PART 2: MANAGING AND MAINTAINING USERS, GROUPS, AND COMPUTERS
CHAPTER 7: WORKING WITH GROUPS

■ Windows Server 2003 interim  Supports domain controllers running Windows Server 2003 and Windows NT 4. This functional level is used only when upgrading domain controllers in Windows NT 4 domains to Windows Server 2003 domain controllers.
  ❑ Provides no additional features.
■ Windows Server 2003  Supports domain controllers running Windows Server 2003 only.
  ❑ Supports universal security and distribution groups.
  ❑ Allows groups to be members of other groups (group nesting).
  ❑ Allows conversions between security groups and distribution groups.
  ❑ Allows migration of security principals from one domain to another (SID history).

NOTE  Domain Functional-Level Features
The previous lists contain only the Active Directory features of the functional levels that pertain to group objects and their operations. Raising the domain functional level also activates other features, such as the ability to rename domains. Additional Active Directory features are activated when you raise the forest functional level, which is possible only when all the domain controllers in the entire forest are running Windows Server 2003. None of these features affects the use of group objects, however.

To manage the functional level in Windows Server 2003, you use the Active Directory Domains And Trusts console, which is accessible from the Administrative Tools program group. To view the current functional levels of your domain and forest, select the domain object in the scope pane and, from the Action menu, select Properties. The Properties dialog box for the domain displays the current functional levels on the General tab, as shown in Figure 7-3.

Figure 7-3  A domain's Properties dialog box

To change the functional level, select the domain object and, from the Action menu, select Raise Domain Functional Level to display the dialog box shown in Figure 7-4. In the Select An Available Domain Functional Level drop-down list, choose the functional level you want to use and click Raise. As stated earlier, you cannot lower the functional level after you raise it, except by reinstalling Active Directory on all of your domain controllers, so the program cautions you to be sure before committing yourself. Because the change is permanent, verify before raising that every domain controller in the domain is running the operating system the new level requires. Once the functional level is raised on that one domain controller, the change is replicated to all of the other domain controllers in the domain.

Figure 7-4  The Raise Domain Functional Level dialog box

NOTE  Raising the Forest Functional Level
To raise the forest functional level, select the Active Directory Domains And Trusts object in the scope pane and, from the Action menu, select Raise Forest Functional Level.

USING LOCAL GROUPS

In Chapter 6, you learned that Windows Server 2003 supports both local user accounts and domain user accounts. The same is true for groups: Windows Server 2003 supports local groups and domain groups. A local group is a collection of local user accounts on a particular computer. Local groups perform the same basic function as all groups: they enable you to assign permissions to multiple users in one step. You create local groups using the Local Users And Groups snap-in, which is integrated into the Computer Management console (accessible from the Administrative Tools program group), as shown in Figure 7-5. When you create a local group, the system stores it in the local Security Accounts Manager (SAM) database. Local groups are subject to restrictions, just as local users are. The local group restrictions are as follows:

■ You can use local groups only on the computer where you create them.
■ On a standalone computer, only local users from the same computer can be members of local groups.
■ When the computer is a member of a domain, local group members can also include users and global groups from the domain or any trusted domain.
■ Local groups cannot have other local groups as members.
■ Local group permissions provide access only to resources on the computer where you created the local group.
■ You cannot create local groups on a Windows Server 2003 computer that is functioning as a domain controller.

Figure 7-5  The Local Users And Groups snap-in

USING ACTIVE DIRECTORY GROUPS

Active Directory groups are characterized by their type and their scope. There are two types of Active Directory groups, each with three distinct scopes. Understanding the construction of these groups within the correct scope ensures the best use of administrative resources when you create, assign, and manage access to resources. The possibilities of group construction also depend on the functional level of the domain in which the groups are created. Windows Server 2003 comes with a large number of groups already created, and you can create as many additional groups as you need.

Active Directory groups, no matter what their type or scope, take the form of objects in the Active Directory database, just as user accounts and containers are objects. Compared to user objects, group objects are quite simple. Instead of the dozens of attributes you find in a user object, a group object consists of only a few attributes, the most important of which is its member list. As the name implies, the member list is simply a list of objects, such as users, other groups, computers, and contacts, that are members of the group. All permissions and rights assigned to the group are inherited by every object in the member list.

You create and manage all Active Directory groups using the Active Directory Users And Computers console, which is accessible from the Administrative Tools program group in Windows Server 2003, as shown in Figure 7-6. As with any Active Directory object, to create and manage groups you must have the appropriate permissions for the containers where the groups are located.

Figure 7-6  The Active Directory Users And Computers console

Active Directory Group Types

There are two types of Active Directory group objects: security groups and distribution groups.

Security Groups

Security groups are the ones you use to assign access permissions for network resources. When someone speaks of a group in relation to Windows Server 2003 or Active Directory, they are usually speaking of a security group. Programs that are designed to work with Active Directory can also use security groups for nonsecurity-related purposes, such as retrieving user information for use in a Web application.

NOTE  Windows Server 2003 Uses Only Security Groups
Security groups can be used as distribution groups, but distribution groups cannot be used as security groups. The difference is that a security group has a security identifier (SID) that appears in the access tokens of its members, whereas a distribution group does not, which is why it cannot appear in a permission entry. Windows Server 2003 itself can only make use of security groups, but because security groups have all the capabilities of distribution groups, this is not a shortcoming.

Distribution Groups

Distribution groups are intended for use by applications as lists for nonsecurity-related functions. You use distribution groups when the only function of the group is not security-related, such as sending e-mail messages to a group of users at the same time. You cannot use distribution groups to assign rights and permissions. Only applications that are designed to work with Active Directory can use distribution groups. For example, Microsoft Exchange uses distribution groups as mailing lists for sending e-mail messages.

Active Directory Group Scopes

Group scopes define where in the forest a group can be granted permissions and which objects it can contain. All Active Directory groups, both security and distribution groups, can be classified into one of three scopes: domain local, global, and universal.
Domain Local Groups

Domain local groups are most often used to assign access permissions to resources, either directly or by adding a global group to the domain local group. Domain local groups have the following characteristics:

■ Domain local groups are available in all functional levels: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
■ You can use a domain local group to grant access permissions to resources only in the same domain where you create the domain local group.
■ When you use the Windows 2000 mixed or Windows Server 2003 interim functional level, domain local group members can include user and computer accounts and global groups from any domain in the forest. No other group nesting is permitted.
■ When you use the Windows 2000 native or Windows Server 2003 functional level, domain local group members can include user and computer accounts, global and universal groups from any domain in the forest, and other domain local groups from the same domain.
■ Domain local groups can be converted to the universal scope as long as they do not have other domain local groups as members.

NOTE  Local Groups and Domain Local Groups
Because Active Directory groups with a domain local scope are sometimes referred to as local groups, be sure to distinguish between a local group on a particular computer (sometimes called a machine local group) and an Active Directory group with a domain local scope.

Domain local groups are most commonly used to control access to resources within a single domain. For example, you might create a domain local group with permissions that grant members access to a particular printer. Then you can add users in the domain directly to the domain local group, or you can create a global group containing the users that need printer access and make the global group a member of the domain local group.

Global Groups

Global groups are used primarily to provide categorized membership in domain local groups for individual security principals, or for direct permission assignment (particularly on a network using the Windows 2000 mixed or Windows Server 2003 interim domain functional level). Often, global groups are used to collect users or computers in the same domain that share the same job, role, or function or that have similar network access requirements. Global groups have the following characteristics:

■ Global groups are available in all functional levels: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
■ Global groups can only include members from within their own domain.
■ When you use the Windows 2000 mixed functional level, global group members can include user and computer accounts from the same domain only.
■ When you use the Windows 2000 native or Windows Server 2003 functional level, global group members can include user and computer accounts as well as other global groups from the same domain.
■ Global groups can be converted to universal groups as long as the group is not a member of any other global group.
■ Global groups can be members of machine local or domain local groups.
■ Global groups can be granted access permissions for resources in any domain in the forest, and in trusted domains in other forests.

Global groups are most commonly used to manage permissions for directory objects, such as user and computer accounts, that require frequent maintenance. On a network consisting of multiple domains, the main advantage of using global groups for this purpose rather than universal groups is that the membership of a global group is not replicated outside of its domain. This minimizes the amount of replication traffic to the global catalog, which is a directory of resources for the entire forest. Global groups are also preferable to domain local groups when you assign permissions on objects that are replicated to the global catalog, because a domain local group is valid only within its own domain.

Universal Groups

Universal groups are used primarily to grant access to related resources in multiple domains. Universal groups have the following characteristics:

■ Universal groups are available only in the Windows 2000 native and Windows Server 2003 functional levels. When you use the Windows 2000 mixed or Windows Server 2003 interim functional level, you cannot create universal groups.
■ Universal group members can include user and computer accounts, global groups, and other universal groups from any domain in the forest.
■ Universal groups can be converted to domain local groups without restriction, and to global groups as long as they do not have other universal groups as members.
■ Universal groups can be granted access permissions for resources in any domain in the forest and in domains in other trusted forests.

The primary function of universal groups is to consolidate groups that span multiple domains. Universal groups are generally not needed on single-domain networks. To use universal groups effectively, the best practice is to create a global group in each domain, with user or computer accounts as members, and then make the global groups members of a universal group. This enables you to create a single universal group that is usable throughout the enterprise, but with a membership that does not change frequently. This method is preferable to adding users and computers to the universal group directly because every change to the universal group's membership causes the entire membership to be replicated to the global catalog, throughout the forest. (At the Windows Server 2003 forest functional level, linked-value replication sends only the changed member values rather than the whole list, which reduces the cost of a change but does not remove the reason for keeping universal group membership stable.) Managing the users and computers in the global groups does not affect the universal group's membership and therefore generates no additional replication traffic.

Universal groups are also useful when you want to grant users access to resources that are located in more than one domain. Unlike domain local groups, you can assign permissions to universal groups for resources in any domain on your network. For example, if executives need access to printers throughout your network, you can create a universal group for this purpose and assign it permissions enabling its members to use all of the printers in all of your domains.

Nesting Groups

As you learned in the previous sections, the ability to make groups members of other groups is one of the most powerful features of Active Directory's group object implementation. This practice is called group nesting. Nesting groups enables you to manage resource permissions efficiently for an entire enterprise without generating inordinate amounts of replication traffic. As mentioned earlier, your domain must be using the Windows 2000 native or Windows Server 2003 functional level to take full advantage of Active Directory's group nesting capabilities, and even then, there are restrictions on the nesting of the various group scopes. These nesting restrictions, along with all membership restrictions for the three group scopes, are summarized in Table 7-1.

The membership rules in this table are an essential element of proper group management. If you encounter a situation where you cannot add a particular member to a group or use a group to provide access to a particular resource, the troubleshooting process should begin with an examination of the group's scope and the domain's functional level, to determine whether you are actually supposed to be able to perform the task you are attempting.

Although group nesting is a valuable tool, administrators should be careful not to get carried away with its capabilities. While it is possible to nest groups many layers deep, this practice can make it difficult to keep track of the group memberships and how permissions are being disseminated throughout the network. As a general rule, a single level of nesting is sufficient for most environments and is easier to maintain.
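The following Python script is an added example and is not code from the book. It models the membership rules of the three scopes as summarized in Table 7-1, the conversion restrictions of Table 7-2 and the resolution of nested membership, so that a planned design, such as the global-into-domain-local arrangement recommended later in this chapter, can be checked against the domain functional level before any group is created. The contoso.com and fabrikam.com accounts and groups it builds are constructed for the demonstration, and groups_of() only approximates what dsget user -memberof -expand reports.

```python
"""Offline check of an Active Directory group design against this chapter's scope rules.

Added example, not the book's code: it encodes the membership rules of Table 7-1, the
conversion rules of Table 7-2 and nested membership.  Each operation returns None when the
rules allow it, otherwise the rule it breaks.  The contoso.com and fabrikam.com objects in
build_example() are constructed for the demonstration.
"""
from dataclasses import dataclass, field

MIXED, INTERIM = "Windows 2000 mixed", "Windows Server 2003 interim"
NATIVE, WS2003 = "Windows 2000 native", "Windows Server 2003"
NESTING_LEVELS = (NATIVE, WS2003)  # levels with full nesting, universal groups and conversion


@dataclass
class Obj:
    name: str
    domain: str
    kind: str                   # "user", "computer" or "group"
    scope: str = ""             # "domain local", "global" or "universal" (groups only)
    members: list = field(default_factory=list)


class Forest:
    def __init__(self, level):
        self.level, self.objects = level, {}

    def add(self, obj):
        if obj.scope == "universal" and self.level not in NESTING_LEVELS:
            return "universal groups cannot be created at the %s level" % self.level
        self.objects[obj.name] = obj

    def membership_problem(self, group, member):
        """None if group may contain member (Table 7-1), otherwise the reason."""
        same, ms = group.domain == member.domain, member.scope
        if member.kind != "group":            # user or computer account
            return "global groups take accounts from their own domain only" if group.scope == "global" and not same else None
        if self.level not in NESTING_LEVELS:  # mixed / interim: only global -> domain local
            if (group.scope, ms) == ("domain local", "global"):
                return None
            return "at the %s level only global groups may be nested, in domain local groups" % self.level
        ok = {"domain local": ms in ("global", "universal") or (ms == "domain local" and same),
              "global": ms == "global" and same,
              "universal": ms in ("global", "universal")}[group.scope]
        return None if ok else "a %s group cannot contain the %s group %s from %s" % (
            group.scope, ms, member.name, member.domain)

    def add_member(self, group_name, member_name):
        """Nest member_name in group_name if Table 7-1 allows it; returns the problem if not."""
        group, member = self.objects[group_name], self.objects[member_name]
        problem = self.membership_problem(group, member)
        if problem is None:
            group.members.append(member_name)
        return problem

    def convert(self, group_name, new_scope):
        """Change a group's scope subject to Table 7-2; returns the problem if refused."""
        if self.level not in NESTING_LEVELS:
            return "scope conversion needs the %s or %s level" % NESTING_LEVELS
        g = self.objects[group_name]
        nested = {self.objects[m].scope for m in g.members if self.objects[m].kind == "group"}
        in_global = any(p.scope == "global" and group_name in p.members for p in self.objects.values())
        blockers = {("domain local", "global"): "not permitted",
                    ("global", "domain local"): "not permitted",
                    ("domain local", "universal"): "has domain local members" if "domain local" in nested else None,
                    ("global", "universal"): "is a member of another global group" if in_global else None,
                    ("universal", "global"): "has universal members" if "universal" in nested else None,
                    ("universal", "domain local"): None}
        problem = blockers.get((g.scope, new_scope), "not applicable")
        if problem is None:
            g.scope = new_scope
        return problem

    def effective_members(self, group_name):
        """Accounts that inherit the group's permissions through any depth of nesting."""
        seen, found, stack = set(), set(), [group_name]
        while stack:
            name = stack.pop()
            if name not in seen:                  # the guard makes circular nesting harmless
                seen.add(name)
                for m in self.objects[name].members:
                    (stack.append if self.objects[m].kind == "group" else found.add)(m)
        return found

    def groups_of(self, name):
        """Groups whose permissions reach name, directly or by nesting (cf. dsget -memberof -expand)."""
        found, grown = set(), True
        while grown:
            grown = False
            for g in self.objects.values():
                if g.kind == "group" and g.name not in found and any(m == name or m in found for m in g.members):
                    found.add(g.name)
                    grown = True
        return found


def build_example(level=WS2003):
    """The chapter's global-into-domain-local pattern, built from constructed objects."""
    f = Forest(level)
    for o in (Obj("mlee", "contoso.com", "user"), Obj("jdoe", "fabrikam.com", "user"),
              Obj("Accounting", "contoso.com", "group", "global"),
              Obj("Color Printers", "contoso.com", "group", "domain local")):
        f.add(o)
    f.add_member("Accounting", "mlee")            # accountants go into the global group
    f.add_member("Color Printers", "Accounting")  # the global group goes into the resource group
    return f
```

Calling build_example() and then effective_members("Color Printers"), groups_of("mlee"), add_member("Accounting", "Color Printers") and convert("Accounting", "domain local") shows the pattern resolving to mlee, the two groups whose permissions reach mlee, and the two operations that Tables 7-1 and 7-2 forbid; the same forest created with Forest(MIXED) refuses universal groups and global-in-global nesting, which is the first thing to check when a membership change is rejected.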
Table 7-1  Group Scope Membership Rules

Domain Local
  Windows 2000 mixed or Windows Server 2003 interim functional level: user and computer accounts and global groups from any domain.
  Windows 2000 native or Windows Server 2003 functional level: user and computer accounts, universal groups, and global groups from any domain; other domain local groups from the same domain.

Global
  Windows 2000 mixed or Windows Server 2003 interim functional level: user and computer accounts from the same domain.
  Windows 2000 native or Windows Server 2003 functional level: user and computer accounts and other global groups from the same domain.

Universal
  Windows 2000 mixed or Windows Server 2003 interim functional level: not available.
  Windows 2000 native or Windows Server 2003 functional level: user and computer accounts, other universal groups, and global groups from any domain.

Converting Groups

When you create a group, you must specify its type and its scope. However, in a domain using the Windows 2000 native or Windows Server 2003 functional level, you can convert groups to different scopes at any time, subject to certain membership restrictions. Table 7-2 summarizes the group scope conversions that are allowable and the conditions under which you can perform the conversion.

Planning Global and Domain Local Groups

It is a good idea to have a group strategy in place before you begin to create Active Directory groups. Creating groups of the wrong type or with the wrong scope can result in a failure of the groups to perform as expected. For most network installations, the most common method of deploying groups is to use global and domain local groups in the following manner:

■ Create domain local groups for resources to be shared  Identify the resources, such as shared folders or printers, to which users need access, and then create one or more domain local groups for those resources. For example, if you have a number of color printers in your company, create a domain local group called Color Printers.
■ Assign resource permissions to the domain local group  Assign the permissions needed for access to the resources to the appropriate domain local group. For example, you should assign the permissions needed to use the color printers to the Color Printers group.
■ Create global groups for users with common job responsibilities  Identify users with common job responsibilities and add their user objects to a global group. For example, in an accounting department, add the user objects for all of the accountants to a global group called Accounting.
■ Add global groups that need access to resources to the appropriate domain local group  Identify all global groups that require access to a particular resource, and make the global groups members of the appropriate domain local group. For example, to provide the accountants with access to the color printers, add the Accounting global group to the Color Printers domain local group. Users in the Accounting group then receive the permissions granted to the Color Printers group.

Table 7-2  Active Directory Group Scope Conversion Restrictions

From Domain Local
  To Global: not permitted.
  To Universal: permitted only when the domain local group does not have other domain local groups as members.

From Global
  To Domain Local: not permitted.
  To Universal: permitted only when the global group is not a member of another global group.

From Universal
  To Domain Local: no restrictions.
  To Global: permitted only when the universal group does not have other universal groups as members.

Once you have created your groups in this manner, you modify the domain local group permissions when resource requirements change and modify the global group memberships when there are personnel changes. It might seem as though using both domain local groups and global groups is unnecessary.
After all, it would be possible just to create a single domain local or global group, grant it the permissions needed to access resources, and add the user objects of the people needing those resources as members. However, there are distinct drawbacks to this strategy, whether you use domain local groups or global groups.

■ Placing user objects in domain local groups and assigning permissions to the domain local groups  This strategy does not enable you to assign permissions for resources outside of the domain, which reduces the flexibility of your group strategy when your network grows.
■ Placing user accounts in global groups and assigning permissions to the global groups  This strategy can complicate administration when you are using multiple domains. If global groups from multiple domains require the same permissions, you have to assign permissions for each global group.

WINDOWS SERVER 2003 DEFAULT GROUPS

Windows Server 2003 automatically creates a large number of groups in which it places its built-in user accounts. You can use these groups as they are, modify them as needed (in some cases), or create new groups of your own. There are four default group types in Windows Server 2003: built-in local groups, which exist only on computers that are not domain controllers, and three types of default groups in Active Directory: predefined groups, built-in groups, and special identities. These default groups are discussed in the following sections.

Built-In Local Groups

Windows Server 2003 standalone servers and member servers all have built-in local groups. Domain controllers do not have local groups (or local users) because their SAM is converted for Active Directory use. Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. The built-in local groups are located in the Groups folder in the Local Users And Groups snap-in.

The Windows Server 2003 built-in local groups and their capabilities are as follows. Except where noted, no initial members exist in these groups.

■ Administrators  Members have complete and unrestricted access to the computer, enabling them to perform all administrative tasks. By default, the computer's built-in Administrator local user account is a member. When the computer joins a domain, Windows Server 2003 adds the Domain Admins predefined global group to the local Administrators group, which is why every member of Domain Admins is an administrator of every member computer.
■ Backup Operators  Members have user rights that enable them to override security restrictions for the sole purpose of backing up and restoring files. Because those rights let a member read and write any file regardless of its permissions, treat membership in this group as equivalent to administrative access when you audit it.
■ Guests  Members can perform only tasks for which you have specifically granted rights and can access only resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the computer's built-in Guest local user account is a member. When the computer joins a domain, Windows Server 2003 adds the Domain Guests predefined global group to the local Guests group.
■ Network Configuration Operators  Members of this group have limited administrative privileges enabling them to make changes to TCP/IP settings, and to renew and release IP addresses.
■ Performance Log Users  Members of this group are granted privileges enabling them to manage performance counters, logs, and alerts on the computer, both locally and from remote locations.
■ Performance Monitor Users  Members of this group are granted privileges enabling them to monitor performance counters on the computer, both locally and from remote locations.
■ Power Users  Members can create local user and group accounts on the computer and modify the users and groups they have created.
They can also add or remove users from the Power Users, Users, and Guests local groups, create shared resources, and administer the shared resources they have created. Power Users cannot take ownership of files, back up or restore folders, load or unload device drivers, or manage security logs. Power Users is nevertheless not a security boundary: its rights are enough for a determined member to work toward full administrative control, so do not use it as a limited-privilege group for users you do not trust with the computer.
■ Print Operators  Members can manage printers and print queues on the computer.
■ Remote Desktop Users  Members can log on to the computer remotely using Terminal Services.
■ Replicator  This group is intended to support directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.
■ Users  Members can perform tasks such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. All new local user accounts created on the computer are automatically added to the local Users group. When the computer joins a domain, Windows Server 2003 adds the Domain Users, Authenticated Users, and Interactive groups to the local Users group. As a result, all domain user accounts become members of this group as well.

In most cases, the privileges possessed by these local groups are granted by the assignment of user rights to the group. Table 7-3 lists the user rights assigned [...]

[...] the various types and scopes available, the procedures for creating and managing them are still rather simple. In the following sections, you learn how to use the Active Directory Users And Computers console to create new groups, manage their memberships, and modify their properties.

NOTE  Exam Objectives
The objectives for exam 70-290 require [...]

[...] begin actually creating the groups you need. Fortunately, the process of creating groups is far easier than learning about them and their capabilities. The following sections describe some of the most common group administration activities that system and network administrators have to perform on a regular basis.

NOTE  Exam Objectives
The objectives for exam 70-290 require that students be able to "create and manage [...]

■ Users  Members of this group can perform most common tasks, such as running applications, using local and network printers, and locking the server. By default, the Domain Users group and the Authenticated Users and Interactive special identities are members of this group. Therefore, any user account created in the domain becomes a member [...]

[...] Directory domain
■ Create and manage computer objects
■ Troubleshoot computer accounts

UNDERSTANDING COMPUTER OBJECTS

In the default configuration of Windows Server 2003 and all other Windows operating systems, the computer belongs to a workgroup. As you learned in Chapter 6, workgroup computers authenticate users with accounts stored [...]

[...] Domain local with a nested global group

Scenario 7-2: Creating Groups Using Dsadd.exe
You are a network administrator who is building an Active Directory on a new network for a company called Fabrikam, Inc., and you have to create user objects for the 75 users in the Inside Sales department. You have already created the fabrikam.com domain and an OU called Inside Sales for this purpose. The human resources [...]

[...] identity can change, as users log on and log off. The exact list of users substituted for the Authenticated Users placeholder is determined at the time a resource is accessed and its ACL processed, not at the time the special identity is added to the ACL. The special identities included in Windows Server 2003 are as follows:
■ Anonymous [...]

[...] resources department has provided you with a list of the users' names and has instructed you to create the account names by using the first initial and the last name. Each user object must also have the value Inside Sales in the Department property and Fabrikam, Inc. in the Company property. Using the first name in the list, Mark Lee, as an example, which of the following command-line formats would enable you [...]

■ Windows Authorization Access Group  Members have access to the computed tokenGroupsGlobalAndUniversal attribute on domain User objects.

Built-In Local Groups and Domain Local Groups
Several of the built-in domain local groups, such as Backup Operators, Network Configuration Operators, and Remote Desktop Users, are virtual duplicates of the built-in local groups with the same names on Windows Server 2003 [...]

[...] display a list of the groups of which a user is a member, use the following command:

dsget user "CN=Administrator,CN=Users,DC=contoso,DC=com" -memberof

This lists only direct memberships; add the -expand switch to see the groups inherited through nesting as well, which is what matters when you are tracing where a permission actually comes from.

NOTE  Exam Objectives
The objectives for exam 70-290 require that students be able to "find domain groups in which a user is a member."

SUMMARY
■ A group is an object that consists of a [...]

[...] In the Local Users And Groups snap-in, users and groups have their own separate folders; they are not mixed together in containers as in Active Directory.
4 From the Action menu, select New Group. The New Group dialog box appears.
5 In the Group Name text box, type a name for the group you are creating.
6 Click Add. The Select [...]