Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS

CHAPTER OVERVIEW
- Understand the functions of groups and how to use them.
- Understand the difference between local groups and domain groups.
- Identify the two group types and three group scopes, and their proper use.
- List the predefined and built-in groups included in Windows Server 2003.

Speaker notes: This chapter focuses on the use of groups in Active Directory and includes a discussion of domain functional levels and their effect on groups.

CHAPTER OVERVIEW (continued)
- Understand the difference between groups and special identities.
- Create, manage, and delete groups using graphical and command-line tools.

ACLs AND SECURITY PRINCIPALS
- An access control list (ACL) restricts or permits access to a resource object.
- The accounts listed in an ACL are called security principals.
- Examples of security principals: user account, computer account, group.
- Examples of resource objects that principals are granted access to: printer, shared folder.

UNDERSTANDING GROUPS
Example: Sales department resources
- Shared folders = 3
- Printers = 2
- Users = 15
- Per-user permission assignments = 75
- Groups = 1 [Sales]
- Group permission assignments = 5

Speaker notes: Groups are very important in system administration. Example: you have three shared folders and two printers that all users in the Sales department need access to. If the Sales department has 15 users and you make the permission assignments on a per-user basis, how many permission assignments do you need to make? Answer: 75. If you create a Sales group and make all of the users in the Sales department members of that group, how many permission assignments do you need to make? Answer: 5. Even with the additional (but minimal) work of creating a group, this is a dramatic saving in administrative overhead.

USING GROUPS AND GROUP POLICIES
- Group policy and groups are not related.
- Group policy cannot be applied directly to a group, user, or computer account object.
- Group, user, and computer account objects are security principals.
- Group policy is set on a site, domain, or OU.
- It can be configured to apply to groups in that site, domain, or OU.

Speaker notes: Group policy and groups are not related. A group policy is a policy applied to a collection of objects; a group is a collection of objects. A group is a security principal, just like a user. Therefore group policy can affect the group, and thus the members of the group, just as it can affect a user or computer account object. Groups, users, and computer accounts cannot have group policy applied directly to them. Detailed information on group policy in Windows Server 2003 can be found at http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx.

UNDERSTANDING DOMAIN FUNCTIONAL LEVELS
- Raising the functional level cannot be reversed.
- Domain functional levels:
  - Windows 2000 mixed [default on install]
  - Windows 2000 native
  - Windows Server 2003 interim
  - Windows Server 2003

Speaker notes:
Windows Server 2003: Windows Server 2003 domain controllers only. Universal security and distribution groups. Allows groups to be members of other groups. Allows group conversions (security and distribution). Allows migration of security principals from one domain to another domain (SID history).
Windows Server 2003 interim: Windows NT 4 and Windows Server 2003 domain controllers. Used for migration between NT 4 and Windows Server 2003.
Windows 2000 mixed: Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. Universal distribution groups but not universal security groups. Global groups cannot contain other groups (no group nesting).
Windows 2000 native: Windows 2000 and Windows Server 2003 domain controllers. Universal distribution groups and universal security groups. Scope conversions involving universal groups. Migration of security principals between domains (SID history).
The default domain functional level on a newly installed Windows Server 2003 system that is not part of an existing tree is always Windows 2000 mixed. Discuss each domain functional level and its attributes. For this chapter, the limitations of group nesting and the availability of universal groups are of key concern. Students often ask, "Why can't you just raise the domain functional level to the highest possible level?" There really is no reason not to run Active Directory at the highest domain functional level supported by all domain controllers. You must be a member of the Domain Admins group in the domain whose functional level you want to raise, or a member of the Enterprise Admins group, in order to raise the domain functional level.
Detailed information on domain functional levels and the advanced features available at each level can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_levels.asp.

UNDERSTANDING DOMAIN FUNCTIONAL LEVELS (continued)
- Determines the level of functionality used by Active Directory.
- The available levels depend on the operating system the servers are running.
- Some features are not available at certain levels.
- The functional level can be raised but not lowered.

RAISING THE DOMAIN FUNCTIONAL LEVEL
- Active Directory Domains and Trusts
- Right-click the domain object
- Do not raise at this time

Speaker notes: Show the process of raising the domain functional level by right-clicking the domain object in Active Directory Domains And Trusts and selecting Raise Domain Functional Level. However, do not actually raise the domain functional level at this time. In addition to Active Directory features, the forest functional level determines whether a domain can be renamed.
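Because a raised functional level cannot be lowered again, it is worth reading the current level from the directory before a script relies on level-dependent features such as universal security groups or nesting. The batch file below is an added example, not part of the course slides or Microsoft documentation; it assumes a constructed domain contoso.com and the standard Dsquery.exe from the Windows Server 2003 administration tools. The attribute meanings in the comments (msDS-Behavior-Version and ntMixedDomain on the domain object) are how Windows Server 2003 records the level; the column layout of the dsquery output that the for /f loop parses is an assumption about that tool's output format.

```batch
@echo off
REM Added example (not part of the course slides): read the current domain
REM functional level before relying on level-dependent group features.
REM Assumes the domain contoso.com (constructed); set DOMAIN_DN to your own domain.
setlocal
set DOMAIN_DN=DC=contoso,DC=com

REM The domain object stores the level in two attributes:
REM   msDS-Behavior-Version  0 = Windows 2000, 1 = Windows Server 2003 interim,
REM                          2 = Windows Server 2003
REM   ntMixedDomain          1 = Windows 2000 mixed, 0 = Windows 2000 native
REM                          (only meaningful when msDS-Behavior-Version is 0)
REM Assumption: dsquery prints one header line, then one line with both values.
set BEHAVIOR=
set MIXED=
for /f "skip=1 tokens=1,2" %%a in ('dsquery * "%DOMAIN_DN%" -scope base -attr msDS-Behavior-Version ntMixedDomain') do (
    set BEHAVIOR=%%a
    set MIXED=%%b
)

if "%BEHAVIOR%"=="" (
    echo Could not read the functional level; check the domain DN and your credentials.
    endlocal
    exit /b 1
)

if "%BEHAVIOR%"=="2" (
    echo Level: Windows Server 2003 - universal security groups and group nesting available.
) else if "%BEHAVIOR%"=="1" (
    echo Level: Windows Server 2003 interim - NT 4 migration level, no universal security groups.
) else if "%MIXED%"=="1" (
    echo Level: Windows 2000 mixed - no universal security groups, global groups cannot be nested.
) else (
    echo Level: Windows 2000 native - universal security groups and group nesting available.
)
echo Raising the level is one-way: it cannot be lowered afterwards.
endlocal
exit /b 0
```

Run it from a domain member where the administration tools are installed; the exit code is 1 when the query returns nothing, so the script can be used as a guard at the top of a larger group-provisioning batch file.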

USING LOCAL GROUPS
- Can be used only on the system on which they are created.
- In a workgroup environment, can contain only users from the local system.
- In a domain environment, can contain users and global groups.
- Cannot be created on a domain controller.

Speaker notes: Explain that local groups can be used on member servers and workstations to provide access to local resources only. These groups, referred to as machine local groups (as opposed to domain local groups), have limited application, but they can be useful for such purposes as granting access to resources on a member server. If you have access to a Windows Server 2003 system that is not a domain controller, demonstrate the process of creating a local group using the Computer Management console. The slide mentions global groups, but students might not yet be familiar with these groups; they are discussed later in the chapter.

USING ACTIVE DIRECTORY GROUPS
- Group types: security, distribution
- Group scopes: local, global, universal
- Detailed discussion on the slides that follow

Speaker notes: Groups in Active Directory are defined by their type (security or distribution) and their scope (local, global, or universal). Detailed discussions of these types and scopes are included on the following slides.

GROUP TYPE: SECURITY GROUPS
- Used to assign access permissions for network resources.
- Membership depends on the type of security group and the domain functional level.
- Can also be used as a distribution group.
- The most common type of group created and used in Active Directory.

Speaker notes: Security groups are the groups people typically discuss; because a security group can also be used as a distribution group, it can contain Active Directory contacts. Security groups are the focus of this chapter and are discussed in detail throughout the rest of the chapter. Not every object can belong to every group scope (local, global, or universal).

GROUP TYPE: DISTRIBUTION GROUPS
- Cannot be used as security principals to grant permissions to objects.
- A list of IDs used to group users together for use by applications in non-security-related functions.
- Can be used only by directory-aware applications such as Microsoft Exchange.
- Can be converted to a security group.
- Because a security group can also be used as a distribution group, distribution groups are often not used at all.

Speaker notes: Distribution groups cannot be used as security principals to grant permissions to objects. They are merely lists of user IDs for use by directory-aware applications such as Microsoft Exchange. The ability to use security groups as distribution groups means that in many environments distribution groups are not used at all.

GROUP SCOPES
- Domain local groups: most often used to assign access permissions to resources, either directly or by adding a global group to a domain local group.
- Global groups: used primarily to provide categorized membership in domain local groups for individual security principals, or for direct permission assignment. Used to collect users or computers in the same domain that share the same job, role, or function, or that have similar network access requirements.
- Universal groups: used primarily to grant access to resources in multiple domains.

GROUP SCOPE: DOMAIN LOCAL GROUPS
- Available in all domain functional levels.
- Can be used only to assign permissions to resources in the domain where they are created.
- Membership depends on the domain functional level:
  - Windows 2000 mixed or Windows Server 2003 interim: user and computer accounts, and global groups from any domain in the forest; no other group nesting.
  - Windows 2000 native or Windows Server 2003: user and computer accounts, and global and universal groups from any domain in the forest.
- Can be converted to universal scope if the group contains no domain local groups as members.
- Commonly used to control access to resources.

Speaker notes: Domain local groups are generally assigned permissions to a resource such as a folder or printer to facilitate group nesting, but they can also be used to group together users from the same domain that require the same permissions and access to another object in the same domain.

GROUP SCOPE: GLOBAL GROUPS
- Available in all functional levels.
- Can be converted to a universal group as long as it is not a member of any other global group.
- Can be a member of machine local or domain local groups.
- Can include only members from within their own domain.
- Membership depends on the domain functional level:
  - Windows 2000 native or Windows Server 2003: user and computer accounts, and other global groups from the same domain.
  - Windows 2000 mixed: user and computer accounts from the same domain.
- Can be granted access permissions to resources in any domain in the forest, and in domains in other trusted forests.

Speaker notes: Explain the purpose and function of global groups. In terms of domain functional level, a global group at the Windows 2000 mixed functional level can contain only user and computer accounts from the same domain. At the Windows 2000 native or Windows Server 2003 functional level, a global group can contain user and computer accounts as well as other global groups from the same domain. Global groups are generally created for groups of users with a common purpose or common access requirements (such as department, location, or function). Global groups can be assigned directly to a resource, but they are typically placed into domain local groups that are granted permissions to a resource or object. Do not discuss the best practices of group nesting; this is covered later in the chapter.

GROUP SCOPE: UNIVERSAL GROUPS
- Available only in the Windows 2000 native and Windows Server 2003 domain functional levels.
- Can include user and computer accounts, global groups, and other universal groups from any domain in the forest.
- Can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests.
- Can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members.
- Generally used to consolidate groups that span multiple domains.

Speaker notes: Explain the purpose and function of universal groups. Explain that universal groups are really only needed if you have users in more than one domain that need access to the same resources. For example, you might have a user account for a manager in each domain that needs permissions to a folder or printer in one or more of the other domains. Mention that the entire membership of a universal group is replicated to the global catalog; if the universal group membership changes, this creates replication traffic.

NESTING GROUPS (Table 7-1): members allowed in each group scope, by domain functional level

Domain local
- Windows 2000 mixed or Windows Server 2003 interim: user and computer accounts and global groups from any domain.
- Windows 2000 native or Windows Server 2003: user and computer accounts, universal groups, and global groups from any domain; other domain local groups from the same domain.

Global
- Windows 2000 mixed or Windows Server 2003 interim: user and computer accounts from the same domain.
- Windows 2000 native or Windows Server 2003: user and computer accounts and other global groups from the same domain.

Universal
- Windows 2000 mixed or Windows Server 2003 interim: not available.
- Windows 2000 native or Windows Server 2003: user and computer accounts, other universal groups, and global groups from any domain.

Speaker notes: The availability of additional nesting options at the Windows 2000 native or Windows Server 2003 functional level is just one reason to raise the domain functional level where possible.

CONVERTING GROUPS (Table 7-2): permitted scope conversions (converting a group to its own scope is not applicable)

From domain local
- To global: not permitted.
- To universal: permitted only when the domain local group does not have other domain local groups as members.

From global
- To domain local: not permitted.
- To universal: permitted only when the global group is not a member of another global group.

From universal
- To domain local: no restrictions.
- To global: permitted only when the universal group does not have other universal groups as members.

Speaker notes: Using the table as a guide, explain what group scope conversions are possible. Provide an example of when you might need to perform such a conversion. Do not discuss the actual process of converting groups; this is done later in the chapter. You may need to convert groups; this is what you can do.

PLANNING GLOBAL AND DOMAIN LOCAL GROUPS
Best practices:
Step 1: Create domain local groups for the resources to be shared.
Step 2: Assign resource permissions to the domain local group.
Step 3: Create global groups for users with common job responsibilities.
Step 4: Add the global groups that need access to resources to the appropriate domain local group.

Speaker notes: Explain that these steps are best practice for good reason. Once the appropriate groups are set up, minimal administration is required to provide a user with the necessary access. For example, if all users in the Sales department require permissions to five folders and three printers, once the domain local and global groups are created and nested, the only change required to grant or revoke rights to all eight resources for a user is inclusion in or removal from the Sales group. A user added to the Sales group automatically receives rights to all resources. An old administrator's mnemonic for this is U.G.L.Y.: put Users into Global groups, Global groups into Local groups; Yes, it works.
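The four steps above carried out from the command line, as an added example that is not part of the course slides: it uses Dsadd.exe and Dsmod.exe (introduced later in this chapter) for the directory objects and Cacls.exe for the resource permission. Everything named in it is constructed for the example: the domain contoso.com, an OU called Groups, the groups DL_SalesDocs_Modify and G_Sales, the user jsmith in OU=Sales, and the shared folder D:\Shares\SalesDocs.

```batch
@echo off
REM Added example (not part of the course slides): the four planning steps
REM carried out with Dsadd.exe, Dsmod.exe and Cacls.exe instead of the GUI.
REM Assumptions (all constructed): domain contoso.com, an OU named Groups,
REM a user jsmith in OU=Sales, and the folder D:\Shares\SalesDocs shared to Sales.
REM Run on a domain member with the Windows Server 2003 administration tools installed.
setlocal
set DOMAIN_DN=DC=contoso,DC=com
set GROUP_OU=OU=Groups,%DOMAIN_DN%
set DL_GROUP=CN=DL_SalesDocs_Modify,%GROUP_OU%
set G_GROUP=CN=G_Sales,%GROUP_OU%
set SHARE_PATH=D:\Shares\SalesDocs

REM Step 1: a domain local security group named after the resource and the
REM access it grants (-scope l = domain local, -secgrp yes = security group).
dsadd group "%DL_GROUP%" -secgrp yes -scope l -samid DL_SalesDocs_Modify ^
    -desc "Modify access to %SHARE_PATH%" || goto :failed

REM Step 2: assign the resource permission to the domain local group only.
REM /E edits the existing ACL instead of replacing it; :C grants Change (modify).
cacls "%SHARE_PATH%" /E /G "CONTOSO\DL_SalesDocs_Modify":C || goto :failed

REM Step 3: a global security group for the job role (-scope g = global).
dsadd group "%G_GROUP%" -secgrp yes -scope g -samid G_Sales ^
    -desc "Sales department staff" || goto :failed

REM Step 4: nest the global group in the domain local group. This nesting needs
REM the Windows 2000 native or Windows Server 2003 functional level (Table 7-1).
dsmod group "%DL_GROUP%" -addmbr "%G_GROUP%" || goto :failed

REM From now on, access is granted or revoked by changing G_Sales membership only.
dsmod group "%G_GROUP%" -addmbr "CN=jsmith,OU=Sales,%DOMAIN_DN%" || goto :failed

REM Verify: expand the nested membership and confirm jsmith resolves through G_Sales.
dsget group "%DL_GROUP%" -members -expand
echo Group setup complete.
endlocal
exit /b 0

:failed
echo A command failed; review the output above before continuing.
endlocal
exit /b 1
```

Each command is chained with || goto :failed so that a failed step (for example, the nesting in Step 4 being refused at the Windows 2000 mixed level) stops the script instead of leaving a half-built permission chain; the final dsget shows the expanded membership the resource ACL will honour.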

WINDOWS SERVER 2003 DEFAULT GROUPS
- Built-in local groups
- Predefined Active Directory groups
- Built-in Active Directory groups
- Special identities
Refer to your textbook for the list.

Speaker notes: Explain that the default groups available depend on whether you are using Active Directory. Do not discuss each of the group types in detail here; this is done on the slides that follow.

BUILT-IN LOCAL GROUPS

Speaker notes: Explain that on a Windows Server 2003 system that is not a domain controller (and is therefore a member server or a standalone server), a number of built-in groups are created by default and are used to grant users sets of permissions based on common administration and user roles. Explain that built-in local groups are designed to provide subsets of functionality on the local system, and they can be used only on that system. The figure on the slide is from a Windows Server 2003 system before it was promoted to a domain controller. You cannot show built-in local groups on a system that is a domain controller.

PREDEFINED ACTIVE DIRECTORY GROUPS
- Enterprise Admins and Schema Admins appear on the first domain controller in the forest.

Speaker notes: Show the Users folder in Active Directory Users And Computers. Discuss some of the predefined Active Directory groups, and explain when and how they are used. For example, all new user accounts are automatically made members of the Domain Users group. This provides a simple way to assign permissions to an object or resource to all users in the domain.

BUILT-IN ACTIVE DIRECTORY GROUPS

Speaker notes: Show the Built-in folder in Active Directory Users And Computers, and show the system-created groups. These groups are assigned special rights so they can perform certain tasks on the server. These rights are derived from the user rights assignments in the Default Domain Controllers Security Settings Group Policy.

SPECIAL IDENTITIES
- Members cannot be added directly; membership results from an action or a type of access. Example: Authenticated Users.

Speaker notes: Explain that a user or group cannot be made a member of a special identity directly; it becomes a member of a special identity by performing some action or connecting to the network in a certain way. The simplest example of a special identity is the Authenticated Users identity. If you are logged on to the network, you are automatically a member of this special identity. As an administrator, you can assign permissions to an object using a special identity. So, if you have a resource that you want all users to access, you can assign permissions to the Authenticated Users special identity. Be sure to point out, though, that the Authenticated Users identity does not include the Guest account. This is default behavior and cannot be modified. For example purposes, contrast the Authenticated Users special identity with the Everyone special identity. In a real-world setting, people tend not to use special identities a great deal, preferring to create security groups as needed.

CREATING AND MANAGING GROUP OBJECTS
- Creating local groups
- Creating security groups in Active Directory

Speaker notes: Do not discuss these topics in detail; they are covered on the following slides.

CREATING LOCAL GROUPS

Speaker notes: If you have a Windows Server 2003 system that is not a domain controller, demonstrate the process of creating local groups using the Computer Management console. The only information required to create a local group is a group name.

WORKING WITH ACTIVE DIRECTORY GROUPS
- Creating security groups
- Managing group membership
- Nesting groups
- Changing group types and scopes
- Deleting a group

Speaker notes: This slide lists some of the group management tasks that administrators perform. Do not discuss the procedures for each task in detail; this is done on the slides that follow.

CREATING SECURITY GROUPS

Speaker notes: Demonstrate the creation of a security group in Active Directory Users And Computers. Explain that there is no New, Security Group option on the Action menu; you select New, Group and then specify whether the group is a security or a distribution group. To create a group object you must be a member of the Account Operators, Domain Admins, or Enterprise Admins group in Active Directory, or have been explicitly granted the right. Have students practice creating groups by doing Exercise 7-1.

MANAGING GROUP MEMBERSHIP

Speaker notes: Demonstrate the process of managing group membership in Active Directory Users And Computers. Show students the process of locating a user object and adding it to a group, as explained in the textbook. When you have successfully added a user to the group, open the Properties page for that user and show the Member Of tab to demonstrate the successful addition to the group membership. Have students practice adding members to a group by doing Exercise 7-2.

NESTING GROUPS
- Both groups must be created separately; one is then made a member of the other.
- The possible nestings depend on the domain functional level and the group scope.
- Observe the rules on group nesting.

Speaker notes: Demonstrate the process of nesting groups. Refer to Table 7-1 in the textbook (also on an earlier slide) to determine which group nestings can be configured at each domain functional level and group scope. Have students practice nesting groups by doing Exercise 7-3.

CHANGING GROUP TYPES AND SCOPES

Speaker notes: Demonstrate the process of changing a group scope. Make sure students realize that you can change the group type only when the domain is using the Windows 2000 native or Windows Server 2003 functional level. Refer to Table 7-2 in the textbook (also on an earlier slide) for more information on which conversions are permitted. Also demonstrate the process of converting a distribution group to a security group.

DELETING A GROUP
- Deletes only the group object, not the members of the group.
- Deletes the SID for the group. The SID cannot be re-created.
- Removes ACL entries for the group.

Speaker notes: Demonstrate the process of deleting a group. Students should already understand the importance of the SID and the fact that a SID cannot be re-created, based on previous discussions of user accounts. Discuss how the inability to re-create a group with the same SID might affect your work in the real world. If a group is deleted, a new group must be created and all necessary permissions must be assigned to it in order for it to provide the functionality that the old group provided.

AUTOMATING GROUP MANAGEMENT
The following command-line utilities can be used in scripts and batch files to automate group management:
- Dsadd.exe: used to create new group objects
- Dsmod.exe: used to configure existing group objects
- Dsget.exe: used to locate groups in Active Directory

Speaker notes: Explain that group management tasks such as creation and configuration can be performed from the command line. Although not mentioned in the text, the Dsrm.exe command can also be used to delete a group.

CREATING GROUP OBJECTS WITH DSADD.EXE
- Allows groups to be created from a command line.
- Useful when scripting group creation for large numbers of groups.
- Can be used only to create new groups, not to modify existing groups.

Speaker notes: Students should already be familiar with Dsadd.exe, which was discussed in Chapter 6. Be sure that students understand that the "group" object type must be given after the Dsadd.exe command to create a group. Demonstrate creating a group with Dsadd.exe.

MANAGING GROUP OBJECTS WITH DSMOD.EXE
Can be used to configure group objects, including:
- Setting the group scope
- Adding and removing individual group members
- Replacing the entire group membership

Speaker notes: Explain that Dsmod.exe allows group management tasks to be scripted or run from batch files. The syntax of the Dsmod.exe group command is similar to that of the other "Ds" commands. Demonstrate modifying the membership of a group using Dsmod.exe.

FINDING OBJECTS WITH DSGET.EXE
- Command-line utility.
- Used to locate and show information about an object.
- Cannot be used to create, modify, or delete an object.

Speaker notes: Students should now be familiar with the other "Ds" command-line utilities, so only a brief explanation of Dsget.exe should be required. Discuss some of the switches used with Dsget.exe. Demonstrate using Dsget.exe to locate a user or group object.
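Dsget.exe is most useful as the read-only half of a change: the earlier slide on deleting a group points out that a deleted group's SID cannot be re-created and every permission has to be reassigned to a replacement, so the membership, nesting, and ACL entries should be recorded before Dsrm.exe is run. The batch file below is an added example, not part of the course slides; it assumes a constructed domain contoso.com, the group G_Sales in OU=Groups, an export folder C:\GroupAudit, and the shared folder D:\Shares\SalesDocs as the resource whose ACL is recorded.

```batch
@echo off
REM Added example (not part of the course slides): record a group's SID,
REM scope, membership and nesting with Dsget.exe before it is deleted with
REM Dsrm.exe, so an equivalent group can be rebuilt if the deletion was a mistake.
REM Assumptions (constructed): domain contoso.com, group G_Sales in OU=Groups,
REM export folder C:\GroupAudit, resource folder D:\Shares\SalesDocs.
setlocal
set GROUP_DN=CN=G_Sales,OU=Groups,DC=contoso,DC=com
set AUDIT_DIR=C:\GroupAudit
set RESOURCE=D:\Shares\SalesDocs
if not exist "%AUDIT_DIR%" mkdir "%AUDIT_DIR%"
set REPORT=%AUDIT_DIR%\G_Sales_before_delete.txt

echo Group audit for %GROUP_DN% on %DATE% %TIME% > "%REPORT%"

REM SID, SAM name, scope and type: everything needed to create an equivalent
REM group later. The new group will get a new SID, which is why the rest of
REM this report (members and ACL entries) matters.
echo.>> "%REPORT%"
echo [group properties]>> "%REPORT%"
dsget group "%GROUP_DN%" -samid -sid -scope -secgrp -desc >> "%REPORT%"

REM Direct members, then the fully expanded nested membership.
echo.>> "%REPORT%"
echo [direct members]>> "%REPORT%"
dsget group "%GROUP_DN%" -members >> "%REPORT%"
echo.>> "%REPORT%"
echo [expanded members]>> "%REPORT%"
dsget group "%GROUP_DN%" -members -expand >> "%REPORT%"

REM Groups this group is nested in: deleting it removes those nestings too.
echo.>> "%REPORT%"
echo [member of]>> "%REPORT%"
dsget group "%GROUP_DN%" -memberof -expand >> "%REPORT%"

REM Permissions currently granted to the group on a known resource, so the
REM same entries can be assigned to the replacement group.
echo.>> "%REPORT%"
echo [ACL on %RESOURCE%]>> "%REPORT%"
cacls "%RESOURCE%" >> "%REPORT%"

type "%REPORT%"
echo.
echo Review %REPORT%. To delete the group after review, run:
echo     dsrm "%GROUP_DN%" -noprompt
endlocal
```

The script deliberately stops short of running Dsrm.exe itself; the deletion is a one-line command once the report has been reviewed, and keeping it out of the audit script means the export can be run routinely (for example before any scope conversion) without risk.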

SUMMARY
- A group is an object that consists of a list of users. All permissions assigned to the group are inherited by its members.
- The domain functional level determines which group types and scopes you can use, which groups can be nested, and which group conversions you can perform.
- Security groups can be assigned permissions, while distribution groups are used for query containers, such as e-mail distribution groups, and cannot be assigned permissions to a resource.

Speaker notes: Summarize the information presented in this chapter. The summary continues on the following slide.

SUMMARY (continued)
- Domain local groups are used for assigning permissions to resources.
- Global groups are used for gathering together users with similar resource requirements.
- Universal groups are used primarily to grant access to related resources in multiple domains.
- You can create domain groups in any container or OU in the Active Directory tree.

Speaker notes: Complete the chapter summary slides and then direct students to the review questions, case scenarios, and exercises at the end of the chapter.

SUMMARY (continued)
- Group nesting refers to the ability to make one group a member of another group.
- Command-line tools such as Dsadd.exe, Dsmod.exe, and Dsget.exe allow you to automate group management tasks.