www.technocorp.co.

in

Active Directory
Managing Groups

Module Overview
www.technocorp.co.in

Overview of Groups Administer Groups Best Practices for Group Management

Overview of Groups
Access Management Without Groups Benefits of Using Groups Role-Based Management: Role Groups and Rule Groups Define Group Naming Conventions Group Type Group Scope Local Groups Domain Local Groups Global Groups Universal Groups Summary of Group Scope Possibilities Develop a Group Management Strategy Default Groups Special Identities

www.technocorp.co.in

Access Management Without Groups

www.technocorp.co.in

Identity

Access Management

Resource

Benefits of Using Groups

Groups Add Manageability and Scalability

www.technocorp.co.in

Identity

Group Access Management

Resources

Role-Based Management
www.technocorp.co.in

Identity

Role Group

Rule Group
Access Management

Resources

Define Group Naming Conventions

www.technocorp.co.in

Name properties
Group name: cn and name of group must be unique within OU Group name (pre-Windows 2000 Server): sAMAccountName of group must be unique in domain Use the same name (unique in the domain) for both properties

Naming conventions
Role groups: Simple, unique name, such as Sales or Consultants Management groups: For example, ACL_Sales Folders_Read
Prefix: Management purpose of group, such as ACL Resource identifier: What is managed, such as Sales Folders Suffix: Access level, such as Read Delimiter: Separates name components, such as underscore (_)

Group Type
Distribution groups

www.technocorp.co.in

Used only with e-mail applications Not security-enabled (no SID); cannot be given permissions

Security groups Security principal with a SID; can be given permissions Can also be email enabled

Group Scope
www.technocorp.co.in

Four group scopes

Local Global Domain Local Universal

Characteristics that distinguish each scope

Replication: Where are the group and its membership stored? Membership: What types of objects, and from which domains, can be members of the group? Availability (Scope): Where can the group be used? In what scopes of groups can the group be a member? Can the group be added to an ACL?

Local Groups
www.technocorp.co.in

Replication

Defined in the SAM database of a domain member or workgroup computer Membership not replicated to any other system Any security principals from the domain: users (U), computers (C), global groups (GG), or domain local groups (DLG) U, C, GG from any domain in the forest U, C, GG from any trusted domain Universal groups (UG) defined in any domain in the forest Limited to the machine on which the group is defined; can be used for ACLs on the local machine only Cannot be a member of any other group

Membership: Local group can include as members

Availability/scope

Domain Local Groups

www.technocorp.co.in

Replication

Defined in the domain naming context Group and membership replicated to every DC in domain Any security principals from the domain: U, C, GG, DLG U, C, GG from any domain in the forest U, C, GG from any trusted domain UG defined in any domain in the forest

Membership: Domain local group can include as members

Availability/scope

Can be on ACLs on any resource on any domain member Can be a member of other domain local groups or of machine local groups

Well-suited for defining business management rules

Global Groups
www.technocorp.co.in

Replication
Defined in the domain naming context Group and membership is replicated to every DC in domain

Membership: Global group can include as members

Only security principals from the same domain: U, C, GG, DLG

Availability/scope
Available for use by all domain members, all other domains in the forest, and all trusting external domains Can be on ACLs on any resource on any computer in any of those domains Can be a member of any DLG or UG in the forest, and of any DLG in a trusting external domain

Well-suited for defining roles

Universal Groups
www.technocorp.co.in

Replication

Defined in a single domain in the forest Replicated to the global catalog (forest-wide) U, C, GG, and UG from any domain in the forest

Membership: Universal group can include as members Availability/scope

Available to every domain and domain member in the forest Can be on ACLs on any resource on any system in the forest Can be a member of other UGs or DLGs anywhere in the forest Defining roles that include members from multiple domains Defining business management rules that manage resources in multiple domains in the forest

Useful in multidomain forests

Summary of Group Scope Possibilities

www.technocorp.co.in
Group Scope Members from Same Domain

Members from Domain in Same Forest

Members from Trusted External Domain

Can be Assigned Permissions to Resources

Local

U, C, GG, DLG, UG and local users U, C, GG, DLG, UG U, C, GG, UG

U, C, GG, UG U, C, GG, UG U, C, GG, UG

U, C, GG U, C, GG N/A

On the local computer only Anywhere in the domain Anywhere in the forest

Domain Local Universal

Global

U, C, GG
U C GG DLG UG User Computer Global Group Domain Local Group Universal Group

N/A

N/A

Anywhere in the domain or a trusted domain

Develop a Group Management Strategy

Identities (users or computers) are members of Global groups that collect members based on those members' roles, which are members of Domain Local groups that provide management of some kind, such as management of resource access which are Assigned Access to a resource (for example, on an ACL) Multidomain forest: IGUDLA

www.technocorp.co.in

Default Groups
www.technocorp.co.in

Default local groups in the BUILTIN and Users containers

Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators Know these rights for the certification exams Highly overdelegated Protected

Reference to their rights and privileges in Student Handbook

Issues with these groups
Account Operators, for example, can log on to a DC
Users who are members of these groups become protected and are not unprotected when removed

Best practice: Keep these groups empty and create custom groups with the rights and privileges you require

Special Identities
www.technocorp.co.in

Membership is controlled by Windows:

Cannot be viewed, edited, or added to other groups Can be used on ACLs

Examples
Anonymous Logon: Represents connections to a computer without a user name and password Authenticated Users: Represents identities that have been authenticated, but does not include the Guest identity Everyone: Includes Authenticated Users and Guest (but not Anonymous Logon by default in Windows Server 2003/2008) Interactive: Users logged on locally or with Remote Desktop Network: Users accessing a resource over the network

Administer Groups
Tools for Group Management Demonstration: Create a Group Object Manage Group Membership Import Groups with CSVDE Import Groups with LDIFDE Convert Group Type and Scope Modify Group Membership with LDIFDE Copy Group Membership Delete Groups
www.technocorp.co.in

Tools for Group Management

www.technocorp.co.in

To create and manage groups in AD DS, you can use : Active Directory Users and Computers
GUI-based console for management of Active Directory objects

Active Directory Administrative Center (R2 only)

New GUI-based console built on PowerShell

Windows PowerShell with Active Directory Module (R2 only)

New command-line based tool

DS commands
Old command-line based tools

Demonstration: Create a Group Object

www.technocorp.co.in

In this demonstration, you will learn: How to create a group by using Active Directory Users and Computers How to configure group properties How to change group scope by using Windows PowerShell with Active Directory Module

Manage Group Membership

www.technocorp.co.in

Methods
The group's Members tab (Add/Remove) The member's Member Of tab (Add/Remove) The member's Add to a group command (Add)

You are always changing the member attribute

memberOf is a backlink attribute updated by Active Directory

Changes to membership do not take effect immediately

Requires logon (for a user) or startup (for a computer) Token built with SIDs of member groups at those times Account for replication of membership change to the user or computer's domain controller Tip: Change group membership on a DC in the user's site

Import Groups with CSVDE

Comma-separated values (csv) file format www.technocorp.co.in
Comma-separated list of attributes Groups to create, one per line, with all attributes listed on the first line
objectClass,sAMAccountName,DN,member group,Marketing,"CN=Marketing,OU=Role,OU=Groups, DC=contoso,DC=com", "CN=Linda Mitchell,OU=Employees,OU=User Accounts, DC=contoso,DC=com;CN=Scott Mitchell,OU=Employees, OU=User Accounts,DC=contoso,DC=com"

Example

csvde -i -f "filename" [-k]

-i. Import; default mode is export -f. File name -k. Continue on error, such as object already exists

CSVDE can create groups, not modify existing groups

Import Groups with LDIFDE

LDIF file www.technocorp.co.in
DN: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com changeType: add CN: Finance description: Finance Users objectClass: group sAMAccountName: Finance DN: CN=Research,OU=Role,OU=Groups,DC=contoso,DC=com changeType: add CN: Research description: Research Users objectClass: group sAMAccountName: Research

Ldifde -i -f "filename" [-k]

-i. Import (default mode is export) -f. File name -k. Continue on error, such as object already exists

Convert Group Type and Scope

In Active Directory Users and Computers, you can change group type: www.technocorp.co.in
Security to distribution (* lose permissions assigned to group) Distribution to security

In Active Directory Users and Computers, you can change the group scope:
Global to universal Domain local to universal Universal to global Universal to domain local You cannot change DL G or G DL directly, but you can change DL U G or G U DL. Change prevented if memberships are invalidfix, then retry

dsmod group GroupDN secgrp { yes | no } scope { l | g | u }

Modify Group Membership with LDIFDE

www.technocorp.co.in

LDIF file
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com changetype: modify add: member member: CN=April Stewart,OU=Employees,OU=User Accounts, dc=contoso,dc=com member: CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts, dc=contoso,dc=com -

changetype: modify Third line: What type of change? Add a value to member
To delete a member, just change to delete: member

Change operation is terminated with line containing only

Copy Group Membership

www.technocorp.co.in

Copy members from one group to another

dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" addmbr

Copy memberships of one user to another

dsget user "SourceUserDN" memberof | dsmod group addmbr "TargetUserDN"

Delete Groups
www.technocorp.co.in

Active Directory Users and Computers: Right-click, Delete DSRm command

-noprompt prevents prompting to confirm each deletion -c continues if an error occurs (such as access denied) -subtree deletes the object and all child objects -subtree -exclude deletes all child objects but not the object itself

dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]

dsrm "CN=Public Relations,OU=Role,OU=Groups, DC=contoso,DC=com"

Deleting a security group has significant impact

SID is lost and cannot be re-established by re-creating group Tip: First, record all members and delete all members for a test period, to evaluate any unintended side effects

Best Practices for Group Management

www.technocorp.co.in

Best Practices for Group Documentation Protect Groups from Accidental Deletion Delegate Membership Management with the Managed By Tab

Best Practices for Group Documentation

Why document groups?
www.technocorp.co.in
Easier to find them when you need them Easier to understand how and when to use a group Prefix, for example, helps distinguish APP_Budget from ACL_Budget_Edit Prefix helps you find the group in the Select dialog box Appears in Active Directory Users and Computers details pane

Establish and adhere to a strict naming convention

Summarize a group's purpose with its description

Detail a group's purpose in its Notes field

Protect Groups from Accidental Deletion

www.technocorp.co.in

1. In the Active Directory Users and Computers snap-in, click the View menu and make sure that Advanced Features is selected. 2. Open the Properties dialog box for a group. 3. On the Object tab, select the Protect Object From Accidental Deletion check box. 4. Click OK.

Delegate Membership Management with the Managed By Tab

www.technocorp.co.in

The Managed By tab serves two purposes:

Provide contact information for who manages the group Allow specified user (or group) to modify group membership if Manager Can Update Membership List is selected

Tips
Must click OK (not just Apply) to change the ACL on the group To set a group in the Name box, click Change, click Object Types, and then click Groups