AGUDLP
Group Accounts
- When a user logs on, an access token is created that identifies the user and all of the user's group memberships.
- This access token is used to verify a user's permissions when the user attempts to access a local or network resource.
- By using groups, multiple users can be given the same permission level for resources on the network.
- Since a user's access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.
Group Types
- Distribution groups - Non-security-related groups created for the distribution of information to one or more persons.
- Security groups - Security-related groups created for purposes of granting resource access permissions to multiple users.
Group Nesting
- Users can be members of more than one group.
- Groups can contain other Active Directory objects, such as computers, and other groups.
- A group containing other groups is called group nesting.
Group Scopes
- Global
- Domain Local
- Universal
Using Global and Domain Local Groups
- Global - These groups can include users, computers, and other global groups from the same domain. You can use them to organize users who have similar functions and therefore similar requirements on the network.
- Domain local - These groups can include users, computers, and groups from any domain in the forest. They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.
- Assign users within a domain to global groups.
- Add global groups to domain local groups.
- Assign permissions to the domain local group.
Universal Groups
- These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest.
- A universal group can include users, computers, and global groups from any domain in the forest.
- Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
AGUDLP
Microsoft's approach to using groups:
- Add Accounts (A) to Global (G) groups.
- Add those global groups to Universal (U) groups.
- Add universal groups to Domain Local (DL) groups.
- Finally, assign Permissions (P) to the domain local groups.
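The AGUDLP chain above, carried out end to end with the ActiveDirectory PowerShell module. This is an added example, not code from the original slides; the domain (example.com / EXAMPLE), the OU path, the share path, the group names and the user names are assumed placeholders.

```powershell
# Added example (not from the original slides): implementing AGUDLP with the
# ActiveDirectory PowerShell module. Domain, OU path, share path and names are
# assumed placeholders; adjust them to your environment.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=example,DC=com'   # assumed OU that will hold the new groups
$sharePath = 'D:\Shares\Finance'             # assumed folder whose ACL we manage
$users     = @('jdoe', 'asmith')             # assumed sAMAccountNames

# A -> G: put accounts in a global group named after a job function
New-ADGroup -Name 'GG_Finance_Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG_Finance_Staff' -Members $users

# G -> U: nest the global group in a universal group (useful in a multi-domain forest;
# remember that universal membership changes replicate to every global catalog server)
New-ADGroup -Name 'UG_Finance_Staff' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'UG_Finance_Staff' -Members 'GG_Finance_Staff'

# U -> DL: nest the universal group in a domain local group named after the resource
# and the access level it grants
New-ADGroup -Name 'DL_Finance_Share_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL_Finance_Share_Modify' -Members 'UG_Finance_Staff'

# DL -> P: the domain local group is the only principal placed on the resource ACL
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'EXAMPLE\DL_Finance_Share_Modify',                         # assumed NetBIOS domain name
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check the nesting from both ends. A user added just now still carries the old
# access token until they log off and log on again, so test with a fresh logon.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
Get-ADGroupMember -Identity 'DL_Finance_Share_Modify' -Recursive | Select-Object SamAccountName
```

Because the permission is granted only to the domain local group, changing who can reach the share never touches the ACL again: you add or remove accounts in the global group and the nesting does the rest.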
Creating and Managing Groups
- Creating and managing groups is usually done with Active Directory Users and Computers.
Group Properties
Working with Default Groups
- Account Operators - Can create, modify, and delete accounts for users, groups, and computers in all containers and OUs. Cannot modify the Administrators, Domain Admins, or Enterprise Admins groups.
- Administrators - Complete and unrestricted access to the computer or domain controller.
- Backup Operators - Can back up and restore all files on the computer.
- Guests - Same privileges as members of the Users group. Disabled by default.
- Print Operators - Can manage printers and document queues.
- Server Operators - Can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer, and modify the system date and time.
- Users - Allows general access to run applications, use printers, shut down and start the computer, and use network shares for which they are assigned permissions.
- DnsAdmins - Permits administrative access to the DNS Server service.
- Domain Admins - Can perform administrative tasks on any computer anywhere in the domain.
- Domain Computers - Contains all computers. Used to make computer management easier through group policies.
- Domain Controllers - Contains all computers installed in the domain as a domain controller.
- Domain Guests - Members include all domain guests.
- Domain Users - Members include all domain users. Used to assign permissions to all users in the domain.
- Enterprise Admins - Grants the global administrative privileges associated with this group, such as the ability to create and delete domains.
- Schema Admins - Members can manage and modify the Active Directory schema.
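Most of the default groups listed above carry rights well beyond an ordinary user's, so their membership is worth reviewing regularly. The following is an added example, not part of the original slides, that enumerates the direct and nested members of those groups; the output file path is an assumed placeholder.

```powershell
# Added example (not from the original slides): audit the membership of the highly
# privileged default groups. The export path is an assumed placeholder.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DnsAdmins'
)

$report = foreach ($group in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain;
    # skip any group that cannot be found in the domain we are querying.
    $g = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
    if (-not $g) { continue }
    # -Recursive expands nested groups so indirect members are visible as well
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{
            Group  = $group
            Member = $_.SamAccountName
            Type   = $_.objectClass
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Enterprise Admins and Schema Admins should normally be empty outside a planned change;
# anything listed here deserves an explanation.
$report | Where-Object { $_.Group -in 'Schema Admins', 'Enterprise Admins' }

$report | Export-Csv -Path 'C:\Audit\privileged-groups.csv' -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run turns the slide's static list into a detection: any new name in Domain Admins, Account Operators or Server Operators shows up as a change that someone has to account for.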
Special Identity Groups and Local Groups
- Authenticated Users - Used to allow controlled access to resources throughout the forest or domain.
- Everyone - Used to provide access to resources for all users and guests. Not recommended to assign this group to resources.
Group Implementation Plan
- A plan that states who has the ability and responsibility to create, delete, and manage groups.
- A policy that states how domain local, global, and universal groups are to be used.
- A policy that states guidelines for creating new groups and deleting old groups.
- A naming standards document to keep group names consistent.
- A standard for group nesting.
Creating Users and Groups
- Active Directory Users and Computers.
- DS command-line tools, e.g. dsadd user.
- Batch files.
- Comma-Separated Value Directory Exchange (CSVDE).
- LDAP Data Interchange Format Directory Exchange (LDIFDE).
- Windows Script Host (WSH).
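The command-line options from the list above in use: dsadd for single objects and LDIFDE for a bulk import, run from a PowerShell session on a domain-joined machine. This is an added example, not code from the original slides; the domain, OU paths, account names and file paths are assumed placeholders.

```powershell
# Added example (not from the original slides): creating a group and a user with dsadd,
# then bulk-creating objects with LDIFDE. Domain, OU paths, names and file paths are
# assumed placeholders.

# dsadd: one object per command. -pwd * prompts for the password instead of putting it
# on the command line, where it would land in shell history and process listings.
dsadd group "CN=GG_Sales_Staff,OU=Groups,DC=example,DC=com" -samid GG_Sales_Staff -secgrp yes -scope g
dsadd user "CN=Jane Doe,OU=Sales,DC=example,DC=com" -samid jdoe -upn jdoe@example.com `
    -fn Jane -ln Doe -display "Jane Doe" -pwd * -mustchpwd yes `
    -memberof "CN=GG_Sales_Staff,OU=Groups,DC=example,DC=com"

# LDIFDE: describe many objects in one LDIF file and import them in a single pass.
# groupType -2147483646 = global security group (-2147483644 domain local, -2147483640 universal).
# userAccountControl 514 = normal account, disabled: an LDIF import over plain LDAP cannot
# set a password, so the account is created disabled and enabled only after a password is set.
$ldif = @'
dn: CN=John Smith,OU=Sales,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: jsmith
userPrincipalName: jsmith@example.com
givenName: John
sn: Smith
displayName: John Smith
userAccountControl: 514

dn: CN=DL_Sales_Share_Read,OU=Groups,DC=example,DC=com
changetype: add
objectClass: group
sAMAccountName: DL_Sales_Share_Read
groupType: -2147483644

dn: CN=GG_Sales_Staff,OU=Groups,DC=example,DC=com
changetype: modify
add: member
member: CN=John Smith,OU=Sales,DC=example,DC=com
-
'@
$ldf = Join-Path $env:TEMP 'new-objects.ldf'
Set-Content -Path $ldf -Value $ldif -Encoding ASCII

ldifde -i -f $ldf -k          # -i import, -k continue past "object already exists" errors

# Give the imported user a password and enable it once the import has run.
Set-ADAccountPassword -Identity jsmith -NewPassword (Read-Host -AsSecureString 'Initial password') -Reset
Enable-ADAccount -Identity jsmith

# CSVDE uses the same -i/-f switches for import; here it exports an OU for review.
csvde -f (Join-Path $env:TEMP 'sales-export.csv') -d "OU=Sales,DC=example,DC=com"
```

The LDIF import leaves the new account disabled on purpose: a bulk-created account that is enabled before anyone has set a password is exactly the kind of object the audit of default groups should never find in a privileged group.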
Summary
- Three types of user accounts exist in Windows Server 2008:
  - Local user accounts reside on a local computer and are not replicated to other computers by Active Directory.
  - Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain.
  - Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.
- The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008. It can be renamed, but it cannot be deleted.
- The Guest account is a built-in account used to assign temporary access to resources. It can be renamed, but it cannot be deleted. This account is disabled by default and the password can be left blank.
- Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal).
- Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.
- Global groups are used to organize domain users according to their resource access needs. Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.
- Universal groups are used to provide access to resources anywhere in the forest. Their membership lists can contain global groups and users from any domain. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
- The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group, and then assigns permissions to the domain local group.
- Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments.
- Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.