What Are Global Groups?

Module 3: Managing Groups
Overview
Creating Groups
Managing Group Membership
Strategies for Using Groups
Using Default Groups
Lesson: Creating Groups
What Are Groups?
What Are Domain Functional Levels?
What Are Global Groups?
What Are Universal Groups?
What Are Domain Local Groups?
What Are Local Groups?
Guidelines for Creating and Naming Groups
Who Can Create Groups?
Practice: Creating Groups
What Are Groups?
Groups simplify administration by enabling you to assign permissions for resources
Groups are characterized by scope and type
Group type: Security
  Description: Used to assign user rights and permissions; can also be used as an e-mail distribution list
Group type: Distribution
  Description: Can be used only with e-mail applications; cannot be used to assign permissions
What Are Domain Functional Levels?
Functional level: Windows 2000 mixed (default)
  Domain controllers supported: Windows NT Server 4.0, Windows 2000, Windows Server 2003
  Group scopes supported: Global, domain local
Functional level: Windows 2000 native
  Domain controllers supported: Windows 2000, Windows Server 2003
  Group scopes supported: Global, domain local, universal
Functional level: Windows Server 2003 interim
  Domain controllers supported: Windows NT Server 4.0, Windows Server 2003
  Group scopes supported: Global, domain local
Functional level: Windows Server 2003
  Domain controllers supported: Windows Server 2003
  Group scopes supported: Global, domain local, universal
What Are Global Groups?
Global group rules
Membership can include:
  Mixed functional level: User and computer accounts from the same domain
  Native functional level: User and computer accounts and global groups from the same domain
Can be a member of:
  Mixed functional level: Domain local groups
  Native functional level: Universal and domain local groups in any trusting domain and global groups in the same domain
Scope: Visible in its own domain and all trusting domains
Permissions: All domains in the forest and trusting domains
What Are Universal Groups?
Universal group rules
Membership can include:
  Mixed functional level: Not applicable
  Native functional level: User accounts, global groups, and universal groups from any domain in the forest
Can be a member of:
  Mixed functional level: Not applicable
  Native functional level: Domain local or universal groups in any domain
Scope: Visible in all domains in the forest and all trusting domains
Permissions: All domains in the forest and all trusting domains
What Are Domain Local Groups?
Domain local group rules
Membership can include:
  Mixed functional level and Windows Server 2003 interim: User and computer accounts and global groups from any trusted domain
  Native functional level: User and computer accounts, global and universal groups from any domain in the forest or trusted domains, plus domain local groups from the same domain
Can be a member of:
  Mixed functional level and Windows Server 2003 interim: None
  Native functional level: Domain local groups in the same domain
Scope: Visible only in its own domain
Permissions: Domain to which the domain local group belongs
What Are Local Groups?
Local group rules
Membership can include: Local user accounts, domain user and computer accounts, global and universal groups from the computer's domain and trusted domains
Can be a member of: Not applicable
Guidelines for Creating and Naming Groups
Create groups in organizational units by using the following naming considerations:
 Naming conventions for security groups
• Incorporate the scope in the group name
• Should reflect the group ownership
• Use a descriptor to identify the assigned permissions
 Naming conventions for distribution groups
• Use short alias names
• Do not include a user’s alias name in the display name
• Allow a maximum of five co-owners of a single distribution group
Who Can Create Groups?
In the domain:
 Account Operators group
 Domain Admins group
 Enterprise Admins group
 Or users with appropriate delegated authority
On the local computer:
 Power Users group
 Administrators group on the local computer
 Or users with appropriate delegated authority
Practice: Creating Groups
In this practice, you will:
Create groups by using Active Directory Users and Computers
Create groups by using the dsadd command-line tool
Lesson: Managing Group Membership
Determining Group Membership
Adding and Removing Members from a Group
Practice: Managing Group Membership
Determining Group Membership
Group or Team: Tom, Jo, and Kim
  Member Of: G Denver Admins
Global Group: G Denver Admins
  Members: Tom, Jo, Kim
  Member Of: DL OU Admins
Group or Team: Sam, Scott, and Amy
  Member Of: G Vancouver Admins
Global Group: G Vancouver Admins
  Members: Sam, Scott, Amy
  Member Of: DL OU Admins
Domain Local Group: DL OU Admins
  Members: G Denver Admins, G Vancouver Admins
  Member Of: N/A
Adding and Removing Members from a Group
Group membership can be modified by using Active Directory Users and Computers or the dsmod command
Practice: Managing Group Membership
In this practice, you will:
Determine a user’s group membership
Add users to global groups
Add global groups to domain local groups
Lesson: Strategies for Using Groups
Multimedia: Strategy for Using Groups in a Single Domain
What Is Group Nesting?
Group Strategies
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Practice: Nesting Groups and Creating Universal Groups
Modifying the Scope or Type of a Group?
Why Assign a Manager to a Group?
Practice: Changing the Scope and Assigning a Manager to a Group
Multimedia: Strategy for Using Groups in a Single Domain
This presentation explains the A G DL P strategy for using groups
What Is Group Nesting?
Group nesting means adding a group as a member of another group
Nest groups to consolidate group management
Nesting options depend on the domain functional level
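An added example, not part of the course slides: the membership rules from the global, universal and domain local group slides encoded as a check to run before nesting, plus the transitive Member Of walk behind the Denver and Vancouver table. The group names are the slides' own; the two functions and the hashtable model are assumptions of this example.

```powershell
# Added example (not from the course slides). Encodes the "Membership can include" rules
# so a proposed nesting can be checked before running dsmod -addmbr.
# $Member is 'user' (user or computer account) or the scope of the group being nested.
function Test-GroupNesting {
    param(
        [ValidateSet('global','universal','domainlocal')] [string]$Container,
        [ValidateSet('user','global','universal','domainlocal')] [string]$Member,
        [bool]$SameDomain,
        [ValidateSet('mixed','native')] [string]$FunctionalLevel
    )
    switch ($Container) {
        'global' {
            # Global groups only ever take members from their own domain; nested globals need native.
            if (-not $SameDomain) { return $false }
            if ($Member -eq 'user') { return $true }
            return ($FunctionalLevel -eq 'native' -and $Member -eq 'global')
        }
        'universal' {
            # Universal security groups are not available at mixed level at all.
            if ($FunctionalLevel -ne 'native') { return $false }
            return ($Member -in @('user','global','universal'))
        }
        'domainlocal' {
            if ($Member -in @('user','global')) { return $true }
            if ($FunctionalLevel -ne 'native') { return $false }
            if ($Member -eq 'universal') { return $true }
            return $SameDomain   # domain local inside domain local: same domain only
        }
    }
}

# Transitive "Member Of": follow nesting to every group a principal ends up in,
# which is what a permission granted to DL OU Admins actually reaches.
function Get-EffectiveGroups {
    param([string]$Principal, [hashtable]$MemberOf)   # MemberOf: name -> direct groups
    $seen  = New-Object System.Collections.Generic.HashSet[string]
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Principal)
    while ($queue.Count -gt 0) {
        foreach ($g in @($MemberOf[$queue.Dequeue()])) {
            if ($g -and $seen.Add($g)) { $queue.Enqueue($g) }
        }
    }
    return @($seen)
}

# Constructed sample matching the slide: Tom -> G Denver Admins -> DL OU Admins
$memberOf = @{ 'Tom' = @('G Denver Admins'); 'G Denver Admins' = @('DL OU Admins') }
Get-EffectiveGroups -Principal 'Tom' -MemberOf $memberOf
Test-GroupNesting -Container global -Member global -SameDomain $true -FunctionalLevel mixed
```

Against a live domain the same walk is what dsget user <UserDN> -memberof -expand prints, so the hashtable can be replaced by its output when auditing who really holds a permission.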
Group Strategies
[Figure: user accounts (A), global groups (G), universal groups (U), domain local groups (DL), local groups (L) and permissions (P) arranged into the strategies below]
Group strategies:
 A G P
 A G DL P
 A G U DL P
 A G L P
Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment
Examples 1 and 2
Example 1: Northwind Traders has a single domain that is located in Paris, France. Northwind Traders has determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and there is a minimum of administration?
Example 2: Contoso, Ltd., has a single domain that is located in Paris, France. Contoso wants to react more quickly to market demands. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
Example 3: Contoso, Ltd., has expanded operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin shared folder in the Contoso domain.
Answer to Example 1:
 Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
 Create a domain local group called Accounting Data.
 Grant this group appropriate permission for the accounting data resources file.
 Place the Accounting Division group into the domain local group so that users can access the accounting data.
Answer to Example 2:
 Place all of the managers in a global group.
 Create a domain local group for Inventory database access.
 Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database.
Answer to Example 3:
 Make sure that your network is running in native functional level.
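An added example, not part of the course slides, that carries out the A G DL P answer to Example 2 with the dsadd and dsmod tools this module uses and then grants the permission to the domain local group only. The domain name, Groups OU, manager account DNs, sAMAccountNames and share path are constructed for this example.

```powershell
# Added example (not from the course slides): A G DL P for the Contoso Inventory scenario.
# Assumed/constructed: domain contoso.com, an OU named Groups, two manager accounts,
# and the Inventory data on D:\Inventory. Run as a member of Account Operators,
# Domain Admins, or an account with delegated authority to create groups.
$domainDN   = "DC=contoso,DC=com"
$groupOU    = "OU=Groups,$domainDN"
$globalDN   = "CN=G Inventory Managers,$groupOU"      # scope in the name, per the naming guidelines
$localDN    = "CN=DL Inventory Read,$groupOU"
$managerDNs = @("CN=Tom,OU=Users,$domainDN", "CN=Jo,OU=Users,$domainDN")
$sharePath  = "D:\Inventory"

function Invoke-Ds {
    # Runs a ds* tool and stops on failure, since each step depends on the previous one.
    param([string]$Tool, [string[]]$Arguments)
    & $Tool @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed (exit $LASTEXITCODE): $($Arguments -join ' ')" }
}

# A -> G: put the manager accounts in a global security group.
Invoke-Ds dsadd @("group", $globalDN, "-secgrp", "yes", "-scope", "g",
                  "-samid", "G_Inventory_Managers", "-desc", "Managers who need the Inventory database")
Invoke-Ds dsmod (@("group", $globalDN, "-addmbr") + $managerDNs)

# G -> DL: create the domain local group that will carry the permission and nest G into it.
Invoke-Ds dsadd @("group", $localDN, "-secgrp", "yes", "-scope", "l",
                  "-samid", "DL_Inventory_Read", "-desc", "Read access to the Inventory database")
Invoke-Ds dsmod @("group", $localDN, "-addmbr", $globalDN)

# DL -> P: the ACE names only the domain local group, never a user or the global group,
# so later membership changes never touch the resource's ACL.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CONTOSO\DL_Inventory_Read", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify the nesting the way the Determining Group Membership practice does.
dsget user $managerDNs[0] -memberof -expand
```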
Practice: Nesting Groups and Creating Universal Groups
In this practice, you will:
Create the Contoso Managers global group
Nest the departmental Managers global groups into G Contoso Managers
Create an Enterprise Managers universal group
Examine the Members and Member Of properties
Modifying the Scope or Type of a Group?
Changing group scope
 Global to universal
 Domain local to universal
 Universal to global
 Universal to domain local
Changing group type
 Security to distribution
 Distribution to security
Why Assign a Manager to a Group?
Enables you to:
 Track who is responsible for groups
 Delegate to the manager of the group the authority to add and remove users
 Distribute the administrative responsibility to the people who request the group
Practice: Changing the Scope and Assigning a Manager to a Group
In this practice, you will:
Create a global group and change the scope to universal
Assign a manager to the group
Test the group manager properties
Lesson: Using Default Groups
Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups
Security Considerations for Default Groups
System Groups
Class Discussion: Using Default Groups vs. Creating New Groups
Best Practices for Managing Groups
Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups
Default groups are:
 Created during the installation of the operating system or when services are added
 Automatically assigned a set of user rights
Use default groups to:
 Control access to shared resources
 Delegate specific domain-wide administration
Security Considerations for Default Groups
Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group
As a security best practice, members of default groups should use Run as
System Groups
System groups represent different users at different times
You can grant user rights and permissions to system groups, but you cannot modify or view the memberships
Group scopes do not apply to system groups
Users are automatically assigned to system groups whenever they log on or access a particular resource
Class Discussion: Using Default Groups vs. Creating New Groups
Contoso, Ltd., has over 100 servers across the world.
You must determine:
The current tasks that administrators must perform and what minimum level of access users need to perform specific tasks
Whether you can use default groups or must create groups and assign specific user rights or permissions to the groups
Best Practices for Managing Groups
Create groups based on administrative needs
Add user accounts to the group that is most restrictive
Use the default group when possible instead of creating a new group
Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions
Limit the number of users in the Administrators group
Lab: Creating and Managing Groups
In this lab, you will:
Create global and domain local groups
Manage group membership
Manage default groups