Identifying the Types of Group Accounts


Upload: mohammad-rojas

Post on 03-Jan-2016


Page 1: Identifying the Types of Group Accounts

7.1 © 2004 Pearson Education, Inc.

Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment

Lesson 7: Introducing Group Accounts

Identifying the Types of Group Accounts

- A group is a collection of user accounts or computers with similar rights and permissions
- The users in a group are called members
- Administrators can categorize users into groups based on the functions they perform and the requirements of their jobs so that they can easily manage multiple users as a single entity

(Skill 1)

Page 2: Identifying the Types of Group Accounts

Identifying the Types of Group Accounts (2)

Two main types of groups
- Security groups
  - Used to define the rights and permissions users will have to access resources on a computer or a network
  - Are listed in Discretionary Access Control Lists (DACLs)
- Distribution groups
  - Used only for the distribution of messages by applications such as Microsoft Exchange Server
  - Cannot be used to assign permissions to users

(Skill 1)

Page 3: Identifying the Types of Group Accounts

Identifying the Types of Group Accounts (3)

Group scope
- When you create a group, you must specify the group scope
- The group scope determines whether the group can be used to access resources in a specific domain or across domains in a network
- There are three group scopes in a Windows Server 2003 environment
  - Domain local scope
  - Global scope
  - Universal group scope

(Skill 1)

Page 4: Identifying the Types of Group Accounts

Identifying the Types of Group Accounts (4)

Domain local scope
- A domain local group is created in Active Directory on a domain controller
- The scope of a domain local group is the domain in which the group was created
- You can add members to a domain local group from any domain

(Skill 1)

Page 5: Identifying the Types of Group Accounts

Identifying the Types of Group Accounts (5)

Global scope
- A global group has members with common network access requirements
- Members can be drawn only from the domain where the global group was created
- Permissions can be assigned to members for resources in any domain

(Skill 1)

Page 6: Identifying the Types of Group Accounts

Figure 7-1 Group types and group scopes

(Skill 1)

Page 7: Identifying the Types of Group Accounts

Identifying the Types of Group Accounts (6)

Universal group scope
- A universal group is used when there are multiple domains in a forest
- Members can be drawn from many different domains
- Permissions can be assigned for resources in any domain
- Universal groups are available only when Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode

(Skill 1)

Page 8: Identifying the Types of Group Accounts

Identifying the Types of Group Accounts (7)

Group nesting
- Process of adding groups to other groups is called group nesting
- Group nesting minimizes the number of times you need to assign permissions to multiple groups

(Skill 1)

Page 9: Identifying the Types of Group Accounts

Figure 7-2 Nested groups

(Skill 1)

Page 10: Identifying the Types of Group Accounts

Introducing Built-in Groups

- Windows Server 2003 includes default groups called built-in groups that have a preset collection of rights and permissions
- Built-in groups can be used to manage common tasks performed by users
- There are four types of built-in groups
  - Built-in local groups
  - Built-in domain local groups
  - Built-in global groups
  - Built-in system groups

(Skill 3)

Page 11: Identifying the Types of Group Accounts

Introducing Built-in Groups (2)

Built-in local groups
- Are created on all Windows Server 2003 computers
- Are stored in the Builtin container in the Active Directory Users and Computers console

- Account Operators
- Administrators
- Backup Operators
- Guests
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Log Users
- Performance Monitor Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users

(Skill 3)

Page 12: Identifying the Types of Group Accounts

Introducing Built-in Groups (3)

Built-in domain local groups
- Are automatically created only on domain controllers
- Cannot be deleted
- Are stored in the Users container in the Active Directory Users and Computers console
- The number of domain local groups is different on each domain controller, depending on the type of services the domain controller is running

- Cert Publishers
- DHCP Administrators
- DHCP Users
- DnsAdmins
- HelpServicesGroup
- IIS_WPG (installed with IIS)
- RAS and IAS Servers
- TelnetClients
- WINS Users

(Skill 3)

Page 13: Identifying the Types of Group Accounts

Introducing Built-in Groups (4)

Built-in global groups
- Are automatically created on all domain controllers
- Are stored in the Users container in the Active Directory Users and Computers console

- DnsUpdateProxy
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Guests
- Domain Users
- Group Policy Creator Owner
- Enterprise Admins
- Schema Admins

(Skill 3)

Page 14: Identifying the Types of Group Accounts

Introducing Built-in Groups (5)

Built-in system groups
- Are populated with users based upon how they access a computer or a resource
- Network administrators cannot add, modify, or delete user accounts because the operating system does so automatically

- Anonymous Logon
- Authenticated Users
- Creator Owner
- Dial-up
- Everyone
- Interactive
- Network
- Terminal Server Users

(Skill 3)

Page 15: Identifying the Types of Group Accounts

Figure 7-9 Built-in domain local groups in the Builtin container in the Active Directory Users and Computers console

(Skill 3)

Page 16: Identifying the Types of Group Accounts

Figure 7-10 Built-in domain local groups in the Users container in the Active Directory Users and Computers console

(Skill 3)

Page 17: Identifying the Types of Group Accounts

Figure 7-11 Built-in global groups in the Users container

(Skill 3)

Page 18: Identifying the Types of Group Accounts

Introducing Built-in Groups (6)

In Windows 2000 mixed mode environments, the best practice is to use domain local and global groups following what is referred to as the A-G-DL-P strategy

You put user accounts (A) into global groups (G), put the global groups into domain local groups (DL), and grant permissions (P) to the domain local group

In Windows 2000 native mode or Windows Server 2003 mode, universal groups can be used to organize global groups from multiple domains so that they fit between global and domain local (A-G-U-DL-P)

(Skill 3)
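
An added example (not from the slides or from Microsoft) that models the scope rules and the A-G-U-DL-P chain above, so you can audit which accounts a permission granted to a nested group actually reaches. The domain, user and group names are constructed, and the group-in-group nesting matrix is an assumption based on the usual native-mode rules, which the slides do not list.

```python
from dataclasses import dataclass, field

# Scope rules from the slides: global groups take members only from their own
# domain; domain local groups take members from any domain but are valid only
# on resources in their own domain; universal groups need native/2003 mode.
# NESTABLE is the usual native-mode nesting matrix (assumption, not on the slides).
NESTABLE = {"global": {"global"},
            "universal": {"global", "universal"},
            "domain_local": {"global", "universal", "domain_local"}}

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"   # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

def check_add(group, member, native_mode=True):
    """Return None if member may join group, else the reason it may not."""
    if group.scope == "universal" and not native_mode:
        return "universal groups need Windows 2000 native or Server 2003 mode"
    if member.scope != "user" and member.scope not in NESTABLE[group.scope]:
        return f"{member.scope} group cannot nest in a {group.scope} group"
    same_domain_only = group.scope == "global" or member.scope == "domain_local"
    if same_domain_only and member.domain != group.domain:
        return f"{member.name} is outside domain {group.domain}"
    return None

def add(group, member, native_mode=True):
    reason = check_add(group, member, native_mode)
    if reason:
        raise ValueError(f"{group.name} <- {member.name}: {reason}")
    group.members.append(member)

def effective_users(group, seen=None):
    """Expand nested groups into the set of user account names (cycle safe)."""
    seen = set() if seen is None else seen
    if id(group) in seen:
        return set()
    seen.add(id(group))
    users = set()
    for m in group.members:
        users |= {m.name} if m.scope == "user" else effective_users(m, seen)
    return users

def grant(acl, resource_domain, group, permission):
    """Add a DACL entry; a domain local group is valid only in its own domain."""
    if group.scope == "domain_local" and group.domain != resource_domain:
        raise ValueError(f"{group.name} is not valid in {resource_domain}")
    acl.append((group, permission))

def who_has(acl, permission):
    """Every user account reached by entries carrying this permission."""
    return set().union(*(effective_users(g) for g, p in acl if p == permission))

def demo():
    # Constructed two-domain forest wired up as A-G-U-DL-P.
    alice = Principal("alice", "sales.example")
    bob = Principal("bob", "sales.example")
    carol = Principal("carol", "eng.example")
    g_sales = Principal("G_Sales", "sales.example", "global")
    g_eng = Principal("G_Eng", "eng.example", "global")
    u_staff = Principal("U_Staff", "sales.example", "universal")
    dl_read = Principal("DL_Reports_Read", "eng.example", "domain_local")
    for grp, mem in [(g_sales, alice), (g_sales, bob), (g_eng, carol),
                     (u_staff, g_sales), (u_staff, g_eng), (dl_read, u_staff)]:
        add(grp, mem)
    acl = []  # DACL of a share in eng.example
    grant(acl, "eng.example", dl_read, "read")
    return who_has(acl, "read")
```

One grant to the domain local group reaches accounts in both domains, which is why nested membership has to be expanded before deciding who holds a permission.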

Page 19: Identifying the Types of Group Accounts

Figure 7-15 The New Object-Group dialog box

- The pre-Windows 2000 group name is automatically filled in
- The three group scopes
- The two types of groups

(Skill 4)

Page 20: Identifying the Types of Group Accounts

Figure 7-16 The new group in the Active Directory Users and Computers console

- The new group

(Skill 4)

Page 21: Identifying the Types of Group Accounts

Figure 7-17 Adding a member to the group

- Member of the group
- Click to remove members from the group
- Click to add members to the group

(Skill 4)

Page 22: Identifying the Types of Group Accounts

Creating Group Policy Objects

- Group Policies are used to control the computer configuration, user environment, and account policies such as the minimum password length and length of time a password can be used
- Network administrators apply Group Policies
  - To centrally manage configuration settings for groups of users or computers
  - To control the distribution of software applications in a domain

(Skill 6)

Page 23: Identifying the Types of Group Accounts

Creating Group Policy Objects (2)

Group Policies are applied to objects in Active Directory to control how they and their child objects will function

There are both user settings and computer settings, which can also affect the rights that are given to user accounts and groups

The idea is to enforce uniform corporate policies on a portion of the network

(Skill 6)

Page 24: Identifying the Types of Group Accounts

Creating Group Policy Objects (4)

Group Policy Objects (GPOs)
- Store all Group Policy settings that are applied to users and computers, along with the properties associated with the objects in the Active Directory store
- The policy settings for sites, domains, and organizational units are also stored in GPOs
- To create a GPO for a domain or an organizational unit, you use either the Active Directory Users and Computers console or the new Group Policy Management console (GPMC), which must be downloaded from Microsoft
- Types of GPOs
  - Local
  - Active Directory-based

(Skill 6)

Page 25: Identifying the Types of Group Accounts

Creating Group Policy Objects (6)

Group Policy Management Console (GPMC)
- Designed as a comprehensive tool for Group Policy administration for Windows Server 2003 and Windows 2000 domains
- Provides administrators with the ability to back up, restore, import, and copy/paste GPOs, as well as create, delete, and rename them
- Used to link GPOs, search for GPOs, and to delegate Group Policy-related features

(Skill 6)

Page 26: Identifying the Types of Group Accounts

Figure 7-28 Download the GPMC

(Skill 6)

Page 27: Identifying the Types of Group Accounts

Figure 7-29 Creating a GPO

(Skill 6)

Page 28: Identifying the Types of Group Accounts

Figure 7-30 The New GPO dialog box

(Skill 6)

Page 29: Identifying the Types of Group Accounts

Figure 7-31 New Group Policy Object in a domain

- The new GPO, as listed in the Group Policy Object Links column

(Skill 6)

Page 30: Identifying the Types of Group Accounts

Identifying the Types of Group Policies

Types of Group Policies
- In the Windows Server 2003 environment, there are different types of Group Policies categorized according to the different network components and Active Directory objects they influence
- Most Group Policies are used to update and manage Registry configuration data
- Use the Group Policy Object Editor snap-in to modify the default settings for Group Policies according to your requirements

(Skill 7)

Page 31: Identifying the Types of Group Accounts

Identifying the Types of Group Policies (2)

Group Policy Object Editor
- Computer Configuration node
  - Software Settings configuration setting node
  - Windows Settings node
  - Administrative Templates node
- User Configuration node
- Group Policy settings applied in the Computer Configuration node affect the computer objects to which they are applied

(Skill 7)

Page 32: Identifying the Types of Group Accounts

Figure 7-33 Security Settings for computers

(Skill 7)

Page 33: Identifying the Types of Group Accounts

Identifying the Types of Group Policies (4)

Group Policy
- Can be applied to users and computers
- Can be applied at the site, domain, or OU level

Application of Group Policy Objects
- Every computer has one Group Policy Object that is stored locally
- The Local Group Policy Object (LGPO) is applied first
- Then, GPOs assigned to the site are processed
- Next, policies assigned to the domain are processed
- Finally, policies assigned to OUs and child OUs are processed
- Policy settings are cumulative due to inheritance

(Skill 7)

Page 34: Identifying the Types of Group Accounts

Identifying the Types of Group Policies (5)

Understanding how GPO settings are applied
- If a GPO is assigned to the parent container, but not the child container, the parent container GPO setting applies
- If a GPO is assigned to both the parent container and the child container, and there is no conflict, both parent and child GPOs apply
- If a GPO is assigned to both the parent container and the child container, and there is a conflict, the child container setting applies
- These are the rules unless there is a conflict between a user setting and a computer setting; then the computer setting is applied

(Skill 7)

Page 35: Identifying the Types of Group Accounts

Identifying the Types of Group Policies (6)

Blocking inheritance
- You can modify the default behavior of inheritance by using the Block Inheritance option
- You can block inheritance for the GPO links for an entire domain, for all domain controllers, or for a particular OU

(Skill 7)
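
An added example (not from the slides) that works through the processing order and Block Inheritance described above: it computes the resultant settings for an object and reports which baseline settings were overridden or dropped, and by which container. The container names and setting names are constructed labels, not real policy names; the model assumes the local GPO is still processed when Block Inheritance is set, and it does not cover the user-versus-computer conflict rule.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    """A site, domain or OU together with the GPO settings linked to it."""
    name: str
    settings: dict = field(default_factory=dict)   # setting name -> value
    block_inheritance: bool = False

def resultant_policy(local_gpo, site, domain, ou_path):
    """Apply settings in the slides' order; a later layer wins a conflict.

    ou_path lists OUs from the top-level OU down to the one holding the object.
    Returns {setting: (value, name of the container that supplied it)}.
    """
    chain = [site, domain, *ou_path]
    # Block Inheritance: ignore every container above the lowest one that sets it.
    start = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            start = i
    # Assumption: the local GPO is not an Active Directory link, so it is
    # processed first regardless of Block Inheritance.
    layers = [Container("Local GPO", local_gpo)] + chain[start:]
    result = {}
    for layer in layers:
        for key, value in layer.settings.items():
            result[key] = (value, layer.name)
    return result

def baseline_drift(baseline, effective):
    """Return baseline settings that are missing or changed in the result."""
    drift = {}
    for key, wanted in baseline.items():
        value, source = effective.get(key, (None, "not applied"))
        if value != wanted:
            drift[key] = (value, source)
    return drift

def demo(block):
    # Constructed hierarchy: site -> domain -> OU=Workstations -> OU=Lab.
    local = {"screensaver_lock": "off"}
    site = Container("Site-HQ", {"proxy": "proxy.hq.example"})
    domain = Container("corp.example",
                       {"screensaver_lock": "on", "usb_storage": "deny"})
    workstations = Container("OU=Workstations")
    lab = Container("OU=Lab", {"usb_storage": "allow"}, block_inheritance=block)
    effective = resultant_policy(local, site, domain, [workstations, lab])
    return effective, baseline_drift(domain.settings, effective)

if __name__ == "__main__":
    for block in (False, True):
        effective, drift = demo(block)
        print(f"Block Inheritance on OU=Lab: {block}")
        print("  effective:", effective)
        print("  drift from domain baseline:", drift)
```

With Block Inheritance set on the child OU, the domain baseline no longer reaches the object and the weaker local setting becomes effective, so blocked containers are worth listing when reviewing where a baseline GPO really applies.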

Page 36: Identifying the Types of Group Accounts

Figure 7-39 Blocking Inheritance

(Skill 7)

Page 37: Identifying the Types of Group Accounts

Modifying Software Settings Using GPO Software Policies

Group Policies are used to assign and publish applications to groups of users or computers

Applications can be assigned to either users or computers, but they can be published only to users

After you have created the GPO, you can manage the software deployed to users and computers centrally in the Group Policy Object Editor

The Group Policy Object Editor has two parent nodes used to set Group Policies for users or computers: User Configuration and Computer Configuration

(Skill 8)

Page 38: Identifying the Types of Group Accounts

Modifying Software Settings Using GPO Software Policies (2)

User Configuration node
- Used to set Group Policies for users, which are applied when the user logs on to the domain
- Used to modify the settings for the desktop, applications, and security
- Used to assign and publish applications, set Group Policies to redirect folders, and set scripts for the logon and logoff processes

(Skill 8)

Page 39: Identifying the Types of Group Accounts

Modifying Software Settings Using GPO Software Policies (3)

Computer Configuration node
- Used to set Group Policies for computers that are members of the domain, OU, or site, depending on where the GPO is configured
- These Group Policies are applied when the operating system initializes
- Used to modify Group Policies related to the operating system, applications, and security controls for a computer

(Skill 8)

Page 40: Identifying the Types of Group Accounts

Figure 7-45 The Deploy Software dialog box

- Select to publish and assign applications
- Select to publish applications
- Select to assign applications

(Skill 8)

Page 41: Identifying the Types of Group Accounts

Figure 7-46 A published application in the Group Policy Object Editor

- Used to assign or publish applications to users
- Deployment state of the application

(Skill 8)

Page 42: Identifying the Types of Group Accounts

Redirecting Folders Using GPOs

Folder Redirection
- Allows you to take the most common folders and redirect them to a network server
- This means that rather than downloading the full folder at logon, your users are browsing the remote folder, just as if they were browsing a network share
- When a user opens an item in a redirected folder, the individual item is downloaded

(Skill 9)

Page 43: Identifying the Types of Group Accounts

Redirecting Folders Using GPOs (2)

Folder Redirection
- Saves considerable network bandwidth
- Significantly reduces the logon time for users with large profiles
- You can redirect folders over a network using the Folder Redirection extension located in the Windows Settings folder. This folder resides in the User Configuration node in the Group Policy Object Editor

(Skill 9)

Page 44: Identifying the Types of Group Accounts

Figure 7-47 Special folders available for redirection

(Skill 9)

Page 45: Identifying the Types of Group Accounts

Figure 7-48 The Target tab

- The Basic setting will redirect everyone’s folder to the same location

(Skill 9)

Page 46: Identifying the Types of Group Accounts

Figure 7-49 The Specify Group and Location dialog box

- Use to specify the security group for Folder Redirection
- Use to specify the location of the redirection folder on the network

(Skill 9)

Page 47: Identifying the Types of Group Accounts

Figure 7-50 Entering the security group and the location of the redirection folder

- The security groups to which Folder Redirection is applied can be selected, edited, or removed here

(Skill 9)

Page 48: Identifying the Types of Group Accounts

Figure 7-51 The Settings tab

(Skill 9)

- This option leaves the redirected folder in the new location even after GPO is removed