Implementing and Managing Group and Computer Accounts

1  Domain User Accounts
   - Allow users to log on to the domain and gain access to resources anywhere on the network
   - Created in an OU in the Active Directory store
   - Replicated to all domain controllers

2  Local User Accounts
   - Allow users to log on to, and gain access to resources on, only the computer where they log in
   - Created in that computer's local security database
   - Not replicated to domain controllers

3  Introduction to Group Accounts
   - A group is a container object used to organize collections of users, computers, contacts and other groups
   - Used to simplify administration
   - Similar to Organizational Units, with two differences: OUs are not security principals, groups are; OUs can only contain objects from their own domain, groups can contain objects from anywhere within the forest

4  Introduction to Groups
   - Groups simplify administration of user permissions
   - Users can be members of more than one group
   - When you assign permissions to a group, every member of that group gains access to the specified resources

5  Group Types
   - Security groups: identified by a security identifier (SID); can be assigned permissions for resources in discretionary access control lists (DACLs); can be assigned rights to perform different tasks; can also be used as e-mail entities
   - Distribution groups: primarily used as e-mail entities; have no associated SID, so they cannot be placed in a DACL

6  Group Scopes
   - Scope refers to the logical boundary within which a group can be granted permissions to resources and from which it can draw members
   - Both security and distribution groups have scopes
   - Three scope types: global, domain local and universal
   - The objects possible within each scope depend on the configured functional level of the domain

7  Group Scopes (continued): three domain functional levels
   - Windows 2000 mixed (the default configuration): supports a combination of Windows NT Server 4.0, Windows 2000 Server and Windows Server 2003 domain controllers
   - Windows 2000 native: supports a combination of Windows 2000 Server and Windows Server 2003 domain controllers
   - Windows Server 2003: supports Windows Server 2003 domain controllers only

8  Global Groups
   - Organize users, computers and groups from within the same domain
   - Use global groups to hold accounts; those accounts reach resources in the same domain and in other domains by placing the global group into domain local groups
   - Usually represents a geographic location or a job function
   - The types of objects the group can contain depend on the configured functional level of the domain, which in turn depends on the types of domain controllers in the environment

9  Domain Local Groups
   - Created on domain controllers
   - Can be assigned rights and permissions to any resource within the same domain
   - Can contain groups from other domains
   - The specific objects allowed in the group depend on the configured functional level of the domain

10 Domain Local Group Example: managing security through domain local and global groups
   [Figure: three domains (college.edu, students.college.edu and research.college.edu), each with a LocalExec domain local group, and a single GlobalExec global group; the figure illustrates placing the global group into each domain's domain local group]

11 Universal Groups
   - Typically created to aggregate users or groups from different domains
   - Membership is stored on domain controllers configured as global catalog servers
   - Can be assigned rights and permissions for any resource within the forest
   - Universal security groups can only be created at the Windows 2000 native or Windows Server 2003 domain functional level

12 Universal Groups (continued) (figure only)

13 Creating Group Objects
   - Group objects are stored in the Active Directory database
   - A variety of tools can be used for creation and management: Active Directory Users and Computers, and command-line utilities (DSADD, DSMOD, DSQUERY, etc.)

14 Active Directory Users and Computers
   - Primary tool for creating group accounts; can also be used to configure the properties of group accounts
   - Groups can be created in any of the built-in containers at the root of the domain object or in custom OU objects
   - The possible group scopes are determined by the functional level the domain is configured for

15 Managing Groups (figure only)

16 Raising Functional Level (figure only)

17 Creating Groups (figure only)

18 Converting Group Types
   - You may need to change a security group to a distribution group or vice versa
   - The type of a group can only be changed if the domain functional level is Windows 2000 native or above

19 Converting Group Types (figure only)

20 Converting Group Scopes
   - The scope of a group can be changed; the domain functional level must be at least Windows 2000 native
   - Supported changes:
     - Global to universal: not allowed if the group is a member of another global group, because the result would be a universal group that is a member of a global group
     - Domain local to universal: not allowed if the group contains other domain local groups, because universal groups cannot contain domain local groups

21 Converting Group Scopes (continued)
     - Universal to global: not allowed if the group contains other universal groups, because the result would be a global group containing a universal group
     - Universal to domain local: no restrictions

22 Group Scope summary

   Scope          Membership                                                Resource access
   Global         Same domain                                               Any domain
   Domain local   Any domain, plus domain local groups from the same domain Same domain
   Universal      Any domain, but no domain local groups                    Any domain

23 Command Line Utilities
   - An alternative to Active Directory Users and Computers
   - Some administrators prefer command-line utilities
   - Command-line utilities are more flexible for group creation and management in some situations, such as scripted or bulk changes

24 DSADD
   - Introduced in Windows Server 2003
   - Used to create new user and group accounts
   - Syntax: dsadd group <GroupDN> [switches]
   - Switches include -secgrp, -scope, -memberof and -members
   - More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line (dsadd group /?)

25 DSADD (continued) (figure only)

26 DSMOD
   - Allows various object types to be modified from the command line
   - Syntax: dsmod group <GroupDN> [switches]
   - Switches include -desc, -rmmbr, -addmbr and -chmbr

27 DSMOD (continued) (figure only)

28 DSQUERY
   - Used to query various object types from the command line; returns the matching values
   - Syntax for groups: dsquery group [query]
   - Supports the * wildcard character
   - Output can be piped as input to other command-line tools, or sent to a file

29 DSMOVE
   - Used to move or rename various object types from the command line
   - Syntax for groups: dsmove <GroupDN> [switches]
   - Switches include -newparent and -newname
   - Can only move groups within a single domain

30 DSRM
   - Used to delete various object types from the command line
   - Syntax for groups: dsrm <GroupDN> [switches]
   - Switches include -noprompt

31 Managing Security Groups
   - The strategy for managing security groups uses the acronym A G U DL P:
     1. Create user Accounts (A)
     2. Organize them within Global groups (G)
     3. Optional: create Universal groups (U) and place global groups from any domain
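The following is an added example, not code from the slides or from Microsoft: it carries the A G U DL P procedure through with the DSADD, DSMOD and DSQUERY tools described above, and it starts with a small rule check that encodes the scope-conversion restrictions from the "Converting Group Scopes" slides so a script can refuse an illegal change before calling DSMOD. Everything it names is assumed: a domain college.edu at the Windows 2000 native or Windows Server 2003 functional level, an OU called Groups under the domain root, an existing user jdoe in OU=Users, a folder D:\Shares\SalesData, and the group names G-Sales, U-Sales-AllDomains and DL-SalesData-Modify. The DL and P steps (place the universal group in a domain local group, then grant permissions to that group) follow the standard reading of the acronym, since the excerpt ends before them; icacls is used for the permission grant because the slides show no tool for that step.

```powershell
# Added example (not from the slides): A-G-U-DL-P carried out with the ds* tools,
# preceded by an offline rule check for group scope conversions.
# Assumptions (not on the page): domain college.edu above Windows 2000 mixed,
# OU=Groups under the domain root, user jdoe in OU=Users, folder D:\Shares\SalesData,
# and the group names below. Run in an elevated PowerShell session on a machine
# that has dsadd/dsmod/dsquery and icacls on the PATH.

$Domain   = 'DC=college,DC=edu'
$GroupsOU = "OU=Groups,$Domain"

# Encodes the scope-conversion rules from the slides. $Members and $MemberOf hold the
# scopes of the group's current members and of the groups it belongs to. Returns $true
# when the change is permitted; needs no directory access.
function Test-ScopeChange {
    param(
        [Parameter(Mandatory)][ValidateSet('global','domainlocal','universal')][string]$From,
        [Parameter(Mandatory)][ValidateSet('global','domainlocal','universal')][string]$To,
        [string[]]$Members  = @(),
        [string[]]$MemberOf = @(),
        [ValidateSet('2000mixed','2000native','2003')][string]$FunctionalLevel = '2003'
    )
    # Every scope change requires Windows 2000 native or above.
    if ($FunctionalLevel -eq '2000mixed') { return $false }
    switch ("${From}->${To}") {
        'global->universal'      { return ($MemberOf -notcontains 'global') }      # would put a universal group inside a global group
        'domainlocal->universal' { return ($Members  -notcontains 'domainlocal') } # universal groups cannot contain domain local groups
        'universal->global'      { return ($Members  -notcontains 'universal') }   # global groups cannot contain universal groups
        'universal->domainlocal' { return $true }                                  # no restrictions
        default                  { return $false }                                 # global <-> domain local is not a direct change; go through universal
    }
}

# Runs an external command and stops the script if it reports failure.
function Invoke-Ds {
    param([Parameter(Mandatory)][string]$Exe, [string[]]$Arguments = @())
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

$G  = "CN=G-Sales,$GroupsOU"               # G: global group, one per job function and domain
$U  = "CN=U-Sales-AllDomains,$GroupsOU"    # U: optional universal group aggregating global groups from any domain
$DL = "CN=DL-SalesData-Modify,$GroupsOU"   # DL: domain local group that actually appears on the resource's DACL

# A: the user account (jdoe) already exists. G: create the global group and add the account.
Invoke-Ds dsadd @('group', $G, '-secgrp', 'yes', '-scope', 'g', '-samid', 'G-Sales',
                  '-desc', 'Sales staff in college.edu')
Invoke-Ds dsmod @('group', $G, '-addmbr', "CN=jdoe,OU=Users,$Domain")

# U: universal security group; creatable because the domain is above Windows 2000 mixed.
Invoke-Ds dsadd @('group', $U, '-secgrp', 'yes', '-scope', 'u', '-samid', 'U-Sales-AllDomains',
                  '-members', $G)

# DL: domain local group that contains the universal group.
Invoke-Ds dsadd @('group', $DL, '-secgrp', 'yes', '-scope', 'l', '-samid', 'DL-SalesData-Modify',
                  '-members', $U)

# P: permissions go to the domain local group only, never to users or global groups directly.
Invoke-Ds icacls @('D:\Shares\SalesData', '/grant', 'COLLEGE\DL-SalesData-Modify:(OI)(CI)M')

# DSQUERY output as DSMOD input: stamp every DL-* group in the OU with a description.
dsquery group $GroupsOU -name 'DL-*' | dsmod group -desc 'Resource group: assign permissions here only'

# Scope conversion: G-Sales is a member of a universal group, not of a global group,
# so global -> universal passes the rule check and DSMOD performs the change.
if (Test-ScopeChange -From global -To universal -MemberOf @('universal')) {
    Invoke-Ds dsmod @('group', $G, '-scope', 'u')
}
```

Test-ScopeChange only encodes the rules; to check a real group, feed it the scopes of that group's actual members and parent groups, and treat a $false result as a reason to nest through a universal group first rather than to retry DSMOD. The permission grant lands on the domain local group so that a change of staff is handled entirely by editing global-group membership, with the resource's DACL left untouched.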