Creating Groups


When it comes to creating groups, understanding the characteristics and limitations of each type and scope is only half the battle. You also need to consider how the group will be used and who will need to be a member of it. Groups are commonly used for three functions: delegating administrative rights, distributing email, and securing network resources such as file shares and printers. To help clarify group usage, the following examples show how the different group types and scopes fit different administrative scenarios.

User Administration in a Single Domain

If a group is needed to simplify the process of granting the right to reset user passwords in a single domain, either a domain local or a global security group would work. The recommended approach, however, is to apply permissions only to domain local groups, whether on access control lists or in user rights assignments, and to make global groups the members of those domain local groups. In a single-domain model, if a right is granted only at the domain level, a domain local group with users as direct members would be adequate. However, if the same set of users later needs access to a resource in a newly created domain, that domain local group cannot be used, because domain local groups can be granted permissions only on resources within their own domain. This is the main reason it is recommended to place users only into global groups and to assign permissions to resources through domain local groups that have the global groups as members. After you adopt this strategy and reuse the same global groups over and over, the administration time saved will validate the reasoning.

User Administration Across a Forest of Domains

When multiple domains are supported by the same IT staff, each domain's Domain Admins group should be added to every other domain's Administrators group, even if the domains are still at the Windows 2000 Mixed level. For example, domain A's Administrators group would contain the Domain Admins groups of domain A, domain B, and domain C. Without a forest-wide group, you would need to add each of these per-domain groups separately whenever a resource or administrative task in the forest needs to grant or deny access to the administrators of each domain.

If all the domains in the forest run at the Windows 2000 Native or Windows Server 2003 Native domain functional level, you could instead create a universal security group named Forest Admins with each domain's Domain Admins group as a member. You would then need to configure only a single entry to grant all the administrators access forest-wide for a particular resource or user right. Universal security groups are useful because they can have members from any domain in the forest, but their membership is stored in the global catalog, so they are best reserved for memberships that change rarely. If a proper group strategy has been developed, domain local and global groups can still handle most situations.

Domain Functionality Level and Groups

There are several domain functional levels, each adding more functionality. The different levels exist to provide backward compatibility with domain controllers running older platforms, which allows a phased migration of the domain controllers. The four domain functional levels are

  • Windows 2000 Mixed This domain level was created primarily to allow both Windows 2000 and Windows NT 4.0 domain controllers to function in an Active Directory domain. Universal security groups are not available, and the only group nesting permitted is placing global groups into domain local groups. This level can be raised to Windows 2000 Native or Windows Server 2003 Native after all the domain controllers have been upgraded to the necessary operating system.

  • Windows 2000 Native This domain level allows only Windows 2000 and Windows Server 2003 domain controllers in the domain. Universal security groups can be used, and global and universal security groups can be nested. This level can be raised to Windows Server 2003 Native. This mode also allows you to convert the scope and type of some existing groups in place.

  • Windows Server 2003 Native This level allows only Windows Server 2003 domain controllers and provides all the features of the Windows 2000 Native level, plus additional security and functionality features such as domain rename.

  • Windows Server 2003 Interim This mode enables Windows Server 2003 Active Directory to interoperate with a domain composed only of Windows NT 4.0 and Windows Server 2003 domain controllers. It was created for environments that upgrade directly from NT 4.0 to Windows Server 2003 Active Directory. This level can be raised only to Windows Server 2003 Native. This mode is offered only if an NT 4.0 domain's PDC has been upgraded to a Windows Server 2003 domain controller.
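The following script is an added example, not code from the book or from Microsoft, that ties the two preceding discussions together: it reads the attributes behind the domain functional level to decide whether a domain can use universal security groups and group nesting, and then builds the Forest Admins universal group described under "User Administration Across a Forest of Domains", refusing to proceed if any domain is still at a mixed or interim level. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which postdates the book's GUI procedures but reads the same msDS-Behavior-Version and ntMixedDomain attributes; the group name, SamAccountName and container path are assumptions for this example.

```powershell
# Added example (not from the book): functional-level check plus the
# "Forest Admins" universal group. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GroupCapability {
    # Reports what the domain's functional level permits for groups.
    # msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003
    # Interim, 2 = Windows Server 2003, 3 and above = newer levels.
    # ntMixedDomain: 1 = mixed mode (NT 4.0 BDCs allowed), 0 = native mode.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $nc   = Get-ADDomain -Identity $Domain
    $head = Get-ADObject -Identity $nc.DistinguishedName -Server $Domain `
                -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
    $level = [int]$head.'msDS-Behavior-Version'
    $mixed = ([int]$head.'ntMixedDomain' -eq 1)
    # Universal security groups, global/universal nesting and scope
    # conversion all need Windows 2000 Native or higher. Interim (1) is
    # treated like mixed mode because NT 4.0 BDCs may still exist.
    $nativeOrBetter = (-not $mixed) -and ($level -ne 1)
    [pscustomobject]@{
        Domain                  = $Domain
        BehaviorVersion         = $level
        MixedMode               = $mixed
        UniversalSecurityGroups = $nativeOrBetter
        GlobalUniversalNesting  = $nativeOrBetter
        ScopeConversion         = $nativeOrBetter
    }
}

function New-ForestAdminsGroup {
    # Creates a universal security group in $Domain and nests every
    # domain's Domain Admins group into it, after checking each level.
    param(
        [string]$Domain = (Get-ADForest).RootDomain,
        [string]$Path   = 'CN=Users,' + (Get-ADDomain -Identity $Domain).DistinguishedName,
        [string]$Name   = 'Forest Admins'      # assumed name
    )
    $domains = (Get-ADForest).Domains
    foreach ($d in $domains) {
        $cap = Get-GroupCapability -Domain $d
        if (-not $cap.UniversalSecurityGroups) {
            throw "$d is at level $($cap.BehaviorVersion) (mixed=$($cap.MixedMode)); raise it before using universal security groups."
        }
    }
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Domain
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName 'ForestAdmins' `
                     -GroupCategory Security -GroupScope Universal `
                     -Path $Path -Server $Domain -PassThru
    }
    foreach ($d in $domains) {
        # Domain Admins is RID 512 in every domain; resolving it by SID
        # still works if the group has been renamed.
        $sid = (Get-ADDomain -Identity $d).DomainSID.Value + '-512'
        $da  = Get-ADGroup -Identity $sid -Server $d
        Add-ADGroupMember -Identity $group -Members $da -Server $Domain
    }
    Get-ADGroupMember -Identity $group -Server $Domain | Select-Object Name, SID
}

# Usage (run as an account with rights to create groups in the root domain):
Get-GroupCapability
New-ForestAdminsGroup
```

Because the membership of a universal group is held in the global catalog, the script resolves each Domain Admins group by its well-known RID rather than by name; that keeps the check correct even where a domain has renamed its built-in groups.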

Creating AD Groups

Now that you understand what kinds of groups you can create and what they can be used for, you are ready to create a group. To do so, follow these steps:

1. Log on to a domain controller using an account with the rights to create groups in the respective domain. An account with Domain Admin rights will suffice, although the right to create groups can also be delegated at the OU level, so full domain administrator membership is not required.

2. Choose Start, All Programs, Administrative Tools, Active Directory Users and Computers.

3. Select a container in the left pane; for example, the Users container. Right-click it and select New, Group.

4. Enter the group name and select the appropriate group type and scope, as shown in Figure 19.5. Click OK to finish creating the group.

Figure 19.5. Creating a group.


Populating Groups

After you create a group, you can add members to it. The domain functional level determines whether, and which kinds of, other groups can be nested as members.

To add members to an existing group, follow these steps:

1. Log on to a domain controller using an account with the rights to modify group membership in the respective domain. Usually, an account with Domain Admin rights will suffice.

2. Choose Start, All Programs, Administrative Tools, Active Directory Users and Computers.

3. Select the container that contains the group you want in the left pane. Then, in the right pane, right-click the group and select Properties.

4. Enter a description for the group on the General tab and then click the Members tab.

5. Click Add to add members to the group.

6. In the Select Users, Contacts, Computers, or Groups window, type the name of each group member, separated by semicolons, and click OK to add them to the group. If you don't know the names, clicking the Advanced button opens a window where you can search for the desired members.

7. When all the members are listed on the Members tab of the group's property page, click OK to complete the operation.
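The script below is an added example, not code from the book or from Microsoft, that performs the creation and population steps above from the command line while applying the strategy recommended under "User Administration in a Single Domain": user accounts go into a global group, the global group is nested into a domain local group, and only the domain local group is placed on the resource's ACL. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which postdates the book's GUI steps; the group names, the OU path, the user names, the server name and the share folder are all assumptions for this example.

```powershell
# Added example (not from the book): the AGDLP pattern in PowerShell.
# Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function New-ResourceAccessGroups {
    param(
        [Parameter(Mandatory)][string]$ResourceName,   # e.g. 'Finance' (assumed)
        [Parameter(Mandatory)][string[]]$Users,        # sAMAccountNames
        [string]$GroupPath = 'OU=Groups,DC=corp,DC=example,DC=com'   # assumed OU
    )
    # A -> G: accounts go into a Global group that names a role.
    $gg = Get-ADGroup -Filter "SamAccountName -eq 'GG_$ResourceName'"
    if (-not $gg) {
        $gg = New-ADGroup -Name "GG_$ResourceName" -SamAccountName "GG_$ResourceName" `
                  -GroupCategory Security -GroupScope Global -Path $GroupPath `
                  -Description "Role: $ResourceName staff" -PassThru
    }
    Add-ADGroupMember -Identity $gg -Members $Users

    # G -> DL: the Global group is nested into a Domain Local group that
    # names the resource and the access level. This nesting direction is
    # the one allowed at every level, including Windows 2000 Mixed.
    $dl = Get-ADGroup -Filter "SamAccountName -eq 'DL_${ResourceName}_Modify'"
    if (-not $dl) {
        $dl = New-ADGroup -Name "DL_${ResourceName}_Modify" `
                  -SamAccountName "DL_${ResourceName}_Modify" `
                  -GroupCategory Security -GroupScope DomainLocal -Path $GroupPath `
                  -Description "Modify on \\fs01\$ResourceName" -PassThru
    }
    Add-ADGroupMember -Identity $dl -Members $gg
    [pscustomobject]@{ Global = $gg; DomainLocal = $dl }
}

function Grant-FolderModify {
    # DL -> P: only the Domain Local group, never a user, goes on the ACL.
    param(
        [Parameter(Mandatory)][string]$Folder,         # e.g. 'D:\Shares\Finance' (assumed)
        [Parameter(Mandatory)][string]$GroupAccount    # e.g. 'CORP\DL_Finance_Modify'
    )
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GroupAccount,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Get-EffectiveMembers {
    # Expands the nesting so you can verify who really receives the permission.
    param([Parameter(Mandatory)][string]$GroupDN)
    Get-ADGroupMember -Identity $GroupDN -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object SamAccountName, DistinguishedName
}

# Usage (assumed names): two users get Modify on the Finance share only
# through GG_Finance -> DL_Finance_Modify -> NTFS ACL.
$groups = New-ResourceAccessGroups -ResourceName 'Finance' -Users 'jdoe', 'asmith'
Grant-FolderModify -Folder 'D:\Shares\Finance' -GroupAccount 'CORP\DL_Finance_Modify'
Get-EffectiveMembers -GroupDN $groups.DomainLocal.DistinguishedName
```

Granting a second resource to the same people then means adding GG_Finance to another domain local group rather than touching user objects or the ACL again, which is the reuse the text describes.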

Group Management

After a group is created, it needs to be managed by an administrator, by users, or by a combination of both, depending on the dynamics of the group. For example, when Exchange Server 2003 is used in an Active Directory environment, administrative assistants commonly need to modify the membership of certain mailing groups. In this case, if the proper permissions are defined on the group, an administrative assistant can manage its membership from her Outlook client. If the membership needs to be managed outside Outlook, the administrative assistant would need the Windows Server 2003 Administration Tools Pack installed on her workstation. Keep in mind that whoever can write a group's membership can add any account, including her own, so delegate this control only on groups that do not confer administrative rights or access to sensitive resources.

To delegate control of a group to a particular user, follow these steps:

1. Log on to a domain controller with Domain Administrator privileges.

2. Choose Start, All Programs, Administrative Tools, Active Directory Users and Computers.

3. Select the container that contains the group you want in the left pane. Then, in the right pane, right-click the group and select Properties.

4. Select the Security tab. If the Security tab is not visible, close the group's property pages, select View, Advanced Features in the Active Directory Users and Computers MMC snap-in, and then reopen the properties of the desired group and select the Security tab.

5. At the bottom of the page, click the Advanced button.

6. In the Advanced Security Settings for Group page, select the Permissions tab.

7. Click Add. In the Select User, Computer, or Group window, type the name of the account to which you want to grant permissions and click OK.

8. When the Permission Entry for Group window appears, select the Properties tab.

9. Select Apply Onto, Group Objects.

10. In the Permissions section, check the Allow boxes for Read Members and Write Members, as shown in Figure 19.6. Then click OK.

Figure 19.6. Granting permissions to modify group membership.

11. Click OK to close the Advanced Security Settings for Group page.

12. Click OK to close the group's property pages. Then choose File, Exit, click No when prompted to save the console settings, and log off the server.
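The following is an added example, not code from the book or from Microsoft, that performs the delegation from the preceding steps in PowerShell. Read Members and Write Members on the Security tab are ReadProperty and WriteProperty on the group's member attribute, so the script grants exactly those two rights, scoped to that one attribute and that one object, and then lists every account that can write the membership so the delegation can be audited. It assumes the ActiveDirectory module and its AD: drive (RSAT, Windows Server 2008 R2 or later), which postdate the book; the group distinguished name and the delegate account are assumptions for this example, while the member attribute GUID is the fixed schemaIDGUID that every forest uses.

```powershell
# Added example (not from the book): delegate Read/Write Members on one
# group and audit who holds that right. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute; the same in every AD forest.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMembershipControl {
    param(
        [Parameter(Mandatory)][string]$GroupDN,   # e.g. 'CN=All Staff,OU=Groups,DC=corp,DC=example,DC=com' (assumed)
        [Parameter(Mandatory)][string]$Delegate   # e.g. 'CORP\assistant1' (assumed)
    )
    $identity = New-Object System.Security.Principal.NTAccount($Delegate)
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # Inheritance None: the ACE applies to this group object only. The
    # object-type GUID limits the rights to the member attribute, so the
    # delegate cannot change the group's name, description or scope.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path "AD:\$GroupDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$GroupDN" -AclObject $acl
}

function Get-GroupMembershipWriters {
    # Lists every Allow ACE that can change membership: explicit ACEs on
    # the member attribute, and ACEs with no object type whose rights
    # include WriteProperty (GenericWrite and GenericAll include that bit).
    param([Parameter(Mandatory)][string]$GroupDN)
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$GroupDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $MemberAttributeGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage (assumed names): delegate one mailing group to one assistant, then
# review everyone who can now write its membership.
$dn = 'CN=All Staff,OU=Groups,DC=corp,DC=example,DC=com'
Grant-GroupMembershipControl -GroupDN $dn -Delegate 'CORP\assistant1'
Get-GroupMembershipWriters -GroupDN $dn
```

Run the audit function before and after the change: the entries it reports for Domain Admins, Account Operators and the like are inherited from the container, and any unexpected non-inherited entry on a group that grants privileged access is worth removing.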




Microsoft Windows Server 2003 Unleashed(c) R2 Edition
ISBN: 0672328984
Year: 2006
Pages: 499
