Module 3: Using Groups to Organize User Accounts

Contents

- Overview
- Introduction to Groups
- Implementing Group Strategies
- Implementing Groups
- Implementing Local Groups
- Lab A: Creating Groups
- Implementing Built-in Groups
- Lab B: Using Built-in Groups
- Best Practices
- Review

This course is a prerelease course and is based on Microsoft Windows 2000 Beta software. Content in the final release of the course may be different than the content included in this prerelease version. All labs in the course are to be completed using the Beta version of Microsoft Windows 2000 Advanced Server.

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead/Senior Instructional Designer: Red Johnston
Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager: Jim Cochran (Volt Computer)
Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor: Kim Ralls
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Tammy Stockton (Write Stuff)
Compact Disc Testing: ST Labs
Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart

Introduction

Presentation: 45 Minutes
Labs: 30 Minutes

This module provides students with the knowledge and skills that are necessary to implement groups in order to streamline administrative tasks. The module discusses the purpose of using groups, the different types of groups and their scopes, and the effective strategies for using groups to organize user accounts. The module then describes the procedures to create and delete groups and add members to groups. Finally, the module covers strategies for implementing local and built-in groups.

There are two labs in this module. In the first lab, students will create groups in a domain and add members to them. In the second lab, students will identify the membership and rights of built-in groups and use them to assign administrative capabilities to user accounts.

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.
Materials

To teach this module, you need the following materials:

- Microsoft® PowerPoint® file 1556A_03.ppt
- Module 3, “Using Groups to Organize User Accounts”

Preparation

To prepare for this module, you should:

- Read all the materials for this module.
- Review the Delivery Tips and Key Points for each section and topic.
- Complete the two labs.
- Study the review questions and prepare alternative answers for discussion.
- Anticipate questions that students may ask. Write out the questions and provide answers to them.

Other Activities

There is a class discussion in this module, in which you will work through a scenario about applying groups in a single domain. Review the slides and corresponding questions and solutions. This section describes how to present this interactive discussion.

Class Discussion: Using Groups in a Single Domain

This topic contains two slides. Use the first slide (which corresponds to the illustration in the workbook) to present the question and the second slide to present the suggested solution.

Module Strategy

Use the following strategy to present this module:

- Introduction to Groups
  Provide an overview of the purpose of using groups to perform administrative tasks. Introduce the different types of groups and then explain the concept of group scopes. The topic on group scopes has four slides. Use the first slide to introduce the three group scopes. Then, explain each group scope in detail using the corresponding slide.
- Implementing Group Strategies
  Explain the recommended strategies to use global and domain local groups in a domain. Discuss other possible strategies and their limitations. Use the class discussion topic to examine a scenario for using groups in a single domain. Present the question and encourage a discussion. Then present the suggested solution and discuss other possible solutions.
- Implementing Groups
  Present the guidelines for creating groups, which include the naming convention and determining the type of the group and its scope. Then explain the procedures to create and delete a group, locate a group in Active Directory™ directory service, and add members to a group.
- Implementing Local Groups
  Define local groups and explain their uses. Present their membership rules and the possible strategies for using them in a domain.
- Implementing Built-in Groups
  In this section, describe the four types of built-in groups: global, domain local, local, and system. For each type of built-in group, explain the purpose of the group and the membership of the group.
- Best Practices
  Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section. Then, at the end of the module, summarize all of the best practices for the module.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1556A, Administering Microsoft Windows 2000.

Lab Setup

The following list describes the setup requirements for the labs in this module.

Setup Requirement

The labs in this module require that the Users group have the Log on locally right. To prepare the student computers to meet this requirement, perform one of the following actions:

- Complete module of course 1556A, Administering Microsoft Windows 2000.
- From the Trainer Materials compact disc, run the LRights.cmd script on each domain controller in each child domain.

Setup Requirement

The labs in this module require the following user accounts: User31A, User31B, User32, and User33. To prepare the student computers to meet this requirement:

- Run the script Lab031.cmd on one of the two domain controllers in each subdomain.
  Caution: If you run the script on both domain controllers, the labs will not function properly.
- If you create the users manually, leave the password blank.

Lab Results

Performing the labs in this module introduces the following configuration changes:

- The assignment of the Log on locally right to the Users group
- The addition of User31A, User31B, User32 and User33 in the Users container
- The addition of User31A and User31B in the Administrators Domain Local group

Overview

Slide Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will learn how to group user accounts for easier management of user access to resources.

Slide:
- Introduction to Groups
- Implementing Group Strategies
- Implementing Groups
- Implementing Local Groups
- Implementing Built-in Groups
- Best Practices

A group is a collection of user accounts. You use groups to simplify the management of user and computer access to various shared resources. Groups allow you to assign access permissions to a group of users at one time rather than multiple times to individual users. After you assign the access permission to a group, you can simply add any user requiring the same permission to the group. Microsoft® Windows® 2000 provides different types of groups for different tasks. In this module, you will learn about the various types of groups and how to use them.

At the end of this module, you will be able to:

- Describe the key features of groups
- Apply group strategies to manage access to resources
- Create and delete groups
- Implement local groups
- Implement built-in groups
- Apply best practices for implementing groups

Introduction to Groups

Slide Objective: To introduce groups.

Lead-in: Groups simplify administration by allowing you to assign permissions once rather than multiple times. This section defines groups and the group types that you can create.

Delivery Tip: This section provides an introduction to groups, types of groups, and group scopes. Prepare students for the topics by providing the following key points.

Key Points: Windows 2000 provides two types of groups—distribution and security. Each type of group has a scope attribute that identifies the range in which the group can be applied on the network. Windows 2000 provides three scope types—global, domain local and universal.

Slide:
- Using Groups
- Group Types
- Group Scopes

Before you can use groups effectively, you need to understand their functions and the group types that you can create. Windows 2000 provides two types of groups, distribution and security, that you can create depending on the task that you need to manage. Each type of group has a scope attribute, which identifies the extent to which a group is applied on the network. Group scopes allow you to use groups in different ways to assign permissions. Windows 2000 provides three scopes: global, domain local, and universal.

Using Groups

Slide Objective: To define groups and their purpose.

Lead-in: You use groups to combine user accounts so that you can assign rights and permissions to shared resources a single time rather than multiple times.

Slide:
- Members Receive Permissions Given to Groups
- Users Can Be Members of Multiple Groups
- Groups Can Be Members of Other Groups

[Figure: permissions assigned once for a group, instead of permissions assigned once for each user account]

Delivery Tip: You could use the following example to explain nesting of groups: Add managers in each region to a group that is specific to that region. Administrators in each region control the membership of the group that represents managers in their regions. Then, add all of the regional groups to another group, called Worldwide Managers. When all managers need access to resources, assign permissions only to the Worldwide Managers group.

Key Point: A user account can be a member of multiple groups.

You use groups to manage user access to shared resources such as network shares, files, directories, and printer queues. When assigning permissions for resources, you should assign the required permissions to a group of users rather than to individual users. In this manner, you assign the permissions once to the group, instead of several times to individual users. This helps simplify the maintenance and administration of a network.

In addition to user accounts, you can add computers and other groups to a group for organizational purposes and other administrative tasks.

When you add members to groups, consider the following:

- When you make a user a member of a group, you give the user all the rights and permissions granted to the group. However, if the user is already logged on, the rights of the newly assigned group will not take effect until the user logs off and then logs on again.
- Users can be members of multiple groups. This is because a group is simply a list of members, with references to the actual user accounts.
- Groups can be members of other groups. Adding groups to an existing group is called nesting. Nesting creates a single, consolidated group and can reduce the number of times that you need to assign permissions. You can create a nested hierarchy of groups based on the business needs of the members.

Group Types

Slide Objective: To describe the two types of groups.

Lead-in: Sometimes you create groups for security-related purposes, such as permissions assignment. Other times you use them for non-security purposes, such as to send e-mail messages. To facilitate this, Windows 2000 includes two group types.

Slide:
- Security Groups
  - Used to assign permissions
  - Can be used as an e-mail distribution list
- Distribution Groups
  - Cannot be used to assign permissions
  - Can be used as an e-mail distribution list

Key Points: Use security groups to assign permissions. Other applications use distribution groups. Use distribution groups only for non-security related purposes, such as sending e-mail messages. Only programs designed to work with Active Directory can use distribution groups. For example, future versions of Microsoft Exchange Server will be able to use Windows 2000 groups as distribution lists for e-mail messages.

Windows 2000 has two group types: security and distribution. The group type determines the tasks that you manage with the group. Both types of groups are stored in Active Directory™ directory service so that you can use them anywhere in your network.

Security Groups

Use security groups for security related purposes, such as assigning permissions to gain access to resources. You can also use them to send e-mail messages to multiple users. Sending an e-mail message to the group sends the message to all members of the group. Therefore, security groups share the capabilities of distribution groups.

Distribution Groups

Applications use distribution groups as lists for non-security related functions, such as sending e-mail messages to groups of
users. The primary purpose of this type of group is to gather related objects, not to assign permissions. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.

Note: Because distribution groups reside in Active Directory, only applications that are designed to work with Active Directory can use them. For example, future versions of Microsoft Exchange Server will be able to use Windows 2000 groups as distribution lists for e-mail messages.

Implementing Built-in Groups

Slide Objective: To introduce the types of built-in groups.

Lead-in: Windows 2000 uses four categories of built-in groups. Built-in groups have a predetermined set of user rights or group membership. Windows 2000 creates these commonly used groups for you.

Delivery Tip: This section discusses the built-in groups in Windows 2000. Prepare students for the topics by providing the following key points.

Key Point: Built-in groups are predefined groups and have predetermined group membership. There are four types of built-in groups that can be used for commonly used functions. These are global, domain local, local, and system groups.

Slide:
- Built-in Global Groups
- Built-in Domain Local Groups
- Built-in Local Groups
- Built-in System Groups

Built-in groups are predefined groups that have a predetermined set of user rights or group membership. Windows 2000 creates built-in groups for you so that you do not need to create groups and assign rights and permissions for commonly used functions. There are four categories of built-in groups: global, domain local, local, and system.

Note: User rights provide users with the ability to perform system tasks, such as changing the system time on a computer or backing up and restoring files.

Built-in Global Groups

Slide Objective: To describe the built-in global groups in a domain.

Lead-in: Domains contain built-in global groups that are stored in Active Directory. These built-in groups are available from any computer in the domain.

Slide:
- Initial Membership
- No Inherent User Rights

[Figure: built-in global groups (Domain Users, Domain Admins, Domain Guests, Enterprise Admins) in an Active Directory domain]

Key Points: Global groups do not have any inherent rights. You assign rights either when you add the global group to other groups or when you assign user rights or permissions to the built-in global groups.

Windows 2000 creates built-in global groups in Active Directory to combine common types of user accounts. By default, Windows 2000 automatically adds members to some built-in global groups. You can add user accounts to these built-in groups to provide additional users with the privileges and permissions that you assign to the built-in group.

Important: By default, built-in global groups do not have any rights. You assign rights either by adding the global groups to domain local groups or by explicitly assigning user rights to the built-in global groups.

The Users folder contains the built-in global groups in a domain. The default memberships of the commonly used built-in global groups are as follows:

| Global group | Description |
| --- | --- |
| Domain Users | Windows 2000 automatically adds the Domain Users global group to the Users domain local group. By default, the Administrator account is initially a member, but Windows 2000 automatically makes each new domain user account a member. |
| Domain Admins | Windows 2000 automatically adds the Domain Admins global group to the Administrators domain local group so that they can perform administrative tasks on any computer anywhere in the domain. By default, the Administrator account is a member. |
| Domain Guests | Windows 2000 automatically adds the Domain Guests global group to the Guests domain local group. By default, the Guest account is a member. |
| Enterprise Admins | You can add user accounts to Enterprise Admins for users who should have administrative control of your entire network. Then, add Enterprise Admins to the Administrators domain local group in each domain. By default, the Administrator account is a member. |

Built-in Domain Local Groups

Slide Objective: To describe built-in local groups in a domain.

Lead-in: The second type of built-in group in a domain is the domain local group. It is also stored in Active Directory and is available from any computer in the domain.

Slide:
- Initial Membership
- Predefined User Rights

[Figure: built-in domain local groups (Account Operators, Print Operators, Backup Operators, Server Operators, Administrators, Guests, Users) in an Active Directory domain]

Key Point: Use domain local groups to provide users with permissions to gain access to network resources.

Delivery Tip: Discuss only the Account Operators and Administrative groups and briefly mention the others.

Windows 2000 creates built-in domain local groups to provide users with predefined rights and permissions to perform tasks on domain controllers and in Active Directory. The following table describes the commonly used domain local groups and the capabilities of their members.

| Domain local group | Description |
| --- | --- |
| Account Operators | Members can create, delete, and modify user accounts and groups; members cannot modify the Administrators group or any of the Operators groups. |
| Server Operators | Members can share disk resources and back up and restore files on a domain controller. |
| Print Operators | Members can set up and manage network printers on domain controllers. |
| Administrators | Members can perform all administrative tasks on all domain controllers and on the domain itself. By default, the Administrator account and the Domain Admins global group are members. |
| Guests | Members can perform only tasks for which you have granted rights, gain access only to resources for which you have assigned permissions, and cannot make permanent changes to their desktop environments. By default, the Guest user account and the Domain Guests global group are members. |
| Backup Operators | Members can back up and restore all domain controllers by using Windows 2000 Backup. |
| Users | Members can perform only tasks for which you have granted rights and can gain access only to resources for which you have assigned permissions. By default, the Domain Users group is a member. Use this group to assign permissions and rights that every user with a user account in your domain should have. |

Built-in Local Groups

Slide Objective: To describe the built-in local groups that exist on all member servers and computers running Windows 2000 Professional.

Lead-in: Member servers, stand-alone servers, and computers running Windows 2000 Professional have these built-in local groups: Users, Guests, Administrators, Backup Operators, and Power Users.

Delivery Tip: Point out to the students that Power Users is a type of built-in local group and not a type of user account.

Key Points: All member servers, stand-alone servers, and computers running Windows 2000 Professional have built-in local groups. A built-in local group defines what its members can do on the local computer where the built-in group exists.

[Figure: built-in local groups (Users, Administrators, Guests, Backup Operators, Power Users) on Windows 2000 Server (member or stand-alone server) and Windows 2000 Professional]

All member servers, stand-alone servers, and computers running Windows 2000 Professional have built-in local groups. Built-in local groups have rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Windows 2000 places the built-in local groups in the Groups folder in Local User Manager.

The following table describes the capabilities of members of the most commonly used built-in local groups. Except where noted, there are no initial members in these groups.

| Local group | Description |
| --- | --- |
| Users | Members can perform only tasks for which you have specifically granted rights and can gain access only to resources for which you have assigned permissions. By default, Windows 2000 adds local user accounts that you create on a computer to the Users group. When a member server or a computer running Windows 2000 Professional joins a domain, Windows 2000 adds the Domain Users group to the local Users group. |
| Administrators | Members can perform all administrative tasks on the computer. By default, the built-in Administrator account for the computer is a member. When a member server or a computer running Windows 2000 Professional joins a domain, Windows 2000 adds the Domain Admins group to the local Administrators group. |
| Guests | Members can perform only tasks for which you have specifically granted rights and can gain access only to resources for which you have assigned permissions; members cannot make permanent changes to their desktop environments. By default, the built-in Guest account for the computer is a member. When a member server or a computer running Windows 2000 Professional joins a domain, Windows 2000 adds the Domain Guests group to the local Guests group. |
| Backup Operators | Members can use Windows 2000 Backup to back up and restore the computer. |
| Power Users | Members can create and modify local user accounts on the computer and share resources. This group gives the user the ability to perform system administrative functions without having complete control over the system. |

Built-in System Groups

Slide Objective: To describe the built-in system groups that are used in network administration.

Lead-in: Built-in system groups exist on all computers running Windows 2000. Unlike other built-in groups, user accounts become members of the built-in system groups based on activity.

Slide:
- Exist on All Computers Running Windows 2000
- You Cannot Modify Membership
- Windows 2000 Adds Members Based on Activity
- Some Common System Groups:
  - Everyone
  - Authenticated Users
  - Creator Owner
  - Network
  - Interactive

Delivery Tip: Demonstrate how to view system groups by adding permissions to a file to show the available groups. Emphasize the difference between the Interactive and Network groups. When users log on to a computer, Windows 2000 adds them to the Interactive group automatically. When users access a resource over the network, Windows 2000 adds them to the Network group automatically.

Built-in system groups exist on all computers running Windows 2000. System groups do not have specific memberships that you can view or modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource. You do not see system groups when you administer groups, but they are available for use when you assign rights and permissions to resources. Windows 2000 bases system group membership on how the computer is accessed, not on who uses the computer. The following table describes some of the common built-in system groups.

| System group | Description |
| --- | --- |
| Everyone | Includes all current network users, including guests and users from other domains. Whenever a user logs on to the network, Windows 2000 automatically adds the user to the Everyone group. |
| Authenticated Users | Includes all users with valid user accounts on the computer or in Active Directory. Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource. |
| Creator Owner | Includes the user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is owner of the resource. |
| Network | Includes users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally to the computer on which the resource is located). Whenever users access a given resource over the network, Windows 2000 automatically adds them to the Network group. |
| Interactive | Includes all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the resource over the network). Whenever users access given resources on the computer to which they are currently logged on, Windows 2000 automatically adds them to the Interactive group. |

Lab B: Using Built-in Groups

Slide Objective: To prepare students for the lab.

Lead-in: In this lab, you will identify the membership and rights of built-in groups and use built-in groups to assign administrative capabilities.

Delivery Tip: Explain the lab objectives. Go over the information in the “Before You Begin” section of the lab. Ask students if they encountered any problems during the lab. Review the lab answers.

Objectives

After completing this lab, you will be able to:

- Identify the membership of built-in groups
- Identify the rights of built-in groups
- Use built-in groups to assign administrative capabilities
- Add users to built-in groups

Prerequisites

Before working on this lab, you must:

- Be able to gain access to and use Active Directory Users and Computers.
- Have completed Module 3, “Using Groups to Organize User Accounts.”

Lab Setup

In this lab, you and your partner need to perform steps that are specific to each computer. For this purpose, designate one computer as A and the other as B. Your instructor will provide this information, or your partner and you can decide together. If you are not working with a partner, you will use “A.”

Your computer (A or B): ____
Your partner’s computer (A or B): ____

Estimated time to complete this lab: 15 minutes

Exercise: Determining Built-in Group Membership in a Domain

In Microsoft® Windows® 2000, being a member of certain built-in groups gives a user additional rights (such as the ability to perform system tasks). As an administrator, you must be familiar with the default membership in these groups and the abilities that each of these groups provides. You will view some of the built-in groups in your Windows 2000 domain to determine the default members.

To display built-in domain local groups

- Log on to your domain as Administrator.
- Open Active Directory Users and Computers, expand DomainName.nwtraders.msft (where DomainName is your assigned domain), and then click Builtin.
  Active Directory Users and Computers displays a list of all built-in domain local groups in your domain.

To determine the default membership of the Administrators built-in domain local group

- Double-click Administrators.
- In the Administrators Properties dialog box, click the Members tab.
- By default, what built-in user accounts or groups are members of the Administrators group?
  Administrator is the only user account; Domain Admins and Enterprise Admins are the only groups.
- Click Cancel.

To determine the default membership of the Guests built-in domain local group

- With the Builtin folder still selected, double-click the Guests group.
- In the Guests Properties dialog box, click the Members tab.
- What user accounts or groups are members of the Guests group?
  User accounts: Guest, IUSR_YourComputerName, IUSR_Your_Partner’s_Computer, IWAM_YourPartner’scomputerName, IWAM_YourComputerName, TsInternetUser
  Group accounts: Domain Guests
- Why would you use this account?
  To allow non-authenticated accounts to use domain resources, such as Internet and UNIX clients.
- Click Cancel.

To determine the default membership of the Users built-in domain local group

- In Active Directory Users and Computers, select the Builtin folder, and then double-click the Users built-in group.
- In the Users Properties dialog box, click the Members tab.
- What user accounts or groups are members of the Users group?
  No user accounts are members; Domain Users is the only group.
- Click Cancel.

To determine the default membership of built-in global groups

- In Active Directory Users and Computers, select the Users folder.
  Windows 2000 stores the default global groups in the Users folder. These are the built-in groups that you modify most frequently.
- Double-click Domain Admins.
- In the Domain Admins Properties dialog box, click the Members tab.
- By default, what user accounts or groups are members of Domain Admins?
  Administrator is the only user account; no groups are members.
- Click Cancel to return to Active Directory Users and Computers.
- Repeat the preceding steps to answer the following questions.
- By default, what user accounts or groups are members of Domain Users?
  All user accounts in the domain are members; no groups are members.
- By default, what user accounts or groups are members of Domain Guests?
Guest is the only user account; no groups are members.
Close Active Directory Users and Computers.

Exercise: Implementing Built-in Groups for Administration

In order to perform administrative tasks, you will need an account that has administrative rights in the domain. You will use this account to perform your daily administrative tasks. In order to provide these rights, you will put the user account into a group that will provide these rights. You need to decide which group will best provide this functionality within the domain. You may need to check a user account to confirm that it has the appropriate rights after adding it to the Administrators domain local group and the Domain Admins global group.

To test a user account
Log off Windows 2000, and then log on as User31x (where x is your computer: A or B) with no password.
Try to change the system time by double-clicking the clock on the taskbar.
Were you successful? Why or why not?
No, because the user account does not have the required user right.
Log off Windows 2000.

To add a user account to the Administrators domain local group
Log on to your domain as Administrator.
Open Active Directory Users and Computers.
Expand your domain, and then select the Builtin folder.
Double-click Administrators.
The Administrators Properties dialog box displays the properties of the group.
To view the members of the group, click the Members tab.
The Administrators Properties dialog box displays a list of group members.
To add a member to the group, click Add.
Make sure that your domain is selected in the Look in box.
In the list, select User31x (where x is your computer), and then click Add.
Click OK.
User31x is now a member of the Administrators built-in group.
Click OK to close the Administrators Properties dialog box.
Close all open windows, and log off Windows 2000.

To test the user account as a member of the Administrators domain local group
Log on as User31x (where x is your computer) using the user account that you created.
Try to change the system time.
Note: If you can change the system time, change it back to the original setting.
Were you successful? Why or why not?
Yes, because the user account is a member of the Administrators domain local group. Because of this membership, the user account has all of the built-in rights of the Administrators domain local group. If this computer were a member server, you would not be successful, because the Administrators domain local group has no default rights on member servers in the domain.
To give a user administrative capabilities in the domain, should you add user accounts to the Administrators domain local group or the Domain Admins global group?
Adding a user account to the Domain Admins global group is the best method. Because the Domain Admins global group is a member of the Administrators domain local group and the Administrators local group on all computers in your domain, a member of the Domain Admins global group can administer all computers in the domain. Also, using global groups can facilitate administration in a multiple domain environment.
Close any open windows, and log off Windows 2000.

Best Practices

Slide Objective: To present best practices for creating groups.
Lead-in: Review this checklist before you create groups.

• Create Groups Based on Administrative Needs
• Use Local Groups to Provide Access to Resources on Local Computers
• Add User Accounts to Groups That Are Most Restrictive
• Use Built-in Groups Whenever Possible
• Assign Permissions By Using the Users or Authenticated Users Group

Consider the following best practices for implementing groups:

• Create groups based on administrative needs. When you create a group based on a job function and another person takes over that job, you only need to change the group membership. You do not need to change all permissions that are assigned to the individual user account. Because of this, it is sometimes advantageous to create a group that has only one member.
• Use local groups to provide access to resources on local computers.
• If you have multiple groups from which to choose, always add user accounts to the group that is most restrictive, while still allowing the appropriate rights and permissions so that users can accomplish any required task.
• Whenever a built-in group enables users to accomplish a task, use the built-in group instead of creating a new group. Create groups only when there are no built-in groups that provide the required rights and permissions.
• Use the Authenticated Users group instead of the Everyone group to assign most rights and permissions. This minimizes the risk of unauthorized access, because Windows 2000 makes only valid user accounts on the computer or in Active Directory members of the Authenticated Users system group.

Review

Slide Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module. Please take a few minutes to answer the questions, and then we will discuss them as a class.

• Introduction to Groups
• Implementing Group Strategies
• Implementing Groups
• Implementing Local Groups
• Implementing Built-in Groups
• Best Practices

Can users be members of more than one group?
Yes, because a group is a list of members with references to the actual user accounts. Therefore, users can be members of more than one group.

When should you use security groups instead of distribution groups?
Use security groups to assign permissions. Use distribution groups only when the function of the group is not security related, such as an e-mail distribution list.

In an environment where multiple users need to share common network resources, what is the recommended group strategy?
Create a domain local group and add existing global groups containing the users to it. Then assign the required permissions for using the network resources to the domain local group.

Can you create local groups on domain controllers?
You cannot create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory. Local groups do not appear in Active Directory and must be administered separately for each computer. This prevents the centralizing of group administration.

Of the built-in groups, which group does not allow modification of its membership?
You cannot view or modify the membership of built-in system groups. Windows 2000 automatically assigns users to these groups. However, you can assign rights and permissions to resources to these groups.
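The lab's answer that Domain Admins is the better place to grant domain administration follows from group nesting, and the same nesting is what an administrator has to resolve when reviewing who really holds administrative rights. The Python code below is an added example, not part of the course material: it resolves nested membership over constructed data modelled on the lab answers and lists accounts placed directly in Administrators. User31B's membership in Domain Admins and the member server name SERVER1 are assumptions.

```python
from collections import deque

# Constructed data modelled on the lab answers. User31A was added directly to
# Administrators (as in the lab); User31B in Domain Admins and the member
# server SERVER1 are assumptions made for this example.
GROUPS = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins", "User31A"},
    "Domain Admins": {"Administrator", "User31B"},
    "Enterprise Admins": set(),  # membership is not stated on the page
    "SERVER1\\Administrators": {"Domain Admins"},  # local group on a member server
}


def expand(group, groups=GROUPS):
    """Map every user account that holds `group` to its shortest nesting path."""
    paths = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in sorted(groups.get(current, ())):
            if member in groups:  # the member is itself a group
                if member not in seen:  # guard against circular nesting
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:
                paths.setdefault(member, path)  # breadth-first: first hit is shortest
    return paths


def direct_grants(group, expected=("Administrator",), groups=GROUPS):
    """User accounts placed straight into `group` rather than through a nested group."""
    return sorted(m for m in groups[group] if m not in groups and m not in expected)


if __name__ == "__main__":
    for scope in ("Administrators", "SERVER1\\Administrators"):
        print(scope)
        for user, path in sorted(expand(scope).items()):
            print(f"  {user:14} via {' -> '.join(path)}")
    print("Direct grants to review:", direct_grants("Administrators"))
```

User31A holds rights only where the domain local Administrators group applies, while User31B reaches SERVER1 through Domain Admins, which is the distinction the lab answer draws.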