
Module 3: Managing Groups

Overview

Creating Groups
Managing Group Membership
Strategies for Using Groups
Using Default Groups
Lesson: Creating Groups

What Are Groups?


What Are Domain Functional Levels?
What Are Global Groups?
What Are Universal Groups?
What Are Domain Local Groups?
What Are Local Groups?
Guidelines for Creating and Naming Groups
Who Can Create Groups?
Practice: Creating Groups
What Are Groups?

Groups simplify administration by enabling you to assign permissions for resources

Groups are characterized by scope and type

Group type: Description
Security: Used to assign user rights and permissions; can be used as an e-mail distribution list
Distribution: Can be used only with e-mail applications; cannot be used to assign permissions
What Are Domain Functional Levels?

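Domain functional level: Windows 2000 mixed (default)
  Domain controllers supported: Windows NT Server 4.0, Windows 2000, Windows Server 2003
  Group scopes supported: Global, domain local

Domain functional level: Windows 2000 native
  Domain controllers supported: Windows 2000, Windows Server 2003
  Group scopes supported: Global, domain local, universal

Domain functional level: Windows Server 2003
  Domain controllers supported: Windows Server 2003
  Group scopes supported: Global, domain local, universal

Domain functional level: Windows Server 2003 interim
  Domain controllers supported: Windows NT Server 4.0, Windows Server 2003
  Group scopes supported: Global, domain local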
What Are Global Groups?

Global group rules

Membership can include:
  Mixed functional level: User and computer accounts from same domain
  Native functional level: User and computer accounts and global groups from same domain
Can be a member of:
  Mixed functional level: Domain local groups
  Native functional level: Universal and domain local groups in any trusting domain and global groups in the same domain
Scope: Visible in its own domain and all trusting domains
Permissions: All domains in the forest and trusting domains
What Are Universal Groups?

Universal group rules

Membership can include:
  Mixed functional level: Not applicable
  Native functional level: User accounts, global groups, and universal groups from any domain in the forest
Can be a member of:
  Mixed functional level: Not applicable
  Native functional level: Domain local or universal groups in any domain
Scope: Visible in all domains in the forest and all trusting domains
Permissions: All domains in the forest and all trusting domains


What Are Domain Local Groups?

Domain local group rules

Membership can include:
  Mixed functional level and Windows interim 2003: User and computer accounts and global groups from any trusted domain
  Native functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain
Can be a member of:
  Mixed functional level and Windows interim 2003: None
  Native functional level: Domain local groups in the same domain
Scope: Visible only in its own domain
Permissions: Domain to which the domain local group belongs
What Are Local Groups?

Local group rules

Membership can include: Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains
Can be a member of: Not applicable


Guidelines for Creating and Naming Groups

Create groups in organizational units by using the following naming considerations:
Naming conventions for security groups
• Incorporate the scope in the group name
• Should reflect the group ownership
• Use a descriptor to identify the assigned permissions
Naming conventions for distribution groups
• Use short alias names
• Do not include a user’s alias name in the display name
• Allow a maximum of five co-owners of a single distribution group
Who Can Create Groups?

In the domain:
• Account Operators group
• Domain Admins group
• Enterprise Admins group
• Or users with appropriate delegated authority
On the local computer:
• Power Users group
• Administrators group on the local computer
• Or users with appropriate delegated authority
Practice: Creating Groups

In this practice, you will:

Create groups by using Active Directory Users and Computers
Create groups by using the dsadd command-line tool
Lesson: Managing Group Membership

Determining Group Membership


Adding and Removing Members from a Group
Practice: Managing Group Membership
Determining Group Membership

Group or team: Tom, Jo, and Kim
  Member Of: G Denver Admins

Global group: G Denver Admins
  Members: Tom, Jo, Kim
  Member Of: DL OU Admins

Group or team: Sam, Scott, and Amy
  Member Of: G Vancouver Admins

Global group: G Vancouver Admins
  Members: Sam, Scott, Amy
  Member Of: DL OU Admins

Domain local group: DL OU Admins
  Members: G Denver Admins, G Vancouver Admins
  Member Of: N/A
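The membership table above, expanded into effective membership. This is an added example, not part of the course material: it resolves who ends up in DL OU Admins through nesting and records the path, which is what an access review of a domain local group needs. The function names are hypothetical.

```python
# Added example. Direct membership copied from the table above
# (group name -> direct members).
MEMBERS = {
    "G Denver Admins": ["Tom", "Jo", "Kim"],
    "G Vancouver Admins": ["Sam", "Scott", "Amy"],
    "DL OU Admins": ["G Denver Admins", "G Vancouver Admins"],
}

def effective_members(group, members=MEMBERS, path=()):
    """Map each account that ends up in `group` to the nesting path that
    put it there. Groups already on the path are skipped, so a circular
    nesting cannot loop forever."""
    if group in path:
        return {}
    here = path + (group,)
    result = {}
    for member in members.get(group, []):
        if member in members:  # the member is itself a group: recurse
            nested = effective_members(member, members, here)
            for account, via in nested.items():
                result.setdefault(account, via)
        else:  # the member is an account
            result.setdefault(member, here)
    return result

def member_of(account, members=MEMBERS):
    """Every group the account belongs to, directly or through nesting."""
    return sorted(g for g in members
                  if account in effective_members(g, members))

if __name__ == "__main__":
    for account, via in sorted(effective_members("DL OU Admins").items()):
        print(account, "via", " > ".join(via))
    print("Sam is a member of:", member_of("Sam"))
```

Permissions granted to DL OU Admins reach all six accounts even though none of them is a direct member, so a review that reads only the Members tab of the domain local group misses them.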
Adding and Removing Members from a Group

Group membership can be modified by using Active Directory Users and Computers or the dsmod command
Practice: Managing Group Membership

In this practice, you will:


Determine a user’s group membership
Add users to global groups
Add global groups to domain local groups
Lesson: Strategies for Using Groups

Multimedia: Strategy for Using Groups in a Single Domain
What Is Group Nesting?
Group Strategies
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Practice: Nesting Groups and Creating Universal Groups
Modifying the Scope or Type of a Group
Why Assign a Manager to a Group?
Practice: Changing the Scope and Assigning a Manager to a Group
Multimedia: Strategy for Using Groups in a Single Domain

This presentation explains the A G DL P strategy for using groups
What Is Group Nesting?

Group nesting means adding a group as a member of another group

Nest groups to consolidate group management


Nesting options depend on the domain functional level
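The nesting rules from the scope tables in this module, written as a check that can be run over a planned group structure. This is an added example, not part of the course material: the function names, the domain names "contoso" and "asia", and the reduction of member origin to "same domain" or "any allowed domain" are assumptions made for illustration.

```python
# Added example. Rules transcribed from the group-scope tables in this module.
# "same" = member must be in the group's own domain; "any" = any domain the
# table allows (forest or trusted). Origin is simplified to these two values.
RULES = {
    "mixed": {
        "global": {"account": "same"},
        "domain_local": {"account": "any", "global": "any"},
        # universal scope is "Not applicable" at mixed functional level
    },
    "native": {
        "global": {"account": "same", "global": "same"},
        "universal": {"account": "any", "global": "any", "universal": "any"},
        "domain_local": {"account": "any", "global": "any",
                         "universal": "any", "domain_local": "same"},
    },
}

def can_add(level, group_scope, group_domain, member_kind, member_domain):
    """Return (allowed, reason) for adding one member to one group."""
    scopes = RULES[level]
    if group_scope not in scopes:
        return False, f"{group_scope} scope is not available at {level} level"
    origin = scopes[group_scope].get(member_kind)
    if origin is None:
        return False, f"{group_scope} group cannot contain {member_kind} at {level} level"
    if origin == "same" and member_domain != group_domain:
        return False, f"{member_kind} must be in the {group_scope} group's own domain"
    return True, "allowed"

def audit(level, edges):
    """Return (edge, reason) for every planned nesting that breaks the rules."""
    findings = []
    for edge in edges:
        ok, reason = can_add(level, *edge)
        if not ok:
            findings.append((edge, reason))
    return findings

# Constructed plan: (group scope, group domain, member kind, member domain).
PLAN = [
    ("global", "contoso", "account", "contoso"),
    ("global", "contoso", "global", "contoso"),
    ("universal", "contoso", "global", "asia"),
    ("domain_local", "contoso", "universal", "asia"),
    ("global", "contoso", "account", "asia"),
]

if __name__ == "__main__":
    for level in ("mixed", "native"):
        for edge, reason in audit(level, PLAN):
            print(level, edge, "->", reason)
```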
Group Strategies

[Figure: group strategies]
Legend: A = User Accounts, G = Global Groups, U = Universal Groups, DL = Domain Local Groups, L = Local Groups, P = Permissions
Group strategies: A G P, A G DL P, A G U DL P, A G L P
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Example 1
Northwind Traders has a single domain that is located in Paris, France. Northwind Traders has managers that need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?

Place all of the managers in a global group.
Create a domain local group for Inventory database access.
Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database.

Example 2
Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration?

Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
Place the Accounting Division global group into the domain local group so that users can access the accounting data.
Create a domain local group called Accounting Data.
Grant this group appropriate permission for the accounting data resources file.

Example 3
Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain.

Make sure that your network is running in native functional level.
Practice: Nesting Groups and Creating Universal Groups

In this practice, you will:

Create the Contoso Managers global group
Nest the departmental Managers global groups into G Contoso Managers
Create an Enterprise Managers universal group
Examine the Members and Member Of properties
Modifying the Scope or Type of a Group

Changing group scope
• Global to universal
• Domain local to universal
• Universal to global
• Universal to domain local
Changing group type
• Security to distribution
• Distribution to security
Why Assign a Manager to a Group?

Enables you to:
• Track who is responsible for groups
• Delegate to the manager of the group the authority to add and remove users
• Distribute the administrative responsibility to the people who request the group
Practice: Changing the Scope and Assigning a Manager to a Group

In this practice, you will:

Create a global group and change the scope to universal
Assign a manager to the group
Test the group manager properties
Lesson: Using Default Groups

Default Groups on Member Servers


Default Groups in Active Directory
When to Use Default Groups
Security Considerations for Default Groups
System Groups
Class Discussion: Using Default Groups vs. Creating New Groups
Best Practices for Managing Groups
Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups

Default groups are:
• Created during the installation of the operating system or when services are added
• Automatically assigned a set of user rights
Use default groups to:
• Control access to shared resources
• Delegate specific domain-wide administration
Security Considerations for Default Groups

Place a user in a default group when you are sure that you
want to give the user all the user rights and permissions
assigned to that group in Active Directory; otherwise, create
a new security group
As a security best practice, members of default groups
should use Run as
System Groups

System groups represent different users at different times
You can grant user rights and permissions to system groups,
but you cannot modify or view the memberships
Group scopes do not apply to system groups
Users are automatically assigned to system groups
whenever they log on or access a particular resource
Class Discussion: Using Default Groups vs. Creating New Groups

Contoso, Ltd., has over 100 servers across the world.


You must determine:
The current tasks that administrators must perform and
what minimum level of access users need to perform
specific tasks
Whether you can use default groups or must create
groups and assign specific user rights or permissions to
the groups
Best Practices for Managing Groups

Create groups based on administrative needs

Add user accounts to the group that is most restrictive

Use the default group when possible instead of creating a new group

Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions

Limit the number of users in the Administrators group

Lab: Creating and Managing Groups

In this lab, you will:


Create global and domain local groups
Manage group membership
Manage default groups
