Module 5: Managing Access to Resources by Using Groups

1
Module 5 Managing Access to Resources by Using
Groups
2
Overview

• Introduction to Windows 2000 Groups
• Implementing Groups in a Workgroup
• Implementing Groups in a Domain
• Best Practices

3
Introduction to Window 2000 Groups

• How Windows 2000 Groups Work
• Groups in Workgroups and Domains

4
How Windows 2000 Groups Work

• Group Members Have the Rights and Permissions
  Granted to the Group
• Users Can Be Members of Multiple Groups
• Groups and Computers Can Also Be Members of a
  Group

5
Groups in Workgroups and Domains
Workgroup

• Created on Computers That Are Not Domain
  Controllers
• Reside in SAM
• Used to Control Access to Resources for the
  Computer

Domain

• Created on Domain Controllers
• Reside in Active Directory
• Used to Control Resources in the Domain

6
Implementing Groups in a Workgroup

• Local Groups
• Built-in Local Groups
• The Strategy for Using Local Groups in a
  Workgroup
• Creating Local Groups

7
Local Groups

• The Guidelines for Local Groups
• Use local groups on computers that do not belong
  to a domain
• Use local groups to control access to resources
  and who can perform system tasks on the local
  computer
• Membership Rules for Local Groups
• Local groups can only contain local user accounts
  that are on the local computer
• Local groups cannot be a member of any other
  group
• Members of the Administrators Group or Account
  Operators Group on the Local Computer Can Create
  Local Groups

8
Built-in Local Groups
Built-in Groups Have a Predetermined Set of
Rights and They Cannot Be Deleted

• Built-in Local Groups
• Members have rights to perform system tasks
• User accounts can be added
• Special Identities (Special Groups)
• Organize users for system use
• Have automatic membership that cannot be modified

9
The Strategy for Using Local Groups in a Workgroup
L
Add
Assign
P
A
Assign
Assign
Windows 2000 Professional
Workgroup
Windows 2000 Professional
Assign
Windows 2000 Server
Windows 2000 Professional
A

P

L

User Accounts
Permissions
Local Group
10
Creating Local Groups
New Group
Required
Group name
Project1
Optional
Project1 data
Description
Members
Add or Remove Members
Remove
Add
Create
Close
11
Implementing Groups in a Domain

• Group Types and Scopes
• Built-in and Predefined Groups in a Domain
• The Strategy for Using Groups in a Single Domain
• Guidelines for Creating Domain Groups
• Creating and Deleting Domain Groups
• Adding Members to Domain Groups

12
Group Types and Scopes
Group Scopes
Global Group
Used to organize users who share similar network
access requirements
Domain Local Group
Used to assign permissions to domain resources
Universal Group
Used to assign permissions to related resources
in multiple domains
13
Built-In and Predefined Groups in a Domain

• Built-in Domain Local Groups Give Users
  Predefined Rights and Permissions to Perform
  Tasks
• On domain controllers
• In Active Directory
• Special Identities (Special Groups)
• Organize users for system use
• Membership is automatic and cannot be modified
• Predefined Global Groups Give Administrators
  Control of Domain Resources

14
The Strategy for Using Groups in a Single Domain
A
A G DL P Strategy for Groups in a Domain
G
User Accounts
Add
Global Group
Add
P
DL
Assign
Domain Local Group
15
Guidelines for Creating Domain Groups
16
Creating and Deleting Domain Groups

• You Use Active Directory Users and Computers to
  Create and Delete Groups
• When You Delete a Group Its
• Rights and permissions are removed
• Members are not deleted
• SID is never used again

17
Adding Members to Domain Groups
18
Best Practices
19
Lab A Creating a Global Group
20
Review

• Introduction to Windows 2000 Groups
• Implementing Groups in a Workgroup
• Implementing Groups in a Domain
• Best Practices