Implementing the Group Strategy

Once you've planned your strategy and tested it using a variety of scenarios, you're ready to begin putting the structure into place.

Creating Groups

Use Active Directory Users and Computers to create and delete groups. Groups should be created in the Users container or in an OU that you've created for the purpose of containing groups. To create a group, follow these steps:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. Expand the domain in which the group will be created.
  3. Right-click the Users container, point to New, and choose Group from the shortcut menu to open the dialog box shown in Figure 9-1.
  4. Fill in the required information:
    • The group name must be unique in the domain.
    • The group name as it will be seen by pre-Windows 2000 operating systems will be filled in automatically. (In native mode, this field will be Downlevel Name Of New Group but will still be filled in automatically based on the name you provide as the group name.)
    • For Group Scope, click Domain Local, Global, or Universal.
    • For Group Type, click Security or Distribution.
  5. Click OK when you're finished. The new group will appear in the Users container. You might have to wait a few minutes for the group to be replicated to the Global Catalog before adding members.

    Figure 9-1. Creating a new group.

Deleting Groups

When groups are no longer needed, be sure to delete them from the system promptly. Unnecessary groups are a security risk because it is all too easy to grant permissions unintentionally.

Each group, like each user, has a unique security identifier (SID). The SID is used to identify the group and the permissions assigned to the group. When the group is deleted, the SID is deleted and not used again. If you delete a group and decide later to re-create it, you will have to configure the users and permissions as if for a new group.

To delete a group, merely right-click its name in Active Directory Users and Computers and choose Delete from the shortcut menu. Deleting a group deletes only the group and the permissions associated with the group. It has no effect on the accounts of users who are members of the group.

Adding Users to a Group

Once you've created a group, you'll need to add members to it. As mentioned earlier in the chapter, groups can contain users, contacts, other groups, and computers. To add members to a group, follow these steps:

  1. Launch Active Directory Users and Computers from the Administrative Tools folder.
  2. In the console tree, click the container that includes the group to which you will be adding members.
  3. Right-click the group and choose Properties from the shortcut menu.
  4. Click the Members tab, and then click Add to open the Select Users, Contacts, Or Computers dialog box (Figure 9-2).
  5. Select the accounts you want to add. (You can use the Shift and Ctrl keys to select multiple accounts.)
  6. Click Add. This returns you to the group's Properties dialog box with the users added. Click OK.

    A contact is an account without security permissions and is typically used to represent external users for the purpose of e-mail. You can't log on to the network as a contact.

    Figure 9-2. Adding an account to a group.
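The create, add-members and delete procedures above, and the point that a deleted group's SID is never reused, as an added PowerShell example (not from the book; it uses the RSAT ActiveDirectory module, which did not exist on Windows 2000). The group, OU, account and folder names are hypothetical.

```powershell
# Added example (not from the book): walks the group lifecycle described in this
# chapter with the ActiveDirectory PowerShell module: create a group, add members,
# grant it rights on a folder, then delete and re-create it to show that the new
# group has a different SID and inherits neither members nor permissions.
# Group, OU, account and path names are hypothetical.
Import-Module ActiveDirectory

$GroupName = 'Marketing-Editors'              # hypothetical group
$GroupsOU  = 'OU=Groups,DC=example,DC=com'    # hypothetical OU created to hold groups
$Share     = 'C:\Shares\Marketing'            # hypothetical folder on this file server

function New-MarketingGroup {
    # Same settings as the New Object - Group dialog: scope and type are mandatory.
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $GroupsOU `
                -GroupScope Global -GroupCategory Security -PassThru
}

$g1 = New-MarketingGroup
# Members may be users, computers or other groups (all hypothetical here). With more
# than one domain controller, allow replication time before adding members.
Add-ADGroupMember -Identity $g1 -Members 'jdoe', 'Marketing-Writers', 'WS-MKT-01$'
Write-Output "Created $GroupName, SID $($g1.SID.Value), members: $((Get-ADGroupMember $g1).Count)"

# Grant the group Read on a folder so we can see what happens to the ACE later.
$acl  = Get-Acl -Path $Share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $g1.SID, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Share -AclObject $acl

# Delete the group and re-create it under the identical name.
Remove-ADGroup -Identity $g1 -Confirm:$false
$g2 = New-MarketingGroup
Write-Output "Re-created $GroupName, SID $($g2.SID.Value), members: $((Get-ADGroupMember $g2).Count)"
Write-Output "Same SID as before: $($g1.SID -eq $g2.SID)"   # False: the old SID is never reused

# The folder's ACE still carries the old SID, which no longer resolves to a name, so
# the re-created group has no access until the permission is granted again.
(Get-Acl -Path $Share).Access |
    Where-Object { $_.IdentityReference.Value -like 'S-1-5-21-*' } |
    ForEach-Object { Write-Warning "Orphaned ACE: $($_.IdentityReference) $($_.FileSystemRights)" }
```

Unresolvable SIDs left in ACLs are worth sweeping for after any group clean-up, since they clutter permission reviews and hide what access was once intended.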

Changing the Group Scope

Over time, you might find that you need to change the scope of a particular group. For example, you might need to change a global group to a universal group so that users from another domain can be part of the group. However, the types of changes that can be made to a group scope are quite limited, and you might need to delete the group and create a new one to get the configuration you need.

To change a group scope, right-click the group name in Active Directory Users and Computers and choose Properties from the shortcut menu. Make the necessary changes in the General tab, and click OK when you're finished. The rules for changing a group scope are as follows:

  • In mixed mode, a security group cannot have universal scope.
  • A global group can be changed to a universal group if the global group is not already a member of another global group.
  • A domain local group can be changed to a universal group if the domain local group does not already contain another domain local group.
  • A universal group cannot be changed.
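An added example (not from the book) that encodes the four rules just listed as a pre-check before calling Set-ADGroup, using the RSAT ActiveDirectory module; the group name passed in is hypothetical, and the directory itself still enforces the rules when the change is attempted.

```powershell
# Added example (not from the book): checks a proposed scope change against the four
# rules stated in this section before calling Set-ADGroup. Requires the ActiveDirectory
# module (RSAT). The group name used at the bottom is hypothetical.
Import-Module ActiveDirectory

function Test-GroupScopeChange {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$NewScope
    )
    $group   = Get-ADGroup -Identity $Identity
    $domain  = Get-ADDomain
    $reasons = @()

    # Rule 1: in mixed mode, a security group cannot have universal scope.
    if ($NewScope -eq 'Universal' -and $group.GroupCategory -eq 'Security' -and
        $domain.DomainMode -eq 'Windows2000MixedDomain') {
        $reasons += 'domain is in mixed mode; a security group cannot be universal'
    }
    # Rule 2: global -> universal only if the group is not a member of another global group.
    if ($group.GroupScope -eq 'Global' -and $NewScope -eq 'Universal') {
        $globalParents = Get-ADPrincipalGroupMembership -Identity $group |
                         Where-Object { $_.GroupScope -eq 'Global' }
        if ($globalParents) { $reasons += "group is a member of global group(s): $($globalParents.Name -join ', ')" }
    }
    # Rule 3: domain local -> universal only if the group contains no other domain local group.
    if ($group.GroupScope -eq 'DomainLocal' -and $NewScope -eq 'Universal') {
        $dlMembers = Get-ADGroupMember -Identity $group |
                     Where-Object { $_.objectClass -eq 'group' } | Get-ADGroup |
                     Where-Object { $_.GroupScope -eq 'DomainLocal' }
        if ($dlMembers) { $reasons += "group contains domain local group(s): $($dlMembers.Name -join ', ')" }
    }
    # Rule 4: a universal group cannot be changed.
    if ($group.GroupScope -eq 'Universal') { $reasons += 'group is already universal; its scope cannot be changed' }

    [pscustomobject]@{
        Group = $group.Name; From = [string]$group.GroupScope; To = $NewScope
        Allowed = ($reasons.Count -eq 0); Reasons = $reasons
    }
}

# Apply the change only when every rule passes; otherwise report why it was refused.
$check = Test-GroupScopeChange -Identity 'Marketing-Editors' -NewScope Universal   # hypothetical group
if ($check.Allowed) { Set-ADGroup -Identity $check.Group -GroupScope $check.To }
else { $check.Reasons | ForEach-Object { Write-Warning "$($check.Group): $_" } }
```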

Creating Local Groups

A local group is a collection of user accounts on a single computer. The user accounts must be local to the computer, and members of local groups can be assigned permissions for resources only on the computer where the local group was created.

Local groups can be created on any Windows 2000 computer except domain controllers. In general, you don't want to use local groups on a computer that's part of a domain or, at least, you want to do so sparingly. Local groups don't appear in Active Directory, so you must administer local groups separately on each individual computer. To create a local group, follow these steps:

  1. Right-click the My Computer icon on the desktop and choose Manage from the shortcut menu.
  2. In the console tree, expand System Tools and then Local Users And Groups, as shown in Figure 9-3.
  3. Right-click the Groups folder and select New Group from the shortcut menu.
  4. In the New Group dialog box, enter the group name. You can include a description if you like.
  5. Click Add to add members to the group. (You can add members now or later.)
  6. Click Create when you're finished, and the new group is added to the list of groups in the details pane.

    Figure 9-3. Viewing local groups in the Computer Management MMC snap-in.
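Because local groups are invisible in Active Directory and must be reviewed machine by machine, an added example (not from the book) that inventories administrator-created local groups and their members across a list of domain-joined computers; it uses the LocalAccounts cmdlets of Windows PowerShell 5.1 over PowerShell remoting, and the computer names are hypothetical.

```powershell
# Added example (not from the book): lists non-built-in local groups and their members
# on several domain-joined computers so that sparingly-used local groups can be reviewed
# and unneeded ones deleted. Requires PowerShell remoting and the LocalAccounts module
# (Windows PowerShell 5.1+). Computer names are hypothetical.
$Computers = @('WS-FINANCE-01', 'WS-FINANCE-02')   # hypothetical computer names

$report = Invoke-Command -ComputerName $Computers -ScriptBlock {
    # Built-in groups (Administrators, Users, ...) have well-known SIDs under S-1-5-32;
    # any other local group was created by an administrator on this machine.
    Get-LocalGroup | Where-Object { $_.SID.Value -notlike 'S-1-5-32-*' } | ForEach-Object {
        $members = Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Group    = $_.Name
            SID      = $_.SID.Value
            # PrincipalSource tells whether each member is a local or a domain account.
            Members  = ($members | ForEach-Object { "$($_.Name) [$($_.PrincipalSource)]" }) -join '; '
        }
    }
}

$report | Sort-Object Computer, Group | Format-Table Computer, Group, Members -AutoSize

# Empty local groups are candidates for prompt deletion (see "Deleting Groups").
$report | Where-Object { -not $_.Members } |
    ForEach-Object { Write-Warning "$($_.Computer): local group '$($_.Group)' has no members" }
```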



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320