Professional Documents
Culture Documents
in
Active Directory
Managing Groups
Module Overview
www.technocorp.co.in
Overview of Groups
Access Management Without Groups Benefits of Using Groups Role-Based Management: Role Groups and Rule Groups Define Group Naming Conventions Group Type Group Scope Local Groups Domain Local Groups Global Groups Universal Groups Summary of Group Scope Possibilities Develop a Group Management Strategy Default Groups Special Identities
www.technocorp.co.in
Identity
Access Management
Resource
www.technocorp.co.in
Identity
Resources
Role-Based Management
www.technocorp.co.in
Identity
Role Group
Rule Group
Access Management
Resources
Name properties
Group name: cn and name of group must be unique within OU Group name (pre-Windows 2000 Server): sAMAccountName of group must be unique in domain Use the same name (unique in the domain) for both properties
Naming conventions
Role groups: Simple, unique name, such as Sales or Consultants Management groups: For example, ACL_Sales Folders_Read
Prefix: Management purpose of group, such as ACL Resource identifier: What is managed, such as Sales Folders Suffix: Access level, such as Read Delimiter: Separates name components, such as underscore (_)
Group Type
Distribution groups
www.technocorp.co.in
Used only with e-mail applications Not security-enabled (no SID); cannot be given permissions
Security groups Security principal with a SID; can be given permissions Can also be email enabled
Group Scope
www.technocorp.co.in
Local Groups
www.technocorp.co.in
Replication
Defined in the SAM database of a domain member or workgroup computer Membership not replicated to any other system Any security principals from the domain: users (U), computers (C), global groups (GG), or domain local groups (DLG) U, C, GG from any domain in the forest U, C, GG from any trusted domain Universal groups (UG) defined in any domain in the forest Limited to the machine on which the group is defined; can be used for ACLs on the local machine only Cannot be a member of any other group
Availability/scope
Replication
Defined in the domain naming context Group and membership replicated to every DC in domain Any security principals from the domain: U, C, GG, DLG U, C, GG from any domain in the forest U, C, GG from any trusted domain UG defined in any domain in the forest
Availability/scope
Can be on ACLs on any resource on any domain member Can be a member of other domain local groups or of machine local groups
Global Groups
www.technocorp.co.in
Replication
Defined in the domain naming context Group and membership is replicated to every DC in domain
Availability/scope
Available for use by all domain members, all other domains in the forest, and all trusting external domains Can be on ACLs on any resource on any computer in any of those domains Can be a member of any DLG or UG in the forest, and of any DLG in a trusting external domain
Universal Groups
www.technocorp.co.in
Replication
Defined in a single domain in the forest Replicated to the global catalog (forest-wide) U, C, GG, and UG from any domain in the forest
Local
U, C, GG U, C, GG N/A
On the local computer only Anywhere in the domain Anywhere in the forest
Global
U, C, GG
U C GG DLG UG User Computer Global Group Domain Local Group Universal Group
N/A
N/A
www.technocorp.co.in
Default Groups
www.technocorp.co.in
Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators Know these rights for the certification exams Highly overdelegated Protected
Best practice: Keep these groups empty and create custom groups with the rights and privileges you require
Special Identities
www.technocorp.co.in
Examples
Anonymous Logon: Represents connections to a computer without a user name and password Authenticated Users: Represents identities that have been authenticated, but does not include the Guest identity Everyone: Includes Authenticated Users and Guest (but not Anonymous Logon by default in Windows Server 2003/2008) Interactive: Users logged on locally or with Remote Desktop Network: Users accessing a resource over the network
Administer Groups
Tools for Group Management Demonstration: Create a Group Object Manage Group Membership Import Groups with CSVDE Import Groups with LDIFDE Convert Group Type and Scope Modify Group Membership with LDIFDE Copy Group Membership Delete Groups
www.technocorp.co.in
To create and manage groups in AD DS, you can use : Active Directory Users and Computers
GUI-based console for management of Active Directory objects
DS commands
Old command-line based tools
In this demonstration, you will learn: How to create a group by using Active Directory Users and Computers How to configure group properties How to change group scope by using Windows PowerShell with Active Directory Module
Methods
The group's Members tab (Add/Remove) The member's Member Of tab (Add/Remove) The member's Add to a group command (Add)
Example
In Active Directory Users and Computers, you can change the group scope:
Global to universal Domain local to universal Universal to global Universal to domain local You cannot change DL G or G DL directly, but you can change DL U G or G U DL. Change prevented if memberships are invalidfix, then retry
LDIF file
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com changetype: modify add: member member: CN=April Stewart,OU=Employees,OU=User Accounts, dc=contoso,dc=com member: CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts, dc=contoso,dc=com -
changetype: modify Third line: What type of change? Add a value to member
To delete a member, just change to delete: member
Delete Groups
www.technocorp.co.in
SID is lost and cannot be re-established by re-creating group Tip: First, record all members and delete all members for a test period, to evaluate any unintended side effects
Best Practices for Group Documentation Protect Groups from Accidental Deletion Delegate Membership Management with the Managed By Tab
1. In the Active Directory Users and Computers snap-in, click the View menu and make sure that Advanced Features is selected. 2. Open the Properties dialog box for a group. 3. On the Object tab, select the Protect Object From Accidental Deletion check box. 4. Click OK.
Tips
Must click OK (not just Apply) to change the ACL on the group To set a group in the Name box, click Change, click Object Types, and then click Groups