visual Basic Scripting Edition (VBScript) to list a user's group memberships. In the Troubleshooting Lab, you'll learn how to use the Ifmember executable to list group membership.
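Why recreating a deleted group does not restore access, shown as an added example that is not part of the original chapter: a toy Python directory that issues a new SID for every group and evaluates permissions by SID rather than by name. The domain identifier, relative IDs, and resource name are constructed, and the model assumes the resource's access control list still holds the deleted group's SID as an entry that no longer resolves to any group.

```python
import itertools

# Constructed domain identifier; real values are assigned when the domain is created.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


class Directory:
    """Toy directory: every new group gets a fresh SID, and SIDs are never reused."""

    def __init__(self):
        self._rids = itertools.count(1104)   # constructed starting relative ID
        self.sid_of = {}                     # group name -> SID
        self.members = {}                    # group name -> set of user names

    def create_group(self, name, members=()):
        if name in self.sid_of:
            raise ValueError(f"group name {name!r} already exists in this domain")
        self.sid_of[name] = f"{DOMAIN_SID}-{next(self._rids)}"
        self.members[name] = set(members)
        return self.sid_of[name]

    def delete_group(self, name):
        """Remove the group only; member user accounts are not touched."""
        self.members.pop(name)
        return self.sid_of.pop(name)

    def token(self, user):
        """Group SIDs the user carries after logging on."""
        return {self.sid_of[g] for g, users in self.members.items() if user in users}


def can_access(acl_sids, directory, user):
    """Access is granted when a SID in the ACL matches a SID in the user's token."""
    return bool(acl_sids & directory.token(user))


def unresolved_entries(acls, directory):
    """Map each resource to ACL SIDs that no longer belong to any group."""
    live = set(directory.sid_of.values())
    return {res: sorted(sids - live) for res, sids in acls.items() if sids - live}


def walk_through():
    """Delete and recreate the Reports group, recording access at each stage."""
    d = Directory()
    old_sid = d.create_group("Reports", ["User One"])
    acls = {"sales reports": {old_sid}}      # constructed resource name
    result = {"before_delete": can_access(acls["sales reports"], d, "User One")}

    d.delete_group("Reports")
    result["after_delete"] = can_access(acls["sales reports"], d, "User One")

    # Same name, same member, but a different SID.
    new_sid = d.create_group("Reports", ["User One"])
    result["after_recreate"] = can_access(acls["sales reports"], d, "User One")
    result["unresolved"] = unresolved_entries(acls, d)

    # Access returns only when permissions are assigned again to the new SID.
    acls["sales reports"] = {new_sid}
    result["after_reassign"] = can_access(acls["sales reports"], d, "User One")
    result["old_sid"], result["new_sid"] = old_sid, new_sid
    return result


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```
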

Adding Members to a Group

After you create a group, you add members. Members of groups can include user accounts, contacts, other groups, and computers. You can add a computer to a group to give one computer access to a shared resource on another computer, for example, for remote backup. To add members, use the Active Directory Users And Computers console.

To add members to a group, complete the following steps:

1. Start the Active Directory Users And Computers console and expand the domain, OU, or container in which the group is contained.
2. Right-click the appropriate group, and then click Properties.
3. In the Properties dialog box for the group, click the Members tab, and then click Add.
4. In the Select Users, Contacts, Computers, Or Groups dialog box, shown in Figure 8-5, click Advanced.

Figure 8-5 The Select Users, Contacts, Computers, Or Groups dialog box

Note If you are adding members to a global group in a domain with a domain functional level set to Windows 2000 mixed, the Select Users, Contacts, Or Computers dialog box appears because you cannot add global groups to global groups in a domain with a domain functional level set to Windows 2000 mixed.

5. In the extended Select Users, Contacts, Computers, Or Groups dialog box, shown in Figure 8-6, click Find Now. Scroll through the list at the bottom of the dialog box and select the user, contact, computer, or group that you want to add to the group. Hold down the SHIFT or CTRL key to select multiple users, contacts, computers, or groups at a time. Click OK.

Figure 8-6 Extended Select Users, Contacts, Computers, Or Groups dialog box

6. The accounts you have selected are listed in the Enter The Object Names To Select box at the bottom of the Select Users, Contacts, Computers, Or Groups dialog box. Review the accounts to make sure that they are the accounts you wish to add to the group, and click OK to add the members.
7. In the Properties dialog box for the group, click OK.

Note You can also add a user, contact, computer, or group by using the Member Of tab in the Properties dialog box for the user, contact, computer, or group. Use this method to quickly add the same user, contact, computer, or group to multiple groups.

Changing the Group Scope

When creating a new group, by default, the new group is configured as a security group with global scope regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level set to Windows 2000 mixed, the following scope changes are allowed in domains with a domain functional level set to Windows 2000 native or Windows Server 2003:

Global to universal, as long as the group is not a member of another group having global scope
Domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member
Universal to global, as long as the group being converted does not have another universal group as its member
Universal to domain local

To change the scope of a group, complete the following steps:

1. Start the Active Directory Users And Computers console and expand the domain, OU, or container in which the group is contained.
2. Right-click the appropriate group, and then click Properties.
3. Change the group scope in the General tab of the Properties dialog box for the group. Click OK.

Practice: Creating and Administering Groups

In this practice, you create and administer a global security group.

Note To complete this practice, you must have successfully completed the practices in Chapter 6, Implementing an OU Structure, and Chapter 7, Administering User Accounts.

Exercise 1: Creating a Global Group and Adding Members

In this exercise, you create a global security group and add members to the group.

To create a global group and add members

1. Log on to Server1 as Administrator.
2. On Server1, use the procedure provided earlier in this lesson to create a global security group in the Chicago OU. Name the global group Sales.
3. Use the procedure provided earlier in this lesson to add User One and User Five as members of the Sales global group.

Exercise 2: Creating a Domain Local Group and Adding Members

In this exercise, you create a domain local group that you use to assign permissions to gain access to sales reports. Because you use the group to assign permissions, you make it a domain local group. You then add members to the group by adding the security global group you created in Exercise 1.

To create a domain local group and add members

1. On Server1, use the procedure provided earlier in this lesson to create a domain local group in the Chicago OU. Name the domain local group Reports.
2. Use the procedure provided earlier in this lesson to add the Sales global group as a member of the Reports domain local group.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the Questions and Answers section at the end of this chapter.

1. Where can you create groups?
2. What is deleted when you delete a group?
3. What Active Directory components can be members of groups?
4. In what domain functional level is changing the group scope allowed? What scope changes are permitted in this domain functional level?
5. The name you select for a group must be unique to which of the following Active Directory components?
a. forest
b. tree
c. domain
d. site
e. OU

Lesson Summary

You use the Active Directory Users And Computers console to create groups, delete groups, add members to groups, and change the group scope.

With the necessary permissions, you can create groups in any domain in the forest, in an OU, or in a container you have created specifically for groups. The name you select for a group must be unique in the domain where you create the group.

When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group does not delete the user accounts that are members of the group.

You cannot change the group scope for domains with a domain functional level set to Windows 2000 mixed. The following scope changes are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003: global to universal, as long as the group is not a member of another group having global scope; domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member; universal to global, as long as the group being converted does not have another universal group as its member; and universal to domain local.
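The scope-change rules summarized above can be written as a pre-check to run against a group plan before opening the console. This is an added example, not part of the original chapter; it checks only the conditions listed in this lesson and goes one step further by planning a two-step change through universal scope where the list has no direct change. Sales, Reports, User One, and User Five come from the practice; the other groups are constructed.

```python
from dataclasses import dataclass, field

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"
MIXED = "Windows 2000 mixed"
NATIVE = "Windows 2000 native"
WS2003 = "Windows Server 2003"


@dataclass
class Group:
    scope: str
    members: list = field(default_factory=list)  # names of users or groups


def blockers(name, new_scope, groups):
    """Groups that violate the condition attached to one listed scope change.

    Returns None when the change is not one of the four the lesson lists.
    """
    old = groups[name].scope
    nested = [m for m in groups[name].members if m in groups]
    if (old, new_scope) == (GLOBAL, UNIVERSAL):
        # The group must not be a member of another group having global scope.
        return sorted(g for g, grp in groups.items()
                      if grp.scope == GLOBAL and name in grp.members)
    if (old, new_scope) == (DOMAIN_LOCAL, UNIVERSAL):
        return sorted(m for m in nested if groups[m].scope == DOMAIN_LOCAL)
    if (old, new_scope) == (UNIVERSAL, GLOBAL):
        return sorted(m for m in nested if groups[m].scope == UNIVERSAL)
    if (old, new_scope) == (UNIVERSAL, DOMAIN_LOCAL):
        return []
    return None


def check_scope_change(name, new_scope, groups, level):
    """Return (allowed, reason) for changing one group's scope."""
    if level == MIXED:
        return False, "scope changes are not allowed at Windows 2000 mixed"
    if level not in (NATIVE, WS2003):
        return False, f"unknown domain functional level: {level}"
    found = blockers(name, new_scope, groups)
    if found is None:
        return False, f"{groups[name].scope} to {new_scope} is not a listed scope change"
    if found:
        return False, "blocked by: " + ", ".join(found)
    return True, "allowed"


def plan_scope_change(name, target, groups, level):
    """Return the scope steps needed to reach `target`, or [] if none work."""
    if groups[name].scope == target:
        return []
    if check_scope_change(name, target, groups, level)[0]:
        return [target]
    if UNIVERSAL in (groups[name].scope, target):
        return []                      # no intermediate scope left to try
    if not check_scope_change(name, UNIVERSAL, groups, level)[0]:
        return []
    # Evaluate the second step against a copy in which the group is already universal.
    staged = dict(groups)
    staged[name] = Group(UNIVERSAL, list(groups[name].members))
    if check_scope_change(name, target, staged, level)[0]:
        return [UNIVERSAL, target]
    return []


# Sales and Reports follow the practice; the remaining groups are constructed.
GROUPS = {
    "Sales": Group(GLOBAL, ["User One", "User Five"]),
    "Regional Sales": Group(GLOBAL, ["Sales"]),
    "Reports": Group(DOMAIN_LOCAL, ["Sales"]),
    "Archive": Group(DOMAIN_LOCAL, ["Reports"]),
    "Enterprise Sales": Group(UNIVERSAL, ["Regional Sales"]),
}

if __name__ == "__main__":
    for group, scope in [("Sales", UNIVERSAL), ("Reports", UNIVERSAL),
                         ("Archive", UNIVERSAL), ("Enterprise Sales", GLOBAL)]:
        print(group, "->", scope, check_scope_change(group, scope, GROUPS, WS2003))
    print("Reports -> global plan:", plan_scope_change("Reports", GLOBAL, GROUPS, WS2003))
```
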

Lesson 3: Administration Strategies

For optimum security, Microsoft recommends that you do not assign administrators to the Administrators group and that you avoid running your computer while logged on as an administrator. This lesson examines reasons why you should not run your computer as an administrator and the actions you should take to ensure security for administrators.

After this lesson, you will be able to
Explain why you should not run your computer as an administrator
Explain the groups administrators should use to log on
Explain how to use the Run As program to start a program as an administrator

Estimated lesson time: 15 minutes

Why You Should Not Run Your Computer as an Administrator

Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site might contain Trojan horse code that can be downloaded to the system and executed. If you are logged on with administrator privileges, a Trojan horse could possibly reformat your hard drive, delete all files, create a new user account with administrative access, and so on. Therefore, you should not assign yourself to the Administrators group and you should avoid running your computer while logged on as an administrator.

For most computer activity, you should assign yourself to the Users or Power Users group. When you log on as a member of the Users group, you can perform routine tasks, including running programs and visiting Internet sites, without exposing your computer to unnecessary risks. As a member of the Power Users group, you can perform routine tasks and also install programs, add printers, and use most Control Panel items.
If you need to perform an administrator-only task, such as upgrading the operating system or configuring system parameters, you should log on as an administrator, perform the task, and then log off. If you frequently need to log on as an administrator, you can use the Run As program to start programs as an administrator.

Using the Run As Program

The Run As program allows a user to run specific tools and programs with permissions other than those provided by the account with which the user is currently logged on. Therefore, you can use the Run As program to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user. The Run As program can be used to start any program, Microsoft Management Console (MMC) tool, or Control Panel item, as long as

You provide the appropriate user account and password information
The user account has the ability to log on to the computer
The program, MMC tool, or Control Panel item is available on the system and to the user account

The Run As program is usually used to run programs as an administrator, although it is not limited to administrator accounts. Any user with multiple accounts can use Run As to run a program, MMC tool, or Control Panel item with alternate credentials. The Run As program can be invoked on the desktop or by using the Runas command.

To invoke the Run As program from the desktop, complete the following steps:

1. In Windows Explorer, or on the Start menu, right-click the program, MMC tool, or Control Panel item you want to open, and then click Run As.
2. In the Run As dialog box, shown in Figure 8-7, click The Following User.

Figure 8-7 Run As dialog box

3. Type the user name and password of the account you want to use in the User Name and Password boxes, respectively. Click OK.

If you attempt to start a program, MMC tool, or Control Panel item from a network location using the Run As program, it might fail if the credentials used to connect to the network share are different from the credentials used to start the program. The credentials used to run the program might not be able to gain access to the same network share.

If the Run As program fails, the Secondary Logon service might not be running. You can set the Secondary Logon service to start automatically when the system starts using the Secondary Logon Service option in the Services console.


More information

Supporting Networked Computers

Supporting Networked Computers CHAPTER 7 Supporting Networked Computers After completing this chapter, you will be able to: Define the main concepts of networking, including the roles of TCP/IP, IP addresses, and subnet masks. Set up

More information

Introduction to LAN Introduction to TDC 363 Lecture 05 Course Outline What is NOS?

Introduction to LAN Introduction to TDC 363 Lecture 05 Course Outline What is NOS? Introduction to LAN TDC 363 Lecture 05 Nt Network rkoprti Operating Systems tm Windows Based Networking NetWare Based Networking Book Reading: Chapters 8 1 Course Outline Network operating system (NOS)

More information

Introduction to Active Directory

Introduction to Active Directory UT ntroduction to Active irectory 5-1 Topics for this Unit irectory ervices Active irectory Forests omains rganizational Units Groups A features ites Accounts 5-1 irectory ervice A directory service is

More information

Windows Server 2008 Administration

Windows Server 2008 Administration Hands-On Course Description This course provides hands on experience installing and configuring Windows Server 2008 to work with clients including Windows Vista. Students will perform full and core CD-based

More information

6 Months Training Module in MS SQL SERVER 2012

6 Months Training Module in MS SQL SERVER 2012 6 Months Training Module in MS SQL SERVER 2012 Module 1 Installing and Configuring Windows Server 2012 Installing and Managing Windows Server 2012 Windows Server 2012 Overview Installing Windows Server

More information

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Fundamentals of Windows Server 2008 Network and Applications Infrastructure COURSE OVERVIEW This five-day instructor-led course introduces students to network and applications infrastructure concepts and configurations provided by Window Server 2008. Students will be able to acquire

More information

Chapter 1: Windows Platform and Architecture. You will learn:

Chapter 1: Windows Platform and Architecture. You will learn: Chapter 1: Windows Platform and Architecture Windows 2000 product family. New features/facilities of. Windows architecture. Changes to the kernel and kernel architecture. New features/facilities. Kernel

More information

Part I. Windows XP Overview, Installation, and Startup COPYRIGHTED MATERIAL

Part I. Windows XP Overview, Installation, and Startup COPYRIGHTED MATERIAL Part I Windows XP Overview, Installation, and Startup COPYRIGHTED MATERIAL Chapter 1 What s New in Windows XP? Windows XP suffers somewhat from a dual personality. In some ways it is a significant release,

More information

Exam Questions

Exam Questions Exam Questions 70-685 Pro: Windows 7, Enterprise Desktop Support Technician https://www.2passeasy.com/dumps/70-685/ 1.Portable computer users report that they can use Internet Explorer to browse Internet

More information

Ebook : Overview of application development. All code from the application series books listed at:

Ebook : Overview of application development. All code from the application series books listed at: Ebook : Overview of application development. All code from the application series books listed at: http://www.vkinfotek.com with permission. Publishers: VK Publishers Established: 2001 Type of books: Develop

More information

RAP as a Service Active Directory Security: Prerequisites

RAP as a Service Active Directory Security: Prerequisites RAP as a Service Active Directory Security: Prerequisites This document explains the required steps to configure the RAP as a Service for Active Directory Security. There are two scenarios available to

More information

Chapter 6: Connecting Windows Workstations

Chapter 6: Connecting Windows Workstations Chapter 6: Connecting Windows Workstations 153 Chapter 6 Connecting Windows Workstations Because this is a book about using Linux on a Microsoft Windows-based network, this chapter shows you how to connect

More information

Privileged Identity App Launcher and Session Recording

Privileged Identity App Launcher and Session Recording Privileged Identity App Launcher and Session Recording 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

Designing and Implementing a Server 2012 Infrastructure

Designing and Implementing a Server 2012 Infrastructure Designing and Implementing a Server 2012 Infrastructure Course 20413C 5 Days Instructor-led, Hands-on Introduction This 5-day instructor-led course provides you with the skills and knowledge needed to

More information

Novell ZENworks Asset Management 7

Novell ZENworks Asset Management 7 Novell ZENworks Asset Management 7 w w w. n o v e l l. c o m July 2006 INSTALLATION GUIDE Table Of Contents 1. Installation Overview... 1 Upgrade/Update Matrix...1 Installation Choices...2 ZENworks Asset

More information

QuickBooks 2006 Network Installation Guide

QuickBooks 2006 Network Installation Guide QuickBooks 2006 Network Installation Guide Intuit 2/28/06 QuickBooks 2006 has a new way of managing company data that may require some changes in the way you install and configure the software for network

More information

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server Document ID: 112175 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Windows

More information

RAP as a Service for Exchange Server: Prerequisites

RAP as a Service for Exchange Server: Prerequisites RAP as a Service for Exchange Server: Prerequisites This document explains the required steps to configure the RAP as a Service for Exchange Server. There are two scenarios available to configure the assessment.

More information

COPYRIGHTED MATERIAL. Configuring, Deploying, and Troubleshooting Security Templates. Chapter MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

COPYRIGHTED MATERIAL. Configuring, Deploying, and Troubleshooting Security Templates. Chapter MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Chapter 1 Configuring, Deploying, and Troubleshooting Security Templates MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Configure security templates. Configure registry and file system permissions.

More information

Below is the list of Windows Server Group Policy Interview Questions Asked in Windows System Administrator / L1/l2/l3 Support Engineer Interviews.

Below is the list of Windows Server Group Policy Interview Questions Asked in Windows System Administrator / L1/l2/l3 Support Engineer Interviews. Below is the list of Windows Server Group Policy Interview Questions Asked in Windows System Administrator / L1/l2/l3 Support Engineer Interviews. What is group policy in active directory? What are Group

More information

M20742-Identity with Windows Server 2016

M20742-Identity with Windows Server 2016 M20742-Identity with Windows Server 2016 Course Number: M20742 Category: Technical Microsoft Duration: 5 days Certification: 70-742 Overview This five-day instructor-led course teaches IT Pros how to deploy

More information

Creating and Managing a Content Server Cluster

Creating and Managing a Content Server Cluster CHAPTER 10 This chapter describes the main features, system requirements, setup, and management of a Cisco TelePresence Content Server (TCS) cluster. To a user, a Content Server Cluster behaves exactly

More information

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2) Web 2 Policy Settings for (including SP1) and XP (including SP2) This document was written by Conan Kezema. and XP together introduce more than 270 new administrative template policy settings for you to

More information

Pharos Uniprint 9.0. Upgrade Guide. Document Version: UP90-Upgrade-1.0. Distribution Date: May 2014

Pharos Uniprint 9.0. Upgrade Guide. Document Version: UP90-Upgrade-1.0. Distribution Date: May 2014 Pharos Uniprint 9.0 Upgrade Guide Document Version: UP90-Upgrade-1.0 Distribution Date: May 2014 Pharos Systems International Suite 310, 80 Linden Oaks Rochester, New York 14625 Phone: 1-585-939-7000 US/Canada

More information

Configuring, Managing, and Maintaining Windows Server 2008 R2 Servers

Configuring, Managing, and Maintaining Windows Server 2008 R2 Servers Configuring, Managing, and Maintaining Windows Server 2008 R2 Servers Course 6419B - Five Days - Instructor-led - Hands on Introduction This five-day instructor-led course provides students with the knowledge

More information

Managing and Maintaining a Microsoft Windows Server 2003 Environment, Second Edition

Managing and Maintaining a Microsoft Windows Server 2003 Environment, Second Edition A01T622892.fm Page 1 Tuesday, March 28, 2006 11:01 PM MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Second Edition Dan Holme and

More information

Implementing Messaging Security for Exchange Server Clients

Implementing Messaging Security for Exchange Server Clients Implementing Messaging Security for Exchange Server Clients Objectives Scenario At the end of this lab, you will be able to: Protect e-mail messages using S/MIME signing and encryption Manage e-mail attachment

More information

Vendor: Microsoft. Exam Code: Exam Name: Administering Windows Server Version: Demo

Vendor: Microsoft. Exam Code: Exam Name: Administering Windows Server Version: Demo Vendor: Microsoft Exam Code: 70-411 Exam Name: Administering Windows Server 2012 Version: Demo DEMO QUESTION 1 You have a server named Server1 that runs Windows Server 2012 R2. You need to configure Server1

More information

C UNIT 4. Active Directory User Accounts

C UNIT 4. Active Directory User Accounts UN 4 Active irectory User Accounts 2005-2010 efinitions User individual granted access to the system with the following User properties Groups associated with the user Profile path Login script Home directory

More information

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE 1.0 Quest Enterprise Reporter Discovery Manager USER GUIDE 2012 Quest Software. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Microsoft Configuring, Managing and Maintaining Windows Server 2008

Microsoft Configuring, Managing and Maintaining Windows Server 2008 1800 ULEARN (853 276) www.ddls.com.au Microsoft 6419 - Configuring, Managing and Maintaining Windows Server 2008 Length 5 days Price $4290.00 (inc GST) Overview This five-day instructor-led course provides

More information

Configuring, Managing and Maintaining Windows Server 2008-based Servers (Course 6419)

Configuring, Managing and Maintaining Windows Server 2008-based Servers (Course 6419) Length: 5 Days About this Course This five-day instructor-led course provides students with the knowledge and skills that are required to manage accounts and resources, maintain server resources, monitor

More information

20742: Identity with Windows Server 2016

20742: Identity with Windows Server 2016 Course Content Course Description: This five-day instructor-led course teaches IT Pros how to deploy and configure Active Directory Domain Services (AD DS) in a distributed environment, how to implement

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

Microsoft Designing and Implementing a Server Infrastructure

Microsoft Designing and Implementing a Server Infrastructure 1800 ULEARN (853 276) www.ddls.com.au Microsoft 20413 - Designing and Implementing a Server Infrastructure Length 5 days Price $4290.00 (inc GST) Version C Overview Get hands-on instruction and practice

More information

METHODOLOGY This program will be conducted with interactive lectures, PowerPoint presentations, discussions and practical exercises.

METHODOLOGY This program will be conducted with interactive lectures, PowerPoint presentations, discussions and practical exercises. CENTER OF KNOWLEDGE, PATH TO SUCCESS Website: IDENTITY WITH WINDOWS SERVER 2016 Course 20742: 5 days; Instructor-Led INTRODUCTION This five-day instructor-led course teaches IT Pros how to deploy and configure

More information

MCSA Windows Server 2012

MCSA Windows Server 2012 MCSA Windows Server 2012 This Training Program prepares and enables learners to Pass Microsoft MCSA: Windows Server 2012 exams 1. MCSA: Windows Server 2012 / 70-410 Exam (Installing and Configuring Windows

More information

A+ Guide to Managing & Maintaining Your PC, 8th Edition. Chapter 17 Windows Resources on a Network

A+ Guide to Managing & Maintaining Your PC, 8th Edition. Chapter 17 Windows Resources on a Network Chapter 17 Windows Resources on a Network Objectives Learn how to support some client/server applications Learn how to share and secure files and folders on the network Learn how to troubleshoot network

More information

Identity with Windows Server 2016

Identity with Windows Server 2016 Identity with Windows Server 2016 Course 20742B - 5 Days - Instructor-led, Hands on Introduction This five-day instructor-led course teaches IT Pros how to deploy and configure Active Directory Domain

More information

EXAMGOOD QUESTION & ANSWER. Accurate study guides High passing rate! Exam Good provides update free of charge in one year!

EXAMGOOD QUESTION & ANSWER. Accurate study guides High passing rate! Exam Good provides update free of charge in one year! EXAMGOOD QUESTION & ANSWER Exam Good provides update free of charge in one year! Accurate study guides High passing rate! http://www.examgood.com Exam : 70-298 Title : Designing Security for a MS Windows

More information

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE

Quest Enterprise Reporter 2.0 Report Manager USER GUIDE Quest Enterprise Reporter 2.0 Report Manager USER GUIDE 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Laserfiche Rio 10.3: Deployment Guide. White Paper

Laserfiche Rio 10.3: Deployment Guide. White Paper Laserfiche Rio 10.3: Deployment Guide White Paper January 2018 Table of Contents How Laserfiche Licensing Works... 4 Types of Licenses... 4 Named User Licenses... 4 WebLink Public Portal Licenses... 6

More information

2272 : Implementing and Supporting Microsoft Windows XP Professional

2272 : Implementing and Supporting Microsoft Windows XP Professional 2272 : Implementing and Supporting Microsoft Windows XP Professional Introduction The purpose of this course is to address the implementation and desktop support needs of customers that are planning to

More information

Identity with Windows Server 2016

Identity with Windows Server 2016 Identity with Windows Server 2016 20742B; 5 days, Instructor-led Course Description This five-day instructor-led course teaches IT Pros how to deploy and configure Active Directory Domain Services (AD

More information

At Course Completion: Course Outline: Course 20742: Identity with Windows Server Learning Method: Instructor-led Classroom Learning

At Course Completion: Course Outline: Course 20742: Identity with Windows Server Learning Method: Instructor-led Classroom Learning Course Outline: Course 20742: Identity with Windows Server 2016 Learning Method: Instructor-led Classroom Learning Duration: 5.00 Day(s)/ 40 hrs Overview: This five-day instructor-led course teaches IT

More information

Extended Search Administration

Extended Search Administration IBM Lotus Extended Search Extended Search Administration Version 4 Release 0.1 SC27-1404-02 IBM Lotus Extended Search Extended Search Administration Version 4 Release 0.1 SC27-1404-02 Note! Before using

More information

Microsoft TS: Windows Server 2008 Applications Infrastructure, Configuration

Microsoft TS: Windows Server 2008 Applications Infrastructure, Configuration http://www.pass4sureofficial.com Microsoft TS: Windows Server 2008 Applications Infrastructure, Configuration dumpspdfcom is a reputable IT certification examination guide, study guides and audio exam

More information

Configuring Remote Access using the RDS Gateway

Configuring Remote Access using the RDS Gateway Configuring Remote Access using the RDS Gateway Author: AC, SNE Contents Introduction... 3 Pre-requisites... 3 Supported Operating Systems... 3 Installing the I.T. Services Certificate Authority Root Certificate...

More information

Course 20410D: Installing and Configuring Windows Server 2012

Course 20410D: Installing and Configuring Windows Server 2012 Sales 406/256-5700 Support 406/252-4959 Fax 406/256-0201 Evergreen Center North 1501 14 th St West, Suite 201 Billings, MT 59102 Course 20410D: Installing and Configuring Windows Server 2012 Course Specifications

More information

DESIGNING AND IMPLEMENTING A SERVER INFRASTRUCTURE

DESIGNING AND IMPLEMENTING A SERVER INFRASTRUCTURE Education and Support for SharePoint, Office 365 and Azure www.combined-knowledge.com COURSE OUTLINE DESIGNING AND IMPLEMENTING A SERVER INFRASTRUCTURE Microsoft Course Code 20413 About this course Get

More information

Installing and Configuring. Server Exam Ref. Craig Zacker. Windows

Installing and Configuring. Server Exam Ref. Craig Zacker. Windows Installing and Configuring Windows Server 2012 Exam Ref 70 410 Craig Zacker Sample Chapters Copyright 2012 by Craig Zacker All rights reserved. To learn more about this book visit: http://go.microsoft.com/fwlink/?linkid=272594

More information

Implementing Desktop Application Environments

Implementing Desktop Application Environments Implementing Desktop Application Environments Course # Exam: Prerequisites Technology: Delivery Method: Length: 20416 70-416 20415 Windows Server Instructor-led (classroom) 5 Days Overview About this Course

More information

One Identity Active Roles 7.2. Web Interface Administrator Guide

One Identity Active Roles 7.2. Web Interface Administrator Guide One Identity Active Roles 7.2 Web Interface Administrator Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Computer Networks Lab

Computer Networks Lab Computer Networks Lab Room: BB 219 Additional Information: http://ti.uni-due.de/ti/en/education/teaching/ss18/netlab 1. Practical Training: Network planning and installation of a file server 2. Practical

More information

Crystal Enterprise. Overview. Contents. Web Server Overview - Internet Information System (IIS)

Crystal Enterprise. Overview. Contents. Web Server Overview - Internet Information System (IIS) Overview Contents This document provides an overview to web server technology particularly Microsoft s Internet Information Server (IIS) and its relationship with. Although this article has been written

More information

Copyright 2010 Digiliant, LLC. All Rights Reserved.

Copyright 2010 Digiliant, LLC. All Rights Reserved. User s Guide Copyright 2010 Digiliant, LLC. All Rights Reserved. This User s Guide is provided AS-IS and Digiliant, LLC makes no warranty as to its accuracies or use. Any use of this documentation or the

More information

Configure advanced audit policies

Configure advanced audit policies 7 LESSON Configuring Advanced Audit Policies 70-411 EXAM OBJECTIVE Objective 2.4 Configure advanced audit policies. This objective may include but is not limited to: implement auditing using Group Policy

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide Copyright 2009 DataNet Quality Systems. All rights reserved. Printed in U.S.A. WinSPC and QualTrend are registered trademarks of DataNet Quality Systems. All other

More information

Windows 2000 System Administration Handbook, 1/e

Windows 2000 System Administration Handbook, 1/e Windows 2000 System Administration Handbook, 1/e Will Willis, Lewisville, Texas David Watts, Sugarland, Texas Tillman Strahan, Lewisville, Texas Copyright 2000, 721 pp. Paper format ISBN 0-13-027010-5

More information

Active Directory Change Notifier Quick Start Guide

Active Directory Change Notifier Quick Start Guide Active Directory Change Notifier Quick Start Guide Software version 3.0 General Information: info@cionsystems.com Online Support: support@cionsystems.com Copyright 2017 CionSystems Inc., All Rights Reserved

More information

Using the SSM Administration Console

Using the SSM Administration Console CHAPTER 6 Your user role controls whether you can access the SSM Administration Console. The following information is included in this section: SSM Administration Console Overview, page 6-1 Launching the

More information

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

Designing and Operating a Secure Active Directory.

Designing and Operating a Secure Active Directory. Designing and Operating a Secure Active Directory Introduction Gil Kirkpatrick, CTO, NetPro Architect of NetPro Active Directory products Author of Active Directory Programming from SAMS Founder of the

More information

Quick Start Guide. FactoryTalk Security System Configuration Guide

Quick Start Guide. FactoryTalk Security System Configuration Guide Quick Start Guide FactoryTalk Security System Configuration Guide Table of contents Preface About this publication... 9 Additional resources... 9 Chapter 1 About FactoryTalk systems About FactoryTalk

More information

Module 7: Implementing Sites to Manage Active Directory Replication

Module 7: Implementing Sites to Manage Active Directory Replication Module 7: Implementing Sites to Manage Active Directory Replication Contents Overview 1 Lesson: to Active Directory Replication 2 Lesson: Creating and Configuring Sites 14 Lesson: Managing Site Topology

More information

Microsoft Windows Server Administration Fundamentals. Download Full Version :

Microsoft Windows Server Administration Fundamentals. Download Full Version : Microsoft 98-365 Windows Server Administration Fundamentals Download Full Version : http://killexams.com/pass4sure/exam-detail/98-365 installation from a master computer to the destination computers. The

More information

NetExtender for SSL-VPN

NetExtender for SSL-VPN NetExtender for SSL-VPN Document Scope This document describes how to plan, design, implement, and manage the NetExtender feature in a SonicWALL SSL-VPN Environment. This document contains the following

More information

Exam Name: Implementing and Administering Security in

Exam Name: Implementing and Administering Security in Vendor: Microsoft Exam Code: 70-299 Exam Name: Implementing and Administering Security in a Windows Server 2003 Network Version: DEMO 1: You are a security administrator for your company. The network includes

More information

Course Outline. Installing and Configuring Windows Server 2012 R2 (Course & Lab)

Course Outline. Installing and Configuring Windows Server 2012 R2 (Course & Lab) Course Outline Installing and Configuring Windows Server 26 Dec 2017 Contents 1. Course Objective 2. Pre-Assessment 3. Exercises, Quizzes, Flashcards & Glossary Number of Questions 4. Expert Instructor-Led

More information