1 Course 290: Chapter 7: WORKING WITH GROUPS Assigning Permissions in Server 2003 For users to be able to access resources on an Active Directory network, they must have the appropriate permissions. Shared folders and drives, printers, and virtually all other resources on a network have an access control list (ACL). An ACL is a list of objects that are permitted to access the resource, along with the degree of access that each object is permitted. The objects in an ACL are referred to as security principals Using Groups for permissions A group is simply a list of users that functions as a security principal. In Active Directory, group objects can contain user objects, computers, contacts, and, under certain conditions, even other groups. When you use a group object as a security principal by adding it to an ACL, all of the group’s members receive the permissions that you assigned to the group UNDERSTANDING GROUPS User Rights Groups also make it possible to assign user rights to multiple users at once. In Windows Server 2003, rights are distinctly different from permissions. A user right grants a user or group the ability to perform a particular system task, such as access the computer from the network, change the system time, or take ownership of files and other objects. Groups vs. Group Policies The structure of the Active Directory hierarchy is a critical part of the domain user account creation process because rights and permissions granted to a container object are inherited by the objects they contain, including user objects Group inheritance works the same: the members receive the settings assigned to the group. The main difference between a group and a container is that the group is not restricted by the structure of the Active Directory tree. You can create groups with members anywhere in the domain, and even in other domains, and grant them all privileges in one quick step. GROUP POLICIES Group policies and groups are not related. Group policies cannot be directly applied to a group. A Group policy can only be applied to an Active Directory site, domain, or OU DOMAIN FUNCTIONAL LEVELS The Domain Functional Level determines the level of functionality used by Active Directory The different versions of Windows have slightly different capabilities built into their Active Directory implementations. Each successive version has some new features that are not usable when some of the domain controllers in a domain are running older versions of Windows Changing the domain functional level informs the operating system that all of the domain controllers are compatible and that it is safe to activate the version-specific features The Functional level can be raised but not lowered DOMAIN FUNCTIONAL LEVELS Windows 2000 mixed default functional level of a domain controller Supports universal distribution groups but not universal security groups Global groups cannot have other groups as members (group nesting). Windows 2000 native Supports Server 2000 and 2003 Supports universal security and distribution groups. Allows groups to be members of other groups. Allows conversions between security groups and distribution groups. Windows Server 2003 interim Used only when upgrading domain controllers in Windows NT 4 domains to Windows Server 2003 domain controllers. Windows Server 2003 Same as Server 2000 native, but only supports Server 2003 Managing the Functional Domain Level Use the Active Directory Domains And Trusts console You cannot lower the functional level after you raise it, except by reinstalling Active Directory on all of your domain controllers Once the functional level is raised on that one domain controller, the change is replicated to all of the other domain controllers in the domain. Local vs. Domain groups Windows Server 2003 supports local groups and domain groups. A local group is a collection of local user accounts on a particular computer. Local groups perform the same basic function as all groups: they enable you to assign permissions to multiple users in one step. Local groups are created using the Local Users And Groups snap-in, which is integrated into the Computer Management console When you create a local group, the system stores it in the local Security Accounts Manager (SAM) database Restrictions on LOCAL GROUPS You can use local groups only on the computer where you create them. Only local users from the same computer can be members of local groups. When the computer is a member of a domain, local group members can include users and global groups from the domain or any trusted domain. Local groups cannot have other local groups as members. Local group permissions provide access only to resources on the computer where you created the local group. You cannot create local groups on a Windows Server 2003 computer that is functioning as a domain controller. ACTIVE DIRECTORY GROUPS Active Directory groups are characterized by their type and their scope Types Security Distribution Scopes Local Global Universal ACTIVE DIRECTORY GROUP TYPES Security Groups: used to assign access permissions for network resources Membership depends on the type of security group and the domain functional level. Can also be used as a distribution group. The most common type of group created and used in Active Directory. Distribution Groups: Used to group users together for use by applications in non-security-related functions You use distribution groups when the only function of the group is not security-related, such as sending e-mail messages to a group of users at the same time. Can be used only by directory-aware applications Can be converted to a security group ACTIVE DIRECTORY GROUP SCOPES Group scopes define how permissions are assigned to the group members The 3 Scope Levels are: Domain local Global Universal DOMAIN LOCAL GROUPS Domain local groups are most often used to assign access permissions to network resources, like printers or shared folders, in a single domain Available in all domain functional levels Can only be used to assign permissions to resources in the domain where they are created Permitted membership depends on domain functional level In Windows 2000 mixed or Windows 2003 interim functional level, members can include user and computer accounts and global groups from any domain in the forest. In Windows 2000 native or Windows Server 2003 functional level, members can include user and computer accounts, global and universal groups from any domain in the forest, and other domain local groups from the same domain GLOBAL GROUPS Used to collect users or computers in the same domain that share the same job, role, or function Global Groups are given access to network resources by making the group a member of a Domain Local group Most commonly used to manage permissions for directory objects, such as user and computer accounts, that require frequent maintenance. More efficient than using Universal groups because they are not replicated outside of their domain. This minimizes the amount of replication traffic to the global catalog, Available in all functional levels Can include only members from within their domain Actual membership depends on domain functional level Can be granted access permissions to resources in any domain in the forest, and in domains in other trusted forests UNIVERSAL GROUPS Used primarily to grant access to related resources in multiple domains. Generally used to consolidate groups that span multiple domains To use universal groups effectively, the best practice is to create a global group in each domain, with user or computer accounts as members, and then make the global groups members of a universal group Available only in the Windows 2000 native and Windows Server 2003 domain functional levels Can be granted access permissions for resources in any domain in the forest, and in domains in other trusted forests Can be converted to domain local groups or to global groups, as long as they do not have other universal groups as members NESTING GROUPS •Nesting Groups is the ability to make groups members of other groups •a single level of nesting is sufficient for most networks Group Scope Domain Local Members Allowed in Windows 2000 Mixed or Windows Server 2003 Interim Functional Level User and computer accounts and global groups from any domain Global User and computer accounts from the same domain Universal Not available Members Allowed in Windows 2000 Native or Windows Server 2003 Functional Level User and computer accounts, universal groups, and global groups from any domain; other domain local groups from the same domain User and computer accounts and other global groups from the same domain User and computer accounts, other universal groups, and global groups from any domain CONVERTING GROUPS • In a domain using the Windows 2000 native or Windows Server 2003 functional level, you can convert groups to different scopes at any time From Domain Local From Global From Universal To Domain Local Not applicable To Global Not permitted To Universal Permitted only when the domain local group does not have other domain local groups as members Not permitted Not applicable Permitted only when the global group is not a member of another global group No restrictions Permitted only when the universal group does not have other universal groups as members Not applicable PLANNING GLOBAL AND DOMAIN LOCAL GROUPS Step 1—Create domain local groups for resources to be shared. Step 2—Assign resource permissions to the domain local group. Step 3—Create global groups for users with common job responsibilities. Step 4—Add global groups that need access to resources to the appropriate domain local group. WINDOWS SERVER 2003 DEFAULT GROUPS 1. Built-in local groups 2. Predefined Active Directory groups 3. Built-in Active Directory groups 4. Special identities BUILT-IN LOCAL GROUPS Built-in local groups give users the rights to perform system tasks on a single computer backing up and restoring files, changing the system time, and administering system resources Some of these groups have default privileges granted to them through the assignment of user rights to the group Administrators, Backup Operators, Users, Power User, Remote Desktop Users Only on Windows Server 2003 standalone servers and member servers. Domain controllers do not have local groups (or local users) because their SAM is converted for Active Directory use. Located in the Groups folder in the Local Users And Groups snap-in. BUILT-IN LOCAL GROUPS PREDEFINED ACTIVE DIRECTORY GROUPS Predefined groups: security groups, most with a global scope, that are intended to group together common types of domain user accounts. By default, Windows Server 2003 automatically adds members to some predefined global groups. You can add user objects to these predefined groups to provide additional users with the privileges and permissions assigned to the group Created in the domain’s Users container Domain Admins, Domain Controllers, Domain Computers, Domain users By default, they do not have any inherent rights or permissions You can assign rights or permissions to them by adding the predefined global groups to domain local groups or by explicitly assigning rights or permissions to the predefined global groups. By default some of the predefined Active Directory groups have privileges granted to them through the assignment of user rights. Domain Admins and Enterprise Admins ONLY PREDEFINED ACTIVE DIRECTORY GROUPS BUILT-IN ACTIVE DIRECTORY GROUPS Every Active Directory domain has a Built-in container in which the system creates a series of security groups, all of which have a domain local scope. The Built-In groups provide users with user rights and permissions to perform tasks on domain controllers and in the Active Directory tree. Built-in domain local groups provide predefined rights and permissions to user accounts when you add user objects or global groups as members. Account Operators, Administrators, Users, Guests BUILT-IN ACTIVE DIRECTORY GROUPS SPECIAL IDENTITIES Special identities exist on all computers running Windows Server 2003. These are not really groups because you cannot create them, delete them, or directly modify their memberships. They are like placeholders for one or more users Special identities do not appear in the Local Users And Groups snap-in or the Active Directory Users and Computers console You can use them like groups, by adding them to the ACLs of system and network resources Examples: Everyone, Authenticated Users, Creator Owner SPECIAL IDENTITIES CREATING LOCAL GROUPS WORKING WITH ACTIVE DIRECTORY GROUPS Active Directory Users and Computers console: Create security groups Manage group membership Nest groups Change group types and scopes Delete a group CREATING SECURITY GROUPS •The Active Directory Users and Groups console lets you create group objects anywhere you want •Groups should always be created in an OU so that you can assign user rights to them NESTING GROUPS Both groups must be created separately, and then one is made a member of the other. Possible nestings depend on the domain functional level and scope type. Observe rules on group nesting. CHANGING GROUP TYPES AND SCOPES DELETING A GROUP Deletes only the group object, not the members of the group. Deletes the SID for the group. The SID cannot be re-created. Removes ACL entries for the group – all permissions for that group are deleted and are NOT restore even if you make a new group with the same name AUTOMATING GROUP MANAGEMENT The following command-line utilities can be used in scripts and batch files to automate group management: Dsadd.exe: Used to create new group objects Dsmod.exe: Used to configure existing group objects Dsget.exe: Used to locate groups in Active Directory CREATING GROUP OBJECTS WITH DSADD.EXE Allows groups to be created from a command line Useful when scripting group creation for large numbers of groups Can be used only to create new groups, not modify existing groups Syntax: dsadd group GroupDN [parameters] Ex: Create a new group called Sales in the Users container and make the Administrator user a member dsadd group "CN=Sales,CN=Users,DC=contoso,DC=com" –member "CN=Administrator,CN=Users,DC=contoso,DC=com" MANAGING GROUP OBJECTS WITH DSMOD.EXE Can be used to configure group objects, including: Setting the group scope Adding and removing individual group members Replacing the entire group membership Syntax: dsmod group GroupDN [parameters] Example: Add the Administrator user to the Guests group dsmod group "CN=Guests,CN=Builtin,DC=contoso,DC=com" – addmbr "CN=Administrator,CN=Users,DC=contoso,DC=com" FINDING OBJECTS WITH DSGET.EXE Command-line utility Used to locate and show information on an object Cannot be used to create, modify, or delete an object Syntax: dsget objectclass ObjectDN [parameters] Example: Display a list of the groups of which a user is a member dsget user "CN=Administrator,CN=Users,DC=contoso,DC=com" - memberof