MCSA/MCSE 2003 - 70-292 TechNotes:
Managing Groups

GROUPS

The main purpose of a group is to simplify administration by allowing permissions to be assigned to a collection of users instead of to individual users. A group can contain user accounts, computer accounts, or contacts as its members. A group can also contain other groups, which is referred to as group nesting. What a group can contain, and where it can be used, depends on the group type, the group scope, and the domain functional level.

Group Types
Windows 2003 Active Directory supports the following two group types:
Security Groups – Used for assigning permissions to directory objects and to resources such as shared folders and printers. Security groups are also used for assigning rights to users, for example through Group Policy. Only a security group is placed in a user's access token, so only a security group can be listed in an ACL or granted a user right.
Distribution Groups – Used for creating e-mail distribution lists (e.g. for Microsoft Exchange Server), allowing a user to send e-mail to all the members by using a single address. A distribution group cannot be used to assign permissions or rights.

You can change the group type from security to distribution, or vice versa, if the domain functional level is set to Windows 2000 native or Windows Server 2003. Group types cannot be changed if the domain is running in Windows 2000 mixed mode. Note that converting a security group to a distribution group makes every permission assigned to that group ineffective, because the group is no longer placed in users' access tokens.

Group Scopes
A group scope defines from which domains members can be added and in which domains, trees, or forests rights and permissions can be assigned to the group. When you create a new group, it is a security group with global scope by default. You can modify the group scope if the domain functional level is set to Windows 2000 native or Windows Server 2003; changing a group scope in a Windows 2000 mixed mode domain is not possible.

Windows 2003 Active Directory supports the following three group scopes:
Domain Local – Used for assigning permissions within the local domain only. A domain local group can contain user accounts and global and universal groups from any domain, and other domain local groups from the same domain. A domain local group can be changed to a universal group only if it does not have other domain local groups as its members.
Global – Used for assigning permissions in any domain in the forest. A global group can only contain user accounts and global groups from the same domain the global group is in. If the domain is running in Windows 2000 mixed mode, you can add only user accounts to a global group. A global group can be changed to a universal group only if it is not a member of another global group.
Universal – Used for assigning permissions throughout the entire forest. A universal group can contain user accounts, computer accounts, and global and universal groups from any domain in the forest. Universal security groups can be created only when the domain functional level is set to Windows 2000 native or Windows Server 2003. Unlike domain local and global groups, universal groups and their membership lists are replicated to every global catalog server in the forest, so a membership change in a universal group causes forest-wide replication traffic. A universal group can be changed to a domain local group at any time. A universal group can be changed to a global group only if it does not have other universal groups as its members. There is no direct conversion between domain local and global scope; such a change has to go through universal scope.

The preferred way to combine these scopes is shown in the following example:
To assign all users in the Sales department permissions to a shared resource, e.g. Printer1, create a domain local group for the resource, e.g. SalesPrinters, and assign it permissions for Printer1. Then group the users into a global group, e.g. Sales, and add the global group to the domain local group. This pattern (Accounts into Global groups, Global groups into Domain Local groups, Permissions on the domain local group) is commonly abbreviated AGDLP. A universal group is particularly useful when the group needs to contain members from multiple domains. Universal groups should be members of domain local groups and have global groups as their members.
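The membership and scope-conversion rules above are easy to get wrong when a group design is sketched on paper, so the following added example (not code from the TechNote) encodes them as checks that a proposed design can be run through before it is built in Active Directory. The domain, group and user names, the functional-level labels and the function names are all constructed for illustration.

```python
"""Model of the Windows Server 2003 group scope rules described above.

Added example, not part of the original TechNote. It encodes the documented
membership and scope-conversion rules so that a proposed group design can
be checked before it is built; the names used in build_agdlp() are
constructed for illustration.
"""
from dataclasses import dataclass, field

MIXED, NATIVE, WS2003 = "2000_mixed", "2000_native", "2003"   # functional levels


@dataclass
class Principal:
    """A user, computer or contact account (the leaf members of a group)."""
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str                      # "domain_local", "global" or "universal"
    security: bool = True
    members: list = field(default_factory=list)


def can_contain(group, member, level=WS2003):
    """Return (allowed, reason) for adding `member` directly to `group`."""
    same_domain = member.domain == group.domain
    is_group = isinstance(member, Group)
    if group.scope == "domain_local":
        if not is_group or member.scope in ("global", "universal"):
            return True, "accounts and global/universal groups from any domain"
        # Nesting domain local groups needs native/2003 mode and the same domain.
        if same_domain and level != MIXED:
            return True, "domain local groups from the same domain"
        return False, "domain local groups only from the same domain outside mixed mode"
    if group.scope == "global":
        if not same_domain:
            return False, "global groups take members from their own domain only"
        if not is_group:
            return True, "accounts from the same domain"
        if member.scope == "global" and level != MIXED:
            return True, "global groups from the same domain"
        return False, "only accounts (mixed mode) or same-domain global groups"
    if group.scope == "universal":
        if not is_group or member.scope in ("global", "universal"):
            return True, "accounts and global/universal groups from any domain"
        return False, "universal groups cannot contain domain local groups"
    raise ValueError(f"unknown scope {group.scope!r}")


def can_convert(group, new_scope, member_of=(), level=WS2003):
    """Scope-change rules. `member_of` lists the groups that contain `group`."""
    if level == MIXED:
        return False, "scope cannot be changed in Windows 2000 mixed mode"

    def nested(scope):          # direct member groups of the given scope
        return [m for m in group.members if isinstance(m, Group) and m.scope == scope]

    change = (group.scope, new_scope)
    if group.scope == new_scope:
        return True, "no change"
    if change == ("domain_local", "universal"):
        return not nested("domain_local"), "must not contain domain local groups"
    if change == ("global", "universal"):
        parents = [g for g in member_of if g.scope == "global"]
        return not parents, "must not be a member of another global group"
    if change == ("universal", "domain_local"):
        return True, "always allowed"
    if change == ("universal", "global"):
        return not nested("universal"), "must not contain universal groups"
    return False, "no direct conversion between domain local and global (go via universal)"


def build_agdlp(domain, department, resource, user_names):
    """Accounts -> Global group -> Domain Local group -> Permissions (AGDLP).

    Returns the domain local group that would be granted access to `resource`.
    Every nesting step is validated with can_contain(), so a design that
    breaks the scope rules raises instead of silently producing a bad group.
    """
    global_grp = Group(department, domain, "global")
    for name in user_names:
        user = Principal(name, domain)
        ok, why = can_contain(global_grp, user)
        if not ok:
            raise ValueError(f"{user.name} -> {global_grp.name}: {why}")
        global_grp.members.append(user)
    resource_grp = Group(f"{department}{resource}", domain, "domain_local")
    ok, why = can_contain(resource_grp, global_grp)
    if not ok:
        raise ValueError(f"{global_grp.name} -> {resource_grp.name}: {why}")
    resource_grp.members.append(global_grp)
    return resource_grp


if __name__ == "__main__":
    sales = build_agdlp("testdomain", "Sales", "Printers", ["alice", "bob"])
    print(sales.name, "contains", [m.name for m in sales.members])
```

The checks are deliberately split into "can this member go into this group" and "can this group change scope", because those are the two questions that come up when a design is reviewed: the first catches a foreign-domain user being placed in a global group, the second catches a domain local group that cannot be promoted to universal because it already nests other domain local groups.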

Local vs. Active Directory Groups
The group types and scopes outlined above apply to Windows Server 2003 servers that are members or domain controllers of an Active Directory domain; these groups are stored in Active Directory on the domain controllers. Groups also exist at the local machine level, even when Active Directory is not in use. You can create local groups on a computer with the Local Users and Groups MMC snap-in; they can be used to assign permissions on that computer only. Domain controllers have no local groups of their own; the Builtin container described below takes that role.

Default Groups
Windows Server 2003 creates default groups in the Builtin container and the Users container. The following lists show the groups created in a Windows Server 2003 domain by default (this may vary per configuration and with the installed Windows components). The first list shows the groups in the Builtin container. These groups are all domain local groups and cannot be moved to another container or OU.
Account Operators - Members of this group can administer domain user and group accounts, log on locally, and shut down domain controllers. Account Operators cannot modify the Administrators or Domain Admins groups or the accounts that are members of them.
Administrators - Members of this group have full access to the domain or computer. By default, this group contains the Domain Admins and Enterprise Admins groups and the Administrator user account.
Backup Operators - Members of this group can back up and restore files regardless of file permissions, which means they can read any file on the system, including the Active Directory database as part of a system state backup. Backup Operators can also log on locally and shut down domain controllers.
Guests – Members of this group have the same permissions and rights as the Users group by default. The Guest user account is disabled by default. The Guests group contains the Domain Guests group as a member.
Incoming Forest Trust Builders - Members of this group can create incoming, one-way trust relationships to this forest. This group appears only in the root domain of the forest.
Network Configuration Operators - Members of this group can change the TCP/IP settings on domain controllers in the domain.
Performance Monitor Users - Members of this group can monitor performance counters on domain controllers in the domain.
Performance Log Users - Members of this group can manage performance counters, logs and alerts on domain controllers in the domain.
Pre-Windows 2000 Compatible Access - Members of this group have read access to all users and groups in the domain. This group provides backward compatibility for computers running pre-Windows 2000 versions of Windows, such as Windows NT 4. Whether the Everyone group is a member is decided by the permissions compatibility option chosen when the domain controller is promoted; when Everyone is a member, anonymous connections can read user and group information, so the membership of this group should be reviewed.
Print Operators - Members of this group have the appropriate rights to administer printers connected to domain controllers and shared printer objects in Active Directory. Print Operators can also log on locally and shut down domain controllers.
Remote Desktop Users - Members of this group are granted the right to log on remotely through a Terminal Services session.
Replicator – A system group used for file replication in a domain. This group has no members and you should not add any.
Server Operators - Members of this group can administer shared resources on domain servers, start and stop certain services, and format hard disks. Additionally, members of this group have the same rights Backup Operators have.
Users – Members of this group have sufficient permissions and rights to run certified Windows applications, but cannot run most legacy applications. This prevents regular users from making system-wide changes.

The following default groups reside in the Users container in the Active Directory. The Users container contains domain local, global, and universal scope default groups. These groups can be moved to another OU if desired.
Cert Publishers - Members of this group can publish digital certificates for users and computers.
DnsAdmins - Members of this group have permissions to administer DNS.
DnsUpdateProxy - Members of this group can register DNS records on behalf of clients. A DHCP server that performs dynamic updates for DHCP clients should be a member of this group. Records registered by members of this group are created without an owner, so any host can later overwrite them; keep the membership limited to the DHCP servers.
Domain Admins - Members of this group have full control of the domain. This group is a member of the Administrators group on all domain members, including domain controllers. The Administrator user account is a member of this group by default.
Domain Computers - This group contains all the computer accounts of the client and servers joined to the domain.
Domain Controllers - This group contains all domain controllers in the domain.
Domain Guests - This group contains all domain guests.
Domain Users - This group contains all domain users. When you create a new user account in the domain, it will automatically become a member of the Domain Users group.
Enterprise Admins - Members of this group have full control of all domains in the forest. This group exists only in the forest root domain and is a member of the Administrators group on every domain controller in the forest. The Administrator user account of the forest root domain is a member of this group by default.
Group Policy Creator Owners - Members of this group can create Group Policy objects in the domain and modify the GPOs they have created. The Administrator user account is a member of this group by default.
IIS_WPG – A system group used by Internet Information Services (IIS) 6.0 for the identities under which worker processes run.
RAS and IAS Servers - Servers in this group have access to the remote access properties of users. This group is used for IAS servers that perform authentication for a collection of RRAS servers.
Schema Admins - Members of this group can modify the Active Directory schema. This group exists only in the forest root domain. The Administrator user account is a member of this group by default. Because schema changes are forest-wide and cannot be undone, keep this group empty except while a schema change is actually being made.

The following special identities can also be treated as groups, since they allow you to assign permissions to a dynamically determined set of users. Their membership cannot be viewed or edited:
Everyone – Includes all users who can log on, including guests. On Windows Server 2003 the Anonymous Logon identity is no longer part of Everyone, as it was on Windows 2000.
Authenticated Users – Includes every user who has logged on with a valid account. When a catch-all group is needed for permissions, prefer it over Everyone.
Anonymous Logon – Includes connections made without supplying a user name and password (null sessions).
Network - Includes users that are currently accessing a computer over the network. This is the opposite of the Interactive group.
Interactive – Includes users that are currently logged on at the local computer. This is the opposite of the Network group.

Managing Groups
Groups are created by using the Active Directory Users and Computers MMC snap-in. To create a new group, right-click the domain or OU in which you want to create the group, select New, and then click Group. The New Object – Group dialog opens; provide a name and choose the group scope and group type.

When you open the properties sheet of an existing group, the General tab lets you set a description and an e-mail address for the group and change its scope and type. The Members tab lets you add members to this group, and the Member Of tab lets you make this group a member of other groups. On the Managed By tab, you can specify the person responsible for this group and whether that person may add and remove members; enabling that option grants the manager write access to the group's member attribute, so it is a delegation of control and should be assigned deliberately.

You can move a group to another container, from the Users container to a departmental OU for example, by right-clicking the group and selecting Move from the context menu. With the exception of universal groups, groups can be moved within a domain only. When you move a universal group from one domain to another, it receives a new SID in the target domain, so the permissions and rights assigned to it are lost and must be reassigned. The membership of the universal group is retained.

Find domain groups in which a user is a member
In a large Active Directory with many groups it can be hard to keep track of which groups a user belongs to. The Member Of tab of a user's properties displays the groups the user is a direct member of. It does not show groups in trusted domains that the user is a member of, nor membership obtained through nesting. For a more complete list of the groups a user belongs to, you can use the Dsget.exe command-line utility. The syntax for displaying group membership is:
dsget user UserDN -memberof -expand

The UserDN parameter is the user’s distinguished name, for example:
dsget user "CN=Johan Hiemstra,CN=users,dc=testdomain,dc=techexams,dc=corp" -memberof -expand

Without the -expand option, only the groups the user is joined to directly are displayed. With this option, each group is expanded to determine membership through nested groups. For example, when a user is a member of the Domain Users default group, it is also a member of the Users built-in group, because the Domain Users group is a member of the Users group.
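What -expand does is walk the nesting chain upwards until no new groups appear. The following added example (not code from the TechNote, and not how dsget is implemented) does the same walk over a small directory constructed inline, including a help-desk group nested into Domain Admins and a nesting loop; the DNs, the group names and the function names are assumptions made for the example.

```python
"""Expanded group membership, the computation behind `dsget user -memberof -expand`.

Added example, not part of the TechNote. The directory below is constructed
for illustration: it maps each group DN to the DNs of its *direct* members,
which is all the `member` attribute of a group holds. Effective membership,
and therefore effective privilege, only shows once nesting is followed to
the top, which is what the -expand switch does.
"""
from collections import deque

BASE = "DC=testdomain,DC=techexams,DC=corp"
USER = f"CN=Johan Hiemstra,CN=Users,{BASE}"

# Constructed sample directory: group DN -> direct member DNs. (In a real
# domain the primary group, Domain Users, is recorded in the user's
# primaryGroupID rather than in the group's member attribute; the sample
# lists it as an ordinary member to keep the walk simple.)
DIRECTORY = {
    f"CN=Users,CN=Builtin,{BASE}": [f"CN=Domain Users,CN=Users,{BASE}"],
    f"CN=Domain Users,CN=Users,{BASE}": [USER],
    f"CN=Sales,CN=Users,{BASE}": [USER],
    f"CN=SalesPrinters,CN=Users,{BASE}": [f"CN=Sales,CN=Users,{BASE}"],
    # A help-desk group nested into Domain Admins: the user never appears on
    # the Domain Admins Members tab, yet is effectively an administrator.
    f"CN=Helpdesk,OU=IT,{BASE}": [USER],
    f"CN=Domain Admins,CN=Users,{BASE}": [f"CN=Helpdesk,OU=IT,{BASE}"],
    f"CN=Administrators,CN=Builtin,{BASE}": [f"CN=Domain Admins,CN=Users,{BASE}"],
    # A nesting loop; the expansion must not recurse forever on it.
    f"CN=LoopA,OU=IT,{BASE}": [f"CN=LoopB,OU=IT,{BASE}"],
    f"CN=LoopB,OU=IT,{BASE}": [f"CN=LoopA,OU=IT,{BASE}", USER],
}


def direct_memberof(directory, dn):
    """Groups that list `dn` directly (what the Member Of tab shows)."""
    return sorted(g for g, members in directory.items() if dn in members)


def expanded_memberof(directory, dn):
    """All groups `dn` belongs to through any depth of nesting.

    Returns {group_dn: path}, where path is the chain of groups from the
    principal's direct group up to that group. The walk is breadth-first,
    so the recorded path is a shortest one, and `seen` stops nesting loops.
    """
    seen = {}
    queue = deque((g, [g]) for g in direct_memberof(directory, dn))
    while queue:
        group, path = queue.popleft()
        if group in seen:
            continue
        seen[group] = path
        for parent in direct_memberof(directory, group):
            if parent not in seen:
                queue.append((parent, path + [parent]))
    return seen


def privileged_paths(directory, dn, privileged):
    """Explain how `dn` reaches each group named (by CN) in `privileged`."""
    result = {}
    for group, path in expanded_memberof(directory, dn).items():
        cn = group.split(",", 1)[0][len("CN="):]
        if cn in privileged:
            result[cn] = " -> ".join(p.split(",", 1)[0] for p in path)
    return result


if __name__ == "__main__":
    for group in expanded_memberof(DIRECTORY, USER):
        print(group)
    print(privileged_paths(DIRECTORY, USER, {"Administrators", "Domain Admins"}))
```

The path returned for each group is what makes the output useful during a review: knowing that a user is effectively in Administrators is only half the answer, the other half is which nested group put them there.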

Automated Group Management
Instead of creating and modifying groups manually, you can also automate group management using command-line utilities. Csvde.exe is one of the tools that can be used to perform batch changes to Active Directory. It can import and export data to and from a file in comma-separated value (CSV) format, but it can only create new objects, not modify or delete existing ones. Ldifde.exe is a more flexible tool that allows you to create, modify, and delete Active Directory objects using files in LDAP Data Interchange Format (LDIF). You can use Ldifde to extend the schema and to export and import Active Directory user and group data to or from other directories.
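An LDIF batch for creating groups has one detail the MMC hides: the scope and type are a single groupType attribute made of bit flags. The following added example (not code from the TechNote or from Microsoft) computes that value, writes the LDIF records for the Sales/SalesPrinters design used earlier, and base64-encodes attribute values that LDIF cannot carry verbatim. The DNs, names and function names are constructed for the example; the groupType flag values are Active Directory's documented ones.

```python
"""Build an LDIF batch for ldifde.exe that creates groups and adds members.

Added example, not part of the TechNote. The DNs and names are constructed;
the groupType flag values are Active Directory's documented ones. The script
only writes LDIF text; importing it is done with ldifde.exe on a domain
member, e.g.  ldifde -i -f groups.ldf -k  (-i import, -f file, -k continue
past "object already exists" errors).
"""
import base64

# groupType bit flags: one scope bit plus the security-enabled bit.
GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL = 0x2, 0x4, 0x8
GT_SECURITY_ENABLED = 0x80000000


def group_type(scope, security=True):
    """Return groupType as AD stores it: a signed 32-bit integer.

    With the security bit set the value is negative, e.g. a global security
    group is -2147483646 while a global distribution group is 2.
    """
    flags = {"global": GT_GLOBAL, "domain_local": GT_DOMAIN_LOCAL,
             "universal": GT_UNIVERSAL}[scope]
    if security:
        flags |= GT_SECURITY_ENABLED
    return flags - (1 << 32) if flags & GT_SECURITY_ENABLED else flags


def ldif_line(attr, value):
    """One attribute line; base64-encode values LDIF cannot carry verbatim."""
    unsafe = (value != value.strip()         # leading or trailing whitespace
              or value[:1] in ("<", ":")      # would be read as URL / base64 marker
              or not value.isascii())         # non-ASCII, e.g. accented names
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def rdn_value(dn):
    """'CN=Sales,OU=...' -> 'Sales' (assumes the first RDN is not escaped)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def ldif_add_group(dn, sam_account_name, scope, security=True, description=None):
    """An add record for a group object of the given scope and type."""
    lines = [ldif_line("dn", dn), "changetype: add", "objectClass: top",
             "objectClass: group", ldif_line("cn", rdn_value(dn)),
             ldif_line("sAMAccountName", sam_account_name),
             f"groupType: {group_type(scope, security)}"]
    if description:
        lines.append(ldif_line("description", description))
    return "\n".join(lines) + "\n"


def ldif_add_members(group_dn, member_dns):
    """A modify record that appends values to the multi-valued member attribute."""
    lines = [ldif_line("dn", group_dn), "changetype: modify", "add: member"]
    lines += [ldif_line("member", m) for m in member_dns]
    lines.append("-")            # terminates the modify specification
    return "\n".join(lines) + "\n"


def build_batch(base, department, resource, user_dns):
    """AGDLP as LDIF: accounts into a global group, nested into a domain local group."""
    global_dn = f"CN={department},CN=Users,{base}"
    local_dn = f"CN={department}{resource},CN=Users,{base}"
    records = [
        ldif_add_group(global_dn, department, "global"),
        ldif_add_group(local_dn, f"{department}{resource}", "domain_local",
                       description=f"Access to {resource}"),
        ldif_add_members(global_dn, user_dns),
        ldif_add_members(local_dn, [global_dn]),
    ]
    return "\n".join(records)    # records are separated by a blank line


if __name__ == "__main__":
    base = "DC=testdomain,DC=techexams,DC=corp"
    print(build_batch(base, "Sales", "Printers",
                      [f"CN=Johan Hiemstra,CN=Users,{base}"]))
```

The records are ordered so that both groups exist before any membership is added, which matters because ldifde processes the file top to bottom and a modify against a group that does not exist yet fails. For a single group the same result is available interactively with dsadd group GroupDN -secgrp yes -scope g; the LDIF route is what scales to a spreadsheet of departments.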


Current related exam topics for the 70-292 exam:

Managing Users, Computers, and Groups

Create and manage groups
- Identify and modify the scope of a group
- Find domain groups in which a user is a member
- Manage group membership
- Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in
- Create and modify groups by using automation



Author: Johan Hiemstra




 
2002-2011 TechExams.Net