local group - Cisco Networking Academy

Course 290: Chapter 7: WORKING WITH GROUPS
Assigning Permissions in Server 2003
• For users to be able to access resources on an Active Directory network, they must have the appropriate permissions.
• Shared folders and drives, printers, and virtually all other resources on a network have an access control list (ACL).
• An ACL is a list of objects that are permitted to access the resource, along with the degree of access that each object is permitted.
• The objects in an ACL are referred to as security principals.
Using Groups for Permissions
• A group is simply a list of users that functions as a security principal.
• In Active Directory, group objects can contain user objects, computers, contacts, and, under certain conditions, even other groups.
• When you use a group object as a security principal by adding it to an ACL, all of the group's members receive the permissions that you assigned to the group.
UNDERSTANDING GROUPS
User Rights
• Groups also make it possible to assign user rights to multiple users at once.
• In Windows Server 2003, rights are distinctly different from permissions.
• A user right grants a user or group the ability to perform a particular system task, such as access the computer from the network, change the system time, or take ownership of files and other objects.
Groups vs. Group Policies
• The structure of the Active Directory hierarchy is a critical part of the domain user account creation process, because rights and permissions granted to a container object are inherited by the objects it contains, including user objects.
• Group inheritance works the same way: the members receive the settings assigned to the group.
• The main difference between a group and a container is that the group is not restricted by the structure of the Active Directory tree.
• You can create groups with members anywhere in the domain, and even in other domains, and grant them all privileges in one quick step.
GROUP POLICIES
• Group policies and groups are not related.
• Group policies cannot be directly applied to a group.
• A group policy can only be applied to an Active Directory site, domain, or OU.
DOMAIN FUNCTIONAL LEVELS
• The domain functional level determines the level of functionality used by Active Directory.
• The different versions of Windows have slightly different capabilities built into their Active Directory implementations.
• Each successive version has some new features that are not usable when some of the domain controllers in a domain are running older versions of Windows.
• Changing the domain functional level informs the operating system that all of the domain controllers are compatible and that it is safe to activate the version-specific features.
• The functional level can be raised but not lowered.
DOMAIN FUNCTIONAL LEVELS
• Windows 2000 mixed
  - Default functional level of a domain controller
  - Supports universal distribution groups but not universal security groups
  - Global groups cannot have other groups as members (group nesting)
• Windows 2000 native
  - Supports Server 2000 and 2003
  - Supports universal security and distribution groups
  - Allows groups to be members of other groups
  - Allows conversions between security groups and distribution groups
• Windows Server 2003 interim
  - Used only when upgrading domain controllers in Windows NT 4 domains to Windows Server 2003 domain controllers
• Windows Server 2003
  - Same as Windows 2000 native, but only supports Server 2003
Managing the Domain Functional Level
• Use the Active Directory Domains And Trusts console.
• You cannot lower the functional level after you raise it, except by reinstalling Active Directory on all of your domain controllers.
• Once the functional level is raised on that one domain controller, the change is replicated to all of the other domain controllers in the domain.
Local vs. Domain Groups
• Windows Server 2003 supports local groups and domain groups.
• A local group is a collection of local user accounts on a particular computer.
• Local groups perform the same basic function as all groups: they enable you to assign permissions to multiple users in one step.
• Local groups are created using the Local Users And Groups snap-in, which is integrated into the Computer Management console.
• When you create a local group, the system stores it in the local Security Accounts Manager (SAM) database.
Restrictions on LOCAL GROUPS
• You can use local groups only on the computer where you create them.
• Only local users from the same computer can be members of local groups.
• When the computer is a member of a domain, local group members can include users and global groups from the domain or any trusted domain.
• Local groups cannot have other local groups as members.
• Local group permissions provide access only to resources on the computer where you created the local group.
• You cannot create local groups on a Windows Server 2003 computer that is functioning as a domain controller.
ACTIVE DIRECTORY GROUPS
• Active Directory groups are characterized by their type and their scope.
• Types
  - Security
  - Distribution
• Scopes
  - Domain local
  - Global
  - Universal
ACTIVE DIRECTORY GROUP TYPES
• Security groups: used to assign access permissions for network resources
  - Membership depends on the type of security group and the domain functional level.
  - Can also be used as a distribution group.
  - The most common type of group created and used in Active Directory.
• Distribution groups: used to group users together for use by applications in non-security-related functions
  - You use distribution groups when the only function of the group is not security-related, such as sending e-mail messages to a group of users at the same time.
  - Can be used only by directory-aware applications.
  - Can be converted to a security group.
ACTIVE DIRECTORY GROUP SCOPES
• Group scopes define how permissions are assigned to the group members.
• The three scope levels are:
  - Domain local
  - Global
  - Universal
DOMAIN LOCAL GROUPS
• Domain local groups are most often used to assign access permissions to network resources, like printers or shared folders, in a single domain.
• Available in all domain functional levels.
• Can only be used to assign permissions to resources in the domain where they are created.
• Permitted membership depends on domain functional level:
  - In Windows 2000 mixed or Windows Server 2003 interim functional level, members can include user and computer accounts and global groups from any domain in the forest.
  - In Windows 2000 native or Windows Server 2003 functional level, members can include user and computer accounts, global and universal groups from any domain in the forest, and other domain local groups from the same domain.
GLOBAL GROUPS
• Used to collect users or computers in the same domain that share the same job, role, or function.
• Global groups are given access to network resources by making the group a member of a domain local group.
• Most commonly used to manage permissions for directory objects, such as user and computer accounts, that require frequent maintenance.
• More efficient than using universal groups because they are not replicated outside of their domain. This minimizes the amount of replication traffic to the global catalog.
• Available in all functional levels.
• Can include only members from within their domain.
• Actual membership depends on domain functional level.
• Can be granted access permissions to resources in any domain in the forest, and in domains in other trusted forests.
UNIVERSAL GROUPS
• Used primarily to grant access to related resources in multiple domains.
• Generally used to consolidate groups that span multiple domains.
• To use universal groups effectively, the best practice is to create a global group in each domain, with user or computer accounts as members, and then make the global groups members of a universal group.
• Available only in the Windows 2000 native and Windows Server 2003 domain functional levels.
• Can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests.
• Can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members.
NESTING GROUPS
• Nesting groups is the ability to make groups members of other groups.
• A single level of nesting is sufficient for most networks.
Members allowed, by group scope and domain functional level:
• Domain local
  - Windows 2000 mixed or Windows Server 2003 interim: user and computer accounts and global groups from any domain
  - Windows 2000 native or Windows Server 2003: user and computer accounts, universal groups, and global groups from any domain; other domain local groups from the same domain
• Global
  - Windows 2000 mixed or Windows Server 2003 interim: user and computer accounts from the same domain
  - Windows 2000 native or Windows Server 2003: user and computer accounts and other global groups from the same domain
• Universal
  - Windows 2000 mixed or Windows Server 2003 interim: not available
  - Windows 2000 native or Windows Server 2003: user and computer accounts, other universal groups, and global groups from any domain
CONVERTING GROUPS
• In a domain using the Windows 2000 native or Windows Server 2003 functional level, you can convert groups to different scopes at any time, subject to these rules:
• From domain local
  - To global: not permitted
  - To universal: permitted only when the domain local group does not have other domain local groups as members
• From global
  - To domain local: not permitted
  - To universal: permitted only when the global group is not a member of another global group
• From universal
  - To domain local: no restrictions
  - To global: permitted only when the universal group does not have other universal groups as members
PLANNING GLOBAL AND DOMAIN LOCAL GROUPS
• Step 1: Create domain local groups for resources to be shared.
• Step 2: Assign resource permissions to the domain local group.
• Step 3: Create global groups for users with common job responsibilities.
• Step 4: Add global groups that need access to resources to the appropriate domain local group.
WINDOWS SERVER 2003 DEFAULT GROUPS
1. Built-in local groups
2. Predefined Active Directory groups
3. Built-in Active Directory groups
4. Special identities
BUILT-IN LOCAL GROUPS
• Built-in local groups give users the rights to perform system tasks on a single computer
  - Backing up and restoring files, changing the system time, and administering system resources
• Some of these groups have default privileges granted to them through the assignment of user rights to the group
  - Administrators, Backup Operators, Users, Power Users, Remote Desktop Users
• Exist only on Windows Server 2003 standalone servers and member servers
  - Domain controllers do not have local groups (or local users) because their SAM is converted for Active Directory use.
• Located in the Groups folder in the Local Users And Groups snap-in.
BUILT-IN LOCAL GROUPS
PREDEFINED ACTIVE DIRECTORY GROUPS
• Predefined groups: security groups, most with a global scope, that are intended to group together common types of domain user accounts.
  - By default, Windows Server 2003 automatically adds members to some predefined global groups.
  - You can add user objects to these predefined groups to provide additional users with the privileges and permissions assigned to the group.
• Created in the domain's Users container
  - Domain Admins, Domain Controllers, Domain Computers, Domain Users
• By default, they do not have any inherent rights or permissions.
  - You can assign rights or permissions to them by adding the predefined global groups to domain local groups or by explicitly assigning rights or permissions to the predefined global groups.
• By default, some of the predefined Active Directory groups have privileges granted to them through the assignment of user rights.
  - Domain Admins and Enterprise Admins ONLY
PREDEFINED ACTIVE DIRECTORY GROUPS
BUILT-IN ACTIVE DIRECTORY GROUPS
• Every Active Directory domain has a Built-in container in which the system creates a series of security groups, all of which have a domain local scope.
• The built-in groups provide users with user rights and permissions to perform tasks on domain controllers and in the Active Directory tree.
• Built-in domain local groups provide predefined rights and permissions to user accounts when you add user objects or global groups as members.
  - Account Operators, Administrators, Users, Guests
BUILT-IN ACTIVE DIRECTORY GROUPS
SPECIAL IDENTITIES
• Special identities exist on all computers running Windows Server 2003.
• These are not really groups, because you cannot create them, delete them, or directly modify their memberships.
• They are like placeholders for one or more users.
• Special identities do not appear in the Local Users And Groups snap-in or the Active Directory Users And Computers console.
• You can use them like groups, by adding them to the ACLs of system and network resources.
• Examples: Everyone, Authenticated Users, Creator Owner
SPECIAL IDENTITIES
CREATING LOCAL GROUPS
WORKING WITH ACTIVE DIRECTORY GROUPS
• Active Directory Users And Computers console:
  - Create security groups
  - Manage group membership
  - Nest groups
  - Change group types and scopes
  - Delete a group
CREATING SECURITY GROUPS
• The Active Directory Users And Computers console lets you create group objects anywhere you want.
• Groups should always be created in an OU so that you can assign user rights to them.
NESTING GROUPS
• Both groups must be created separately, and then one is made a member of the other.
• Possible nestings depend on the domain functional level and scope type.
• Observe the rules on group nesting.
CHANGING GROUP TYPES AND SCOPES
DELETING A GROUP
• Deletes only the group object, not the members of the group.
• Deletes the SID for the group. The SID cannot be re-created.
• Removes ACL entries for the group: all permissions for that group are deleted and are NOT restored even if you make a new group with the same name, because the new group receives a different SID.
AUTOMATING GROUP MANAGEMENT
The following command-line utilities can be used in scripts and batch files to automate group management:
• Dsadd.exe: used to create new group objects
• Dsmod.exe: used to configure existing group objects
• Dsget.exe: used to locate groups in Active Directory
CREATING GROUP OBJECTS WITH DSADD.EXE
• Allows groups to be created from a command line
• Useful when scripting group creation for large numbers of groups
• Can be used only to create new groups, not modify existing groups
• Syntax:
    dsadd group GroupDN [parameters]
• Example: create a new group called Sales in the Users container and make the Administrator user a member (the member list is given with the -members parameter):
    dsadd group "CN=Sales,CN=Users,DC=contoso,DC=com" -members "CN=Administrator,CN=Users,DC=contoso,DC=com"
MANAGING GROUP OBJECTS WITH DSMOD.EXE
Can be used to configure group objects, including:
• Setting the group scope
• Adding and removing individual group members
• Replacing the entire group membership
• Syntax:
    dsmod group GroupDN [parameters]
• Example: add the Administrator user to the Guests group:
    dsmod group "CN=Guests,CN=Builtin,DC=contoso,DC=com" -addmbr "CN=Administrator,CN=Users,DC=contoso,DC=com"
FINDING OBJECTS WITH DSGET.EXE
• Command-line utility
• Used to locate and show information on an object
• Cannot be used to create, modify, or delete an object
• Syntax:
    dsget objectclass ObjectDN [parameters]
• Example: display a list of the groups of which a user is a member:
    dsget user "CN=Administrator,CN=Users,DC=contoso,DC=com" -memberof
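The four planning steps (domain local group, permission, global group, nesting) carried out with the dsadd, dsmod and dsget tools above, as an added batch example that is not part of the course slides. It assumes a domain contoso.com (NetBIOS name CONTOSO) with an OU named Groups, a folder D:\Shares\SalesDocs on the server the script runs on, and users "Alice Smith" and "Bob Jones" in the Users container; all of these names are assumptions.

```batch
@echo off
rem Added example, not from the course slides: the four AGDLP planning steps
rem scripted with dsadd, dsmod and dsget. Assumed names: domain contoso.com
rem (NetBIOS CONTOSO), an OU named Groups, folder D:\Shares\SalesDocs on this
rem server, and users "Alice Smith" and "Bob Jones" in the Users container.
setlocal
set DOMAIN_DN=DC=contoso,DC=com
set GROUPS_OU=OU=Groups,%DOMAIN_DN%
set DL_GROUP=CN=SalesDocs_Read,%GROUPS_OU%
set GLOBAL_GROUP=CN=Sales,%GROUPS_OU%
set SHARE_PATH=D:\Shares\SalesDocs

rem Step 1: a domain local security group that represents the resource.
dsadd group "%DL_GROUP%" -scope l -secgrp yes -desc "Read access to SalesDocs" || goto :fail

rem Step 2: the permission is assigned to the domain local group only, never
rem to individual users. cacls /E edits the existing ACL instead of replacing
rem it; R grants Read on the folder (NTFS permission).
cacls "%SHARE_PATH%" /E /G CONTOSO\SalesDocs_Read:R || goto :fail

rem Step 3: a global security group for the job role, with the user accounts
rem as members (a global group may only contain members from its own domain).
dsadd group "%GLOBAL_GROUP%" -scope g -secgrp yes -desc "Sales staff" -members "CN=Alice Smith,CN=Users,%DOMAIN_DN%" "CN=Bob Jones,CN=Users,%DOMAIN_DN%" || goto :fail

rem Step 4: nest the global group in the domain local group; the users now
rem receive Read on the folder through two hops of group membership.
dsmod group "%DL_GROUP%" -addmbr "%GLOBAL_GROUP%" || goto :fail

rem Check: -expand follows nested membership, so both users should be listed
rem under the domain local group, and the folder ACL should show the group.
dsget group "%DL_GROUP%" -members -expand
cacls "%SHARE_PATH%"
endlocal
exit /b 0

:fail
echo Step failed (errorlevel %errorlevel%); later steps were not run.
endlocal
exit /b 1
```

Each tool returns a non-zero exit code on failure, so the `|| goto :fail` guards stop the script before a later step grants access through a group that was not created as intended.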