Module 3: Managing Groups - PowerPoint PPT Presentation

1 / 34

About This Presentation

Title:

Module 3: Managing Groups

Description:

Sam, Scott, and Amy. Denver OU Admins. Tom, Jo, Kim. Member Of. Members ... Grant this group appropriate permission for the accounting data resources file. ... – PowerPoint PPT presentation

Number of Views:148

Avg rating:3.0/5.0

Slides: 35

Provided by: Bwin6

Category:

more less

Transcript and Presenter's Notes

Title: Module 3: Managing Groups

1
Module 3 Managing Groups
2
Overview

Creating Groups
Managing Group Membership
Strategies for Using Groups
Using Default Groups

3
Lesson Creating Groups

What Are Groups?
What Are Domain Functional Levels?
What Are Global Groups?
What Are Universal Groups?
What Are Domain Local Groups?
What Are Local Groups?
Guidelines for Creating and Naming Groups
Who Can Create Groups?
Practice Creating Groups

4
What Are Groups?

Groups simplify administration by enabling you to
assign permissions for resources

Group
Groups are characterized by scope and type
5
What Are Domain Functional Levels?
6
What Are Global Groups?
7
What Are Universal Groups?
8
What Are Domain Local Groups?
9
What Are Local Groups?
10
Guidelines for Creating and Naming Groups

Create groups in organizational units by using
the following naming considerations
Naming conventions for security groups
Incorporate the scope in the group name
Should reflect the group ownership
Use a descriptor to identify the assigned
permissions
Naming conventions for distribution groups
Use short alias names
Do not include a users alias name in the display
name
Allow a maximum of five co-owners of a single
distribution group

11
Who Can Create Groups?

In the domain
Account Operators group
Domain Admins group
Enterprise Admins group
Or users with appropriate delegated authority
On the local computer
Power Users group
Administrators group on the local computer
Or users with appropriate delegated authority

12
Practice Creating Groups

In this practice, you will
Create groups by using Active Directory Users and
Computers
Create groups by using the dsadd command-line tool

13
Lesson Managing Group Membership

Determining Group Membership
Adding and Removing Members from a Group
Practice Managing Group Membership

14
Determining Group Membership
Group or Team
Global Group
Domain Local Group
Tom, Jo, and Kim
Denver Admins
G Denver Admins
DL OU Admins
G Vancouver Admins
Sam, Scott, and Amy
15
Adding and Removing Members from a Group
Group membership can be modified by using Active
Directory Users and Computers or the dsmod command
16
Practice Managing Group Membership

In this practice, you will
Determine a users group membership
Add users to global groups
Add global groups to domain local groups

17
Lesson Strategies for Using Groups

Multimedia Strategy for Using Groups in a
Single Domain
What Is Group Nesting?
Group Strategies
Class Discussion Using Groups in a Single-Domain
or Multiple-Domain Environment
Practice Nesting Groups and Creating Universal
Groups
Modifying the Scope or Type of a Group?
Why Assign a Manager to a Group?
Practice Changing the Scope and Assigning a
Manager to a Group

18
Multimedia Strategy for Using Groups in a Single
Domain

This presentation explains the A G DL P strategy
for using groups

19
What Is Group Nesting?

Group nesting means adding a group as a member of
another group

Group
Group
Group
Group
Group

Nest groups to consolidate group management
Nesting options depend on the domain functional
level

20
Group Strategies
21
Class Discussion Using Groups in a Single-Domain
or Multiple-Domain Environment
Northwind Traders has a single domain that is
located in Paris, France. Northwind Traders
managers need access to the Inventory database to
perform their jobs. What do you do to ensure that
the managers have access to the Inventory
database?
Northwind Traders wants to react more quickly to
market demands. It is determined that the
accounting data must be available to all
Accounting personnel. Northwind Traders wants to
create the group structure for the entire
Accounting division, which includes the Accounts
Payable and Accounts Receivable departments.
What do you do to ensure that the managers have
the required access and that there is a minimum
of administration?
Examples 1 and 2 Contoso, Ltd., has a single
domain that is located in Paris, France. Contoso
managers need access to the Inventory database to
perform their jobs. What do you do to ensure that
the managers have access to the Inventory
database? Example 3 Contoso, Ltd., has expanded
to include operations in South America and Asia
and now has three domains. You need to grant
access to all IT managers from all domains to the
IT_Admin tools shared folder in the Contoso
domain.

Place all of the managers in a global group
Create a domain local group for Inventory
database access
Make the global group a member of the domain
local group and grant permissions to the domain
local group for accessing the Inventory database

Make sure that your network is running in native
functional level.
Create three global groups called Accounting
Division, Accounts Payable, and Accounts
Receivable.
Place the Accounting Division global group into
the domain local group so that users can access
the accounting data.
Create a domain local group called Accounting
Data. Grant this group appropriate permission
for the accounting data resources file.

22
Practice Nesting Groups and Creating Universal
Groups

In this practice, you will
Create the Contoso Managers global group
Nest the departmental Managers global groups
into G Contoso Managers
Create an Enterprise Managers universal group
Examine the Members and Member Of properties

23
Modifying the Scope or Type of a Group?

Changing group scope
Global to universal
Domain local to universal
Universal to global
Universal to domain local
Changing group type
Security to distribution
Distribution to security

24
Why Assign a Manager to a Group?
Group
Manager

Enables you to
Track who is responsible for groups
Delegate to the manager of the group the
authority to add and remove users
Distribute the administrative responsibility to
the people who request the group

25
Practice Changing the Scope and Assigning a
Manager to a Group

In this practice, you will
Create a global group and change the scope to
universal
Assign a manager to the group
Test the group manager properties

26
Lesson Using Default Groups

Default Groups on Member Servers
Default Groups in Active Directory
When to Use Default Groups
Security Considerations for Default Groups
System Groups
Class Discussion Using Default Groups vs.
Creating New Groups
Best Practices for Managing Groups

27
Default Groups on Member Servers
28
Default Groups in Active Directory
29
When to Use Default Groups

Default groups are
Created during the installation of the operating
system or when services are added
Automatically assigned a set of user rights
Use default groups to
Control access to shared resources
Delegate specific domain-wide administration

30
Security Considerations for Default Groups

Place a user in a default group when you are sure
that you want to give the user all the user
rights and permissions assigned to that group in
Active Directory otherwise, create a new
security group
As a security best practice, members of default
groups should use Run as

31
System Groups

System groups represent different users at
different times
You can grant user rights and permissions to
system groups, but you cannot modify or view the
memberships
Group scopes do not apply to system groups
Users are automatically assigned to system groups
whenever they log on or access a particular
resource

32
Class Discussion Using Default Groups vs.
Creating New Groups

Contoso, Ltd., has over 100 servers across the
world.
The current tasks that administrators must
perform and what minimum level of access users
need to perform specific tasks
Whether you can use default groups or must create
groups and assign specific user rights or
permissions to the groups

You must determine
33
Best Practices for Managing Groups