Windows Server 2003 User Group Management 林寶森


1 Windows Server 2003 User Group Management 林寶森 jeffl@ms11.hinet.net

2 How Groups Work
– Permissions Assigned Once for a Group Instead of Once for Each User Account
– Group Members Have the Rights and Permissions Granted to the Group
– Users Can Be Members of Multiple Groups
– Groups and Computers Can Also Be Members of a Group

3 Groups in Workgroups and Domains
Domain
– Created on Domain Controllers
– Reside in Active Directory
– Used to Control Resources in the Domain
Workgroup
– Created on Computers That Are Not Domain Controllers
– Reside in SAM
– Used to Control Access to Resources for the Computer
[Diagram labels: Domain Controller, Client Computer, Member Server, SAM]

4 Managing Local Groups
[Screenshot: Computer Management (Local), System Tools, Local Users and Groups, Groups, listing Administrators, Backup Operators, Guests, Power Users, Replicator and Users; the New Group… action opens the New Group dialog with Group name, Description and Members fields]

5 Group Types
Purpose of Group Types
– Security groups: Use to assign or deny rights and permissions
– Distribution groups: Use to send e-mail messages
Selecting a Group Type
– Use distribution groups unless you need security capabilities
– Distribution groups improve logon performance

6 Group Scopes
Universal Group
– Members from any domain in forest
– Use for access to resources in any domain
Domain Local Group
– Members from any domain in forest
– Use for access to resources in one domain
Global Group
– Members from own domain only
– Use for access to resources in any domain

7 Groups and Domain Functional Levels
Windows 2000 mixed (default)
– Domain controllers supported: Windows NT® Server 4.0, Windows 2000, Windows Server 2003
– Group scopes supported: Global, domain local
Windows 2000 native
– Domain controllers supported: Windows 2000, Windows Server 2003
– Group scopes supported: Global, domain local, universal
Windows Server 2003
– Domain controllers supported: Windows Server 2003
– Group scopes supported: Global, domain local, universal

8 What Is Group Nesting?
– It means adding a group as a member of another group that is the same kind of group scope
– Nest groups to consolidate group management
– Nesting options depend on whether the domain functional level of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed

9 What Are Global Groups?
Global group rules
Members
– Mixed mode: User accounts from same domain
– Native mode: User accounts and global groups from same domain
Can be a member of
– Mixed mode: Domain local groups
– Native mode: Universal and domain local groups in any domain and global groups in the same domain
Scope
– Visible in its own domain and all trusted domains
Permissions
– All domains in the forest

10 What Are Universal Groups?
Universal group rules
Members
– Mixed mode: Not applicable
– Native mode: User accounts, global groups, and other universal groups from any domain in the forest
Can be a member of
– Mixed mode: Not applicable
– Native mode: Domain local and universal groups in any domain
Scope
– Visible in all domains in a forest
Permissions
– All domains in a forest

11 What Are Domain Local Groups?
Domain local group rules
Members
– Mixed mode: User accounts and global groups from any domain
– Native mode: User accounts, global groups, and universal groups from any domain in the forest, and domain local groups from the same domain
Can be a member of
– Mixed mode: None
– Native mode: Domain local groups in the same domain
Scope
– Visible only in its own domain
Permissions
– Domain to which the domain local group belongs

12 Creating and Deleting Domain Groups
Use Active Directory Users and Computers to Create and Delete Groups
When You Delete a Group Its:
– Rights and permissions are removed
– Members are not deleted
– SID is never used again
[Screenshot: New Object - Group dialog, Create in: nwtraders.msft/Users, with Group name, Group name (pre-Windows 2000), Group scope (Domain local, Global, Universal) and Group type (Security, Distribution)]

13 Adding Members to Domain Groups
[Screenshot: Group 01 Properties, Members tab, with Add... opening the Select Users, Contacts, Computers, or Groups dialog (Look in: nwtraders.msft); Casablanca and Portland are selected from the list and added with Add, then OK]

14 Why Assign a Manager to a Group?
To enable you to:
– Track who is responsible for groups
– Delegate to the manager of the group the authority to add users to and remove users from the group
To distribute the administrative responsibility of adding users to groups to the people who request the group

15 Modifying Groups
Changing Group Scope
– Global to universal
– Domain local to universal
– Universal to global
– Universal to domain local
– Available in native mode
Changing Group Type
– Security to distribution
– Distribution to security
– Available in native mode
Deleting a Group
– Deletes the group but not the objects that are members
– Cannot restore a group and its permissions

16 The Strategy for Using Local Groups in a Workgroup
Legend: A = User Accounts, L = Local Group, P = Permissions
[Diagram: a workgroup of Windows Server 2003, Windows 2000 Professional, Windows XP Professional and Windows 2000 Server computers, each with its own A, L, P chain; Add user accounts to the local group, Assign permissions to the local group]

17 Group Strategies (1)
[Diagram: A G P (User Accounts, Global Groups, Permissions)]

18 Group Strategies (2)
[Diagram: A DL P (User Accounts, Domain Local Groups, Permissions)]

19 Group Strategies (3)
[Diagram: A G DL P (User Accounts, Global Groups, Domain Local Groups, Permissions)]

20 Group Strategies (4)
[Diagram: A G L P (User Accounts, Global Groups, Local Groups, Permissions)]

21 Group Strategies (5)
[Diagram: A G U DL P (User Accounts, Global Groups, Universal Groups, Domain Local Groups, Permissions), with two sets of User Accounts and Global Groups feeding the Universal Groups]

22 The Strategy for Using Groups in a Single Domain
[Diagram: User Accounts (A), Global Groups (G), Domain Local Group (DL), Permissions (P)]
– Add Domain User Accounts into Global Groups
– (Optional) Add Global Groups into Another Global Group
– Add Global Group into Domain Local Group
– Assign Resource Permissions to the Domain Local Group
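The membership rules on slides 9 to 11 and the A, G, DL, P steps on slide 22 can be checked mechanically when reviewing who really has access to a resource. The following is an added example, not part of the original slides: the group names, the second domain `partner.example`, the ACL and all function names are constructed for illustration.

```python
# Added example; names and directory contents are constructed, not from the slides.
# (scope, mode) -> {member kind: True if the member must be in the group's own domain}
RULES = {
    ("global", "mixed"): {"user": True},
    ("global", "native"): {"user": True, "global": True},
    ("universal", "native"): {"user": False, "global": False, "universal": False},
    ("domain_local", "mixed"): {"user": False, "global": False},
    ("domain_local", "native"): {"user": False, "global": False,
                                 "universal": False, "domain_local": True},
}
DIRECTORY = {  # name -> (kind, domain, members); partner.example is hypothetical
    "alice": ("user", "nwtraders.msft", []),
    "bob": ("user", "nwtraders.msft", []),
    "carol": ("user", "partner.example", []),
    "G_Sales": ("global", "nwtraders.msft", ["alice", "G_SalesMgrs"]),
    "G_SalesMgrs": ("global", "nwtraders.msft", ["bob"]),
    "G_Partner": ("global", "partner.example", ["carol"]),
    "G_Temp": ("global", "nwtraders.msft", ["carol"]),
    "DL_SalesShare": ("domain_local", "nwtraders.msft", ["G_Sales", "G_Partner"]),
}
ACL = {"SalesShare": ["DL_SalesShare", "alice"]}  # constructed: resource -> direct grants

def nesting_violations(directory, mode):
    """Return (group, member) pairs the slides' rules do not allow in this mode."""
    bad = []
    for name, (kind, domain, members) in directory.items():
        allowed = RULES.get((kind, mode), {})  # universal groups: none in mixed mode
        for m in members:
            m_kind, m_domain, _ = directory[m]
            if m_kind not in allowed or (allowed[m_kind] and m_domain != domain):
                bad.append((name, m))
    return sorted(bad)

def effective_users(directory, group, seen=None):
    """Expand nesting to the user accounts that inherit the group's permissions."""
    seen = {group} if seen is None else seen
    users = set()
    for m in directory[group][2]:
        if directory[m][0] == "user":
            users.add(m)
        elif m not in seen:  # guard against circular nesting
            seen.add(m)
            users |= effective_users(directory, m, seen)
    return users

def grants_outside_strategy(directory, acl):
    """Flag ACL entries that bypass A-G-DL-P (anything but a domain local group)."""
    return sorted((res, p) for res, ps in acl.items() for p in ps
                  if directory[p][0] != "domain_local")
```

Running `nesting_violations` in both modes shows that the global-in-global nesting is valid only in native mode, and `effective_users` lists every account that reaches the share through nested groups.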

23 Why Use Group Strategies
[Diagram: AGDL or LP; labels: Managing User, Managing Resource, Domain Controller, Member Server]

24 Guidelines for Planning a Group Strategy
– Assign users with common job responsibilities to global groups
– Create a domain local group for sharing resources
– Add global groups that require access to resources to domain local groups
– Use universal groups to grant access to resources in multiple domains
– Use universal groups when membership is static

25 Default Groups on Member Servers

26 Default Groups in Active Directory

27 When to Use Default Groups
Default groups are:
– Created during the installation of the operating system or when services are added such as Active Directory or DHCP
– Automatically assigned a set of user rights
Use Default groups to:
– Control access to shared resources
– Delegate specific domain-wide administration

28 What Are User Rights? Examples of User Rights

29 User Rights vs. Permissions
– User Rights: Actions on System
– Permissions: Actions on Object

30 System Groups
– System groups represent different users at different times
– You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
– Group scopes do not apply to system groups
– Users are automatically assigned to system groups whenever they log on or access a particular resource

