Chapter 9: Managing Groups, Folders, Files, and Object Security

Learning Objectives
- Set up groups, including local, domain local, global, and universal groups, and convert Windows NT groups to Windows 2000 groups
- Manage objects, such as folders, through user rights, attributes, permissions, share permissions, auditing, and Web permissions
- Troubleshoot a security conflict
- Determine how creating, moving, and copying folders and files affect security

Managing Resources
- Three ways of managing resources and user accounts: by individual user, by resource, and by group
- Managing resources by group is one effective way to reduce the time spent on management

Scope of Influence
- Scope of influence: the reach of a type of group, such as access to resources in a single domain or access to all resources in all domains in a forest

Types of Security Groups
- Local: used on standalone servers that are not part of a domain
- Domain local: used in a single domain, or to manage resources in a domain so that global and universal groups can access those resources
- Global: used to manage accounts from the same domain and to access resources in the same and other domains
- Universal: used to provide access to resources in any domain within a forest

Local Security Group
- Use local groups on a standalone server (Active Directory not implemented), such as to manage multiple accounts in a small office

Domain Local Security Group
- Typically a domain local security group is on the ACLs of resources such as folders, shared folders, printers, and other resources
- Global security groups in the same or in a different domain gain access to those resources by becoming members of the domain local group
- Domain local groups can contain accounts, but usually that is not the best approach

Membership Capabilities of a Domain Local Group (Table 9-1)
Active Directory objects that can be members of a domain local group:
- User accounts in the same domain
- Domain local groups in the same domain
- Global groups in any domain in a tree or forest (as long as transitive or two-way trust relationships are maintained)
- Universal groups in any domain in a tree or forest (as long as transitive or two-way trust relationships are maintained)
Active Directory objects that a domain local group can join as a member:
- Access control lists for objects in the same domain, such as permissions to access a folder, shared folder, or printer
- Domain local groups in the same domain

Implementing Global Groups
- Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups

Membership Capabilities of a Global Group (Table 9-2)
Active Directory objects that can be members of a global group:
- User accounts from the domain in which the global group was created
- Other global groups that have been created in the same domain
- Levels of global groups, so that global groups can be nested to reflect the structure of organizational units (OUs) in a domain
Active Directory objects that a global group can join as a member:
- Access control lists for objects in any domain in a forest (as long as a transitive trust is maintained between domains)
- Domain local groups in any domain in a forest
- Global groups in any domain in a forest
- Universal groups in a forest

Nesting Global Groups
- Global groups can be nested to reflect the structure of OUs

Nesting Example (Figure 9-1: Nested global groups)
- Managers global group (top-level global group): Amber Richards, Joe Scarpelli, Kathy Brown, Sam Rameriz
- Finance global group (second-level global group, nested in Managers): Martin LeDuc, Sarah Humphrey, Heather Shultz, Sam Weisenberg, Jason Lew
- Budget global group (third-level global group, nested in Finance): Michele Gomez, Kristin Beck, Chris Doyle

Planning Tip
- Plan nesting to take into account that you may want to later convert specific global groups, because a global group cannot be converted if it is a member of another global group
- Keep in mind that global groups can only be nested in native mode domains

Global Group Example
- Figure 9-2: Managing security through domain local and global groups. The figure shows a LocalExec domain local group in each of the college.edu, research.college.edu, and students.college.edu domains, and a single GlobalExec global group

Implementing Universal Groups
- Use universal groups to provide access to forest-wide resources (to be included on the ACLs of resources such as servers, shared folders, and printers)
- Universal groups enable the scope of influence to span domains and trees

Membership Capabilities of a Universal Group (Table 9-3)
Active Directory objects that can be members of a universal group:
- Accounts from any domain in a forest
- Global groups from any domain in a forest
- Universal groups from any domain in a forest
Active Directory objects that a universal group can join as a member:
- Access control lists for objects in any domain in a forest
- Any domain local group in a forest
- Any universal group in a forest

Guidelines for Using Groups
- Use global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group, or both.
- Use domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.
- Use universal groups to provide extensive access to resources, such as when the Active Directory contains trees and forests.
- Make universal groups members of ACLs for objects in any domain, tree, or forest.
- Manage user account access by placing accounts in global groups and joining those global groups to domain local or universal groups.

Example Universal Group Setup
- Figure 9-3: Managing security through universal and global groups. The figure shows UniExec, a universal group with access to resources in all three domains (college.edu, research.college.edu, and students.college.edu), and the GlobalExec global group

Creating a Group
To create a group:
1. Click the container in which to create the group
2. Click the Create a new group in current container icon
3. Enter the name of the group
4. Select the group scope
5. Select the group type
6. Click OK

Entering the Group Parameters
- Figure 9-4: Creating a group

Group Properties Tabs
- General: used to enter a description, set the scope, and set the group type
- Members: used to add group members
- Member Of: used to join another group
- Managed By: establishes who will manage the group
- Object: provides information about the group as an object (on newer versions of Windows 2000)
- Security: enables you to set up security (on newer versions of Windows 2000)

Converting NT Groups to Windows 2000 Server Groups
- Existing NT local groups on a PDC are converted to domain local groups
- Existing NT global groups on a PDC are converted to global groups
- If still running in mixed mode, universal groups are not recognized
- If running in native mode, but there are still Windows NT servers, the NT servers treat Windows 2000 universal groups as NT global groups

Windows 2000 Predefined Security Groups (Table 9-4)
Security Group | Scope | Active Directory Container Location/Default Members | Description
Account Operators | Built-in local (1) | Builtin | Used for administration of user accounts and groups
Administrators | Built-in local (1) | Builtin/Administrator account; Domain Admins and Enterprise Admins groups | Provides complete access to all local computer and/or domain resources
Backup Operators | Built-in local (1) | Builtin | Enables members to back up any folders and files on the computer
Cert Publishers | Global (1) | Users | Used to manage enterprise certification services for security
DHCP Administrators | Domain local | Users/Domain Admins group | Used to manage the DHCP server services (when DHCP server services are installed)
DHCP Users | Domain local | Users | Enables users to access DHCP services when DHCP is enabled at the client (when DHCP server services are installed)
DNSAdmins | Domain local | Users | Used to manage the DNS server services (when DNS server services are installed)
DNSUpdateProxy | Global | Users | Enables each user access as an update proxy, so that a DHCP client can automatically update the DNS server information with its IP address
Domain Admins | Global (1) | Users/Administrator account | Used to manage resources in a domain
Domain Computers | Global (1) | Users | Used to manage all workstations and servers that join the domain
Domain Controllers | Global (1) | Users/all DC computers | Used to manage all domain controllers in a domain
Domain Guests | Global (1) | Users/Guest account | Used to manage all domain guest-type accounts, such as for temporary employees
Domain Users | Global (1) | Users/all user accounts | Used to manage all domain user accounts
Enterprise Admins | Universal (1) | Users/Administrator account | Used to manage all resources in an enterprise
Everyone | Built-in local (1) | Does not appear in a container and cannot be deleted | Used to manage default access to local or domain resources; all user accounts are automatically members
Group Policy Creator Owners | Global (1) | Users/Administrator account | Enables members to manage group policy
Guests | Built-in local (1) | Builtin/Guest and IIS accounts, Domain Guests group | Used to manage guest accounts and to prevent access to install software or change system settings
Pre-Windows 2000 Compatible Access | Built-in local (1) | Builtin/pre-Windows 2000 Everyone group | Used for backward compatibility to the Everyone group on Windows NT servers and limits access to read
Print Operators | Built-in local (1) | Builtin | Members can manage printers on the local computer or in the domain
RAS and IAS Servers | Domain local (1) | Users | Enables member servers to have access to remote access properties that are associated with user accounts, such as security properties
Replicator | Built-in local (1) | Builtin | Used with the Windows File Replication service to replicate designated folders and files
Schema Admins | Universal (1) | Users/Administrator account | Members have access to modify the schema in the Active Directory
Server Operators | Built-in local (1) | Builtin | Used for common day-to-day server management tasks
Users | Built-in local (1) | Builtin/Domain Users group | Used to manage general user access, including the ability to be authenticated as a user and to communicate interactively
(1) The group scope cannot be changed.

Rights Security
- User rights: enable an account or group to perform predefined tasks, such as the right to access a server or to increase disk quotas

Rights Security (Table 9-5)
Privileges:
- Act as part of the operating system (a program process can gain security access as a user)
- Add workstations to a domain
- Back up files and directories
- Bypass traverse checking (enables a user to move through a folder that the user has no permission to access, if it is on the route to one that they do have permission to access)
- Change the system time
- Create a pagefile
- Create a token object (a process can create a security access token to use any local resource; normally should be reserved for administrators)
- Create permanent shared objects
- Debug programs (can install and use a process debugger to trace problems; normally should be reserved for administrators)
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits
- Increase quotas
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory (included for backward compatibility with Windows NT and should not be used because it degrades performance)
- Manage auditing and security log
- Modify firmware environment variables
- Profile single process (can monitor non-system processes)
- Profile system performance (can monitor system processes)
- Remove computer from docking station
- Replace a process level token (enables a process to replace a security token on one or more of its subprocesses)
- Restore files and directories
- Shut down the system
- Synchronize directory service data
- Take ownership of files or other objects
Logon rights:
- Access this computer from the network
- Deny access to this computer from the network
- Deny logon as a batch job
- Deny logon as a service
- Deny logon locally
- Log on as a batch job
- Log on as a service
- Log on locally

Inherited Rights
- Inherited rights: user rights that are assigned to a group and that automatically apply to all members of that group

Configuring Rights
To configure rights in a domain:
1. Open the Active Directory Users and Computers tool
2. Right-click a domain or OU, for example
3. Click Properties, click the Group Policy tab, click the group policy, and click Edit
4. Double-click (if necessary) Computer Configuration, Windows Settings, Security Settings, and Local Policies
5. Double-click User Rights Assignment
6. Double-click any policies to configure them
- Figure 9-6: Configuring user rights as part of group policy

File and Folder Attributes
- Attributes: a characteristic associated with a folder or file, used to help manage access and backups

FAT Attributes
- Read-only
- Hidden
- Archive
- Figure 9-7: Attributes of a folder on a FAT-formatted disk

NTFS Attributes
- Regular attributes: Read-only, Hidden, Archive
- Extended attributes: Index, Compress, Encrypt
- Figure 9-8: Attributes of a folder on an NTFS-formatted disk

Troubleshooting Tip
- If you configure the Index attribute but indexing is not working, check the following:
  - Make sure that the Indexing Service is installed
  - Make sure that the Indexing Service is started and set to start automatically

Troubleshooting Tip
- Files that are compressed cannot be encrypted

Encrypting File System
- The Encrypt attribute uses the Microsoft Encrypting File System (EFS), which sets a unique private encryption key that is associated with the user account that encrypted the file or folder.
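Stepping back to the group design material: the membership rules in Tables 9-1 to 9-3, the nesting tip, and the advice against putting accounts straight into domain local groups can all be checked mechanically before a design is built. The following Python script is an added example, not code from the chapter or from Microsoft; it models those tables with constructed domain, group and account names and assumes the trusts between the forest's domains are in place.

```python
"""Windows 2000 group-scope membership rules (Tables 9-1 to 9-3) as a design checker.

Added example, not from the chapter or from Microsoft. Domain, group and account
names are constructed; trusts between the domains of the forest are assumed.
"""
from typing import NamedTuple


class Principal(NamedTuple):
    name: str
    kind: str      # "account", "domain_local", "global" or "universal"
    domain: str    # DNS name of the domain that holds the object


SAME, ANY = "same domain", "any domain in the forest"
# container scope -> {member kind: where the member may come from}
MEMBERSHIP_RULES = {
    "domain_local": {"account": SAME, "domain_local": SAME,          # Table 9-1
                     "global": ANY, "universal": ANY},
    "global": {"account": SAME, "global": SAME},                     # Table 9-2
    "universal": {"account": ANY, "global": ANY, "universal": ANY},  # Table 9-3
}


def can_be_member(member, group, native_mode=True):
    """Decide whether `member` may be added to `group`; returns (allowed, reason)."""
    where = MEMBERSHIP_RULES[group.kind].get(member.kind)
    if where is None:
        return False, f"a {group.kind} group cannot contain {member.kind} objects"
    if where == SAME and member.domain != group.domain:
        return False, f"a {group.kind} group only accepts {member.kind} members from its own domain"
    if member.kind == "global" and group.kind == "global" and not native_mode:
        return False, "global groups can only be nested in native mode domains"
    return True, "allowed"


def can_join_acl(group, resource_domain):
    """Domain local groups go only on ACLs in their own domain (Table 9-1);
    global and universal groups may be placed on any ACL in the forest."""
    return group.kind != "domain_local" or group.domain == resource_domain


def can_convert(group, memberships):
    """Planning tip: a global group nested in another global group cannot be converted."""
    return not any(m == group and m.kind == "global" and g.kind == "global"
                   for m, g in memberships)


def check_design(memberships, acl_entries, native_mode=True):
    """Findings for (member, group) pairs and (group, resource domain) ACL placements.
    An account placed directly in a domain local group is allowed but warned about,
    because the chapter recommends going through a global group instead."""
    findings = []
    for member, group in memberships:
        ok, why = can_be_member(member, group, native_mode)
        if not ok:
            findings.append(f"ERROR {member.name} -> {group.name}: {why}")
        elif member.kind == "account" and group.kind == "domain_local":
            findings.append(f"WARN {member.name} -> {group.name}: put the account in a "
                            "global group and nest that group instead")
    for group, domain in acl_entries:
        if not can_join_acl(group, domain):
            findings.append(f"ERROR {group.name} cannot be placed on an ACL in {domain}")
    return findings


def sample_design(native_mode=True):
    """Constructed design for the college.edu forest used in the chapter's figures."""
    kbrown = Principal("kbrown", "account", "college.edu")
    mgomez = Principal("mgomez", "account", "research.college.edu")
    global_exec = Principal("GlobalExec", "global", "college.edu")
    local_exec = Principal("LocalExec", "domain_local", "research.college.edu")
    memberships = [(kbrown, global_exec), (global_exec, local_exec),
                   (mgomez, global_exec), (mgomez, local_exec)]
    acl_entries = [(local_exec, "research.college.edu"), (local_exec, "college.edu")]
    return check_design(memberships, acl_entries, native_mode)


if __name__ == "__main__":
    print("\n".join(sample_design()))
```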
Encrypting File System (continued)
- Only that account has access to the encrypted file or folder contents.

Troubleshooting Tip
- Decrypt an encrypted file or folder before you move it to another location, or else the file or folder remains encrypted in the new location

Permissions
- Permissions: privileges to access and manipulate resource objects, such as folders and printers; for example, the privilege to read a file or to create a new file

Auditing
- Auditing: tracking the success or failure of events associated with an object, such as writing to a file, and recording the audited events in an event log of a Windows 2000 server or workstation

Ownership
- Ownership: having the privilege to change permissions and to fully manipulate an object. The account that creates an object, such as a folder or printer, initially has ownership.

Design Tip
- If possible, set permissions on folders and not on individual files, so you can minimize the number of permission exceptions to remember
- One variance from this recommendation is large database files that may require individual security

Security Options
- Figure 9-9: Configuring security options

Inherited Permissions
- Inherited permissions: permissions of a parent object that also apply to child objects of the parent, such as to subfolders within a folder

Configuring Permissions
- Figure 9-10: Configuring permissions by groups and users

Configuring Inherited Permissions
- Figure 9-11: Configuring inherited permissions

NTFS Folder and File Permissions (Table 9-6)
Permission | Description | Applies to
Full Control | Can read, add, delete, execute, and modify files, plus change permissions and attributes, and take ownership | Folders and files
List Folder Contents | Can list (traverse) files in the folder or switch to a subfolder, view folder attributes and permissions, and execute files, but cannot view file contents | Folders only
Modify | Can read, add, delete, execute, and modify files; but cannot delete subfolders and their file contents, change permissions, or take ownership | Folders and files
Read | Can view file contents, view folder attributes and permissions, but cannot traverse folders or execute files | Folders and files
Read & Execute | Implies the capabilities of both List Folder Contents and Read (traverse folders, view file contents, view attributes and permissions, and execute files) | Folders and files
Write | Can create files, write data to files, append data to files, create folders, delete files (but not subfolders and their files), and modify folder and file attributes | Folders and files

Special Permissions
- You can customize permissions to meet particular security needs by using special permissions

Configuring Special Permissions
- Figure 9-12: Configuring special permissions

NTFS Folder and File Special Permissions (Table 9-7)
Permission | Description | Applies to
Traverse Folder/Execute File | Can list the contents of a folder and execute program files in that folder; keep in mind that all users are automatically granted this permission via the Everyone and Users groups, unless it is removed or denied by you | Folders/files
List Folder/Read Data | Can list the contents of folders and subfolders and read the contents of files | Folders/files
Read Attributes | Can view folder and file attributes (Read-only and Hidden) | Folders and files
Read Extended Attributes | Enables the viewing of extended attributes (Archive, Index, Compress, Encrypt) | Folders and files
Create Files/Write Data | Can add new files to a folder and modify, append to, or write over file contents | Folders/files
Create Folders/Append Data | Can add new folders and add new data at the end of files (but otherwise not delete, write over, or modify data) | Folders/files
Write Attributes | Can add or remove the Read-only and Hidden attributes | Folders and files
Write Extended Attributes | Can add or remove the Archive, Index, Compress, and Encrypt attributes | Folders and files
Delete Subfolders and Files | Can delete subfolders and files (the following Delete permission is not required) | Folders and files
Delete | Can delete the specific subfolder or file to which this permission is attached | Folders and files
Read Permissions | Can view the permissions (ACL information) associated with a folder or file (but does not imply you can change them) | Folders and files
Change Permissions | Can change the permissions associated with a folder or file | Folders and files
Take Ownership | Can take ownership of the folder or file (Read Permissions and Change Permissions automatically accompany this permission) | Folders and files

Example Guidelines for Setting Permissions
- Protect the Winnt folder by allowing limited access, such as Read & Execute
- Protect server utility folders, such as folders containing backup software, with access for Administrators only
- Protect software application folders with access such as Read & Execute (and Write if necessary for temporary or configuration files)
- Set up publicly used folders with Modify for broad user access
- Give users Full Control of their own home folders
- Remove groups such as Everyone and Users from confidential folders

Planning Tip
- Err on the side of too much security at first, because it is easier to give users more permissions later than to take away permissions after users are used to having them

Configuring Auditing
- Start by configuring a group policy for auditing
- Configure auditing on an as-needed basis for particular objects, such as a folder or file

Folder Auditing
- Figure 9-13: Configuring folder auditing

Setting an Audit Policy
- Figure 9-14: Configuring audit policy as part of the default domain policy
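The standard permissions of Table 9-6 are bundles of the special permissions in Table 9-7, and when a user belongs to several groups the Allow entries accumulate while a matching Deny stops the check, which is the conflict the chapter's troubleshooting section tells you to look for. The following Python script is an added example, not code from the chapter or from Microsoft; it evaluates a constructed folder ACL in the order NTFS uses and names the Deny entry that blocks a user, with constructed user, group and folder names.

```python
"""Effective NTFS access for a user who belongs to several groups.

Added example, not from the chapter or from Microsoft. User, group and folder
names are constructed.
"""
from typing import NamedTuple

# Table 9-7 special permissions, grouped as Windows maps them onto the Table 9-6
# standard permissions (the chapter's one-line summaries are coarser than these).
READ = {"ListFolder/ReadData", "ReadAttributes", "ReadExtendedAttributes", "ReadPermissions"}
WRITE = {"CreateFiles/WriteData", "CreateFolders/AppendData",
         "WriteAttributes", "WriteExtendedAttributes"}
EXECUTE = {"TraverseFolder/ExecuteFile"}
STANDARD = {
    "Read": READ,
    "Write": WRITE,
    "Read & Execute": READ | EXECUTE,
    "List Folder Contents": READ | EXECUTE,          # folders and subfolders only
    "Modify": READ | WRITE | EXECUTE | {"Delete"},
    "Full Control": READ | WRITE | EXECUTE | {"Delete", "DeleteSubfoldersAndFiles",
                                              "ChangePermissions", "TakeOwnership"},
}


class Ace(NamedTuple):
    trustee: str             # user or group the entry applies to
    access: str              # "Allow" or "Deny"
    permission: str          # a Table 9-6 name or one Table 9-7 special permission
    inherited: bool = False  # propagated from the parent folder (Figure 9-11)


def rights_of(permission):
    """Expand a standard permission; a special permission is already one right."""
    return frozenset(STANDARD.get(permission, {permission}))


def canonical(acl):
    """NTFS order: explicit Deny, explicit Allow, inherited Deny, inherited Allow,
    so an explicit Allow on the object beats a Deny inherited from its parent."""
    rank = {(False, "Deny"): 0, (False, "Allow"): 1, (True, "Deny"): 2, (True, "Allow"): 3}
    return sorted(acl, key=lambda ace: rank[(ace.inherited, ace.access)])


def check_access(acl, user, groups, wanted):
    """Return (granted, blocking Deny entry or None) for the rights `wanted` implies.
    Every logged-on user is also in Everyone and Users, which the chapter notes
    grant Traverse Folder/Execute File by default."""
    token = {user, *groups, "Everyone", "Users"}
    remaining = set(rights_of(wanted))
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue
        hits = rights_of(ace.permission) & remaining
        if ace.access == "Deny" and hits:
            return False, ace             # a matching Deny ends the check
        remaining -= hits                 # Allow entries accumulate across groups
        if not remaining:
            return True, None
    return False, None                    # nothing grants the rest: implicit deny


def deny_conflicts(acl, user, groups):
    """The chapter's troubleshooting step: every Deny entry that reaches this user
    through a group, as (trustee, permission) pairs."""
    token = {user, *groups, "Everyone", "Users"}
    return [(a.trustee, a.permission) for a in acl
            if a.access == "Deny" and a.trustee in token]


def sample_acl():
    """Constructed ACL of a Budget folder: two explicit entries and two inherited
    from its parent Finance folder."""
    return [
        Ace("Everyone", "Allow", "Read & Execute", inherited=True),
        Ace("Interns", "Deny", "Delete", inherited=True),
        Ace("Finance", "Allow", "Modify"),
        Ace("Contractors", "Deny", "Write"),
    ]
```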
Ownership
Guidelines for ownership:
- The account that creates an object is the initial owner
- Ownership is changed by first having permission to take ownership and then by taking ownership
- Full Control permissions are required to take ownership (or the special permission, Take Ownership)

Share Permissions
- Share permissions: limited permissions that apply to a particular shared object, such as a shared folder or printer

Configuring Share Permissions
- Figure 9-15: Configuring a shared folder

Share Permissions for a Folder
- Read: permits groups or users to read and execute files
- Change: enables users to read, add, modify, execute, and delete files
- Full Control: permits full access to the folder, including the ability to take ownership control or change permissions

Offline Access to a Folder through Caching
- Use the Caching button on the Sharing tab of the folder Properties dialog box to set up a folder for offline access via caching
- Caching a folder means that it can be accessed by a client even when the client computer is not connected to the network

Folder Caching Options
- Automatic Caching for Documents: documents are cached without user intervention; all files in the folder that are opened by the client are cached automatically
- Manual Caching for Documents: documents are cached only at the user's request
- Automatic Caching of Programs: document and program files are automatically cached when opened, but cannot be modified

Troubleshooting Tip
- If the Sharing tab is not displayed, make sure that the Server service is started

Web Sharing
- Use the Web Sharing tab in a folder's properties to configure that folder for Web access

Configuring Web Sharing
- Figure 9-16: Entering Web sharing permissions

Web Sharing Access Permissions (Table 9-8)
Access Permission | Description
Read | Enables clients to read and display the contents of folders and files via an Internet or intranet
Write | Enables clients to modify the contents of folders and files, including the ability to upload files through FTP
Script source access | Enables clients to view the contents of scripts containing commands to execute Web functions
Directory browsing | Enables clients to browse the folder and subfolders, such as for FTP access

Web Sharing Application Permissions (Table 9-9)
Application Permission | Description
None | No access to execute a script or application
Scripts | Enables the client to run scripts to perform Web-based functions
Execute (includes scripts) | Enables clients to execute programs and scripts via an Internet or intranet connection

Troubleshooting a Security Conflict
- Check the groups to which a user or group belongs
- Look for group permissions that conflict, particularly where the Deny box is checked for a permission

Moving and Copying Files and Folders
- A newly created file inherits the permissions already set up in a folder
- A file copied from one folder to another on the same volume inherits the permissions of the folder to which it is copied
- A folder that is moved from one folder to another on the same volume takes with it the permissions it had in the original folder
- A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied
- A file or folder that is moved or copied from an NTFS volume to a shared FAT folder inherits the share permissions of the FAT folder
- A file or folder moved from a FAT to an NTFS folder inherits the NTFS permissions of that folder

Chapter Summary
- Without the Active Directory, use local groups to manage access to resources
- With the Active Directory implemented, use domain local, global, and universal groups to manage resources
- Windows 2000 Server objects are secured through ACLs, user rights, permissions, inherited rights and permissions, share permissions, Web permissions, auditing, and ownership
- Troubleshoot permissions conflicts by examining the security assigned to all groups to which a user account or group belongs
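The moving-and-copying rules above can be written as one function so the outcome of a planned move is known before it happens, in particular whether an object keeps a broader ACL than the folder it lands in. The following Python script is an added example, not code from the chapter or from Microsoft; it applies the chapter's same-volume move rule to files as well as folders, which is how NTFS behaves, and uses constructed volume, folder and trustee names.

```python
"""Which permissions a file or folder carries after it is created, copied or moved.

Added example, not from the chapter or from Microsoft. The chapter's same-volume
move rule is applied to files as well as folders, as NTFS does. Volume, folder
and trustee names are constructed.
"""
from typing import NamedTuple, Optional


class Folder(NamedTuple):
    volume: str                      # e.g. "D:"
    filesystem: str                  # "NTFS" or "FAT"
    ntfs_permissions: dict           # trustee -> NTFS permission; empty on FAT
    share_permissions: Optional[dict] = None   # trustee -> Read/Change/Full Control


class Item(NamedTuple):
    parent: Folder                   # folder the file or folder currently sits in
    ntfs_permissions: dict           # its current ACL; empty on FAT


def resulting_permissions(operation, item, dest):
    """Return (kind, trustee -> permission, rule applied) for `operation` in
    {"create", "copy", "move"} of `item` (None when creating) into folder `dest`."""
    if operation not in ("create", "copy", "move"):
        raise ValueError(f"unknown operation {operation!r}")
    inherit = dict(dest.ntfs_permissions)
    if dest.filesystem == "FAT":
        # NTFS permissions do not exist on FAT; only a shared FAT folder's share permissions apply
        return ("share", dict(dest.share_permissions or {}),
                "destination is a FAT folder: only its share permissions apply")
    if operation == "create":
        return "ntfs", inherit, "a new file inherits the folder's permissions"
    if item.parent.filesystem == "FAT":
        return "ntfs", inherit, "FAT to NTFS: inherits the NTFS folder's permissions"
    if item.parent.volume != dest.volume:
        return ("ntfs", inherit,
                "moved or copied to another volume: inherits the destination's permissions")
    if operation == "copy":
        return ("ntfs", inherit,
                "copied within the volume: inherits the destination's permissions")
    return ("ntfs", dict(item.ntfs_permissions),
            "moved within the volume: keeps the permissions of the original folder")


def unexpected_trustees(operation, item, dest):
    """Trustees who can reach the object after the operation although the destination
    folder's own ACL names none of them: what to look for after a move."""
    kind, perms, _ = resulting_permissions(operation, item, dest)
    if kind != "ntfs":
        return set()
    return set(perms) - set(dest.ntfs_permissions)


def sample_folders():
    """Constructed folders: a public and a confidential one on D:, a shared FAT archive on E:."""
    public = Folder("D:", "NTFS", {"Users": "Modify", "Administrators": "Full Control"})
    budget = Folder("D:", "NTFS", {"Budget": "Modify", "Administrators": "Full Control"})
    archive = Folder("E:", "FAT", {}, share_permissions={"Everyone": "Read"})
    return public, budget, archive


if __name__ == "__main__":
    public, budget, archive = sample_folders()
    report = Item(public, dict(public.ntfs_permissions))
    for op in ("move", "copy"):
        kind, perms, rule = resulting_permissions(op, report, budget)
        print(op, rule, perms, "unexpected:", unexpected_trustees(op, report, budget))
```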