70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 4: Implementing and Managing Group and Computer Accounts - PowerPoint PPT Presentation

Provided by: facult54
Learn more at: http://faculty.ccri.edu

Transcript and Presenter's Notes

1
70-290 MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Chapter 4: Implementing and Managing Group and Computer Accounts
2
Objectives
  • Understand the purpose of using group accounts to
    simplify administration
  • Create group objects using both graphical and
    command-line tools
  • Manage security groups and distribution groups
  • Explain the purpose of the built-in groups
    created when Active Directory is installed
  • Create and manage computer accounts

3
Introduction to Group Accounts
  • A group is a container object
  • Used to organize collections of users, computers,
    contacts, and other groups
  • Used to simplify administration
  • Similar to Organizational Units, except that
    • OUs are not security principals; groups are (a
      group has a SID and can appear in an ACL, an OU
      cannot)
    • OUs can only contain objects from their own
      domain; groups can contain objects from
      anywhere in the forest

4
Group Types
  • Security groups
    • Identified by a Security Identifier (SID)
    • Can be assigned permissions for resources, as
      entries in discretionary access control lists
      (DACLs)
    • Can be assigned user rights to perform
      different tasks
    • Can also be used as e-mail entities
  • Distribution groups
    • Primarily used as e-mail entities
    • Not security-enabled: their SID is never placed
      in an access token, so they cannot be placed in
      a DACL or granted rights

5
Group Scopes
  • Scope defines which accounts a group can contain
    and where in the forest the group can be granted
    rights and permissions
  • Both security and distribution groups have scopes
  • Three scopes: global, domain local, and universal
  • The objects allowed as members of each scope
    depend on the configured functional level of the
    domain

6
Group Scopes (continued)
  • Three domain functional levels
    • Windows 2000 mixed (the default): supports a
      combination of Windows NT Server 4.0, Windows
      2000 Server, and Windows Server 2003 domain
      controllers
    • Windows 2000 native: supports a combination of
      Windows 2000 Server and Windows Server 2003
      domain controllers
    • Windows Server 2003: supports Windows Server
      2003 domain controllers only

7
Global Groups
  • Organize users, computers, and groups from the
    same domain (members must come from the domain in
    which the group is created)
  • Can be granted rights and permissions in any
    domain of the forest
  • Usually represents a geographic location or job
    function
  • Types of objects allowed as members depend on the
    configured functional level of the domain, which
    in turn depends on the types of domain
    controllers in the environment (in Windows 2000
    mixed a global group cannot contain other global
    groups)

8
Domain Local Groups
  • Exist in the domain in which they are created
    (stored in Active Directory on its domain
    controllers)
  • Can be assigned rights and permissions only to
    resources within the same domain
  • Can contain users, global groups, and universal
    groups from any domain in the forest, plus domain
    local groups from the same domain
  • Specific objects allowed in the group depend on
    the configured functional level of the domain
    (nesting other domain local groups or universal
    groups requires Windows 2000 native or higher)

9
Universal Groups
  • Typically created to aggregate users or groups
    from different domains
  • Membership is replicated to every domain
    controller configured as a global catalog server,
    so membership changes cause forest-wide
    replication (keep the members to a few global
    groups rather than individual users)
  • Can be assigned rights and permissions for any
    resource within the forest
  • Universal security groups can only be created at
    the Windows 2000 native or Windows Server 2003
    domain functional level (universal distribution
    groups are allowed in Windows 2000 mixed)

10
Universal Groups (continued)
11
Creating Group Objects
  • Group objects are stored in the Active Directory
    database
  • A variety of tools can be used for creation and
    management
    • Active Directory Users and Computers
    • Command-line utilities: DSADD, DSMOD, DSQUERY,
      etc.

12
Active Directory Users and Computers
  • Primary tool for creating group accounts
  • Can also be used to configure properties of group
    accounts
  • Groups can be created in any built-in container,
    at the root of the domain object, or in custom OU
    objects
  • Possible group scopes are determined by the
    functional level the domain is configured to

13
Converting Group Types
  • May need to change a security group to a
    distribution group or vice versa
  • Type of group can only be changed if the domain
    functional level is Windows 2000 native or above
  • Converting a security group to a distribution
    group stops its SID from being placed in access
    tokens, so every permission or right granted to
    it stops applying until it is converted back

14
Converting Group Scopes
  • Scope of a group can be changed
  • Domain functional level must be at least Windows
    2000 native
  • Supported changes
    • Global to universal (refused while the group is
      a member of another global group)
    • Domain local to universal (refused while the
      group contains another domain local group)
    • Universal to global (refused while the group
      contains another universal group)
    • Universal to domain local
  • There is no direct global to domain local change
    (or the reverse); convert to universal first
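Added example, not part of the original slides: the type and scope conversions from this slide and the previous one, done with DSMOD and preceded by the membership checks the conversion rules require. The domain example.com, the container ou=Groups and the group names are assumed.

```batch
@echo off
rem Added example (not from the original slides). Domain example.com, the
rem container ou=Groups and the group names are assumed; substitute your own.
setlocal
set GRPOU=ou=Groups,dc=example,dc=com

rem Global -> universal is refused while the group is itself a member of
rem another global group, so look at its direct memberships first.
dsget group "cn=Finance-Staff,%GRPOU%" -scope -secgrp
dsget group "cn=Finance-Staff,%GRPOU%" -memberof

rem Domain local -> universal is refused while the group contains another
rem domain local group; list the direct members and check their scope.
dsget group "cn=FinanceShare-Modify,%GRPOU%" -members

rem Convert the scope; -scope takes l, g or u and the domain must be at
rem Windows 2000 native or higher. There is no direct global <-> domain
rem local change: go through universal in two steps.
dsmod group "cn=Finance-Staff,%GRPOU%" -scope u
dsmod group "cn=Finance-Staff,%GRPOU%" -scope l

rem Convert the type: -secgrp no makes it a distribution group. Its SID
rem stops being placed in access tokens, so every ACE and user right
rem granted to the group stops working until it is converted back.
dsmod group "cn=Finance-Staff,%GRPOU%" -secgrp no

rem Confirm the result.
dsget group "cn=Finance-Staff,%GRPOU%" -scope -secgrp
endlocal
```

Run it from a command prompt on a domain member with the Windows Server 2003 administration tools installed; each dsget call is there so the administrator sees the membership that would block the conversion before dsmod reports the refusal.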

15
Command Line Utilities
  • An alternative to Active Directory Users and
    Computers
  • Some administrators have a preference for
    command-line utilities
  • Command-line utilities are more flexible for
    group management and creation in some situations

16
DSADD
  • Introduced in Windows Server 2003
  • Used to create new objects, including user,
    group, computer, contact, and OU accounts
  • Syntax is
    dsadd group distinguished-name switches
  • Switches include -secgrp yes|no, -scope l|g|u,
    -memberof, -members
  • More help is available for switches and options
    at the Windows Server 2003 Help and Support
    Center or at the command line (dsadd group /?)

17
DSADD (continued)
18
DSMOD
  • Also introduced in Windows Server 2003
  • Allows various object types to be modified from
    the command line
  • Syntax is
    dsmod group distinguished-name switches
  • Switches include -desc, -rmmbr, -addmbr, -scope,
    -secgrp
  • More help is available for switches and options
    at the Windows Server 2003 Help and Support
    Center or at the command line (dsmod group /?)

19
DSMOD (continued)
20
DSQUERY
  • Also introduced in Windows Server 2003
  • Used to query various object types from the
    command line; returns the matching objects
  • Syntax for groups is
    dsquery group query
  • Supports the wildcard character (*)
  • Returns at most 100 results by default; use
    -limit 0 to return all matches
  • Output (distinguished names) can be piped as
    input to other command-line tools such as dsget
    and dsmod
  • More help is available for switches and options
    at the Windows Server 2003 Help and Support
    Center or at the command line (dsquery group /?)

21
DSMOVE
  • Used to move or rename various object types from
    the command line
  • Syntax for groups is
    dsmove group distinguished-name switches
  • Switches include -newparent, -newname
  • Can only move objects within a single domain
    (moving between domains requires MOVETREE from
    the Windows Support Tools)
  • More help is available for switches and options
    at the Windows Server 2003 Help and Support
    Center or at the command line (dsmove /?)

22
DSRM
  • Used to delete various object types from the
    command line
  • Syntax for groups is
    dsrm group distinguished-name switches
  • Switches include -noprompt (skips the
    confirmation) and -subtree
  • Deleting a group discards its SID; a group
    recreated with the same name gets a new SID, so
    existing ACL entries that referenced the old
    group no longer apply
  • More help is available for switches and options
    at the Windows Server 2003 Help and Support
    Center or at the command line (dsrm /?)

23
Managing Security Groups
  • Strategy for managing security groups uses the
    acronym A G U DL P
    • Create user Accounts (A) and organize them
      within Global groups (G)
    • (Optional) Create Universal groups (U) and place
      global groups from any domain in the universal
      groups
    • Create Domain Local groups (DL) and add the
      global and universal groups to them
    • Assign Permissions (P) to the domain local
      groups only, never directly to users or global
      groups
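Added example, not part of the original slides: the AGUDLP sequence above carried out end to end with DSADD, DSMOD, CACLS and DSGET. The domain EXAMPLE (example.com), the OUs Groups and Staff, the two user accounts, the file server FS01 and the folder D:\Shares\Finance are assumed.

```batch
@echo off
rem Added example (not from the original slides): AGUDLP with the Windows
rem Server 2003 ds* tools and cacls. Domain example.com, ou=Groups, ou=Staff,
rem the users and the folder D:\Shares\Finance are assumed.
setlocal
set DOMDN=dc=example,dc=com
set GRPOU=ou=Groups,%DOMDN%

rem A: the user accounts are assumed to exist already, created for example with
rem   dsadd user "cn=Jane Smith,ou=Staff,%DOMDN%" -samid jsmith -pwd * -mustchpwd yes

rem G: a global security group for the job function; members come from this domain.
dsadd group "cn=Finance-Staff,%GRPOU%" -secgrp yes -scope g -samid Finance-Staff -desc "Finance department staff (global)"
dsmod group "cn=Finance-Staff,%GRPOU%" -addmbr "cn=Jane Smith,ou=Staff,%DOMDN%" "cn=Arun Kumar,ou=Staff,%DOMDN%"

rem U (optional): a universal group that aggregates global groups from several
rem domains; needs Windows 2000 native or higher, so it is left commented out.
rem   dsadd group "cn=All-Finance,%GRPOU%" -secgrp yes -scope u -samid All-Finance -members "cn=Finance-Staff,%GRPOU%"

rem DL: a domain local group named after the resource and the access level,
rem created with the global group already as a member (-members).
dsadd group "cn=FinanceShare-Modify,%GRPOU%" -secgrp yes -scope l -samid FinanceShare-Modify -desc "Modify on \\FS01\Finance" -members "cn=Finance-Staff,%GRPOU%"

rem P: the permission goes on the domain local group only. cacls /E edits the
rem existing ACL instead of replacing it; C grants Change (modify) access.
cacls D:\Shares\Finance /E /G "EXAMPLE\FinanceShare-Modify":C

rem Verify: the folder ACL names exactly one domain local group, and the
rem effective membership resolves through the global group (-expand).
cacls D:\Shares\Finance
dsget group "cn=FinanceShare-Modify,%GRPOU%" -members -expand
endlocal
```

Run it on the file server (for the cacls step) as a member of Account Operators or Domain Admins. Because only the domain local group appears in the ACL, adding or removing a finance employee later is a single dsmod -addmbr or -rmmbr on Finance-Staff and the folder's ACL never changes.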

24
Determining Group Membership
  • An important task for administrators is to ensure
    that users are members of the correct groups
  • One method is the Member Of tab in the properties
    of a user account
    • Only shows the first level of groups (not
      groups of groups)
  • A second method is to use DSGET
    • Returns the values requested for an object

25
Determining Group Membership (continued)
  • Syntax is
    dsget group distinguished-name switches
  • Switches include -members, -memberof; add -expand
    to follow nested group membership
  • Can also be used as dsget user to get membership
    information about a specific user
  • Output can be saved to a file with redirection:
    dsget group distinguished-name switches >> filename
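Added example, not part of the original slides: a membership audit that combines the DSQUERY pipeline from the earlier slide with DSGET -expand from this one, so nested membership in the privileged groups is visible (the Member Of tab shows only direct membership). The domain example.com, the user jsmith and the output file C:\audit\groups.txt are assumed.

```batch
@echo off
rem Added example (not from the original slides). Domain example.com, the
rem user jsmith and the output path C:\audit\groups.txt are assumed.
setlocal
set OUT=C:\audit\groups.txt
if not exist C:\audit mkdir C:\audit

rem The Member Of tab and dsget ... -memberof without -expand show direct
rem membership only. -expand walks nested groups, which is what matters when
rem checking who really holds a privileged group.

rem 1. Everyone effectively in Domain Admins, including through nested groups.
rem    dsquery resolves the SAM name to a DN; the DN is piped straight to dsget.
echo === Domain Admins (expanded) === >> "%OUT%"
dsquery group -samid "Domain Admins" | dsget group -members -expand >> "%OUT%"

rem 2. The same for the Builtin Administrators group, which by default holds
rem    Domain Admins and Enterprise Admins as members.
echo === Administrators (expanded) === >> "%OUT%"
dsquery group -samid Administrators | dsget group -members -expand >> "%OUT%"

rem 3. Every group one user is in, directly or through nesting.
echo === jsmith memberof (expanded) === >> "%OUT%"
dsquery user -samid jsmith | dsget user -memberof -expand >> "%OUT%"

rem 4. Groups matching a wildcard in one OU, with their direct members.
rem    -limit 0 lifts the default cap of 100 results.
echo === Finance* groups in ou=Groups === >> "%OUT%"
dsquery group "ou=Groups,dc=example,dc=com" -name "Finance*" -limit 0 | dsget group -dn -members >> "%OUT%"

type "%OUT%"
endlocal
```

Schedule this and diff the file against the previous run: an account that appears in the expanded Domain Admins list but in no one's change record is exactly the case the first-level Member Of view would have missed.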

26
Built-In Groups
  • When Windows Server 2003 Active Directory is
    installed
  • Built-in groups are created automatically
  • Rights are pre-assigned
  • Stored in Builtin container and Users container
  • Use built-in groups where possible
  • Eases implementation of security rights

27
The Builtin Container
  • Contains a number of domain local group accounts
  • Allocated different user rights based on common
    administrative or network-related tasks

28
The Builtin Container (continued)
29
The Users Container
  • Contains a number of domain local and global
    group accounts (for example Domain Admins, Domain
    Users, DnsAdmins)
  • Some groups, such as Enterprise Admins and Schema
    Admins, are found only in the root domain of an
    Active Directory forest rather than in every
    domain

30
The Users Container (continued)
31
Creating and Managing Computer Accounts
  • Computer accounts are needed for Windows NT 4.0,
    2000, XP, and Server 2003 computers that join the
    domain
  • Can be created during installation (when the
    computer joins) or added manually beforehand
  • Creation and management tools
    • Active Directory Users and Computers
    • System applet in Control Panel
    • Command-line utilities (dsadd computer, dsmod
      computer, netdom)

32
Resetting Computer Accounts
  • Secure channel
    • Used by computers that are domain members to
      communicate with a domain controller
    • Uses a computer account password that is
      changed every 30 days by default
    • Automatically synchronized between domain
      controller and workstation
  • Occasional synchronization issues arise
    • Administrator must reset the computer account
    • Using Active Directory Users and Computers or
      the Netdom.exe command from the Windows Support
      Tools
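Added example, not part of the original slides: pre-creating a computer account with DSADD, checking the secure channel with NLTEST and resetting it with NETDOM (both from the Windows Support Tools) when the password has fallen out of sync. The domain example.com, the domain controller DC01, the OU Workstations and the workstation WS0042 are assumed.

```batch
@echo off
rem Added example (not from the original slides). Domain example.com, DC01,
rem ou=Workstations and the workstation WS0042 are assumed.
setlocal
set DOMDN=dc=example,dc=com

rem 1. Pre-create the account in a chosen OU so the machine lands there when it
rem    joins, not in the default Computers container (a container, not an OU,
rem    so no Group Policy can be linked to it). The SAM name WS0042$ is derived
rem    from the CN.
dsadd computer "cn=WS0042,ou=Workstations,%DOMDN%" -desc "Finance floor 3"

rem 2. On the workstation: is the secure channel to a DC healthy? A broken
rem    channel shows up at logon as a failed trust relationship with the domain.
nltest /sc_query:example.com

rem 3a. Directory side only: dsmod resets the account password to its initial
rem     value (same as Reset Account in AD Users and Computers). The workstation
rem     still holds the old password, so it must be rejoined or reset with netdom.
dsmod computer "cn=WS0042,ou=Workstations,%DOMDN%" -reset

rem 3b. Preferred: run netdom on the workstation (or another member) with
rem     domain admin credentials; it resets both sides of the channel at once.
rem     /passwordo:* prompts for the password instead of putting it in the script.
netdom reset WS0042 /domain:example.com /server:DC01 /usero:EXAMPLE\admin /passwordo:*

rem 4. Confirm the channel is back.
nltest /sc_query:example.com
endlocal
```

Reset, not delete and recreate: a recreated computer object gets a new SID, and any ACL entries or group memberships tied to the old account are lost.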

33
Summary
  • Group accounts reduce administrative effort by
    enabling assignment of common rights and
    permissions to multiple users simultaneously
  • Two group types
    • Security groups
    • Distribution groups
  • Three scopes possible for groups
    • Global groups
    • Domain local groups
    • Universal groups

34
Summary (continued)
  • Group and computer accounts can be created and
    managed
    • From Active Directory Users and Computers
    • From command-line utilities
  • The Builtin and Users containers, and the groups
    in them, are created automatically at
    installation with specific pre-assigned rights
    and permissions
  • Windows NT 4.0, 2000, XP, and Server 2003
    computers require computer accounts in Active
    Directory