1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

Presentation transcript:

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators

2 Introduction to Groups Groups and Permissions Group Types Group Scopes Group Nesting Rules for Group Membership Local Groups Using Local Groups

3 Groups Simplify Administration

4 Group Types Two group types exist: security and distribution. The group type determines how the group is used. Both types are stored in the database component of Active Directory. Storage in the database component allows use of groups anywhere in the network.

5 Security Groups Microsoft Windows 2000 uses only security groups. Security groups are used to assign permissions to gain access to resources. A security group has all the capabilities of a distribution group.

6 Distribution Groups Used by applications as lists for nonsecurity-related functions Used when the only function of the group is nonsecurity-related Cannot be used to assign permissions

7 Group Scopes

8 Group Scope Overview A group type and scope must be selected when a group is created. Group scopes allow groups to be used in different ways to assign permissions. The scope of a group determines where in the network the group can be used to assign group permissions.

9 Global Groups Used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group is created. Can be used to assign permissions to gain access to resources that are located in any domain in the domain tree or forest.

10 Domain Local Groups Used to assign permissions to resources. Members can be added from any domain. Can be used to assign permissions to gain access to resources located only in the same domain where the domain local group is created.

11 Universal Groups Used to assign permissions to related resources in multiple domains. Members can be added from any domain. Can be used to assign permissions to gain access to resources located in any domain. Not available in mixed mode. Full feature set of Windows 2000 is available only in native mode.

12 Guidelines for Group Nesting Minimize levels of nesting. Tracking permissions and troubleshooting becomes more complex with multiple levels of nesting. One level of nesting is most effective. Document group membership to keep track of permissions assignments. Eliminates the redundant assignment of user accounts to groups. Reduces the likelihood of accidental group assignments.

13 Group Membership Overview The group scope determines the membership of a group. Membership rules determine the members that a group can contain. Group members can be user accounts and other groups. Knowledge of group membership rules is important when assigning members to groups and using nesting.

14 Native Mode
Global group scope: User accounts and global groups from the same domain
Domain local group scope: User accounts, universal groups, and global groups from any domain; domain local groups from the same domain
Universal group scope: User accounts, other universal groups, and global groups from any domain

15 Mixed Mode
Global group scope: User accounts from the same domain.
Domain local group scope: User accounts and global groups from any domain.
Universal group scope: Not applicable; universal groups cannot be created in mixed mode.
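The membership rules on the two preceding slides are easy to misremember when nesting groups across domains. The following function, an added example that is not part of the original slides, encodes those rules so that a proposed nesting can be checked before it is attempted; it is plain PowerShell and needs no domain connection. The function and parameter names are my own.

```powershell
# Added example: models the native-mode and mixed-mode membership rules from the slides.
# Returns $true when a principal of kind $MemberKind may be placed in a group of $ContainerScope.
function Test-GroupMembershipAllowed {
    param(
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string]$ContainerScope,
        [Parameter(Mandatory)][ValidateSet('User', 'Global', 'DomainLocal', 'Universal')]
        [string]$MemberKind,
        # $true when the member comes from the same domain as the container group
        [Parameter(Mandatory)][bool]$SameDomain,
        [ValidateSet('Native', 'Mixed')]
        [string]$Mode = 'Native'
    )

    if ($Mode -eq 'Mixed') {
        switch ($ContainerScope) {
            'Global'      { return ($MemberKind -eq 'User' -and $SameDomain) }   # users from own domain only
            'DomainLocal' { return ($MemberKind -in 'User', 'Global') }          # users and global groups, any domain
            'Universal'   { return $false }   # universal groups do not exist in mixed mode
        }
    }

    switch ($ContainerScope) {
        # Global: user accounts and global groups, but only from the same domain
        'Global'      { return (($MemberKind -in 'User', 'Global') -and $SameDomain) }
        # Domain local: users, global and universal groups from anywhere;
        # other domain local groups only from the same domain
        'DomainLocal' {
            if ($MemberKind -eq 'DomainLocal') { return $SameDomain }
            return $true
        }
        # Universal: users, global groups and other universal groups from any domain
        'Universal'   { return ($MemberKind -in 'User', 'Global', 'Universal') }
    }
}

# Constructed nesting proposals, with the verdict the slides give for each.
$proposals = @(
    @{ ContainerScope = 'Global';      MemberKind = 'Global';      SameDomain = $true;  Mode = 'Native' }  # allowed
    @{ ContainerScope = 'Global';      MemberKind = 'Global';      SameDomain = $false; Mode = 'Native' }  # denied
    @{ ContainerScope = 'DomainLocal'; MemberKind = 'DomainLocal'; SameDomain = $false; Mode = 'Native' }  # denied
    @{ ContainerScope = 'Universal';   MemberKind = 'DomainLocal'; SameDomain = $true;  Mode = 'Native' }  # denied
    @{ ContainerScope = 'DomainLocal'; MemberKind = 'Universal';   SameDomain = $false; Mode = 'Native' }  # allowed
    @{ ContainerScope = 'Global';      MemberKind = 'Global';      SameDomain = $true;  Mode = 'Mixed'  }  # denied
)

foreach ($p in $proposals) {
    $ok = Test-GroupMembershipAllowed @p    # splat the hashtable as named parameters
    '{0,-6} {1,-11} group <- {2,-11} (same domain: {3,-5}) : {4}' -f `
        $p.Mode, $p.ContainerScope, $p.MemberKind, $p.SameDomain, $(if ($ok) { 'allowed' } else { 'denied' })
}
```

Running the block prints one verdict per proposal; the two nested-domain-local and cross-domain-global cases come out denied, which is exactly the situation that later blocks a scope change to universal.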

16 Local Group Overview Collection of user accounts on a computer Allows assignment of permissions to resources residing on the computer on which the local group is created Created in the local security database

17 Local Group Guidelines Can be used only on the computer where it is created. Its permissions provide access only to the resources on the computer where it is created. Can be used on computers running Windows 2000 Professional and member servers running Windows 2000 Server. Cannot be created on domain controllers. Used to limit the ability of local users and groups to gain access to network resources without creating domain groups.

18 Local Group Membership Rules A local group can contain local user accounts from the computer where the local group is created. Local groups cannot be members of any other group.

19 Planning a Group Strategy Planning Global and Domain Local Groups Using Universal Groups Practice: Planning New Group Accounts

20 Group Strategy Planning

21 Limitations of Other Strategies
Placing user accounts in domain local groups and assigning permissions to the domain local groups: does not allow for the assignment of permissions for resources outside of the domain; reduces the flexibility when your network grows.
Placing user accounts in global groups and assigning permissions to the global groups: complicates administration when using multiple domains; if global groups from multiple domains require the same permissions, permissions have to be assigned for each global group.

22 Universal Group Guidelines Assign permissions to universal groups for resources in any domain in the network. Use universal groups only when their membership is static since changes in membership can cause excessive network traffic between domain controllers. Membership of universal groups may be replicated to a larger number of domain controllers. Add global groups from several domains to a universal group, and then assign permissions for access to a resource to the universal group. Use a universal group in the same way as a domain local group to assign permissions for resources.
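The strategy the preceding slides argue for is: accounts into global groups, global groups into a domain local group named for the resource, permissions assigned once to the domain local group, with a universal group aggregating the global groups of several domains where needed. The following script is an added example, not from the slides, that carries that strategy out with the ActiveDirectory PowerShell module (RSAT). Domain names, OU path, group names, share path and account names are constructed placeholders.

```powershell
# Added example: accounts -> global groups -> domain local group -> permissions,
# plus the universal-group variant for several domains. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

$ouPath      = 'OU=Groups,DC=corp,DC=example'           # constructed
$resource    = '\\fs01\Finance\Budgets'                 # constructed share path
$globalNames = 'G-Finance-Analysts', 'G-Finance-Managers'

# 1. Put user accounts in global groups that describe a role, in the users' own domain.
foreach ($name in $globalNames) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $ouPath -Description "Role group: $name"
    }
}
Add-ADGroupMember -Identity 'G-Finance-Analysts' -Members 'alice', 'bob'   # constructed sAMAccountNames

# 2. Create one domain local group per resource and permission level, and nest the
#    global groups into it. Global groups from other domains may be added as well.
$dl = 'DL-Finance-Budgets-Modify'
if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
}
Add-ADGroupMember -Identity $dl -Members $globalNames

# 3. Assign the permission once, to the domain local group only. Users never appear
#    in the ACL, so staff changes are handled by group membership, not by editing ACLs.
$acl  = Get-Acl -Path $resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CORP\$dl", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# 4. Multi-domain variant from the universal-group guidelines: collect the global groups
#    of several domains in one universal group and assign permissions to it instead.
#    Membership should be stable, because universal-group membership is replicated widely.
$universal = 'U-Finance-Analysts-All'
if (-not (Get-ADGroup -Filter "Name -eq '$universal'")) {
    New-ADGroup -Name $universal -GroupScope Universal -GroupCategory Security -Path $ouPath
}
$emeaAnalysts = Get-ADGroup -Identity 'G-Finance-Analysts' -Server 'emea.corp.example'   # other domain, constructed
Add-ADGroupMember -Identity $universal -Members 'G-Finance-Analysts', $emeaAnalysts
```

Only steps 1 to 3 are needed in a single domain; step 4 shows where the universal group fits when the same role exists in more than one domain.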

23 Creating Groups Creating and Deleting Groups Deleting a Group Adding Members to a Group Changing the Group Type Changing the Group Scope to Universal Creating Local Groups Practice: Creating Groups

24 Creating and Deleting Groups Use the Active Directory Users and Computers console to create and delete groups. Create groups in the Users container or in another container, or in an OU created specifically for groups. As the organization grows and changes, delete groups when they are no longer needed; helps maintain security.

25 New Object-Group Dialog Box

26 Deleting a Group Each group has a unique, nonreusable identifier called the security identifier (SID). Windows 2000 uses the SID to identify the group and the assigned permissions. If a new group is created using the deleted group name, Windows 2000 creates a new SID for that group. Access to resources cannot be restored by re-creating the group.

27 Adding Members to a Group After the group is created, members are added. Members of groups can include user accounts, contacts, other groups, and computers. The Active Directory Users and Computers console is used to add members.

28 Select Users, Contacts, Computers, Or Groups Dialog Box

29 Changing the Group Type As group functions change, changing the group type may become necessary. The group type can be changed only when Windows 2000 is operating in native mode.

30 Group Scopes That Can Be Changed
A global group to a universal group: only if the global group is not a member of another global group.
A domain local group to a universal group: only if the domain local group does not contain another domain local group.
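Because the two conditions above are checked by the directory only at the moment of the change, it helps to test them first. This added example (not from the slides) does that with the ActiveDirectory module: it inspects the group's own memberships or members as the slide describes, and converts the scope only when the condition holds. The function name and the group name are constructed.

```powershell
# Added example: pre-check the slide's two conditions, then convert to universal scope.
Import-Module ActiveDirectory

function Test-CanConvertToUniversal {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties MemberOf
    switch ($group.GroupScope) {
        'Global' {
            # Blocked if this global group is itself a member of another global group.
            $globalParents = @($group.MemberOf |
                ForEach-Object { Get-ADGroup -Identity $_ } |
                Where-Object  { $_.GroupScope -eq 'Global' })
            return ($globalParents.Count -eq 0)
        }
        'DomainLocal' {
            # Blocked if this domain local group contains another domain local group.
            $dlMembers = @(Get-ADGroupMember -Identity $group |
                Where-Object  { $_.objectClass -eq 'group' } |
                ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
                Where-Object  { $_.GroupScope -eq 'DomainLocal' })
            return ($dlMembers.Count -eq 0)
        }
        'Universal' { return $false }   # nothing to convert
    }
}

$name = 'G-Finance-Analysts'   # constructed placeholder
if (Test-CanConvertToUniversal -GroupName $name) {
    Set-ADGroup -Identity $name -GroupScope Universal
    "Converted $name to universal scope."
} else {
    Write-Warning "$name cannot be converted to universal scope; remove the blocking global-in-global or domain-local-in-domain-local nesting first."
}
```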

31 Creating Local Groups Use the Local Users and Groups snap-in within the Computer Management console to create local groups. Create local groups in the Groups folder.

32 New Group Dialog Box

33 Select Users Or Groups Dialog Box

34 Understanding Default Groups Predefined Groups Built-In Groups Built-In Local Groups Special Identity Groups

35 Default Group Overview Four categories: predefined, built-in, built-in local, and special identity. Default groups have a predetermined set of user rights or group membership. User rights determine the system tasks that a user or member can perform.

36 Predefined Group Overview Windows 2000 creates predefined groups with a global scope to group common types of user accounts. Windows 2000 automatically adds members to some predefined global groups. Additional user accounts can be added to predefined groups to provide additional users with privileges and permissions assigned to the group. The Users container holds the predefined global groups in a domain. Predefined groups do not have any inherent rights. Rights are assigned by adding the global groups to domain local groups or explicitly assigning user rights or permissions to the predefined global groups.

37 Default Membership: Domain Admins Windows 2000 automatically adds Domain Admins to the Administrators built-in domain local group. Being added to the Administrators built-in domain local group allows members of Domain Admins to perform administrative tasks on any computer anywhere in the domain. By default, the Administrator account is a member.

38 Default Membership: Domain Guests Windows 2000 automatically adds Domain Guests to the Guests built-in domain local group. By default, the Guest account is a member.

39 Default Membership: Domain Users Windows 2000 automatically adds Domain Users to the Users built-in domain local group. By default, the Administrator, Guest, IUSR_computername, IWAM_computername, krbtgt, and TsInternetUser accounts are initially members. Each new domain user account is automatically a member.

40 Default Membership: Enterprise Admins User accounts should be added to Enterprise Admins for users who should have administrative control for the entire network. Enterprise Admins should be added to the Administrators domain local group in each domain. By default, the Administrator account is a member.

41 Built-In Groups Overview Windows 2000 creates built-in groups with a domain local scope. Built-in groups provide users with user rights and permissions to perform tasks on domain controllers and in Active Directory. Built-in domain local groups give predefined rights and permissions to user accounts when user accounts or global groups are added as members. The Built-in container holds the built-in domain local groups in a domain.

42 Built-In Domain Local Groups: Account Operators Members can create, delete, and modify user accounts and groups. Members cannot modify the Administrators group or any of the operators groups.

43 Built-In Domain Local Groups: Administrators Members can perform all administrative tasks on all domain controllers and the domain itself. By default, the Administrator user account and the Domain Admins and Enterprise Admins predefined global groups are members.

44 Built-In Domain Local Groups: Backup Operators Members can back up and restore all domain controllers by using Windows Backup.

45 Built-In Domain Local Groups: Guests Members can perform only tasks for which the administrator has granted rights. Members can gain access only to resources for which the administrator has assigned permissions. Members cannot make permanent changes to their desktop environment. By default, the Guest, IUSR_computername, IWAM_computername, and TsInternetUser user accounts and the Domain Guests predefined global group are members.

46 Built-In Domain Local Groups: Pre-Windows 2000 Compatible Access A backward compatibility group that allows read access for all users and groups in the domain. By default, only the Everyone pre-Windows 2000 system group is a member.

47 Built-In Domain Local Groups: Print Operators Members can set up and manage network printers on domain controllers.

48 Built-In Domain Local Groups: Replicator Supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. The accounts of actual users must not be added to this group.

49 Built-In Domain Local Groups: Server Operators Members can share disk resources and back up and restore files on a domain controller.

50 Built-In Domain Local Groups: Users Members can perform only tasks for which the administrator has granted rights. Members can gain access only to resources for which the administrator has assigned permissions. By default, the Authenticated Users and INTERACTIVE pre-Windows 2000 groups and the Domain Users predefined global group are members. Use this group to assign permissions and rights that every user with a user account in the domain should have.
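The default memberships listed on the predefined-group and built-in-group slides are a useful baseline: anyone who turns up in Administrators, Domain Admins, Enterprise Admins or one of the operators groups beyond that baseline is worth a look. The following audit is an added example, not from the slides, written against the ActiveDirectory module; the baseline hashtable is constructed from the defaults the slides state and should be adjusted to the organisation's approved list. It also checks whether Pre-Windows 2000 Compatible Access still contains Everyone or Anonymous Logon.

```powershell
# Added example: report members of privileged default groups that are not in the
# expected baseline, and flag anonymous read access via Pre-Windows 2000 Compatible Access.
Import-Module ActiveDirectory

# Built-in domain local and predefined global groups with administrative reach.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Account Operators',
              'Server Operators', 'Backup Operators', 'Print Operators'

# Constructed baseline of expected *direct* members, from the defaults on the slides.
# Groups not listed here (the operators groups) are expected to be empty.
$baseline = @{
    'Administrators'    = 'Administrator', 'Domain Admins', 'Enterprise Admins'
    'Domain Admins'     = , 'Administrator'
    'Enterprise Admins' = , 'Administrator'     # exists only in the forest root domain
}

function Get-PrivilegedGroupDrift {
    foreach ($g in $privileged) {
        $expected = @($baseline[$g])
        Get-ADGroupMember -Identity $g |
            Where-Object { $_.SamAccountName -notin $expected } |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; UnexpectedMember = $_.SamAccountName; Type = $_.objectClass }
            }
    }
}

# Well-known SIDs are stored in this group as foreign security principals, which
# Get-ADGroupMember cannot always resolve, so read the Members attribute directly.
function Test-PreWin2000AnonymousRead {
    $members = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties Members).Members
    # S-1-1-0 = Everyone, S-1-5-7 = Anonymous Logon: either grants directory read access
    # to callers that were never authenticated.
    return [bool]($members | Where-Object { $_ -match '^CN=S-1-1-0,|^CN=S-1-5-7,' })
}

Get-PrivilegedGroupDrift | Format-Table -AutoSize
if (Test-PreWin2000AnonymousRead) {
    Write-Warning 'Pre-Windows 2000 Compatible Access still grants read access to Everyone or Anonymous Logon.'
}
```

Run it from a scheduled task and compare the output with the previous run; direct membership is reported rather than recursive membership so that the finding names the group where the change was made.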

51 Built-In Local Groups Overview All stand-alone servers, member servers, and computers running Windows 2000 Professional have built-in local groups. Built-in local groups give users the rights to perform system tasks on a single computer. Windows 2000 places the built-in local groups into the Groups folder in the Local User Manager snap-in.

52 Built-In Local Groups: Administrators Members can perform all administrative tasks on the computer. By default, the built-in Administrator user account for the computer is a member. Windows 2000 automatically adds the Domain Admins predefined global group to the local Administrators group.

53 Built-In Local Groups: Backup Operators Members can use Windows Backup to back up and restore the computer.

54 Built-In Local Groups: Guests Members can perform only tasks for which the administrator has specifically granted rights. Members can gain access only to resources for which the administrator has assigned permissions. Members cannot make permanent changes to their desktop environment. By default, the built-in Guest account for the computer is a member. Windows 2000 automatically adds the Domain Guests predefined global group to the local Guests group.

55 Built-In Local Groups: Power Users Members can create and modify local user accounts on the computer and share resources.

56 Built-In Local Groups: Replicator Supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. The accounts of actual users must not be added to this group.

57 Built-In Local Groups: Users Members can perform only tasks for which the administrator has specifically granted rights. Members can gain access only to resources for which the administrator has assigned permissions. By default, Windows 2000 adds to the Users group local user accounts that the administrator creates on the computer. Windows 2000 automatically adds the Domain Users predefined global group to the local Users group.
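The slides on creating local groups and on the built-in local groups describe two routine tasks on a member server: creating a local group in the local security database, and knowing who is in the local Administrators group (by default the computer's Administrator account plus Domain Admins). This added example, not from the slides, does both with the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10 and Windows Server 2016 and later; it must run elevated, and the group, account and domain names are constructed.

```powershell
# Added example: create a local group, add a local account to it, then audit the
# local Administrators group against the default membership described on the slides.

$groupName = 'LG-Staging-Share'   # constructed
if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $groupName -Description 'Local group that grants access to the staging share on this server'
}
# Local groups hold local user accounts from this computer (and, on a domain member, domain principals).
Add-LocalGroupMember -Group $groupName -Member 'stagingsvc'   # constructed local account

# Audit: anything in Administrators beyond the computer's own Administrator account and
# Domain Admins is reported. CORP is a constructed domain name.
function Get-LocalAdminDrift {
    param(
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')
    )
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -notin $Expected } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

Get-LocalAdminDrift | Format-Table -AutoSize
```

PrincipalSource distinguishes local accounts from domain accounts in the output, which makes a domain user added directly to the local Administrators group (instead of through a domain group) stand out.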

58 Special Identity Groups Overview Exist on all computers running Windows 2000. Do not have specific memberships that can be modified. Can represent different users at different times, depending on how a user gains access to a computer or resource. Are not seen when administering groups, but are available for use when the administrator assigns rights and permissions to resources. Membership is based on how the computer is accessed, not on who uses the computer.

59 Special Identity Groups: Anonymous Logon Includes any user account that Windows 2000 did not authenticate

60 Special Identity Groups: Authenticated Users Includes all users with a valid user account on the computer or in Active Directory Used instead of the Everyone group to prevent anonymous access to a resource

61 Special Identity Groups: Creator Owner Includes the user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is owner of the resource.

62 Special Identity Groups: Dialup Includes any user who currently has a dial-up connection

63 Special Identity Groups: Everyone Includes all users who access the computer. Windows 2000 will authenticate a user who does not have a valid user account as Guest and any valid user (including Guest) automatically gets all rights and permissions that have been assigned to the Everyone group. The Everyone group is assigned full control to many resources by default.
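Two facts on the slides above lead directly to an ACL check a practitioner will want: the "Deleting a Group" slide says a deleted group's SID is never reused, so its permissions linger as unresolvable SIDs in ACLs, and the "Everyone" slide says that group gets Full Control on many resources by default while "Authenticated Users" is the recommended replacement. The following functions are an added example, not from the slides; they report both conditions for one folder and can swap explicit Everyone entries for Authenticated Users. The folder path is a constructed placeholder.

```powershell
# Added example: find orphaned-SID and Everyone/Anonymous Full Control entries in a
# folder's ACL, and replace explicit Everyone entries with Authenticated Users.

function Get-AclFindings {
    param([Parameter(Mandatory)][string]$Path)

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id      = $ace.IdentityReference.Value
        $finding = $null
        if ($id -match '^S-1-') {
            # The principal behind this entry no longer exists. Re-creating a group with the
            # same name produces a new SID, so this entry can never be satisfied again.
            $finding = 'orphaned SID (deleted principal)'
        }
        elseif (($id -in @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON')) -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $full) -eq $full)) {
            $finding = 'Full Control for an identity that includes unauthenticated callers'
        }
        if ($finding) {
            [pscustomobject]@{
                Path = $Path; Identity = $id; Rights = $ace.FileSystemRights
                Inherited = $ace.IsInherited; Finding = $finding
            }
        }
    }
}

# Remediation for the Everyone case: same rights, same inheritance, but granted to
# Authenticated Users. Inherited entries are skipped; fix those at the parent.
function Replace-EveryoneAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl      = Get-Acl -Path $Path
    $explicit = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited })
    foreach ($ace in $explicit) {
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\Authenticated Users', $ace.FileSystemRights,
            $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        $null = $acl.RemoveAccessRule($ace)
        $acl.AddAccessRule($replacement)
    }
    if ($explicit.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $explicit.Count    # number of entries replaced
}

$folder = 'D:\Shares\Public'   # constructed placeholder
Get-AclFindings -Path $folder | Format-Table -AutoSize
# Replace-EveryoneAce -Path $folder   # run once the findings have been reviewed
```

Orphaned entries are only reported, not removed: deciding whether the permission should be granted to a new group is an administrative decision, and the report is the input to it.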

64 Special Identity Groups: Interactive Includes the user account for the user who is logged on at the computer. Members gain access to resources on the computer at which they are physically located. Members log on and gain access to resources by “interacting” with the computer.

65 Special Identity Groups: Network Includes any user with a current connection from another computer on the network to a shared resource on the computer

66 Groups for Administrators Why You Should Not Run Your Computer as an Administrator Administrators as Members of the Users and Power Users Groups Using Run As to Start a Program RUNAS Command RUNAS Examples Practice: Using Run As to Start a Program as an Administrator

67 Reasons Not to Run Your Computer as an Administrator Makes the network vulnerable to Trojan horse attacks and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. A Trojan horse could reformat the hard drive, delete all files, and create a new user account with administrative access. You should not assign yourself to the Administrators group, and you should avoid running nonadministrative tasks on the computer as an administrator. Assign yourself to the Users or Power Users group. Log on as an administrator, perform the administrative task, and then log off.

68 Administrators as Members of the Users and Power Users Groups Member of Users group: Allows performance of routine tasks without exposing the computer to unnecessary risk. Member of Power Users group: Allows the performance of routine tasks, as well as installing programs, adding printers, and using most Control Panel items. If administrator privileges are frequently needed, use the Run As program to start a program as an administrator.

69 Using Run As to Start a Program Run As is used to run a program that requires the user to be logged on as an administrator. Run As allows one to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user. If you attempt to start a program, MMC console, or Control Panel item from a network location using the Run As program, it might fail if the credentials used to connect to the network share are different from the credentials used to start the program. Credentials used to run the program may not be able to gain access to the same network share.

70 Using Run As to Start a Program (cont.) The RunAs service must be running for Run As to start a program. The RunAs service can be configured to start automatically when the system starts by using the RunAs Server option in the Services console. A property should be set on shortcuts to programs and MMC tools so that you will always be prompted for alternate credentials when you use the shortcut. The property is set by right-clicking the shortcut, clicking Properties, and then selecting the Run As Different User check box. When the shortcut is started, the Run As Other User dialog box appears, prompting for the alternate user name, password, and domain.

71 Run As Other User Dialog Box

72 RUNAS Command Syntax
runas [/profile] [/env] [/netonly] /user:UserAccountName program
/profile: Specifies the name of the user's profile, if it needs to be loaded.
/env: Specifies that the current network environment be used instead of the user's local environment.
/netonly: Indicates that the user information specified is for remote access only.
/user:UserAccountName: Specifies the name of the user account under which to run the program; the account name format should be or domain\user.
program: Specifies the program or command to run using the account specified in /user.
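The agenda lists RUNAS examples, but none are on this page. The following are added examples, not from the slides, of the syntax above used the way the "Groups for Administrators" section recommends: logged on as a normal user, start only the administrative tool with administrative credentials. Account names, domain names and server names are constructed placeholders; dsa.msc is the Active Directory Users and Computers console and compmgmt.msc the Computer Management console.

```powershell
# Added examples of the RUNAS syntax on the preceding slide, typed in a PowerShell prompt.

# Start Active Directory Users and Computers with domain administrator credentials.
# The program string is one quoted argument; the password is prompted for interactively.
runas /user:CORP\adm-alice "mmc $env:windir\system32\dsa.msc"

# /profile: load the alternate user's profile, for tools that keep per-user settings.
runas /profile /user:CORP\adm-alice "mmc $env:windir\system32\compmgmt.msc"

# /netonly: the program runs locally as the logged-on user, and the alternate
# credentials are used only for network access, for example to a share in another domain.
runas /netonly /user:EMEA\adm-alice "cmd /k dir \\emea-fs01\reports"

# PowerShell equivalent of the Run As Other User dialog: prompt once for credentials,
# then start the console under them. Get-Credential stores the password as a SecureString.
$cred = Get-Credential -UserName 'CORP\adm-alice' -Message 'Administrative credentials for this tool only'
Start-Process -FilePath 'mmc.exe' -ArgumentList "$env:windir\system32\dsa.msc" -Credential $cred
```

As the earlier slide notes, starting the program from a network share with Run As can fail when the share was connected with different credentials from those given to Run As; the examples above therefore start tools from the local system directory.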