Guide to MCSE 70-290, Enhanced
Chapter 4: Implementing and Managing Group and Computer Accounts
Objectives
After reading the chapter and completing the exercises, students should be able to:
• Understand the purpose of using group accounts to simplify administration
• Create group objects using both graphical and command-line tools
• Manage security groups and distribution groups
• Explain the purpose of the built-in groups created when Active Directory is installed
• Create and manage computer accounts
Teaching Tips
Introduction to Group Accounts
1. Start by defining what a group account is, and why it is important from an administrative viewpoint. Note the comparison to Organizational Units.
Group Types
1. Introduce the concept of group type and note the two different types available.
Security Groups
1. Describe the features and purpose of a security group. Ensure that students know that if a group will be assigned permissions, it must be a security group. Mention that it can also be used as an e-mail entity.
Distribution Groups
1. Describe the purpose and features of a distribution group and note that if a group will never be used for security purposes, it should be a distribution group.
Group Scopes
1. Introduce the concept of group scope and note the three possible scopes.
Global Groups
1. Explain the purpose of a global group. It is important to note that global groups can only contain objects from within the same domain.
2. Discuss why an administrator would create a global group and give examples such as the marketing example in the text.
3. Describe the concept of domain functional level and go over the three possible levels. Make sure that students understand the relationship between the domain controllers in the environment and the domain functional level that can be supported.
4. Note that students can get more information on this topic (and many others) in the Help and Support Center.
5. Going back to global groups, describe the impact of the domain functional level on the capabilities that are supported for global groups at each level.
Domain Local Groups
1. Explain the purpose of a domain local group. Note that these groups are created on domain controllers, and can be assigned rights and permissions to resources in the same domain only. However, they can contain groups from other domains.
2. Give an example to help clarify these concepts.
3. Note how the domain functional level affects the membership rules for domain local groups.
Universal Groups
1. Explain the purpose of universal groups. Note that this type of group is used for aggregating users and groups from different domains and for assigning rights and permissions for resources anywhere in the Active Directory forest.
2. Give an example to help clarify why this might be important.
3. Note that universal groups do not exist at the Windows 2000 mixed domain functional level and mention the membership rules for the Windows 2000 native and Windows Server 2003 levels.
4. Caution students about the use of universal groups due to replication of information across global catalogs.
Teaching Tip
Go over Table 4-1 to summarize the Group Scope discussions. This is a difficult topic where the details are important. It is worth taking extra time to ensure students understand the relationship between scope and domain functional level.
Creating Group Objects
1. Note that group accounts are stored in the Active Directory database as are user accounts. The same tools that are used to create and manage user accounts are also used for creating and managing group accounts.
2. Note that the main graphical tool to be used is Active Directory Users and Computers. The command-line tools are also available for group accounts. Reiterate the reasons that an administrator might choose one or the other.
Active Directory Users and Computers
1. Discuss how Active Directory Users and Computers is used to create group accounts in fundamentally the same way it is used to create user accounts. Note where group accounts can be created.
2. Go over the steps needed to create a group account, the properties dialog box, and the information that is associated with the tabs in properties.
Activity 4-1: Creating and Adding Members to Global Groups
1. The purpose of this activity is to explore the use of Active Directory Users and Computers to create global group accounts. Students should take advantage of this opportunity to explore some of the different options of scope, type, and group membership.
Activity 4-2: Creating and Adding Members to Domain Local Groups
1. The purpose of this activity is to explore the use of Active Directory Users and Computers to create domain local group accounts. Students should take advantage of this opportunity to explore some of the different options of scope, type, and group membership.
Activity 4-3: Changing the Functional Level of a Domain and Creating and Adding Members to Universal Groups
1. The purpose of this activity is to change the functional level of a domain to Windows Server 2003 and use Active Directory Users and Computers to create universal group accounts. Reiterate why you might have to change the functional level to create universal groups. Again, students will have the opportunity to explore scope, type, and group membership options while creating new groups.
Converting Group Types
1. Explain why an administrator might want to convert the type of a group and give an example. Note that group type cannot be changed in the Windows 2000 mixed domain functional level.
Activity 4-4: Converting Group Types
1. In this activity, students use Active Directory Users and Computers to create a group, change its type, and verify the change.
Converting Group Scopes
1. Explain why an administrator might want to convert the scope of a group. Note that group scope cannot be changed in the Windows 2000 mixed domain functional level.
2. Go over the various group scope changes that are supported along with the restrictions based on group membership.
Activity 4-5: Converting Group Scopes
1. In this activity, students use Active Directory Users and Computers to create a global group, add a member group, and change its scope to universal. Students should note the membership rules governing the scope change as discussed in the exercise.
Quick Quiz
1. Which group type has an associated SID?
Answer: security group
2. True or False: A universal group can only be created when the domain functional level is at least at the Windows 2000 native level.
Answer: True
3. True or False: A domain local group can be assigned rights and permission to any resource in the Active Directory forest.
Answer: False, a domain local group can be assigned rights and permissions to any resource in the same domain only
4. What is the scope of a group created on a Windows Server 2003 member server?
Answer: local
Command Line Utilities
1. Introduce the command-line utilities that can be used with the GROUP option.
DSADD
1. Note that the DSADD GROUP command is very similar to the DSADD USER command in purpose but has different switches that are appropriate for configuring group rather than user properties. Go over basic syntax and give an example. Discuss the switches that are shown in the chapter and ensure that students know where to look for more information on switches and options.
Teaching Tip
Be sure that students know how to get additional information about switches and options for all the command-line utilities from the Windows Server 2003 Help and Support Center and from command-line help.
Activity 4-6: Creating Groups Using DSADD
1. In this activity, students create new group accounts of different types and scopes using DSADD GROUP along with the switches that can be used to configure group accounts.
DSMOD
1. Explain the use of the DSMOD command and provide examples. Describe the basic syntax for DSMOD GROUP and what the required arguments are. Go over the switches that are shown in the chapter and make sure students know where to get more information as necessary.
Activity 4-7: Modifying Groups Using DSMOD
1. In this activity, students will modify the properties of existing group accounts and add and remove group members with DSMOD. The changes are then reviewed using Active Directory Users and Computers.
DSQUERY
1. Explain the use of the DSQUERY command and provide examples of group queries. Note that DSQUERY is a search utility and returns useful values rather than creating or modifying objects. Also mention that it supports the use of the wildcard character (*) in queries.
2. Describe the basic syntax and show an example.
3. Note that the output from DSQUERY can be piped to other command-line utilities and show an example.
DSMOVE
1. Explain the use of the DSMOVE command and provide an example. Be sure to point out that this utility can either be used to move a group or rename a group.
2. Describe the basic syntax and show an example. Go over the switches associated with the Group form of this command.
3. Note that it can only be used to move groups within the same domain and that another command, MOVETREE, is needed to move groups between domains.
DSRM
1. Explain the use of DSRM. Describe the basic syntax and give an example. Note the use of the -noprompt switch and caution students to be careful with it.
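The following batch script is an added example for the DSADD, DSMOD, DSQUERY, DSMOVE and DSRM sections above; it is not taken from the textbook. It assumes a domain named example.com with an OU named Groups, an OU named Archive, and user objects Jane Doe and John Doe under OU=Staff; every distinguished name in it is a constructed placeholder, and the commands must be run on a domain controller or a machine with the Windows Server 2003 administration tools installed.

```batch
@echo off
REM Added example (not from the textbook): the group lifecycle with the ds* tools.
REM Assumptions: domain example.com, OUs named Groups and Archive, and user
REM objects Jane Doe and John Doe in OU=Staff. All DNs are constructed placeholders.

SET GROUPS_OU=OU=Groups,DC=example,DC=com

REM DSADD GROUP: create a domain local security group (-secgrp yes, -scope l).
REM The same command with -secgrp no would create a distribution group instead.
dsadd group "CN=DL_SalesData_Read,%GROUPS_OU%" -secgrp yes -scope l ^
  -desc "Read access to the Sales share"

REM A global group (-scope g) with an initial member (-members) that is nested
REM into the domain local group at creation time (-memberof).
dsadd group "CN=G_Sales,%GROUPS_OU%" -secgrp yes -scope g -samid G_Sales ^
  -desc "Sales department staff" ^
  -members "CN=Jane Doe,OU=Staff,DC=example,DC=com" ^
  -memberof "CN=DL_SalesData_Read,%GROUPS_OU%"

REM DSMOD GROUP: change membership after the fact. -addmbr and -rmmbr take one
REM or more DNs; -chmbr would replace the whole membership list.
dsmod group "CN=G_Sales,%GROUPS_OU%" -addmbr "CN=John Doe,OU=Staff,DC=example,DC=com"
dsmod group "CN=G_Sales,%GROUPS_OU%" -rmmbr "CN=Jane Doe,OU=Staff,DC=example,DC=com"

REM DSQUERY GROUP only searches; the wildcard matches every group whose name
REM starts with G_. Piping the returned DNs into DSMOD updates them all at once.
dsquery group "%GROUPS_OU%" -name "G_*"
dsquery group "%GROUPS_OU%" -name "G_*" | dsmod group -desc "Global role group"

REM DSMOVE: -newname renames in place, -newparent moves within the same domain.
REM Moving a group to another domain needs MOVETREE instead.
dsmove "CN=G_Sales,%GROUPS_OU%" -newname "G_SalesStaff"
dsmove "CN=G_SalesStaff,%GROUPS_OU%" -newparent "OU=Archive,DC=example,DC=com"

REM DSRM asks for confirmation unless -noprompt is given. Because -noprompt
REM removes that safety net, run the matching DSQUERY first and check the list
REM before putting -noprompt into a pipeline.
dsquery group "OU=Archive,DC=example,DC=com" -name "G_SalesStaff"
dsrm "CN=G_SalesStaff,OU=Archive,DC=example,DC=com" -noprompt
```

The order matters: the domain local group is created first so that -memberof on the global group has something to nest into, and the final DSRM is preceded by the DSQUERY that would otherwise feed it, which is the habit worth teaching alongside the -noprompt caution.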
Managing Security Groups
1. This section introduces an acronym that is intended to help students remember a recommended strategy for implementing security groups. Go over the strategy and discuss why it is important to do the steps in the suggested order.
2. Go through the example from the chapter to explain the use of nesting groups and when it is possible to use nesting groups.
3. Note that when working in a single domain, global and universal groups can be used interchangeably. Discuss why that is true.
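As an added example for the strategy described above (not the textbook's own exercise), the script below carries the A G U DL P steps through with the same ds* utilities and assigns the final permission with CACLS. It assumes a domain example.com with an OU named Groups, user objects under OU=Staff, and a folder D:\SalesData on the server where it runs; every name is a constructed placeholder.

```batch
@echo off
REM Added example (not from the textbook): the A G U DL P strategy step by step.
REM Assumptions: domain example.com (NetBIOS name EXAMPLE), an OU named Groups,
REM user accounts in OU=Staff, and a folder D:\SalesData on this server.

SET DOM=DC=example,DC=com

REM A -> G : Accounts go into a Global group that names a job role.
dsadd group "CN=G_SalesStaff,OU=Groups,%DOM%" -secgrp yes -scope g ^
  -members "CN=Jane Doe,OU=Staff,%DOM%" "CN=John Doe,OU=Staff,%DOM%"

REM G -> U : a Universal group aggregates global groups from several domains and
REM requires at least the Windows 2000 native functional level. In a single
REM domain this step adds nothing, which is why global and universal groups can
REM be used interchangeably there.
dsadd group "CN=U_AllSalesStaff,OU=Groups,%DOM%" -secgrp yes -scope u ^
  -members "CN=G_SalesStaff,OU=Groups,%DOM%"

REM U -> DL : the Domain Local group names the resource and the access level and
REM holds role groups, never individual users.
dsadd group "CN=DL_SalesData_Change,OU=Groups,%DOM%" -secgrp yes -scope l ^
  -members "CN=U_AllSalesStaff,OU=Groups,%DOM%"

REM DL -> P : only the domain local group is placed in the resource ACL.
REM /E edits the existing ACL instead of replacing it, /T applies the change to
REM files and subfolders, /G grants the permission (R read, W write, C change,
REM F full control).
cacls D:\SalesData /T /E /G "EXAMPLE\DL_SalesData_Change":C

REM Onboarding a new salesperson is now one membership change; the folder ACL is
REM never touched again, which keeps the permission review surface small.
dsmod group "CN=G_SalesStaff,OU=Groups,%DOM%" -addmbr "CN=New Hire,OU=Staff,%DOM%"
```

Doing the steps in this order means each group exists before the one that nests it is created, and the resource ACL ends up holding exactly one principal whose name documents what the permission is for.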
Determining Group Membership
1. Discuss with students how to determine group membership through Active Directory Users and Computers. Note that the Member Of tab of a user account only shows groups that a user has been added to directly and does not reflect groups that those groups then belong to. Discuss how to go to the group account to follow through on this information if needed.
2. Explain the use of the DSGET command to determine a user's group membership. Go over the basic syntax and switches used with this command for both GROUP and USER options. Give examples.
3. Note how to redirect output to a text file.
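The commands below are an added example for the membership discussion above; they are not from the textbook. They assume a domain example.com, a user Jane Doe in OU=Staff who is a direct member of G_SalesStaff, and G_SalesStaff nested inside DL_SalesData_Change; these names are constructed placeholders, and C:\Temp is assumed to exist.

```batch
@echo off
REM Added example (not from the textbook): direct versus effective membership.
REM Assumptions: domain example.com, user Jane Doe in OU=Staff who belongs
REM directly to G_SalesStaff, which is nested in DL_SalesData_Change.

SET USERDN=CN=Jane Doe,OU=Staff,DC=example,DC=com

REM Direct memberships only: the same picture the Member Of tab gives in Active
REM Directory Users and Computers. G_SalesStaff is listed; the nested domain
REM local group is not.
dsget user "%USERDN%" -memberof

REM -expand follows the nesting, so DL_SalesData_Change appears as well even
REM though the user was never added to it directly. This is the list to use when
REM deciding what the account can actually reach.
dsget user "%USERDN%" -memberof -expand

REM From the group side: list members, with -expand walking nested groups down
REM to the individual accounts that end up with the permission.
dsget group "CN=DL_SalesData_Change,OU=Groups,DC=example,DC=com" -members -expand

REM When the DN is not known, find the user with DSQUERY and pipe into DSGET.
dsquery user -name "Jane*" | dsget user -memberof -expand

REM Redirect the result to a text file for review (> overwrites, >> appends).
dsquery user -name "Jane*" | dsget user -memberof -expand > C:\Temp\jane-groups.txt
```

Comparing the two dsget user runs makes the point of the Member Of tab concrete: the first output is what the console shows, the second is what the security subsystem evaluates.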
Built-In Groups
1. Explain the concept and use of built-in groups. Note that using these groups (rather than custom groups) can make administration easier and create less administrative overhead.
2. Introduce the two built-in containers that are used to store the built-in groups.
The Builtin Container
1. Note that the built-in groups in this container are configured as domain local groups that are allocated different user rights based on common administrative or network-related tasks. Go through Table 4-2 and introduce the different groups that are described there.
2. Note that the groups that appear on a specific computer are affected by the services that are installed and configured on the server, so not all of the described groups will necessarily appear.
The Users Container
1. Note that the groups in the Users container are domain local and global groups. Go over Table 4-3 to introduce the groups that are available.
Creating and Managing Computer Accounts
1. Introduce computer accounts and note the operating systems that require them.
2. Discuss the tools that can be used to create and manage computer accounts. Students should be very familiar with Active Directory Users and Computers and with the command-line tools already.
Activity 4-8: Creating and Managing Computer Accounts
1. The purpose of this activity is to create and manage a computer account using Active Directory Users and Computers. Students will create an account and explore various properties of the account. Note the definition of a managed computer in the exercise.
Resetting Computer Accounts
1. Explain why computer accounts need to be reset occasionally and the symptoms that indicate this problem has occurred.
2. Discuss the two methods for resetting an account that are described in the text.
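The script below is an added example for the computer account sections above and is not from the textbook. It assumes a domain example.com with an OU named Workstations and a constructed computer name SALES-PC01; the command-line reset it uses (dsmod computer -reset) is assumed to be one of the reset methods the chapter covers, since this guide does not name them.

```batch
@echo off
REM Added example (not from the textbook): creating, checking and resetting a
REM computer account with the ds* tools. Assumptions: domain example.com, an OU
REM named Workstations, and the constructed computer name SALES-PC01. Whether
REM dsmod computer -reset is one of the chapter's two reset methods is assumed.

SET WS_OU=OU=Workstations,DC=example,DC=com

REM Pre-create the account so the machine can join the domain without the person
REM doing the join needing rights to add computer objects.
dsadd computer "CN=SALES-PC01,%WS_OU%" -desc "Sales floor PC" ^
  -loc "Building 2, Floor 1"

REM Computers change their own account password on a schedule. Accounts whose
REM password is older than 60 days (-stalepwd) or that have not logged on for 8
REM weeks (-inactive) are the ones most likely to show trust failures at logon or
REM to have been abandoned. Review this list before resetting or disabling anything.
dsquery computer "%WS_OU%" -stalepwd 60
dsquery computer "%WS_OU%" -inactive 8

REM Reset the account password from the command line. The secret held by the
REM machine no longer matches Active Directory afterwards, so the computer must
REM rejoin the domain for the secure channel to work again.
dsmod computer "CN=SALES-PC01,%WS_OU%" -reset

REM Prefer disabling over deleting an account that appears unused: the SID and
REM group memberships survive until the removal is confirmed.
dsmod computer "CN=SALES-PC01,%WS_OU%" -disabled yes
```

The two DSQUERY filters give the symptom list a concrete form: a stale password or a long gap in logons is what an administrator sees before the trust relationship error appears on the workstation.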
Quick Quiz
1. Name three switches that can be used with the DSADD command.
Answer: -secgrp, -scope, -memberof, -members
2. When using the DSMOVE command to rename a group, what switch would you use to specify the new name of the group?
Answer: -newname
3. What is the acronym used to represent a general strategy for implementing groups?
Answer: A G U DL P
4. Where would you find the Administrators group account?
Answer: the Builtin Container
Class Discussion Topics
1. Why are group accounts useful? What are the longer-term implications of using group organization as opposed to managing individual user accounts?
2. Discuss the differences between local, global, domain local, and universal groups. Can you clearly articulate when each scope is appropriate? If you needed to create a new group, how would you decide what the scope of the group should be?
3. Having used both Active Directory Users and Computers and the command-line utilities fairly extensively in the exercises, which are students more comfortable with and why? Is one type of tool better for particular situations?
Additional Projects
1. Check the Builtin Container in your environment. Are all of the groups listed in Table 4-2 present?
2. The command-line utilities have a number of switches and options that are not discussed in this chapter. Research one of the commands for group accounts using Windows Server 2003 Help and Support. Also try the command-line help to see what is available using this method. Now research the same command for user and computer accounts and compare the options available for each type of account.
Solutions to Additional Projects
1. Students should be familiar with these groups – it is easy to create new groups that are unnecessary, with all of the administrative headaches that come with that. Ensure that they are aware of what built-in groups are available.
2. It is important for students to be able to find help for the command-line utilities, since there are a number of options, some of which are not discussed. Comparing the options for different types of accounts makes it clear that they are specific to each type.