Chapter 04: Implementing and Managing Group and Computer Accounts

  • 1. Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts
  • 2. Objectives
    • Understand the purpose of using group accounts to simplify administration
    • Create group objects using both graphical and command-line tools
    • Manage security groups and distribution groups
    • Explain the purpose of the built-in groups created when Active Directory is installed
    • Create and manage computer accounts
  • 3. Introduction to Group Accounts
    • A group is a container object
      • Used to organize collections of users, computers, contacts, other groups
      • Used to simplify administration
    • Similar to Organizational Units except
      • OUs are not security principals, groups are
      • OUs can only contain objects from the domain they belong to; groups can contain objects from anywhere within the forest
  • 4. Group Types
    • Security groups
      • Defined by Security Identifier (SID)
      • Can be assigned permissions for resources
        • In discretionary access control lists (DACLs)
      • Can be assigned rights to perform different tasks
      • Can also be used as e-mail entities
    • Distribution groups
      • Primarily used as e-mail entities
      • Do not have associated SID
  • 5. Group Scopes
    • Scope refers to logical boundary of permissions to specific resources
    • Both Security and Distribution Groups have scopes
    • Three scopes
      • Objects allowed within each scope depend on the configured functional level of the domain
      • Scope types are global, domain local, and universal
  • 6. Group Scopes (continued)
    • Three domain functional levels:
      • Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, 2000 Server, and Server 2003 domain controllers
      • Windows 2000 native: supports a combination of Windows 2000 Server and Server 2003 domain controllers
      • Windows Server 2003: supports Windows Server 2003 domain controllers only
  • 7. Global Groups
    • Organize groups of users, computers, groups within the same domain
    • Usually represents a geographic location or job function group
    • Types of objects in group related to configured functional level of the domain
      • Depends on the types of domain controllers in environment
  • 8. Domain Local Groups
    • Created on domain controllers
    • Can be assigned rights and permissions to any resource within the same domain
    • Can contain groups from other domains
    • Specific objects allowed in group related to configured functional level of the domain
  • 9. Universal Groups
    • Typically created to aggregate users or groups in different domains
    • Stored on domain controllers configured as global catalog servers
    • Can be assigned rights and permissions for any resource within a forest
    • Can only be created at the Windows 2000 native or Windows Server 2003 domain functional level
  • 10. Universal Groups (continued)
  • 11. Creating Group Objects
    • Group objects are stored in Active Directory database
    • A variety of tools can be used for creation and management
      • Active Directory Users and Computers
      • Command-line utilities
        • DSADD, DSMOD, DSQUERY, etc.
  • 12. Active Directory Users and Computers
    • Primary tool
      • To create group accounts
      • Can also be used to configure properties of group accounts
    • Groups can be created in any built-in containers, at root of the domain object, or in custom OU objects
    • Possible group scopes determined by the functional level the domain is configured to
  • 13. Active Directory Users and Computers (continued)
  • 14. Activity 4-1: Creating and Adding Members to Global Groups
    • Objective: Use Active Directory Users and Computers to create global groups
    • Start → Administrative Tools → Active Directory Users and Computers → Users container → New → Group
    • Follow directions to create several global groups and add user accounts to the groups
  • 15. Activity 4-1 (continued)
  • 16. Activity 4-2: Creating and Adding Members to Domain Local Groups
    • Objective: Use Active Directory Users and Computers to create domain local groups
    • Active Directory Users and Computers → Users → New → Group
    • Follow directions to create new Domain Local groups and add global groups to them
  • 17. Activity 4-3: Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups
    • Objective: Change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal groups
    • Open your domain object in Active Directory Users and Computers
  • 18. Activity 4-3 (continued)
  • 19. Activity 4-3 (continued)
    • Follow directions to raise the functional level of your domain to Windows Server 2003
    • Continue the exercise to create a new universal group
    • Continue the exercise to add existing groups to the new group
  • 20. Activity 4-3 (continued)
  • 21. Converting Group Types
    • May need to change a security group to a distribution group or vice versa
    • Type of group can only be changed if domain functional level is Windows 2000 native or above
  • 22. Activity 4-4: Converting Group Types
    • Objective: Use Active Directory Users and Computers to change group types
    • Follow directions to create a new global group with distribution type
    • Verify type of new group
    • Continue exercise to change type to security and to verify the change
  • 23. Activity 4-4 (continued)
  • 24. Activity 4-4 (continued)
  • 25. Converting Group Scopes
    • Scope of a group can be changed
    • Domain functional level must be at least Windows 2000 native
    • Supported changes
      • Global to universal
      • Domain local to universal
      • Universal to global
      • Universal to domain local
  • 26. Activity 4-5: Converting Group Scopes
    • Objective: Use Active Directory Users and Computers to change group scopes
    • Follow directions to create a new global group
    • Add a member group
    • Note restrictions and warnings that follow from group scope structure as described in exercise
    • Change the scope of the group to universal
  • 27. Command Line Utilities
    • An alternative to Active Directory Users and Computers
      • Some administrators have a preference for command-line utilities
      • Command-line utilities are more flexible for group management and creation in some situations
  • 28. DSADD
    • Introduced in Windows Server 2003
    • Used to create new user and group accounts
    • Syntax is
      • dsadd group distinguished-name switches
    • Switches include: -secgrp, -scope, -memberof, -members
    • More help is available for switches and options at Windows Server 2003 Help and Support Center or at command-line
  • 29. DSADD (continued)
  • 30. Activity 4-6: Creating Groups Using DSADD
    • Objective: Use the DSADD GROUP command to add groups of different types and scopes
    • Follow directions to execute dsadd group command to create a new global group
    • Verify group creation with Active Directory Users and Computers
    • Create a domain local group with members using dsadd group and verify that group was properly created
  • 31. DSMOD
    • Also introduced in Windows Server 2003
    • Allows various object types to be modified from the command line
    • Syntax is
      • dsmod group distinguished-name switches
    • Switches include: -desc, -rmmbr, -addmbr
    • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line
  • 32. DSMOD (continued)
  • 33. Activity 4-7: Modifying Groups Using DSMOD
    • Objective: Use the DSMOD GROUP command to modify group accounts
    • Follow directions to execute dsmod group command to add a description to an existing group
    • Verify modification with Active Directory Users and Computers
    • Modify group by adding and removing members and verify changes
  • 34. DSQUERY
    • Also introduced in Windows Server 2003
    • Used to query various object types from the command line, returns values
    • Syntax for groups is
      • dsquery group query
    • Supports wildcard character (*)
    • Output can be piped as input to other command-line tools
    • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line
  • 35. DSMOVE
    • Used to move or rename various object types from the command line
    • Syntax for groups is
      • dsmove distinguished-name switches (unlike dsadd and dsmod, dsmove takes the object's distinguished name directly, with no group keyword)
    • Switches include: -newparent, -newname
    • Can only be used for groups within a single domain
    • More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command-line
  • 36. DSRM
    • Used to delete various object types from the command line
    • Syntax for groups is
      • dsrm distinguished-name switches (like dsmove, dsrm takes the object's distinguished name directly, with no group keyword)
    • Switches include: -noprompt
    • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line
  • 37. Managing Security Groups
    • Strategy for managing security groups uses the acronym AGUDLP:
      • Create user Accounts (A) and organize them within Global groups (G)
      • Optional: Create Universal groups (U) and place global groups from any domain in universal groups
      • Create Domain Local groups (DL) and add global and universal groups
      • Assign Permissions (P) to the domain local groups
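The AGUDLP strategy carried out with the Windows Server 2003 DS commands described on the preceding slides, as an added example that is not part of the slide deck. The domain DC=example,DC=local, the OU, user, group and server names, and the use of cacls for the permission step are all assumptions.

```batch
@echo off
REM Added example (not from the slides): building an A-G-U-DL-P chain with the
REM DS command-line tools. DC=example,DC=local, the OUs, users, groups and the
REM file server are placeholders. Run on a domain controller as a domain admin.
set DOM=DC=example,DC=local

REM A: user accounts are assumed to exist already (dsadd user or the GUI).
REM G: one global group per job function, in the same domain as its users.
dsadd group "CN=Sales Users,OU=Groups,%DOM%" -samid "Sales Users" -secgrp yes -scope g ^
  -desc "Sales staff (job function)" ^
  -members "CN=Alice Adams,OU=Sales,%DOM%" "CN=Bob Brown,OU=Sales,%DOM%"

REM U (optional): a universal group aggregating global groups from any domain.
REM Needs the Windows 2000 native or Windows Server 2003 domain functional level.
dsadd group "CN=All Sales,OU=Groups,%DOM%" -samid "All Sales" -secgrp yes -scope u ^
  -members "CN=Sales Users,OU=Groups,%DOM%"

REM DL: a domain local group named for the resource and the access it grants.
dsadd group "CN=SalesShare-Modify,OU=Groups,%DOM%" -samid SalesShare-Modify -secgrp yes -scope l ^
  -desc "Change access on the Sales share (placeholder server FS01)" ^
  -members "CN=All Sales,OU=Groups,%DOM%"

REM P: the permission is granted once, to the domain local group, on the resource.
REM cacls ships with Windows Server 2003: /E edits the ACL in place, /G grants Change.
cacls D:\Shares\Sales /E /G EXAMPLE\SalesShare-Modify:C

REM Later changes only touch membership, never the ACL on the resource.
dsmod group "CN=Sales Users,OU=Groups,%DOM%" -addmbr "CN=Carol Clark,OU=Sales,%DOM%"
dsmod group "CN=Sales Users,OU=Groups,%DOM%" -rmmbr "CN=Bob Brown,OU=Sales,%DOM%"
```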
  • 38. Determining Group Membership
    • Important task for administrators is to ensure that users are members of correct groups
    • One method is via Member Of tab in the properties of a user account
      • Only shows first level of groups (not groups of groups)
    • Second method is to use DSGET
    • Returns values to a query
  • 39. Determining Group Membership (continued)
    • Syntax is
      • dsget group distinguished-name switches
    • Switches include: -members, -memberof
    • Can also be used as dsget user to get membership information about a specific user
    • Output can be saved to a file:
      • dsget group distinguished-name switches >> filename
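Verifying who actually reaches a resource, as an added example that is not part of the slide deck; it covers both the DSQUERY pipeline from the earlier slide and the nested-membership limitation of the Member Of tab noted above. The domain DC=example,DC=local and all names are assumed placeholders; -expand and -limit are real dsget and dsquery switches.

```batch
@echo off
REM Added example (not from the slides): auditing group membership with dsquery
REM and dsget. DC=example,DC=local and the group/user names are placeholders.
set DOM=DC=example,DC=local

REM Direct members only: the same first-level view the Member Of tab gives.
dsget group "CN=SalesShare-Modify,OU=Groups,%DOM%" -members

REM -expand walks nested groups, so users who reach the share through
REM All Sales -> Sales Users are listed too. Redirect the output for review.
dsget group "CN=SalesShare-Modify,OU=Groups,%DOM%" -members -expand > SalesShare-members.txt

REM The other direction: every group a user belongs to, including nested ones.
dsget user "CN=Alice Adams,OU=Sales,%DOM%" -memberof -expand

REM dsquery prints distinguished names, which dsget reads from standard input.
REM -limit 0 removes the default cap of 100 results; -name accepts the * wildcard.
dsquery group "OU=Groups,%DOM%" -name Sales* -limit 0 | dsget group -members

REM Privileged built-in groups deserve the same check on a regular schedule:
REM a group nested into Domain Admins inherits full control of the domain.
dsget group "CN=Domain Admins,CN=Users,%DOM%" -members -expand >> privileged-review.txt
```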
  • 40. Built-In Groups
    • When Windows Server 2003 Active Directory is installed
      • Built-in groups are created automatically
      • Rights are pre-assigned
      • Stored in Builtin container and Users container
    • Use built-in groups where possible
      • Eases implementation of security rights
  • 41. The Builtin Container
    • Contains a number of domain local group accounts
    • Allocated different user rights based on common administrative or network-related tasks
  • 42. The Builtin Container (continued)
  • 43. The Users Container
    • Contains a number of domain local and global group accounts
    • Some groups only found in the root domain of an Active Directory forest rather than in individual domains
  • 44. The Users Container (continued)
  • 45. Creating and Managing Computer Accounts
    • Computer accounts needed on Windows NT 4.0, 2000, XP, Server 2003
    • Can be created during installation or added manually later
    • Creation and management tools
      • Active Directory Users and Computers
      • System applet in Control Panel
      • Command-line utilities
  • 46. Activity 4-8: Creating and Managing Computer Accounts
    • Objective: Use Active Directory Users and Computers to create and manage computer accounts
    • Follow directions to create a new computer account from Active Directory Users and Computers
    • Configure and review the account as directed
  • 47. Activity 4-8 (continued)
  • 48. Resetting Computer Accounts
    • Secure channel
      • Used by computers that are domain members to communicate with domain controller
      • Uses password that is changed every 30 days
      • Automatically synchronized between domain controller and workstation
    • Occasional synchronization issues arise
      • Administrator must reset computer account
      • Using Active Directory Users and Computers or Netdom.exe command from Windows Support Tools
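Diagnosing and resetting a computer's secure channel from the command line, as an added example that is not part of the slide deck. The workstation WS01, the domain EXAMPLE / DC=example,DC=local and the domain controller DC01 are assumed placeholders; nltest and netdom come from the Windows Support Tools, and dsmod computer -reset is the DS-command equivalent of the GUI Reset Account action.

```batch
@echo off
REM Added example (not from the slides): finding and repairing a broken secure
REM channel. WS01, EXAMPLE, DC01 and DC=example,DC=local are placeholders.

REM On the workstation: ask Netlogon which DC holds its secure channel and whether
REM the channel still authenticates. A non-zero status means the machine account
REM password (rotated every 30 days) is out of sync with the domain controller.
nltest /sc_query:EXAMPLE
nltest /sc_verify:EXAMPLE

REM Repair option 1 (run on the workstation): re-establish the channel and the
REM machine password against a named domain controller without rejoining.
netdom reset WS01 /domain:EXAMPLE /server:DC01

REM Repair option 2 (run on a DC): reset the account object itself. Like the GUI
REM Reset Account command, this breaks the existing trust, so WS01 must then be
REM rejoined to the domain.
dsmod computer "CN=WS01,CN=Computers,DC=example,DC=local" -reset

REM Re-run the query afterwards; it should name the trusted DC and report success.
nltest /sc_query:EXAMPLE
```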
  • 49. Summary
    • Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously
    • Two group types:
      • Security groups
      • Distribution groups
    • Three types of scoping possible for groups
      • Global groups
      • Domain local groups
      • Universal groups
  • 50. Summary (continued)
    • Group and computer accounts can be created and managed
      • From Active Directory Users and Computers
      • From command-line utilities
    • The Builtin and Users containers, and the groups in them, are created automatically at installation with specific pre-assigned rights and permissions
    • Windows NT 4.0, 2000, XP, and Server 2003 require computer accounts in Active Directory