Chapter 4 - Indiana State University

Chapter 4 – Implementing and Managing Group and Computer Accounts
MIS 431 – Created Spring 2006
MIS 431 - Chapter 4
WS03 Groups
• A group is a container object used to organize a collection of users, computers, or other groups
• Groups can have permissions for resources
• Group types in Active Directory
  - Security groups – most popular type in AD
  - Distribution groups – cannot have permissions but used for email distribution lists
Group Scopes
• Global Groups – organizing objects within the same domain within the AD forest
  - Usually combines objects from same geographic location or job function
  - Type of objects depends on the domain functional level:
    - Windows 2000 Native – supports domain controllers from Windows 2000 and Windows 2003
    - Windows 2000 Mixed (default) – includes NT Server 4.0, Windows 2000 Server and WS03
    - Windows Server 2003 only – supports only WS03 domain controllers
Group Scopes, contd.
• Domain Local Groups – permissions are for resources in a single domain but can contain groups from other domains.
• Universal Groups – for aggregating objects from different domains in the AD forest.
• Local Groups – on the server only
• See Table 4-1 on p. 149 for groups summary
Creating Group Objects
• As with users, WS03 AD has several tools to create groups
  - Click on Group icon in toolbar within AD Users and Computers MMC
  - Right-click a container and click Group
• You name the group, give its scope and group type, and then can access its properties
  - Can say who its members are
  - Can also place a user into a group from the User dialog box
  - Who manages the group
Changing Domains and Groups
• You can change the domain functional level of a domain (Activity 4-3 p. 155)
• You can convert a group type (Act. 4-4)
• You can convert a group scope (Act. 4-5)
Command Line Utilities
• Like the Users function, there are command line utilities to add, modify, and delete groups
  - DSADD
  - DSMOD
  - DSQUERY
  - DSMOVE
  - DSRM
• See examples on pp. 160-167
Managing Security Groups
• Text uses A G U DL and P acronym:
  - A – create user Accounts and organize them
  - Into G – global groups or
  - Into DL – domain local groups and
  - Assign Permissions to the domain local groups
• Who is in a group?
  - View the Group properties or
  - Use the DSGET GROUP command
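
The A, G, DL, P sequence above, typed out with the DS utilities from the Command Line Utilities slide. This is an added example, not taken from the course text; the domain example.local, the Sales OU, the user, the group names and the share path are constructed placeholders.

```batch
@echo off
rem Added example: A -> G -> DL -> P with the DS utilities (run on WS03 as a domain admin).
rem Constructed placeholders: example.local, OU=Sales, jsmith, group names, D:\Shares\Sales.
setlocal
set "OU=OU=Sales,DC=example,DC=local"
set "USERDN=CN=John Smith,%OU%"
set "GG=CN=GG_Sales_Staff,%OU%"
set "DL=CN=DL_Sales_Share_Change,%OU%"

rem A: create the user account; -pwd * prompts for the password instead of storing it here
dsadd user "%USERDN%" -samid jsmith -pwd * -mustchpwd yes || goto :fail

rem G: global security group for the job function, then put the account in it
dsadd group "%GG%" -secgrp yes -scope g -samid GG_Sales_Staff || goto :fail
dsmod group "%GG%" -addmbr "%USERDN%" || goto :fail

rem DL: domain local security group that stands for one level of access to one resource
dsadd group "%DL%" -secgrp yes -scope l -samid DL_Sales_Share_Change || goto :fail
dsmod group "%DL%" -addmbr "%GG%" || goto :fail

rem P: grant the permission to the domain local group only, never to the user directly
rem    (cacls: /E edits the existing ACL, /G grants, C = change)
cacls D:\Shares\Sales /E /G EXAMPLE\DL_Sales_Share_Change:C || goto :fail

rem Who is in a group? -expand follows nested groups, so jsmith shows up under the DL group
dsget group "%DL%" -members -expand

rem Reverse view for an access review: every group the account ends up in
dsget user "%USERDN%" -memberof -expand
exit /b 0

:fail
echo A step failed. Fix it before continuing so no permission lands on a half-built group.
exit /b 1
```

Because the ACL names only the domain local group, removing a user from GG_Sales_Staff revokes the access without touching the share.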
Built-In Groups
• Built-In Container Local Groups (Table 4-2)
  - Account operators
  - Administrators
  - Backup operators
  - Guests
  - Incoming forest trust builders
Built-In Groups, contd.
• Built-In Container Domain Local Groups (Table 4-3)
  - Network configuration operators
  - Performance log users
  - Performance monitor users
  - Pre-Windows 2000 compatible access
  - Print operators
  - Remote desktop users
  - Replicators
  - Server operators
  - Terminal Server license servers
  - Users
  - Windows authorization access group
Built-In Groups, contd.
• The Users container domain local and global groups (Table 4-3)
  - Cert publishers
  - DnsAdmins
  - DnsUpdateProxy
  - Domain admins
  - Domain computers
  - Domain controllers
  - Domain guests
  - Domain users
  - Enterprise Admins
  - Group policy creator owners
  - RAS and IAS servers
  - Schema admins
  - WINS users
Creating and Managing Computer Accounts
• Computer accounts are created automatically during NOS installation
  - Only Windows NT 4.0 and higher
  - Windows 95 and 98 are not given computer accounts because they don’t support the advanced security model
• Can be added manually (Act. 4-8)
  - Use AD Users and Computers MMC
  - Use System applet from the Control Panel
Resetting Computer Accounts
• Computers that are members of a domain use a secure channel to communicate with a DC
  - PW for that account is changed every 30 days and synchronized automatically with DC
  - If the computer has not been connected to the network for 30 days, may be unable to talk
  - Use AD Users and Computers to reset the password or the Netdom reset command