Ch 10 Security Group Management 1. Objectives 1.Understand Local security groups 2. Understand Domain local groups 3.Understand Global groups 4.Understand.


1 Ch 10 Security Group Management

2 Objectives
1. Understand Local security groups
2. Understand Domain local groups
3. Understand Global groups
4. Understand Universal groups

3 Security Group Management
One of the best ways to manage accounts is by grouping accounts that have similar characteristics
Scope of influence (or scope) – The reach of a group for gaining access to resources in Active Directory
Types of groups:
1. Local
2. Domain local
3. Global
4. Universal

4 Security Group Management (continued)
All of these groups can be used for security or distribution groups
Security groups – Used to enable access to resources on a stand-alone server or in Active Directory
Distribution groups – Used for e-mail or telephone lists, to provide quick, mass distribution of information

5 Implementing Local Groups
Local security group – Used on stand-alone servers that are not part of a domain; the scope of this type of group does not go beyond the local server on which it is defined

Consider an office of mineral resource consultants in which there are 18 user accounts on the server. Four of these accounts are used by the founding partners of the consulting firm, who manage employee hiring, payroll, schedules, and general accounting. Seven accounts are for consultants who specialize in coal-bed methane extraction, and the seven remaining accounts belong to consultants who work with oil extraction.

In this situation, the company might decide not to install Active Directory, and divide these accounts into three local groups. One group would be called Managers and consist of the four founding partners. Another group would be called CBM for the coal-bed methane consultants, and the third group would be called Oil and be used for the oil consultants. Each group would be given different security access based on the resources at the server, which would include access to folders and to printers.

6 Implementing Domain Local Groups
Domain local security group – Used when there is a single domain or to manage resources in a particular domain so that global and universal groups can access those resources
The scope of a domain local group is the domain in which the group exists
The typical purpose of a domain local group is to provide access to resources
A domain local group can contain user accounts, global groups, and universal groups

7 Implementing Global Groups
Global security group – Used to manage group accounts from the same domain so that those accounts can access resources in the same and in other domains
– This capability gives global groups a broader scope than domain local groups, because their members can access resources in other domains
– Can also be set up as a member of a domain local group in the same or another domain
A global group can contain user accounts and other global groups from the domain in which it was created
A global group can be converted to a universal group
– As long as it is not nested in another global group or in a universal group

8 Implementing Global Groups (continued)
In the example shown in Figure 4-18, the Finance and Budget global groups cannot be converted to universal groups because they already are members of the Managers and Finance groups

9 Implementing Global Groups (continued)
A typical use for a global group is to build it with accounts that need access to resources in the same or in another domain
– And then to make the global group in one domain a member of a domain local group in the same or another domain
This model enables you to manage user accounts and their access to resources through one or more global groups
– While reducing the complexity of managing accounts

10 Global Group Example
Consider a college that has a domain for students, a domain for faculty and staff, and a domain for research organizations that are associated with the college. The college’s executive council, consisting of the college president and vice presidents, needs access to resources in all three domains. One way to enable the executive council to have access is to create a domain local group called LocalExec in each domain that provides the appropriate access to folders, files,

11 Global Group Example (Cont)
and other resources. Next, create a GlobalExec global group in the faculty and staff domain that has the president’s and vice presidents’ user accounts as members (see the figure on the next slide). These steps enable you to manage security for all of their accounts at one time from one global group.

If the president or a vice president leaves to take another job, you simply delete (or disable) that person’s account from the global group and later add an account (or rename and enable the old account) for her or his replacement.

You also can manage access to resources in each domain one time through each domain local group, resulting in much less management work. If a new printer is added to a domain, for example, you can give the domain local group full privileges to the printer.

12 Implementing Global Groups (continued)
[Figure]

13 Creating Domain Local and Global Security Groups
1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers.
2. In the tree in the left pane, double-click Active Directory Users and Computers, and the domain, such as jpcomp.com, if the contents of these are not displayed in the tree.
3. Click Users in the tree.
4. Click the Action menu, point to New, and click Group. What defaults are already selected in the New Object–Group dialog box?
5. In the Group name box, enter DomainMgrs plus your initials, for example DomainMgrsJP. What is the pre-Windows 2000 group name?
6. Click Domain local under Group scope, and click Security (if it is not already selected) under Group type.
7. Click OK and then look for the group you just created in the right pane within the Users folder.
8. Click the Create a new group in the current container icon on the button bar (with two heads).
9. In the Group name box, type GlobalMgrs plus your initials, for example GlobalMgrsJP.
10. Click Global under Group scope, and click Security under Group type, if they are not already selected.

14 Creating Domain Local and Global Security Groups
11. Click OK and then look for the group you just created in the right pane.
12. Double-click the global group you created.
13. Click the Members tab. Notice that no members are currently associated with this group.
14. Click the Add button.
15. Click the Advanced button in the Select Users, Contacts, Computers, or Groups dialog box.
16. Click Find Now.
17. Click the first user provided by your instructor, press and hold down the CTRL key and click the second user provided by your instructor. Click OK.
18. Make sure that the users you selected are shown in the Select Users, Contacts, Computers, or Groups dialog box. Click OK.
19. Again, be sure that both accounts are shown in the Members box on the Members tab. Click OK.
20. Double-click the domain local group, such as DomainMgrsJP, and then click the Members tab.

15 Creating Domain Local and Global Security Groups
21. Click Add.
22. Click Advanced in the Select Users, Contacts, Computers, or Groups dialog box.
23. Click Find Now.
24. Locate the global group you created, such as GlobalMgrsJP. Click that global group and click OK.
25. Verify that the global group is displayed in the Select Users, Contacts, Computers, or Groups dialog box, and then click OK.
26. Make sure the global group is listed under Members on the Members tab. Click OK.
27. Close the MMC and click Yes to save the console settings. If you haven’t already given the console a name, enter a name for it, such as Manage Accounts, and click Save.
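
The same procedure scripted in PowerShell, as an added example that is not part of the original slides. It assumes the RSAT ActiveDirectory module is installed and the session has rights to create groups in the Users container of jpcomp.com; the two user names are placeholders for the accounts your instructor provides, and the helper functions New-SecurityGroupIfMissing and Add-MissingMember are hypothetical names defined here.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module
# and rights to create groups in the Users container of jpcomp.com.
Import-Module ActiveDirectory

$container   = 'CN=Users,DC=jpcomp,DC=com'
$localGroup  = 'DomainMgrsJP'
$globalGroup = 'GlobalMgrsJP'
$users       = @('USER1-PLACEHOLDER', 'USER2-PLACEHOLDER')  # accounts from your instructor

# Hypothetical helper: create a security group, or fail if the name is
# already taken by a group with a different scope or type.
function New-SecurityGroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path)
    $g = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if ($g) {
        if ("$($g.GroupScope)" -ne $Scope -or "$($g.GroupCategory)" -ne 'Security') {
            throw "$Name exists as $($g.GroupScope)/$($g.GroupCategory)"
        }
        return $g
    }
    # -SamAccountName is the "pre-Windows 2000" group name shown in the dialog box.
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
        -GroupCategory Security -Path $Path -PassThru
}

# Hypothetical helper: add only the members that are not already present,
# so the script can be re-run without errors.
function Add-MissingMember {
    param($Group, [string[]]$Members)
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object SamAccountName)
    $toAdd = @($Members | Where-Object { $_ -notin $current })
    if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $toAdd }
}

$dl = New-SecurityGroupIfMissing -Name $localGroup  -Scope DomainLocal -Path $container  # steps 4-7
$gg = New-SecurityGroupIfMissing -Name $globalGroup -Scope Global      -Path $container  # steps 8-11
Add-MissingMember -Group $gg -Members $users        # steps 12-19: accounts go in the global group
Add-MissingMember -Group $dl -Members $globalGroup  # steps 20-26: global group goes in the domain local group

# Check: the domain local group should hold groups only, never accounts directly.
$direct = Get-ADGroupMember -Identity $dl | Where-Object { $_.objectClass -ne 'group' }
if ($direct) { Write-Warning "Direct non-group members: $($direct.SamAccountName -join ', ')" }

# Effective access list: accounts that reach the domain local group through nesting.
Get-ADGroupMember -Identity $dl -Recursive | Select-Object SamAccountName, objectClass
```

The final command lists every account that inherits the domain local group's permissions through the global group, which is the list to review when auditing who can reach a resource.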

16 Implementing Universal Groups
Used to provide access to resources in any domain within a forest
Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain
Universal groups are offered to provide an easy means to access any resource in a tree
– Or among trees in a forest

17 Implementing Universal Groups
In the example of setting up access for the executive council in a college that has three domains, an alternative is to create one universal group that has access to all resources in the three domains: create one global group containing the president and vice presidents, and make that global group a member of the universal group. This model has only two groups to manage, as shown in the figure on the next slide.

18 [Figure]

19 Guidelines
Guidelines to help simplify how you plan to use groups:
– Use global groups to hold accounts as members. Give accounts access to resources by making the global groups to which they belong members of domain local groups or universal groups or both.
– Use domain local groups to provide access to resources in a specific domain
– Use universal groups to provide extensive access to resources, particularly when Active Directory contains trees and forests

