  1. Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts
  2. Objectives <ul><li>Understand the purpose of using group accounts to simplify administration </li></ul><ul><li>Create group objects using both graphical and command-line tools </li></ul><ul><li>Manage security groups and distribution groups </li></ul><ul><li>Explain the purpose of the built-in groups created when Active Directory is installed </li></ul><ul><li>Create and manage computer accounts </li></ul>
  3. Introduction to Group Accounts <ul><li>A group is a container object </li></ul><ul><ul><li>Used to organize collections of users, computers, contacts, other groups </li></ul></ul><ul><ul><li>Used to simplify administration </li></ul></ul><ul><li>Similar to Organizational Units except </li></ul><ul><ul><li>OUs are not security principals, groups are </li></ul></ul><ul><ul><li>OUs can only contain objects from their parent domain, groups can contain objects from within forest </li></ul></ul>
  4. Group Types <ul><li>Security groups </li></ul><ul><ul><li>Security-enabled: the group's Security Identifier (SID) is placed in the access token of every member at logon </li></ul></ul><ul><ul><li>Can be assigned permissions for resources </li></ul></ul><ul><ul><ul><li>In discretionary access control lists (DACLs) </li></ul></ul></ul><ul><ul><li>Can be assigned rights to perform different tasks </li></ul></ul><ul><ul><li>Can also be used as e-mail entities </li></ul></ul><ul><li>Distribution groups </li></ul><ul><ul><li>Primarily used as e-mail entities </li></ul></ul><ul><ul><li>Not security-enabled: the group object still has a SID, but it is never placed in an access token, so the group cannot be used in a DACL or be granted rights (this is also why converting a group's type later keeps its SID) </li></ul></ul>
  5. Group Scopes <ul><li>Scope refers to logical boundary of permissions to specific resources </li></ul><ul><li>Both Security and Distribution Groups have scopes </li></ul><ul><li>Three scopes </li></ul><ul><ul><li>Objects possible within each scope dependent on configured functional level of a domain </li></ul></ul><ul><ul><li>Scope types are global, domain local, and universal </li></ul></ul>
  6. Group Scopes (continued) <ul><li>Three domain functional levels: </li></ul><ul><ul><li>Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, 2000 Server, and Server 2003 domain controllers </li></ul></ul><ul><ul><li>Windows 2000 native: supports a combination of Windows 2000 Server and Server 2003 domain controllers </li></ul></ul><ul><ul><li>Windows Server 2003: supports Windows Server 2003 domain controllers only </li></ul></ul>
  7. Global Groups <ul><li>Organize groups of users, computers, groups within the same domain </li></ul><ul><li>Usually represents a geographic location or job function group </li></ul><ul><li>Types of objects in group related to configured functional level of the domain </li></ul><ul><ul><li>Depends on the types of domain controllers in environment </li></ul></ul>
  8. Domain Local Groups <ul><li>Created on domain controllers </li></ul><ul><li>Can be assigned rights and permissions to any resource within the same domain </li></ul><ul><li>Can contain groups from other domains </li></ul><ul><li>Specific objects allowed in group related to configured functional level of the domain </li></ul>
  9. Universal Groups <ul><li>Typically created to aggregate users or groups in different domains </li></ul><ul><li>Membership is replicated to every domain controller configured as a global catalog server, so a membership change in a large universal group causes forest-wide replication </li></ul><ul><li>Can be assigned rights and permissions for any resource within a forest </li></ul><ul><li>Universal security groups can only be created at the Windows 2000 native or Windows Server 2003 domain functional level; universal distribution groups are allowed at Windows 2000 mixed as well </li></ul>
  10. Universal Groups (continued)
  11. Creating Group Objects <ul><li>Group objects are stored in Active Directory database </li></ul><ul><li>Variety of tools can be used for creation and management </li></ul><ul><ul><li>Active Directory Users and Computers </li></ul></ul><ul><ul><li>Command-line utilities </li></ul></ul><ul><ul><ul><li>DSADD, DSMOD, DSQUERY, etc. </li></ul></ul></ul>
  12. Active Directory Users and Computers <ul><li>Primary tool </li></ul><ul><ul><li>To create group accounts </li></ul></ul><ul><ul><li>Can also be used to configure properties of group accounts </li></ul></ul><ul><li>Groups can be created in any built-in container, at the root of the domain object, or in custom OU objects </li></ul><ul><li>Possible group scopes are determined by the domain functional level </li></ul>
  13. Active Directory Users and Computers (continued)
  14. Activity 4-1: Creating and Adding Members to Global Groups <ul><li>Objective: Use Active Directory Users and Computers to create global groups </li></ul><ul><li>Start → Administrative Tools → Active Directory Users and Computers → Users container → New → Group </li></ul><ul><li>Follow directions to create several global groups and add user accounts to the groups </li></ul>
  15. Activity 4-1 (continued)
  16. Activity 4-2: Creating and Adding Members to Domain Local Groups <ul><li>Objective: Use Active Directory Users and Computers to create domain local groups </li></ul><ul><li>Active Directory → Users → New → Group </li></ul><ul><li>Follow directions to create new Domain Local groups and add global groups to them </li></ul>
  17. Activity 4-3: Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups <ul><li>Objective: Change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal groups </li></ul><ul><li>Open your domain object in Active Directory Users and Computers </li></ul>
  18. Activity 4-3 (continued)
  19. Activity 4-3 (continued) <ul><li>Follow directions to raise the functional level of your domain to Windows Server 2003 </li></ul><ul><li>Continue the exercise to create a new universal group </li></ul><ul><li>Continue the exercise to add existing groups to the new group </li></ul>
  20. Activity 4-3 (continued)
  21. Converting Group Types <ul><li>May need to change a security group to a distribution group or vice versa </li></ul><ul><li>Type of group can only be changed if domain functional level is Windows 2000 native or above </li></ul>
  22. Activity 4-4: Converting Group Types <ul><li>Objective: Use Active Directory Users and Computers to change group types </li></ul><ul><li>Follow directions to create a new global group with distribution type </li></ul><ul><li>Verify type of new group </li></ul><ul><li>Continue exercise to change type to security and to verify the change </li></ul>
  23. Activity 4-4 (continued)
  24. Activity 4-4 (continued)
  25. Converting Group Scopes <ul><li>Scope of a group can be changed </li></ul><ul><li>Domain functional level must be at least Windows 2000 native </li></ul><ul><li>Supported changes, and the condition each one is checked against </li></ul><ul><ul><li>Global to universal: only if the group is not itself a member of another global group </li></ul></ul><ul><ul><li>Domain local to universal: only if the group does not contain another domain local group </li></ul></ul><ul><ul><li>Universal to global: only if the group does not contain another universal group </li></ul></ul><ul><ul><li>Universal to domain local: no restriction </li></ul></ul><ul><li>Global to domain local, or the reverse, is not a direct change: convert to universal first, then to the target scope </li></ul>
  26. Activity 4-5: Converting Group Scopes <ul><li>Objective: Use Active Directory Users and Computers to change group scopes </li></ul><ul><li>Follow directions to create a new global group </li></ul><ul><li>Add a member group </li></ul><ul><li>Note restrictions and warnings that follow from group scope structure as described in exercise </li></ul><ul><li>Change the scope of the group to universal </li></ul>
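The type and scope changes of Activities 4-4 and 4-5 done from the command line, as an added example that is not part of the course material. It uses the dsmod and dsget utilities covered later in the chapter, and the group name CN=Sales Reports,OU=Groups,DC=example,DC=local is a placeholder. The point of the script is the check before the global-to-universal conversion: dsmod simply refuses the change when the group is nested inside another global group, so the script walks the group's parents first and reports which one blocks it.

```batch
@echo off
setlocal
rem Added example, not from the course text. Placeholder group DN; substitute your own.
set "GRP=CN=Sales Reports,OU=Groups,DC=example,DC=local"

rem 1. Current type and scope. dsget prints yes/no for -secgrp and the scope name.
dsget group "%GRP%" -secgrp -scope

rem 2. Distribution -> security. Needs Windows 2000 native or higher; the SID
rem    is kept, so the group can be placed on DACLs immediately afterwards.
dsmod group "%GRP%" -secgrp yes
if errorlevel 1 (
    echo Type change failed. Check the domain functional level.
    exit /b 1
)

rem 3. Global -> universal is refused if the group is nested inside another
rem    global group. Walk the parents with -memberof and test each one's scope
rem    before attempting the change, so the failure is explained, not guessed.
rem    findstr keeps only the quoted DN lines of the dsget output.
set "BLOCKED="
for /f "usebackq delims=" %%P in (`dsget group "%GRP%" -memberof ^| findstr /i /c:"CN="`) do (
    dsget group %%P -scope | findstr /i "global" >nul && set "BLOCKED=%%~P"
)
if defined BLOCKED (
    echo Cannot convert to universal: "%GRP%" is a member of global group "%BLOCKED%".
    echo Remove it from that group first, or convert that group to universal.
    exit /b 1
)
dsmod group "%GRP%" -scope u
if errorlevel 1 (
    echo Scope change failed.
    exit /b 1
)

rem 4. Universal -> domain local has no restriction; universal -> global is
rem    refused if the group contains another universal group. Global -> domain
rem    local is never direct: it has to pass through universal.
dsget group "%GRP%" -secgrp -scope
endlocal
```

Run it on a domain controller, or on a workstation with the Windows Server 2003 Administration Tools Pack installed, as a user with permission to modify the group.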
  27. Command Line Utilities <ul><li>An alternative to Active Directory Users and Computers </li></ul><ul><ul><li>Some administrators have a preference for command-line utilities </li></ul></ul><ul><ul><li>Command-line utilities are more flexible for group management and creation in some situations </li></ul></ul>
  28. DSADD <ul><li>Introduced in Windows Server 2003 </li></ul><ul><li>Used to create new objects (users, groups, computers, contacts, OUs) from the command line </li></ul><ul><li>Syntax for groups is </li></ul><ul><ul><li>dsadd group group-dn switches </li></ul></ul><ul><li>Switches include: -secgrp yes|no (security or distribution), -scope l|g|u (domain local, global, universal), -samid, -desc, -memberof, -members </li></ul><ul><li>More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line (dsadd group /?) </li></ul>
  29. DSADD (continued)
  30. Activity 4-6: Creating Groups Using DSADD <ul><li>Objective: Use the DSADD GROUP command to add groups of different types and scopes </li></ul><ul><li>Follow directions to execute dsadd group command to create a new global group </li></ul><ul><li>Verify group creation with Active Directory Users and Computers </li></ul><ul><li>Create a domain local group with members using dsadd group and verify that group was properly created </li></ul>
  31. DSMOD <ul><li>Also introduced in Windows Server 2003 </li></ul><ul><li>Allows various object types to be modified from the command line </li></ul><ul><li>Syntax for groups is </li></ul><ul><ul><li>dsmod group group-dn switches </li></ul></ul><ul><li>Switches include: -desc, -addmbr, -rmmbr, -chmbr (replace the whole member list), and the same -secgrp and -scope switches as dsadd, which perform the type and scope conversions of Activities 4-4 and 4-5 </li></ul><ul><li>More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line </li></ul>
  32. DSMOD (continued)
  33. Activity 4-7: Modifying Groups Using DSMOD <ul><li>Objective: Use the DSMOD GROUP command to modify group accounts </li></ul><ul><li>Follow directions to execute dsmod group command to add a description to an existing group </li></ul><ul><li>Verify modification with Active Directory Users and Computers </li></ul><ul><li>Modify group by adding and removing members and verify changes </li></ul>
  34. DSQUERY <ul><li>Also introduced in Windows Server 2003 </li></ul><ul><li>Used to find objects of a given type from the command line; returns the distinguished names of the matches, one per line, in quotes </li></ul><ul><li>Syntax for groups is </li></ul><ul><ul><li>dsquery group [start-node | domainroot | forestroot] [-name pattern] [-desc text] [-samid name] [-limit n] </li></ul></ul><ul><li>Supports wildcard character (*) in -name, -desc and -samid </li></ul><ul><li>Returns at most 100 objects by default; -limit 0 returns all matches </li></ul><ul><li>dsquery * with -filter accepts any LDAP filter for conditions the group-specific switches cannot express </li></ul><ul><li>Output can be piped as input to other command-line tools (dsget, dsmod, dsmove, dsrm) </li></ul><ul><li>More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line </li></ul>
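A group inventory built with dsquery, as an added example that is not part of the course material. It makes the type and scope distinctions from the Group Types and Group Scopes slides concrete: both are stored in the single groupType attribute, so a bitwise LDAP filter can separate security groups from distribution groups and sort them by scope, and the plain dsquery group form is then piped into dsget as the slide describes. The script runs against the domain of the machine it is executed on; the output file name is a placeholder.

```batch
@echo off
setlocal
rem Added example, not from the course text. Output file is a placeholder.
set "OUT=%TEMP%\group-inventory.txt"

rem groupType is a bit mask: 0x80000000 = security-enabled, 0x2 = global,
rem 0x4 = domain local, 0x8 = universal. The LDAP matching rule
rem 1.2.840.113556.1.4.803 is a bitwise AND, so each clause tests one bit.
set "AND=groupType:1.2.840.113556.1.4.803:="
set "SEC=(%AND%2147483648)"
set "GLOBAL=(%AND%2)"
set "DLOCAL=(%AND%4)"
set "UNIV=(%AND%8)"

rem Security groups by scope. -limit 0 lifts the default cap of 100 results.
> "%OUT%" echo === Security groups: global ===
>> "%OUT%" dsquery * domainroot -limit 0 -filter "(&(objectCategory=group)%SEC%%GLOBAL%)" -attr distinguishedName
>> "%OUT%" echo === Security groups: domain local ===
>> "%OUT%" dsquery * domainroot -limit 0 -filter "(&(objectCategory=group)%SEC%%DLOCAL%)" -attr distinguishedName
>> "%OUT%" echo === Security groups: universal ===
>> "%OUT%" dsquery * domainroot -limit 0 -filter "(&(objectCategory=group)%SEC%%UNIV%)" -attr distinguishedName

rem Distribution groups: the security bit is clear, so none of these can
rem appear on a DACL no matter what scope they have.
>> "%OUT%" echo === Distribution groups ===
>> "%OUT%" dsquery * domainroot -limit 0 -filter "(&(objectCategory=group)(!%SEC%))" -attr distinguishedName sAMAccountName groupType

rem The wildcard form from the slide, piped into dsget: every group whose
rem name starts with Sales, with type and scope decoded by dsget.
>> "%OUT%" echo === Sales* groups: type and scope ===
dsquery group domainroot -limit 0 -name "Sales*" | dsget group -dn -secgrp -scope >> "%OUT%"

type "%OUT%"
endlocal
```

The universal security group list is the one worth reading first: every membership change in those groups replicates to every global catalog in the forest, and they are the only groups that can carry permissions across domain boundaries.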
  35. DSMOVE <ul><li>Used to move or rename various object types from the command line </li></ul><ul><li>Unlike dsadd, dsmod and dsget, it takes no object type; syntax is the same for groups as for any other object </li></ul><ul><ul><li>dsmove object-dn [-newparent parent-dn] [-newname new-name] </li></ul></ul><ul><li>Can only move objects within a single domain; moving an object to another domain requires Movetree from the Windows Support Tools </li></ul><ul><li>More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line </li></ul>
  36. DSRM <ul><li>Used to delete various object types from the command line </li></ul><ul><li>Takes no object type; syntax is the same for groups as for any other object </li></ul><ul><ul><li>dsrm object-dn [-noprompt] [-subtree [-exclude]] </li></ul></ul><ul><li>-noprompt suppresses the confirmation prompt; -subtree deletes the object and everything beneath it, so use it with care </li></ul><ul><li>Deleting a group destroys its SID: a group recreated with the same name gets a new SID, and every DACL entry that referenced the old group is left pointing at an unresolvable SID </li></ul><ul><li>More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command line </li></ul>
  37. Managing Security Groups <ul><li>Strategy for managing security groups uses acronym A G U DL P: </li></ul><ul><ul><ul><li>Create user Accounts (A) and organize them within Global groups (G) </li></ul></ul></ul><ul><ul><ul><li>Optional: Create Universal groups (U) and place global groups from any domain in universal groups </li></ul></ul></ul><ul><ul><ul><li>Create Domain Local groups (DL) and add global and universal groups </li></ul></ul></ul><ul><ul><ul><li>Assign Permissions (P) to the domain local groups </li></ul></ul></ul>
  38. Determining Group Membership <ul><li>Important task for administrators is to ensure that users are members of correct groups </li></ul><ul><li>One method is via Member Of tab in the properties of a user account </li></ul><ul><ul><li>Only shows first level of groups (not groups of groups), so it understates what the user can actually access </li></ul></ul><ul><li>Second method is to use DSGET </li></ul><ul><li>Returns attribute values of an object; reads distinguished names from the command line or, when piped from dsquery, from standard input </li></ul>
  39. Determining Group Membership (continued) <ul><li>Syntax is </li></ul><ul><ul><li>dsget group group-dn switches </li></ul></ul><ul><li>Switches include: -members, -memberof; add -expand to either one to follow nested groups recursively </li></ul><ul><li>Can also be used as dsget user user-dn -memberof [-expand] to get the first-level or the effective membership of a specific user </li></ul><ul><li>Output can be redirected to a file (&gt; overwrites the file, &gt;&gt; appends to it): </li></ul><ul><ul><li>dsget group group-dn -members -expand &gt;&gt; filename </li></ul></ul>
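The A G DL P strategy implemented end to end with the utilities from Activities 4-6 and 4-7, then checked with dsget, as an added example that is not part of the course material. Every name is a placeholder: the domain DC=example,DC=local with NetBIOS name EXAMPLE, the OUs Groups and Staff, the users Jane Doe and John Roe, and the folder D:\Shares\SalesReports. The last part shows the difference the Determining Group Membership slides describe: without -expand dsget reports the same first level as the Member Of tab, with -expand it reaches the domain local group that actually carries the permission.

```batch
@echo off
setlocal
rem Added example, not from the course text. All names below are placeholders.
set "DOM=DC=example,DC=local"
set "NB=EXAMPLE"
set "USER1=CN=Jane Doe,OU=Staff,%DOM%"
set "USER2=CN=John Roe,OU=Staff,%DOM%"
set "G=CN=Sales Staff,OU=Groups,%DOM%"
set "DL=CN=SalesReports Modify,OU=Groups,%DOM%"
set "SHARE=D:\Shares\SalesReports"

rem A -> G: the global group names a job function and holds the accounts.
dsadd group "%G%" -secgrp yes -scope g -samid "Sales Staff" -desc "Job function: sales staff" -members "%USER1%"
if errorlevel 1 exit /b 1

rem G -> DL: the domain local group names the resource and holds the global
rem group. Users are never added to it directly.
dsadd group "%DL%" -secgrp yes -scope l -samid "SalesReports Modify" -desc "Modify on %SHARE%" -members "%G%"
if errorlevel 1 exit /b 1

rem DL -> P: the permission is granted to the domain local group only.
rem cacls /E edits the existing ACL instead of replacing it; C is Change.
cacls "%SHARE%" /E /G "%NB%\SalesReports Modify":C
if errorlevel 1 exit /b 1

rem Day-two changes go through dsmod on the global group; the ACL on the
rem folder never needs to be touched again.
dsmod group "%G%" -addmbr "%USER2%"
dsmod group "%G%" -desc "Job function: sales staff. Owner: sales manager"

rem Verification from the user side: first level only, then effective.
echo --- first level only, same as the Member Of tab ---
dsget user "%USER1%" -memberof
echo --- effective membership, nesting followed ---
dsget user "%USER1%" -memberof -expand

rem Verification from the resource side: every account that ends up with
rem Modify on the folder, appended to a file for review.
dsget group "%DL%" -members -expand >> "%TEMP%\SalesReports-effective-members.txt"
endlocal
```

The resource-side listing is the one to keep: when access to a folder is questioned, the answer is the expanded membership of the domain local group on its ACL, not the contents of the global groups nested in it.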
  40. Built-In Groups <ul><li>When Windows Server 2003 Active Directory is installed </li></ul><ul><ul><li>Built-in groups are created automatically </li></ul></ul><ul><ul><li>Rights are pre-assigned </li></ul></ul><ul><ul><li>Stored in Builtin container and Users container </li></ul></ul><ul><li>Use built-in groups where possible </li></ul><ul><ul><li>Eases implementation of security rights </li></ul></ul><ul><li>Several of them (Administrators, Account Operators, Server Operators, Backup Operators, Print Operators) carry rights on domain controllers that allow a member to take control of the domain, so their membership should be kept minimal and reviewed regularly </li></ul>
  41. The Builtin Container <ul><li>Contains a number of domain local group accounts </li></ul><ul><li>Allocated different user rights based on common administrative or network-related tasks </li></ul>
  42. The Builtin Container (continued)
  43. The Users Container <ul><li>Contains a number of domain local and global group accounts </li></ul><ul><li>Some groups only found in the root domain of an Active Directory forest rather than in individual domains (Enterprise Admins and Schema Admins, whose rights are forest-wide and which should normally have no standing members) </li></ul>
  44. The Users Container (continued)
  45. Creating and Managing Computer Accounts <ul><li>Computer accounts needed on Windows NT 4.0, 2000, XP, Server 2003 </li></ul><ul><li>Can be created during installation or added manually later </li></ul><ul><li>Creation and management tools </li></ul><ul><ul><li>Active Directory Users and Computers </li></ul></ul><ul><ul><li>System applet in Control Panel </li></ul></ul><ul><ul><li>Command-line utilities </li></ul></ul>
  46. Activity 4-8: Creating and Managing Computer Accounts <ul><li>Objective: Use Active Directory Users and Computers to create and manage computer accounts </li></ul><ul><li>Follow directions to create a new computer account from Active Directory Users and Computers </li></ul><ul><li>Configure and review the account as directed </li></ul>
  47. Activity 4-8 (continued)
  48. Resetting Computer Accounts <ul><li>Secure channel </li></ul><ul><ul><li>Used by computers that are domain members to authenticate to a domain controller </li></ul></ul><ul><ul><li>Protected by the computer account password, which the member changes every 30 days by default </li></ul></ul><ul><ul><li>New password is automatically agreed between domain controller and workstation </li></ul></ul><ul><li>Occasional synchronization issues arise (typically a restored disk image or snapshot that still holds an old password, or an account reset or deleted by mistake), after which the computer can no longer authenticate to the domain </li></ul><ul><ul><li>Administrator must reset computer account </li></ul></ul><ul><ul><li>Reset Account in Active Directory Users and Computers resets only the domain controller's copy of the password, so the computer must then be rejoined to the domain </li></ul></ul><ul><ul><li>Netdom.exe from Windows Support Tools resets both sides in one step (netdom reset computer-name /domain:domain-name), so no rejoin is needed </li></ul></ul>
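The computer account lifecycle from the command line, as an added example that is not part of the course material: pre-staging an account, finding members whose secure-channel password is overdue, and repairing one machine's channel. Placeholders: the domain example.local (DN DC=example,DC=local), the OU Workstations, the workstation WS017 and the domain controller DC01. netdom.exe comes from the Windows Support Tools; the ds* tools are built in.

```batch
@echo off
setlocal
rem Added example, not from the course text. Names below are placeholders.
set "DOM=example.local"
set "DOMDN=DC=example,DC=local"
set "PC=WS017"
set "DC=DC01"
set "PCDN=CN=%PC%,OU=Workstations,%DOMDN%"

rem 1. Pre-stage the account so the machine lands in the right OU instead of
rem    the default Computers container. The SAM name of a computer ends in $.
dsadd computer "%PCDN%" -samid "%PC%$" -desc "Sales workstation" -loc "Building B"

rem 2. The secure-channel password rotates every 30 days. A member whose
rem    password is older than twice that has been offline, restored from an
rem    old image, or has a broken channel. List them before changing anything;
rem    stale accounts are candidates for disabling, not for silent deletion.
echo --- computers whose password is older than 60 days ---
dsquery computer "%DOMDN%" -stalepwd 60 -limit 0
echo --- computers inactive for 8 weeks ---
dsquery computer "%DOMDN%" -inactive 8 -limit 0

rem 3. Test the secure channel of one machine before touching it.
netdom verify %PC% /domain:%DOM%
if not errorlevel 1 (
    echo Secure channel for %PC% is healthy; nothing to reset.
    exit /b 0
)

rem 4. netdom reset sets a new password on both the member and the DC, so the
rem    machine stays joined. A DC-side reset alone, which is what Reset Account
rem    in ADUC or dsmod computer -reset does, forces a rejoin and is the fallback.
netdom reset %PC% /domain:%DOM% /server:%DC%
if errorlevel 1 (
    echo netdom reset failed. Falling back to a DC-side reset; rejoin %PC% afterwards.
    dsmod computer "%PCDN%" -reset
)
endlocal
```

Run steps 3 and 4 from an account that is a local administrator on the workstation as well as able to reset the account in the domain, because netdom has to change the password on both ends.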
  49. Summary <ul><li>Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously </li></ul><ul><li>Two group security types: </li></ul><ul><ul><li>Security groups </li></ul></ul><ul><ul><li>Distribution groups </li></ul></ul><ul><li>Three types of scoping possible for groups </li></ul><ul><ul><li>Global groups </li></ul></ul><ul><ul><li>Domain local groups </li></ul></ul><ul><ul><li>Universal groups </li></ul></ul>
  50. Summary (continued) <ul><li>Group and computer accounts can be created and managed </li></ul><ul><ul><li>From Active Directory Users and Computers </li></ul></ul><ul><ul><li>From command-line utilities </li></ul></ul><ul><li>The Builtin and Users containers hold groups that are automatically created at installation with specific pre-assigned rights and permissions </li></ul><ul><li>Windows NT 4.0, 2000, XP, and Server 2003 require computer accounts in Active Directory </li></ul>