70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Download
1 / 50

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts - PowerPoint PPT Presentation

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts Objectives Understand the purpose of using group accounts to simplify administration Create group objects using both graphical and command-line tools

Related searches for 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha

Download Presentation

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 EnvironmentChapter 4:Implementing and Managing Group and Computer Accounts


Objectives

  • Understand the purpose of using group accounts to simplify administration

  • Create group objects using both graphical and command-line tools

  • Manage security groups and distribution groups

  • Explain the purpose of the built-in groups created when Active Directory is installed

  • Create and manage computer accounts

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Introduction to Group Accounts

  • A group is a container object

    • Used to organize collections of users, computers, contacts, other groups

    • Used to simplify administration

  • Similar to Organizational Units except

    • OUs are not security principals, groups are

    • OUs can only contain objects from their parent domain, groups can contain objects from within forest

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Group Types

  • Security groups

    • Defined by Security Identifier (SID)

    • Can be assigned permissions for resources

      • In discretionary access control lists (DACLs)

    • Can be assigned rights to perform different tasks

    • Can also be used as e-mail entities

  • Distribution groups

    • Primarily used as e-mail entities

    • Do not have associated SID

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Group Scopes

  • Scope refers to logical boundary of permissions to specific resources

  • Both Security and Distribution Groups have three scopes:

    • Global

    • Domain local

    • Universal

      Objects possible within each scope depend on the configured functional level of a domain

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Group Scopes (continued)

  • Three domain functional levels:

    • Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, 2000 Server, and Server 2003 domain controllers

    • Windows 2000 native: supports a combination of Windows 2000 Server and Server 2003 domain controllers

    • Windows Server 2003: supports Windows Server 2003 domain controllers only

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Global Groups

  • Organize groups of users, computers, groups within the same domain

  • Usually represents a geographic location or job function group

  • Types of objects in group related to configured functional level of the domain

    • Depends on the types of domain controllers in environment

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Domain Local Groups

  • Created on domain controllers

  • Can be assigned rights and permissions to any resource within the same domain

  • Can contain groups from other domains

  • Specific objects allowed in group related to configured functional level of the domain

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Universal Groups

  • Typically created to aggregate users or groups in different domains

  • Stored on domain controllers configured as global catalog servers (global catalogs are shared throughout the forest)

  • Can be assigned rights and permissions for any resource within a forest

  • Can only be created at the Windows 2000 native or Windows Server 2003 domain functional level

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Universal Groups (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Creating Group Objects

  • Group objects are stored in Active Directory database

  • Variety of tools can be used for creation and management

    • Active Directory Users and Computers

    • Command-line utilities

      • DSADD, DSMOD, DSQUERY, etc.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Active Directory Users and Computers

  • Primary tool

    • To create group accounts

    • Can also be used to configure properties of group accounts

  • Groups can be created in any built-in containers, at root of the domain object, or in custom OU objects

  • Possible group scopes determined by the functional level the domain is configured to

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Active Directory Users and Computers (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Converting Group Types

  • May need to change a security group to a distribution group or vice versa

  • Type of group can only be changed if domain functional level is Windows 2000 native or above

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Converting Group Scopes

  • Scope of a group can be changed

  • Domain functional level must be at least Windows 2000 native

  • Supported changes

    • Global to universal

    • Domain local to universal

    • Universal to global

    • Universal to domain local

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-1: Creating and Adding Members to Global Groups

  • Objective: Use Active Directory Users and Computers to create global groups

  • Start  Administrative Tools  Active Directory Users and Computers  Users container  New  Group

  • Follow directions to create several global groups and add user accounts to the groups

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-1 (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-2: Creating and Adding Members to Domain Local Groups

  • Objective: Use Active Directory Users and Computers to create domain local groups

  • Active Directory  Users  New  Group

  • Follow directions to create new Domain Local groups and add global groups to them

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-3: Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups

  • Objective: Change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal groups

  • Open your domain object in Active Directory Users and Computers

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-3 (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-3 (continued)

  • Follow directions to raise the functional level of your domain to Windows Server 2003

  • Continue the exercise to create a new universal group

  • Continue the exercise to add existing groups to the new group

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-3 (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-4: Converting Group Types

  • Objective: Use Active Directory Users and Computers to change group types

  • Follow directions to create a new global group with distribution type

  • Verify type of new group

  • Continue exercise to change type to security and to verify the change

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-4 (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-4 (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-5: Converting Group Scopes

  • Objective: Use Active Directory Users and Computers to change group scopes

  • Follow directions to create a new global group

  • Add a member group

  • Note restrictions and warnings that follow from group scope structure as described in exercise

  • Change the scope of the group to universal

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Command Line Utilities

  • An alternative to Active Directory Users and Computers

    • Some administrators have a preference for command-line utilities

    • Command-line utilities are more flexible for group management and creation in some situations

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


DSADD

  • Introduced in Windows Server 2003

  • Used to create new user and group accounts

  • Syntax is

    • dsadd group distinguished-name switches

  • Switches include: -secgrp, -scope, -memberof, -members

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or at command-line

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


DSADD (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-6: Creating Groups Using DSADD

  • Objective: Use the DSADD GROUP command to add groups of different types and scopes

  • Follow directions to execute dsadd group command to create a new global group

  • Verify group creation with Active Directory Users and Computers

  • Create a domain local group with members using dsadd group and verify that group was properly created

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


DSMOD

  • Also introduced in Windows Server 2003

  • Allows various object types to be modified from the command line

  • Syntax is

    • dsmod group distinguished-name switches

  • Switches include: -desc, -rmmbr, -addmbr

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


DSMOD (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-7: Modifying Groups Using DSMOD

  • Objective: Use the DSMOD GROUP command to modify group accounts

  • Follow directions to execute dsmod group command to add a description to an existing group

  • Verify modification with Active Directory Users and Computers

  • Modify group by adding and removing members and verify changes

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


DSQUERY

  • Also introduced in Windows Server 2003

  • Used to query various object types from the command line, returns values

  • Syntax for groups is

    • dsquery group query

  • Supports wildcard character (*)

  • Output can be piped as input to other command-line tools

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


DSMOVE

  • Used to move or rename various object types from the command line

  • Syntax for groups is

    • dsmove group distinguished-name switches

  • Switches include: -newparent, -newname

  • Can only be used for groups within a single domain

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command-line

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


DSRM

  • Used to delete various object types from the command line

  • Syntax for groups is

    • dsrm group distinguished-name switches

  • Switches include: -noprompt

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Managing Security Groups

  • Strategy for managing security groups uses acronym A G U DL P:

    • Create user Accounts (A) and organize them within Global groups (G)

    • Optional: Create Universal groups (U) and place global groups from any domain in universal groups

    • Create Domain Local groups (DL) and add global and universal groups

    • Assign Permissions (P) to the domain local groups

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Determining Group Membership

  • Important task for administrators is to ensure that users are members of correct groups

  • One method is via Member Of tab in the properties of a user account

    • Only shows first level of groups (not groups of groups)

  • Second method is to use DSGET

  • Returns values to a query

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Determining Group Membership (continued)

  • Syntax is

    • dsget group distinguished-name switches

  • Switches include: -members, -memberof

  • Can also be used as dsget user to get membership information about a specific user

  • Output can be saved to a file:

    • dsget group distinguished-name switches >> filename

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Built-In Groups

  • When Windows Server 2003 Active Directory is installed

    • Built-in groups are created automatically

    • Rights are pre-assigned

    • Stored in Builtin container and Users container

  • Use built-in groups where possible

    • Eases implementation of security rights

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


The Builtin Container

  • Contains a number of domain local group accounts

  • Allocated different user rights based on common administrative or network-related tasks

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


The Builtin Container (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


The Users Container

  • Contains a number of domain local and global group accounts

  • Some groups only found in the root domain of an Active Directory forest rather than in individual domains

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


The Users Container (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Creating and Managing Computer Accounts

  • Computer accounts needed on Windows NT 4.0, 2000, XP, Server 2003

  • Can be created during installation or added manually later

  • Creation and management tools

    • Active Directory Users and Computers

    • System applet in Control Panel

    • Command-line utilities

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-8: Creating and Managing Computer Accounts

  • Objective: Use Active Directory Users and Computers to create and manage computer accounts

  • Follow directions to create a new computer account from Active Directory Users and Computers

  • Configure and review the account as directed

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Activity 4-8 (continued)

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Resetting Computer Accounts

  • Secure channel

    • Used by computers that are domain members to communicate with domain controller

    • Uses password that is changed every 30 days

    • Automatically synchronized between domain controller and workstation

  • Occasional synchronization issues arise

    • Administrator must reset computer account

    • Using Active Directory Users and Computers or Netdom.exe command from Windows Support Tools

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Summary

  • Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously

  • Two group security types:

    • Security groups

    • Distribution groups

  • Three types of scoping possible for groups

    • Global groups

    • Domain local groups

    • Universal groups

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


Summary (continued)

  • Group and computer accounts can be created and managed

    • From Active Directory Users and Computers

    • From command-line utilities

  • Builtin and User groups and containers are automatically created at installation with specific pre-assigned rights and permissions

  • Windows NT 4.0, 2000, XP, and Server 2003 require computer accounts in Active Directory

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment


ad
  • Login