Chapter 4 - PowerPoint PPT Presentation

Slides: 14
Provided by: mfb3

1
Chapter 4 Implementing and Managing Group and
Computer Accounts
  • MIS 431 Created Spring 2006

2
WS03 Groups
  • A group is a container object used to organize a
    collection of users, computers, or other groups
  • Groups can have permissions for resources
  • Group types in Active Directory
  • Security groups: most popular type in AD
  • Distribution groups: cannot have permissions but
    are used for email distribution lists

3
Group Scopes
  • Global Groups: organize objects within the
    same domain within the AD forest
  • Usually combines objects from same geographic
    location or job function
  • Type of objects depends on the domain function
    level
  • Windows 2000 Native supports domain controllers
    from Windows 2000 and Windows 2003
  • Windows 2000 Mixed (default) includes NT Server
    4.0, Windows 2000 Server and WS03
  • Windows Server 2003 supports only WS03
    domain controllers

4
Group Scopes, contd.
  • Domain Local Groups: permissions are for
    resources in a single domain but can contain
    groups from other domains.
  • Universal Groups: for aggregating objects from
    different domains in the AD forest.
  • Local Groups: on the server only
  • See Table 4-1 on p. 149 for groups summary

5
Creating Group Objects
  • As with users, WS03 AD has several tools to
    create groups
  • Click on Group icon in toolbar within AD Users
    and Computers MMC
  • Right-click a container and click Group
  • You name the group, give its scope and group
    type, and then can access its properties
  • Can say who its members are
  • Can also place a user into a group from the User
    dialog box
  • Who manages the group

6
Changing Domains and Groups
  • You can change the domain functional level of a
    domain (Activity 4-3 p. 155)
  • You can convert a group type (Act. 4-4)
  • You can convert a group scope (Act. 4-5)

7
Command Line Utilities
  • Like the Users function, there are command line
    utilities to add, modify, and delete groups
  • DSADD
  • DSMOD
  • DSQUERY
  • DSMOVE
  • DSRM
  • See examples on pp. 160-167

8
Managing Security Groups
  • Text uses the A G U DL and P acronym
  • A: create user Accounts and organize them
  • Into G (global groups) or
  • Into DL (domain local groups) and
  • Assign Permissions to the domain local groups
  • Who is in a group?
  • View the Group properties or
  • Use the DSGET GROUP command
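
An added example (not from the original slides or the textbook): a cmd script that uses the DS utilities listed on the Command Line Utilities slide to put an account into a global group, nest that group in a domain local group, grant the permission to the domain local group only, and then check membership with DSGET GROUP. The domain example.com, the OU names, the user, the group names and the share path are assumptions.

```batch
@echo off
rem Added example. Every name below is a constructed placeholder (assumption).
setlocal
set "BASE=DC=example,DC=com"
set "USERDN=CN=Pat Lee,OU=Sales,%BASE%"
set "GG=CN=GG-Sales,OU=Groups,%BASE%"
set "DL=CN=DL-SalesShare-Modify,OU=Groups,%BASE%"

rem A: create the user Account. "-pwd *" prompts for the password so it
rem never appears on the command line or in the script.
dsadd user "%USERDN%" -samid plee -pwd * -mustchpwd yes || goto :fail

rem G: create a security group with global scope and add the account.
dsadd group "%GG%" -secgrp yes -scope g -samid GG-Sales -desc "Sales staff" || goto :fail
dsmod group "%GG%" -addmbr "%USERDN%" || goto :fail

rem DL: create a security group with domain local scope (-scope l)
rem and nest the global group in it. No user is added directly.
dsadd group "%DL%" -secgrp yes -scope l -samid DL-SalesShare-Modify || goto :fail
dsmod group "%DL%" -addmbr "%GG%" || goto :fail

rem P: assign the Permission to the domain local group, not to users.
rem icacls ships with Windows Server 2003 SP2 and later.
icacls "D:\Shares\Sales" /grant "EXAMPLE\DL-SalesShare-Modify:(OI)(CI)M" || goto :fail

rem Who is in a group? -expand follows nested groups down to the accounts.
dsget group "%DL%" -members -expand

rem Reverse view: every group the account ends up in through nesting.
dsget user "%USERDN%" -memberof -expand

rem Audit: list scope and type for all DL-* groups to spot a group that
rem was created as a distribution group or with the wrong scope.
dsquery group -name "DL-*" | dsget group -samid -scope -secgrp
goto :eof

:fail
echo Step failed with errorlevel %errorlevel% 1>&2
exit /b 1
```

Running the two `dsget ... -expand` commands periodically shows who actually holds access through nesting, which the group's own member list does not reveal.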

9
Built-In Groups
  • Built-In Container Local Groups (Table 4-2)
  • Account operators
  • Administrators
  • Backup operators
  • Guests
  • Incoming forest trust builders

10
Built-In Groups, contd.
  • Built-In Container Domain Local Groups (Table
    4-3)
  • Network configuration operators
  • Performance log users
  • Performance monitor users
  • Pre-Windows 2000 compatible access
  • Print operators
  • Remote desktop users
  • Replicators
  • Server operators
  • Terminal Server license servers
  • Users
  • Windows authorization access group

11
Built-In Groups, contd.
  • The Users container domain local and global
    groups (Table 4-3)
  • Cert publishers
  • DnsAdmins
  • DnsUpdateProxy
  • Domain admins
  • Domain computers
  • Domain controllers
  • Domain guests
  • Domain users
  • Enterprise Admins
  • Group policy creator owners
  • RAS and IAS servers
  • Schema admins
  • WINS users

12
Creating and Managing Computer Accounts
  • Computer accounts are created automatically
    during NOS installation
  • Only Windows NT 4.0 and higher
  • Windows 95 and 98 are not given computer accounts
    because they don't support the advanced security
    model
  • Can be added manually (Act. 4-8)
  • Use AD Users and Computers MMC
  • Use System applet from the Control Panel

13
Resetting Computer Accounts
  • Computers that are members of a domain use a
    secure channel to communicate with a DC
  • PW for that account is changed every 30 days and
    synchronized automatically with DC
  • If the computer has not been connected to the
    network for 30 days, may be unable to talk
  • Use AD Users and Computers to reset the password
    or the Netdom reset command