Administering Groups Chapter Eight
Exam Objectives In this Chapter:
- Plan a security group hierarchy based upon delegation requirements
- Plan a security group strategy
In this Chapter:
- Understanding Groups
- Creating and Administering Groups
- Administration Strategies
To Complete this Chapter:
- Prepare your test environment according to the descriptions given in the "Getting Started" section of "About This Book"
- Complete the practices for installing and configuring Active Directory as discussed in Chapter 2, "Installing and Configuring Active Directory"
- Learn to use Active Directory administration tools as discussed in Chapter 3, "Administering Active Directory"
- Complete the practices for configuring sites and replication as discussed in Chapter 5, "Configuring Sites and Managing Replication"
- Complete the practices for implementing an organizational unit (OU) structure as discussed in Chapter 6, "Implementing an OU Structure"
- Complete the practices for creating and maintaining user accounts as discussed in Chapter 7, "Administering User Accounts"
Groups
- A group is a collection of user accounts.
- Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions and rights to each individual user account.
Groups and Permissions
Group Types
- Security Groups
  - Use to assign permissions to gain access to resources.
- Distribution Groups
  - Use distribution groups when the only function of the group is nonsecurity related.
Group Scopes
Group Scopes
Global Groups
- Global security groups are most often used to organize users who share similar network access requirements.
- Limited membership.
  - Only from the domain in which you create the global group.
- Access to resources in any domain.
  - Assign permissions to gain access to resources that are located in any domain in the tree or forest.
Domain Local Groups
- Domain local security groups are most often used to assign permissions to resources.
- Open membership.
  - Members from any domain.
- Access to resources in one domain.
  - Permissions to gain access to resources that are located only in the same domain where you create the domain local group.
Universal Groups
- Universal security groups are most often used to assign permissions to related resources in multiple domains.
- Open membership.
  - Members from any domain in the forest.
- Access to resources in any domain.
  - Assign permissions to gain access to resources that are located in any domain in the forest.
- Only available in native mode.
  - Not available in domains with the domain functional level set to Windows 2000 mixed.
Group Nesting
- Adding groups to other groups, or nesting, creates a consolidated group and can reduce network traffic between domains and simplify administration in a domain tree.
- Minimize levels of nesting.
- Document group membership to keep track of permissions assignments.
Rules for Group Membership
- The group scope determines the membership of a group.
- Membership rules determine the members that a group can contain.
- Group members can be user accounts and other groups.
Local Groups
- A local group is a collection of user accounts on a computer.
- Use local groups to assign permissions to resources residing on the computer on which the local group is created.
- Guidelines on page 8-8
CAUTION
Because Active Directory groups with a “domain local” scope are sometimes referred to as “local groups,” it is important to distinguish between a local group and a group with a domain local scope.
Possible limitations
- Placing user accounts in domain local groups and assigning permissions to the domain local groups.
- Placing user accounts in global groups and assigning permissions to the global groups.
Using Universal Groups
- Use universal groups to give users access to resources that are located in more than one domain.
- Use universal groups only when their membership is static.
- Add global groups from several domains to a universal group, and then assign permissions for access to a resource to the universal group.
Default Groups
Windows 2003 has four categories of default groups:
- Groups in the Builtin folder
- Groups in the User Folder
- Special identity
- Default local groups
Groups in the Built-In folder
- These groups provide users with user rights and permissions to perform tasks on domain controllers and in Active Directory.
- Built-in domain local groups give predefined rights and permissions to user accounts when you add user accounts or global groups as members.
- Table 8-2 describes the default groups in the built-in folder.
Create a list of groups
- You can use the Net Localgroup and Net Group commands.
- For example, you could open a command prompt and type net localgroup > C:\localgroups.txt to create a list of local groups in a file named C:\localgroups.txt.
- As another example of how the Net commands work, examine and run the batch file named Grouplistings.bat on the Supplemental CD-ROM in the \70-294\Labs\Chapter08 folder.
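An added example, not part of the book or its CD-ROM: once a listing like C:\localgroups.txt exists, it can be compared against the documented set of groups to spot groups that were added or never deleted. The sample listing, server name, group names and baseline are constructed, and the parser assumes English-language net output.

```python
# Constructed sample of what `net localgroup > C:\localgroups.txt` saves
# on an English-language system (server and group names are made up).
SAMPLE_LISTING = r"""
Aliases for \\SERVER01

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Guests
*HelpDesk Temp
*Users
The command completed successfully.

"""

# Constructed baseline: the groups the documentation says should exist.
BASELINE = ["Administrators", "Backup Operators", "Guests", "Power Users", "Users"]


def parse_net_listing(text):
    """Return the names listed under the dashed separator line.

    Works for the group listing (`net localgroup`, names prefixed with '*')
    and for a member listing (`net localgroup <group>`, bare names).
    Assumes the English status line ends the list.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    start = next((i for i, ln in enumerate(lines)
                  if len(ln) > 10 and set(ln) == {"-"}), None)
    if start is None:
        raise ValueError("separator line not found: not net output")
    names = []
    for ln in lines[start + 1:]:
        if not ln or ln.startswith("The command completed"):
            break
        names.append(ln.lstrip("*"))
    return names


def drift(baseline, current):
    """Compare two name lists case-insensitively, as Windows does."""
    base = {n.casefold(): n for n in baseline}
    cur = {n.casefold(): n for n in current}
    return {
        "added": sorted(cur[k] for k in cur.keys() - base.keys()),
        "removed": sorted(base[k] for k in base.keys() - cur.keys()),
    }


if __name__ == "__main__":
    print(drift(BASELINE, parse_net_listing(SAMPLE_LISTING)))
```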
Groups in the User Folder
- Windows Server 2003 creates default security groups in the Users folder in the Active Directory Users And Computers console.
- The groups in the Users folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain.
- Table 8-3 describes the default groups in the Users Folder.
Special Identity Groups
- These groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource.
- You do not see special identity groups when you administer groups, but they are available for use when you assign rights and permissions to resources.
- Table 8-4 describes Special Identity Groups.
Anonymous Users
- In Windows Server 2003, the Anonymous Logon group is no longer a member of the Everyone group.
- Therefore, anonymous users attempting to access resources hosted on computers running Windows Server 2003 will be impacted.
Built-In Local Groups
- All stand-alone servers, member servers, and computers running Windows 2003 Professional have built-in local groups.
- Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources.
- Table 8-5 describes Built-in Local Groups.
Exam Tip
Be familiar with the groups in each category.
Planning a Group Strategy
1. Assign users with common job responsibilities to global groups.
2. Create a domain local group for resources to be shared.
3. Add global groups that need access to the resources to the domain local group.
4. Assign resource permissions to the domain local group.
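An added example, not taken from the book: a small Python model of the group scope membership rules and the four-step strategy above, which flags the two patterns listed under "Possible limitations" (user accounts placed directly in domain local groups, permissions assigned to global groups). The nesting rules between scopes are the standard native-mode rules and go beyond what the slides spell out; all domain, group, user and share names, and the depth limit, are constructed assumptions.

```python
from dataclasses import dataclass, field

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain_local", "universal"

@dataclass
class Principal:
    name: str
    domain: str
    kind: str                       # USER or a group scope
    members: list = field(default_factory=list)

def membership_allowed(group, member):
    """Native-mode membership rules per group scope."""
    same_domain = group.domain == member.domain
    if group.kind == GLOBAL:        # limited membership: own domain only
        return same_domain and member.kind in (USER, GLOBAL)
    if group.kind == UNIVERSAL:     # any domain in the forest, never domain local
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    if group.kind == DOMAIN_LOCAL:  # open membership; domain local only from own domain
        return member.kind != DOMAIN_LOCAL or same_domain
    return False                    # a user account cannot have members

def nesting_depth(group, seen=()):
    """Group levels at and below `group`; a membership loop is not followed."""
    key = (group.domain, group.name)
    if key in seen:
        return 0
    nested = [m for m in group.members if m.kind != USER]
    return 1 + max((nesting_depth(m, seen + (key,)) for m in nested), default=0)

def audit(groups, acl, max_depth=3):
    """Return (rule, subject, detail) tuples.

    acl holds (resource, resource_domain, principal) permission entries.
    max_depth is an assumed local policy limit, not a Windows limit.
    """
    findings = []
    for g in groups:
        for m in g.members:
            if not membership_allowed(g, m):
                findings.append(("scope-violation", g.name, m.name))
            elif g.kind == DOMAIN_LOCAL and m.kind == USER:
                findings.append(("user-in-domain-local", g.name, m.name))
        if nesting_depth(g) > max_depth:
            findings.append(("deep-nesting", g.name, str(nesting_depth(g))))
    for resource, res_domain, p in acl:
        if p.kind in (USER, GLOBAL):   # step 4: permissions go on the domain local group
            findings.append(("permission-not-on-domain-local", resource, p.name))
        elif p.kind == DOMAIN_LOCAL and p.domain != res_domain:
            findings.append(("domain-local-outside-its-domain", resource, p.name))
    return findings

# Constructed sample forest; every name below is illustrative.
alice = Principal("alice", "east.example.com", USER)
bob = Principal("bob", "west.example.com", USER)
gg_east = Principal("GG Sales East", "east.example.com", GLOBAL, [alice])
gg_west = Principal("GG Sales West", "west.example.com", GLOBAL, [bob, alice])
dl_prices = Principal("DL PriceList Read", "west.example.com", DOMAIN_LOCAL, [gg_east, bob])
SAMPLE_GROUPS = [gg_east, gg_west, dl_prices]
SAMPLE_ACL = [
    (r"\\west-fs1\PriceList", "west.example.com", dl_prices),  # follows steps 2-4
    (r"\\west-fs1\Forecasts", "west.example.com", gg_east),    # permission on a global group
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, SAMPLE_ACL):
        print(finding)
```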
Planning a Group Strategy
Practice: Planning New Group Accounts
Exercise 1 Page 8-17
Creating and Deleting Groups
- Use the Active Directory Users and Computers console to create and delete groups.
- When you create groups, create them in the Users container or in another container or an organizational unit (OU) that you have created specifically for groups.
Creating a Group In Active Directory Universal groups are
not available in Pre-2000 Mixed Mode
Deleting Groups
- As your organization grows and changes, you may discover that there are groups that you no longer need.
- Be sure that you delete groups when you no longer need them.
Adding Members to a Group
- Members of groups can include user accounts, contacts, other groups, and computers.
- You can add a computer to a group to give one computer access to a shared resource on another computer, for example, for remote backup.
Adding Members
Choose:
- Object type
- Location
- Select Advanced to search
- Check Names to verify the correct group name
Changing the Group Scope to Universal
- Group scopes may be changed to universal only when operating in Windows 2000 or 2003 native modes.
Changing the Group Type
- Group types may be changed only when operating in Windows 2000 native mode.
Practice: Creating and Administering Groups
Exercise 1: Creating a Global Group and Adding Members
Exercise 2: Creating a Domain Local Group and Adding Members
Page 8-27
Administration Strategies
- Running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks.
- The simple act of visiting an Internet site can be extremely damaging to the system.
- An unfamiliar Internet site might contain Trojan horse code that can be downloaded to the system and executed.
- Therefore, you should not run your computer as an administrator.
Using Run As to Start a Program
- To run a program that requires you to be logged on as an administrator, you can use the Run As program.
- This program allows you to run administrative tools with either local or domain administrator rights and permissions while logged on as a normal user.
NOTE
- Run As is usually used to run programs as an administrator, although it is not limited to administrator accounts.
- Any user with multiple accounts can use Run As to run a program, MMC tool, or Control Panel item with alternate credentials.
Two ways to Run As
- Right-click any program and select the option to Run as…
RUNAS Command
runas [{/profile|/noprofile}] [/env] [/netonly] [/savecred] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program
- Switches are defined on page 8-32
- RUNAS examples are on page 8-33
Practice: Using Run As to Start a Program as an Administrator
Exercise: Using Run As to Start a Program as an Administrator
Page 8-33
Summary
- Case Scenario Exercise
  - Pages 35 – 37.
- Troubleshooting Lab
  - Pages 37 - 38
- Exam Highlights
  - Key points (p. 8-39)
  - Key terms (p. 8-39)