11 chapter 7: working with groups course 290:. assigning permissions in server 2003 for users to be...
TRANSCRIPT
11
Chapter 7:Chapter 7: WORKING WITH WORKING WITH GROUPSGROUPS
Course 290:
Assigning Permissions in Server Assigning Permissions in Server 20032003 For users to be able to access resources on
an Active Directory network, they must have the appropriate permissions.
Shared folders and drives, printers, and virtually all other resources on a network have an access control list (ACL).
An ACL is a list of objects that are permitted to access the resource, along with the degree of access that each object is permitted.
The objects in an ACL are referred to as security principals
Using Groups for permissionsUsing Groups for permissions
A group is simply a list of users that functions as a security principal.
In Active Directory, group objects can contain user objects, computers, contacts, and, under certain conditions, even other groups.
When you use a group object as a security principal by adding it to an ACL, all of the group’s members receive the permissions that you assigned to the group
UNDERSTANDING GROUPSUNDERSTANDING GROUPS
User RightsUser Rights
Groups also make it possible to assign user rights to multiple users at once.
In Windows Server 2003, rights are distinctly different from permissions.
A user right grants a user or group the ability to perform a particular system task, such as access the computer from the network, change the system time, or take ownership of files and other objects.
Groups vs. Group PoliciesGroups vs. Group Policies The structure of the Active Directory hierarchy
is a critical part of the domain user account creation process because rights and permissions granted to a container object are inherited by the objects they contain, including user objects
Group inheritance works the same: the members receive the settings assigned to the group.
The main difference between a group and a container is that the group is not restricted by the structure of the Active Directory tree. You can create groups with members
anywhere in the domain, and even in other domains, and grant them all privileges in one quick step.
GROUP POLICIESGROUP POLICIES
Group policies and groups are not related.
Group policies cannot be directly applied to a group.
A Group policy can only be applied to an Active Directory site, domain, or OU
DOMAIN FUNCTIONAL LEVELSDOMAIN FUNCTIONAL LEVELS
The Domain Functional Level determines the level of functionality used by Active Directory
The different versions of Windows have slightly different capabilities built into their Active Directory implementations. Each successive version has some new
features that are not usable when some of the domain controllers in a domain are running older versions of Windows
Changing the domain functional level informs the operating system that all of the domain controllers are compatible and that it is safe to activate the version-specific features The Functional level can be raised but not
lowered
DOMAIN FUNCTIONAL LEVELSDOMAIN FUNCTIONAL LEVELS Windows 2000 mixed
default functional level of a domain controller Supports universal distribution groups but not universal
security groups Global groups cannot have other groups as members
(group nesting). Windows 2000 native
Supports Server 2000 and 2003 Supports universal security and distribution groups. Allows groups to be members of other groups. Allows conversions between security groups and
distribution groups. Windows Server 2003 interim
Used only when upgrading domain controllers in Windows NT 4 domains to Windows Server 2003 domain controllers.
Windows Server 2003 Same as Server 2000 native, but only supports Server
2003
Managing the Functional Domain Managing the Functional Domain LevelLevel Use the Active Directory Domains And Trusts
console You cannot lower the functional level after you
raise it, except by reinstalling Active Directory on all of your domain controllers
Once the functional level is raised on that one domain controller, the change is replicated to all of the other domain controllers in the domain.
Local vs. Domain groupsLocal vs. Domain groups Windows Server 2003 supports local groups
and domain groups. A local group is a collection of local user
accounts on a particular computer. Local groups perform the same basic function
as all groups: they enable you to assign permissions to multiple users in one step.
Local groups are created using the Local Users And Groups snap-in, which is integrated into the Computer Management console
When you create a local group, the system stores it in the local Security Accounts Manager (SAM) database
Restrictions on LOCAL GROUPSRestrictions on LOCAL GROUPS You can use local groups only on the computer where
you create them.
Only local users from the same computer can be members of local groups.
When the computer is a member of a domain, local group members can include users and global groups from the domain or any trusted domain.
Local groups cannot have other local groups as members.
Local group permissions provide access only to resources on the computer where you created the local group.
You cannot create local groups on a Windows Server 2003 computer that is functioning as a domain controller.
ACTIVE DIRECTORY GROUPSACTIVE DIRECTORY GROUPS
Active Directory groups are characterized by their type and their scope
Types Security
Distribution
Scopes Local
Global
Universal
ACTIVE DIRECTORY GROUP TYPESACTIVE DIRECTORY GROUP TYPES Security Groups: used to assign access permissions
for network resources Membership depends on the type of security group
and the domain functional level.
Can also be used as a distribution group.
The most common type of group created and used in Active Directory.
Distribution Groups: Used to group users together for use by applications in non-security-related functions You use distribution groups when the only function of
the group is not security-related, such as sending e-mail messages to a group of users at the same time.
Can be used only by directory-aware applications
Can be converted to a security group
ACTIVE DIRECTORY GROUP SCOPESACTIVE DIRECTORY GROUP SCOPES
Group scopes define how permissions are assigned to the group members
The 3 Scope Levels are: Domain local
Global
Universal
DOMAIN LOCAL GROUPSDOMAIN LOCAL GROUPS Domain local groups are most often used to assign
access permissions to network resources, like printers or shared folders, in a single domain Available in all domain functional levels
Can only be used to assign permissions to resources in the domain where they are created
Permitted membership depends on domain functional level
In Windows 2000 mixed or Windows 2003 interim functional level, members can include user and computer accounts and global groups from any domain in the forest.
In Windows 2000 native or Windows Server 2003 functional
level, members can include user and computer accounts, global and universal groups from any domain in the forest, and other domain local groups from the same domain
GLOBAL GROUPSGLOBAL GROUPS Used to collect users or computers in the same domain
that share the same job, role, or function Global Groups are given access to network resources by
making the group a member of a Domain Local group Most commonly used to manage permissions for
directory objects, such as user and computer accounts, that require frequent maintenance.
More efficient than using Universal groups because they are not replicated outside of their domain. This minimizes the amount of replication traffic to the global catalog, Available in all functional levels Can include only members from within their domain Actual membership depends on domain functional level Can be granted access permissions to resources in any
domain in the forest, and in domains in other trusted forests
UNIVERSAL GROUPSUNIVERSAL GROUPS Used primarily to grant access to related resources in
multiple domains.
Generally used to consolidate groups that span multiple domains
To use universal groups effectively, the best practice is to create a global group in each domain, with user or computer accounts as members, and then make the global groups members of a universal group Available only in the Windows 2000 native and
Windows Server 2003 domain functional levels
Can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests
Can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members
NESTING GROUPSNESTING GROUPS
MMeemmbbeerrss AAlllloowweedd iinn WWiinnddoowwss 22000000MMiixxeedd oorr WWiinnddoowwss SSeerrvveerr 22000033IInntteerriimm FFuunnccttiioonnaall LLeevveell
MMeemmbbeerrss AAlllloowweedd iinn WWiinnddoowwss 22000000NNaattiivvee oorr WWiinnddoowwss SSeerrvveerr 22000033FFuunnccttiioonnaall LLeevveell
DomainLocal
User and computer accountsand global groups fromany domain
User and computer accounts,universal groups, and global groups
from any domain; other domainlocal groups from the same domain
Global User and computer accountsfrom the same domain
User and computer accounts andother global groups from the same
domain
Universal Not available User and computer accounts, otheruniversal groups, and global groups
from any domain
GGrroouupp SSccooppee
•Nesting Groups is the ability to make groups membersof other groups•a single level of nesting is sufficient for most networks
CONVERTING GROUPSCONVERTING GROUPS
TToo DDoommaaiinn LLooccaall TToo GGlloobbaall TToo UUnniivveerrssaall
FFrroomm DDoommaaiinnLLooccaall
Not applicable Not permitted Permitted only when thedomain local group does not
have other domain localgroups as members
FFrroomm GGlloobbaallNot permitted Not applicable Permitted only when the
global group is not a memberof another global group
FFrroomm UUnniivveerrssaallNo restrictions Permitted only when
the universal groupdoes not have otheruniversal groups asmembers
Not applicable
• In a domain using the Windows 2000 native or Windows Server 2003 functional level, you can convert groups to different scopes at any time
PLANNING GLOBAL AND DOMAIN PLANNING GLOBAL AND DOMAIN LOCAL GROUPSLOCAL GROUPS Step 1—Create domain local groups for
resources to be shared.
Step 2—Assign resource permissions to the domain local group.
Step 3—Create global groups for users with common job responsibilities.
Step 4—Add global groups that need access to resources to the appropriate domain local group.
WINDOWS SERVER 2003 DEFAULT WINDOWS SERVER 2003 DEFAULT GROUPSGROUPS1. Built-in local groups
2. Predefined Active Directory groups
3. Built-in Active Directory groups
4. Special identities
BUILT-IN LOCAL GROUPSBUILT-IN LOCAL GROUPS Built-in local groups give users the rights to perform
system tasks on a single computer backing up and restoring files, changing the system
time, and administering system resources
Some of these groups have default privileges granted to them through the assignment of user rights to the group Administrators, Backup Operators, Users, Power User,
Remote Desktop Users
Only on Windows Server 2003 standalone servers and member servers. Domain controllers do not have local groups (or local
users) because their SAM is converted for Active Directory use.
Located in the Groups folder in the Local Users And Groups snap-in.
BUILT-IN LOCAL GROUPSBUILT-IN LOCAL GROUPS
PREDEFINED ACTIVE DIRECTORY PREDEFINED ACTIVE DIRECTORY GROUPSGROUPS Predefined groups: security groups, most with a global scope,
that are intended to group together common types of domain user accounts.
By default, Windows Server 2003 automatically adds members to some predefined global groups. You can add user objects to these predefined groups to
provide additional users with the privileges and permissions assigned to the group
Created in the domain’s Users container Domain Admins, Domain Controllers, Domain Computers,
Domain users By default, they do not have any inherent rights or permissions
You can assign rights or permissions to them by adding the predefined global groups to domain local groups or by explicitly assigning rights or permissions to the predefined global groups.
By default some of the predefined Active Directory groups have privileges granted to them through the assignment of user rights. Domain Admins and Enterprise Admins ONLY
PREDEFINED ACTIVE DIRECTORY PREDEFINED ACTIVE DIRECTORY GROUPSGROUPS
BUILT-IN ACTIVE DIRECTORY BUILT-IN ACTIVE DIRECTORY GROUPSGROUPS Every Active Directory domain has a Built-in
container in which the system creates a series of security groups, all of which have a domain local scope.
The Built-In groups provide users with user rights and permissions to perform tasks on domain controllers and in the Active Directory tree.
Built-in domain local groups provide predefined rights and permissions to user accounts when you add user objects or global groups as members. Account Operators, Administrators, Users,
Guests
BUILT-IN ACTIVE DIRECTORY BUILT-IN ACTIVE DIRECTORY GROUPSGROUPS
SPECIAL IDENTITIESSPECIAL IDENTITIES Special identities exist on all computers
running Windows Server 2003. These are not really groups because you
cannot create them, delete them, or directly modify their memberships.
They are like placeholders for one or more users Special identities do not appear in the Local
Users And Groups snap-in or the Active Directory Users and Computers console
You can use them like groups, by adding them to the ACLs of system and network resources
Examples: Everyone, Authenticated Users, Creator Owner
SPECIAL IDENTITIESSPECIAL IDENTITIES
CREATING LOCAL GROUPSCREATING LOCAL GROUPS
WORKING WITH ACTIVE DIRECTORY WORKING WITH ACTIVE DIRECTORY GROUPSGROUPS Active Directory Users and Computers
console: Create security groups
Manage group membership
Nest groups
Change group types and scopes
Delete a group
CREATING SECURITY GROUPSCREATING SECURITY GROUPS
•The Active Directory Users and Groups console letsyou create group objects anywhere you want•Groups should always be created in an OU so that you can assign user rights to them
NESTING GROUPSNESTING GROUPS
Both groups must be created separately, and then one is made a member of the other.
Possible nestings depend on the domain functional level and scope type.
Observe rules on group nesting.
CHANGING GROUP TYPES AND CHANGING GROUP TYPES AND SCOPESSCOPES
DELETING A GROUPDELETING A GROUP
Deletes only the group object, not the members of the group.
Deletes the SID for the group. The SID cannot be re-created.
Removes ACL entries for the group – all permissions for that group are deleted and are NOT restore even if you make a new group with the same name
AUTOMATING GROUP AUTOMATING GROUP MANAGEMENTMANAGEMENT
The following command-line utilities can be used in scripts and batch files to automate group management: Dsadd.exe: Used to create new group
objects
Dsmod.exe: Used to configure existing group objects
Dsget.exe: Used to locate groups in Active Directory
CREATING GROUP OBJECTS WITH CREATING GROUP OBJECTS WITH DSADD.EXEDSADD.EXE Allows groups to be created from a command
line Useful when scripting group creation for large
numbers of groups Can be used only to create new groups, not
modify existing groups Syntax:
dsadd group GroupDN [parameters] Ex: Create a new group called Sales in the
Users container and make the Administrator user a member dsadd group "CN=Sales,CN=Users,DC=contoso,DC=com" –
member "CN=Administrator,CN=Users,DC=contoso,DC=com"
MANAGING GROUP OBJECTS WITH MANAGING GROUP OBJECTS WITH DSMOD.EXEDSMOD.EXE
Can be used to configure group objects, including: Setting the group scope
Adding and removing individual group members
Replacing the entire group membership
Syntax: dsmod group GroupDN [parameters]
Example: Add the Administrator user to the Guests group dsmod group
"CN=Guests,CN=Builtin,DC=contoso,DC=com" –addmbr "CN=Administrator,CN=Users,DC=contoso,DC=com"
FINDING OBJECTS WITH DSGET.EXEFINDING OBJECTS WITH DSGET.EXE
Command-line utility
Used to locate and show information on an object
Cannot be used to create, modify, or delete an object
Syntax: dsget objectclass ObjectDN [parameters]
Example: Display a list of the groups of which a user is a member dsget user
"CN=Administrator,CN=Users,DC=contoso,DC=com" -memberof