70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment

Chapter 4: Implementing and Managing Group and Computer Accounts


Objectives

  • Understand the purpose of using group accounts to simplify administration

  • Create group objects using both graphical and command-line tools

  • Manage security groups and distribution groups

  • Explain the purpose of the built-in groups created when Active Directory is installed

  • Create and manage computer accounts

Introduction to Group Accounts

  • A group is a container object

    • Used to organize collections of users, computers, contacts, other groups

    • Used to simplify administration

  • Similar to Organizational Units except

    • OUs are not security principals, groups are

    • OUs can only contain objects from their parent domain, groups can contain objects from within forest

Group Types

  • Security groups

    • Defined by Security Identifier (SID)

    • Can be assigned permissions for resources

      • In discretionary access control lists (DACLs)

    • Can be assigned rights to perform different tasks

    • Can also be used as e-mail entities

  • Distribution groups

    • Primarily used as e-mail entities

    • Do not have associated SID

Group Scopes

  • Scope refers to logical boundary of permissions to specific resources

  • Both Security and Distribution Groups have three scopes:

    • Global

    • Domain local

    • Universal

  • Objects possible within each scope depend on the configured functional level of a domain

Group Scopes (continued)

  • Three domain functional levels:

    • Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, 2000 Server, and Server 2003 domain controllers

    • Windows 2000 native: supports a combination of Windows 2000 Server and Server 2003 domain controllers

    • Windows Server 2003: supports Windows Server 2003 domain controllers only

Global Groups

  • Organize groups of users, computers, groups within the same domain

  • Usually represents a geographic location or job function group

  • Types of objects in group related to configured functional level of the domain

    • Depends on the types of domain controllers in environment

Domain Local Groups

  • Created on domain controllers

  • Can be assigned rights and permissions to any resource within the same domain

  • Can contain groups from other domains

  • Specific objects allowed in group related to configured functional level of the domain

Universal Groups

  • Typically created to aggregate users or groups in different domains

  • Stored on domain controllers configured as global catalog servers (global catalogs are shared throughout the forest)

  • Can be assigned rights and permissions for any resource within a forest

  • Can only be created at the Windows 2000 native or Windows Server 2003 domain functional level

Creating Group Objects

  • Group objects are stored in Active Directory database

  • Variety of tools can be used for creation and management

    • Active Directory Users and Computers

    • Command-line utilities

      • DSADD, DSMOD, DSQUERY, etc.

Active Directory Users and Computers

  • Primary tool

    • To create group accounts

    • Can also be used to configure properties of group accounts

  • Groups can be created in any built-in containers, at root of the domain object, or in custom OU objects

  • Possible group scopes determined by the functional level the domain is configured to

Converting Group Types

  • May need to change a security group to a distribution group or vice versa

  • Type of group can only be changed if domain functional level is Windows 2000 native or above

Converting Group Scopes

  • Scope of a group can be changed

  • Domain functional level must be at least Windows 2000 native

  • Supported changes

    • Global to universal

    • Domain local to universal

    • Universal to global

    • Universal to domain local

Activity 4-1: Creating and Adding Members to Global Groups

  • Objective: Use Active Directory Users and Computers to create global groups

  • Start → Administrative Tools → Active Directory Users and Computers → Users container → New → Group

  • Follow directions to create several global groups and add user accounts to the groups

Activity 4-2: Creating and Adding Members to Domain Local Groups

  • Objective: Use Active Directory Users and Computers to create domain local groups

  • Active Directory → Users → New → Group

  • Follow directions to create new Domain Local groups and add global groups to them

Activity 4-3: Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups

  • Objective: Change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal groups

  • Open your domain object in Active Directory Users and Computers

Activity 4-3 (continued)

  • Follow directions to raise the functional level of your domain to Windows Server 2003

  • Continue the exercise to create a new universal group

  • Continue the exercise to add existing groups to the new group

Activity 4-4: Converting Group Types

  • Objective: Use Active Directory Users and Computers to change group types

  • Follow directions to create a new global group with distribution type

  • Verify type of new group

  • Continue exercise to change type to security and to verify the change

Activity 4-5: Converting Group Scopes

  • Objective: Use Active Directory Users and Computers to change group scopes

  • Follow directions to create a new global group

  • Add a member group

  • Note restrictions and warnings that follow from group scope structure as described in exercise

  • Change the scope of the group to universal

Command Line Utilities

  • An alternative to Active Directory Users and Computers

    • Some administrators have a preference for command-line utilities

    • Command-line utilities are more flexible for group management and creation in some situations

DSADD

  • Introduced in Windows Server 2003

  • Used to create new user and group accounts

  • Syntax is

    • dsadd group distinguished-name switches

  • Switches include: -secgrp, -scope, -memberof, -members

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or at command-line

Activity 4-6: Creating Groups Using DSADD

  • Objective: Use the DSADD GROUP command to add groups of different types and scopes

  • Follow directions to execute dsadd group command to create a new global group

  • Verify group creation with Active Directory Users and Computers

  • Create a domain local group with members using dsadd group and verify that group was properly created

DSMOD

  • Also introduced in Windows Server 2003

  • Allows various object types to be modified from the command line

  • Syntax is

    • dsmod group distinguished-name switches

  • Switches include: -desc, -rmmbr, -addmbr

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line

Activity 4-7: Modifying Groups Using DSMOD

  • Objective: Use the DSMOD GROUP command to modify group accounts

  • Follow directions to execute dsmod group command to add a description to an existing group

  • Verify modification with Active Directory Users and Computers

  • Modify group by adding and removing members and verify changes

DSQUERY

  • Also introduced in Windows Server 2003

  • Used to query various object types from the command line, returns values

  • Syntax for groups is

    • dsquery group query

  • Supports wildcard character (*)

  • Output can be piped as input to other command-line tools

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line

DSMOVE

  • Used to move or rename various object types from the command line

  • Syntax for groups is

    • dsmove distinguished-name switches

  • Switches include: -newparent, -newname

  • Can only be used for groups within a single domain

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or at the command-line

DSRM

  • Used to delete various object types from the command line

  • Syntax for groups is

    • dsrm distinguished-name switches

  • Switches include: -noprompt

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or command-line

Managing Security Groups

  • Strategy for managing security groups uses acronym A G U DL P:

    • Create user Accounts (A) and organize them within Global groups (G)

    • Optional: Create Universal groups (U) and place global groups from any domain in universal groups

    • Create Domain Local groups (DL) and add global and universal groups

    • Assign Permissions (P) to the domain local groups
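
The A G U DL P steps above, carried out with the DSADD and DSMOD switches listed earlier in this chapter. This is an added example, not part of the original slides; the domain example.local, the Sales OU, the accounts jsmith and mjones, the group names and the share path are all constructed, and the user accounts are assumed to exist already.

```bat
@echo off
rem Added example: A G U DL P with the ds* command-line tools.
rem Every name below is constructed for illustration.
setlocal
set BASE=DC=example,DC=local
set OU=OU=Sales,%BASE%

rem A -> G: global security group for a job function, seeded with a user account
dsadd group "CN=GG-Sales-Staff,%OU%" -secgrp yes -scope g ^
    -desc "Sales job function" -members "CN=jsmith,%OU%"

rem G -> U (optional): universal group that aggregates global groups.
rem Needs the Windows 2000 native or Windows Server 2003 functional level.
dsadd group "CN=UG-All-Sales,%OU%" -secgrp yes -scope u ^
    -members "CN=GG-Sales-Staff,%OU%"

rem U -> DL: domain local group named for one resource and one access level
dsadd group "CN=DL-SalesShare-Modify,%OU%" -secgrp yes -scope l ^
    -desc "Change access to the Sales share" -members "CN=UG-All-Sales,%OU%"

rem P: grant the permission to the domain local group only, never to users.
rem /E edits the existing DACL instead of replacing it; C = Change.
cacls "D:\Shares\Sales" /E /G EXAMPLE\DL-SalesShare-Modify:C

rem Day-to-day changes touch only the global group's membership
dsmod group "CN=GG-Sales-Staff,%OU%" -addmbr "CN=mjones,%OU%"
dsmod group "CN=GG-Sales-Staff,%OU%" -rmmbr "CN=jsmith,%OU%"

rem Verify who ends up with access through the nesting
dsget group "CN=DL-SalesShare-Modify,%OU%" -members -expand
endlocal
```

Because the DACL names only the domain local group, removing a user from the global group is enough to revoke access; no resource ACL has to be edited.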

Determining Group Membership

  • Important task for administrators is to ensure that users are members of correct groups

  • One method is via Member Of tab in the properties of a user account

    • Only shows first level of groups (not groups of groups)

  • Second method is to use DSGET

  • Returns values to a query

Determining Group Membership (continued)

  • Syntax is

    • dsget group distinguished-name switches

  • Switches include: -members, -memberof

  • Can also be used as dsget user to get membership information about a specific user

  • Output can be saved to a file:

    • dsget group distinguished-name switches >> filename
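
A membership review that goes past the first level shown on the Member Of tab, using DSGET with its -expand switch and DSQUERY output as input. This is an added example, not part of the original slides; the domain example.local, the account jsmith, the "*Admins" name filter and the report file name are constructed.

```bat
@echo off
rem Added example: direct versus nested group membership, saved to a file.
rem Every name below is constructed for illustration.
setlocal
set BASE=DC=example,DC=local
set USERDN=CN=jsmith,OU=Sales,%BASE%
set REPORT=membership-report.txt

rem Direct memberships only: the same view as the Member Of tab
echo ## Direct groups of %USERDN% > "%REPORT%"
dsget user "%USERDN%" -memberof >> "%REPORT%"

rem -expand follows groups of groups, so inherited memberships appear too
echo ## All groups including nested >> "%REPORT%"
dsget user "%USERDN%" -memberof -expand >> "%REPORT%"

rem dsquery output piped straight into dsget: every account that is a
rem member of Domain Admins, directly or through a nested group
echo ## Effective members of Domain Admins >> "%REPORT%"
dsquery group "%BASE%" -name "Domain Admins" | dsget group -members -expand >> "%REPORT%"

rem Wildcard query: one dsget call per matching group so that each
rem result is labelled with the group it belongs to
for /f "delims=" %%G in ('dsquery group "%BASE%" -name "*Admins"') do (
    echo ## Effective members of %%G >> "%REPORT%"
    dsget group %%G -members -expand >> "%REPORT%"
)
endlocal
```

Comparing the first two sections of the report shows which memberships a user holds only through nesting, which are the ones a first-level check misses.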

Built-In Groups

  • When Windows Server 2003 Active Directory is installed

    • Built-in groups are created automatically

    • Rights are pre-assigned

    • Stored in Builtin container and Users container

  • Use built-in groups where possible

    • Eases implementation of security rights

The Builtin Container

  • Contains a number of domain local group accounts

  • Allocated different user rights based on common administrative or network-related tasks

The Users Container

  • Contains a number of domain local and global group accounts

  • Some groups only found in the root domain of an Active Directory forest rather than in individual domains

Creating and Managing Computer Accounts

  • Computer accounts needed on Windows NT 4.0, 2000, XP, Server 2003

  • Can be created during installation or added manually later

  • Creation and management tools

    • Active Directory Users and Computers

    • System applet in Control Panel

    • Command-line utilities

Activity 4-8: Creating and Managing Computer Accounts

  • Objective: Use Active Directory Users and Computers to create and manage computer accounts

  • Follow directions to create a new computer account from Active Directory Users and Computers

  • Configure and review the account as directed

Resetting Computer Accounts

  • Secure channel

    • Used by computers that are domain members to communicate with domain controller

    • Uses password that is changed every 30 days

    • Automatically synchronized between domain controller and workstation

  • Occasional synchronization issues arise

    • Administrator must reset computer account

    • Using Active Directory Users and Computers or Netdom.exe command from Windows Support Tools

Summary

  • Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously

  • Two group types:

    • Security groups

    • Distribution groups

  • Three types of scoping possible for groups

    • Global groups

    • Domain local groups

    • Universal groups

Summary (continued)

  • Group and computer accounts can be created and managed

    • From Active Directory Users and Computers

    • From command-line utilities

  • The Builtin and Users containers and their groups are automatically created at installation with specific pre-assigned rights and permissions

  • Windows NT 4.0, 2000, XP, and Server 2003 require computer accounts in Active Directory
