Lesson 1: Implementing Local Groups

A local group is a collection of user accounts on a computer. You can use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows 2000 creates local groups in the local security database. In this lesson, you learn what groups are and how you can use them to simplify user account administration.


After this lesson, you will be able to

  • Describe the key features of groups
  • Describe local groups
  • Create and delete local groups
  • Add members to local groups
  • Remove members from local groups

Estimated lesson time: 30 minutes


Understanding Groups

A group is a collection of user accounts. Administration is simplified when you assign permissions and rights to a group of users rather than to each individual user account (see Figure 7.1).

Figure 7.1 Simplified administration using groups

Permissions control what users can do with a resource, such as a folder, file, or printer. When you assign permissions, you give users the capability to gain access to a resource, and you define the type of access they have. For example, if several users need to read the same file, you would add their user accounts to a group. You would then give the group permission to read the file. Rights allow users to perform system tasks such as changing the time on a computer, backing up or restoring files, or logging on locally.

Users can be members of multiple groups. A group contains a list of members with references to the actual user accounts.

Preparing to Use Local Groups

The following are guidelines for using local groups:

  • Use local groups on computers that don't belong to a domain.

    You can use local groups only on the computer on which you create the local groups. Although local groups are available on member servers and domain computers running Windows 2000 Professional, don't use local groups on computers that are part of a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups don't appear in directory services based on Active Directory technology, and you have to administer local groups separately for each computer.

  • Assign permissions to local groups for access only to the resources on the computer on which you create the local groups.

NOTE


You can't create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory directory service.

Membership rules for local groups include the following:

  • Local groups can contain local user accounts from the computer on which you create the local groups.
  • Local groups can't be a member of any other group.

Creating Local Groups

Use the Computer Management snap-in to create local groups, as shown in Figure 7.2. You create local groups in the Groups folder.

Figure 7.2 The Computer Management snap-in

Follow these steps to create a local group:

  1. In Computer Management, expand Local Users And Groups and click the Groups folder.
  2. Right-click Groups, and then click New Group.

    Table 7.1 describes the options available in the New Group dialog box.

  3. Enter the appropriate information and then click Create.

Table 7.1 New Local Group Options

Option        Description
Group Name    A unique name for the local group. This is the only required entry. Use any character except for the backslash (\). The name can contain up to 256 characters; however, very long names might not be displayed completely in some windows.
Description   Describes the group.
Add           Adds a user to the list of members.
Remove        Removes a user from the list of members.
Create        Creates the group.
Close         Closes the New Group dialog box.

You can add members to a local group when you create the group by using the Add button, but you can also add users to a local group after you create it.

Deleting Local Groups

Use the Computer Management snap-in to delete local groups. Each group that you create has a unique identifier. Windows 2000 uses this value to identify the group and the permissions that are assigned to it. When you delete a group, Windows 2000 doesn't use the identifier again, even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore access to resources by recreating the group.

When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group doesn't delete the user accounts that are members of the group. To delete a group, right-click the group, and then click Delete.
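The identifier behavior described above can be observed directly. This is an added example, not part of the original lesson: it assumes a current Windows system with Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets; Windows 2000 itself has no PowerShell), an elevated session, and a constructed group name and test file.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts.
$ErrorActionPreference = 'Stop'
$name = 'SidDemo'                              # constructed group name
$file = Join-Path $env:TEMP 'sid-demo.txt'     # constructed test resource
Set-Content -Path $file -Value 'sample data'

# 1. Create the group and grant it Read access to the file.
$old  = New-LocalGroup -Name $name -Description 'Identifier reuse demo'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($old.SID, 'Read', 'Allow')
$acl  = Get-Acl -Path $file
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# 2. Delete the group, then create a new group with the same name.
Remove-LocalGroup -Name $name
$new = New-LocalGroup -Name $name -Description 'Recreated with the same name'

# 3. Compare the identifiers of the deleted and the recreated group.
"Old identifier: $($old.SID.Value)"
"New identifier: $($new.SID.Value)"
"Identifier reused: $($old.SID -eq $new.SID)"

# 4. Read the file's access entries by identifier rather than by name.
#    The entry written in step 1 still names the deleted group's identifier,
#    so the recreated group gains nothing from it.
$sidType = [System.Security.Principal.SecurityIdentifier]
$aces    = (Get-Acl -Path $file).GetAccessRules($true, $false, $sidType)
$orphan  = $aces | Where-Object { $_.IdentityReference.Value -eq $old.SID.Value }
$current = $aces | Where-Object { $_.IdentityReference.Value -eq $new.SID.Value }
"Entry for deleted group still on file: $([bool]$orphan)"
"Entry for recreated group on file:     $([bool]$current)"

# 5. Clean up the demo objects.
Remove-LocalGroup -Name $name
Remove-Item -Path $file
```

An access entry that names an identifier with no matching account is worth flagging during permission reviews, because it marks a grant whose group no longer exists.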

Adding Members to a Group

To add members to a group that has already been created, start the Computer Management snap-in and expand Local Users And Groups. Click Groups, and then in the details pane, right-click the appropriate group and click Properties. In the Properties dialog box, click Add. The Select Users Or Groups dialog box appears, as shown in Figure 7.3.

Figure 7.3 The Select Users Or Groups dialog box

In the Look In list, ensure that the computer on which you created the group is selected. In the Name box, select the user account that you want to add to the group, and then click Add.

NOTE


If you want to add multiple user accounts, you can repeat the process of selecting them one at a time and then click Add, or you can hold down the Shift or Ctrl key to select multiple user accounts at once. With the Shift key down you can select a consecutive range of accounts; with the Ctrl key down you can pick some accounts and skip others. Click Add when you have selected all the accounts that you want to add.

Clicking Add lists the accounts you have selected. Review the accounts to make sure that they are the accounts you want to add to the group, and click OK to add the members.

NOTE


You can also add a user account to a group from the Member Of tab in the Properties dialog box for that user account. Use the Member Of tab to quickly add the same user account to multiple groups.

Practice: Creating and Managing Local Groups

In this practice, you create two local groups. You add members to the local groups when you create them and then add another member to one of the groups after the groups have been created. You delete a member from one of the groups, and then you delete one of the local groups that you created.

NOTE


This practice requires the user accounts that you created when you completed the practice "Creating Local User Accounts" in Chapter 4, "Managing User Accounts." If you didn't set up the user accounts as described in Chapter 4, go back and do the practice in that chapter to set up the user accounts you will work with in this practice.

Exercise 1: Creating Local Groups and Adding and Removing Members

In this exercise, you create two local groups, Sales and Testing. You add members to both groups when you create them. You add a member to an existing group by adding an additional member to the Testing group, and then you remove a member from the Testing group.

To create a local group

  1. Log on to your computer as Administrator.
  2. Click the Start button, point to Programs, point to Administrative Tools, and then click Computer Management.
  3. Expand Local Users And Groups, and then click Groups.

    In the details pane, Computer Management displays a list of current and built-in local groups.

  4. To create a new group, right-click Groups, and then click New Group.

    Computer Management displays the New Group dialog box.

  5. Type Sales in the Group Name box, and type Access to Customer Files in the Description box.
  6. Click Add.

    The Select Users Or Groups dialog box appears.

  7. Hold the Ctrl key down and select User1 and User3.
  8. Click Add.

    PRO1\User1 and PRO1\User3 should be listed in the box below the Add button.

    NOTE


    If you didn't name your computer PRO1, then PRO1 will be replaced by the name of your computer.

  9. Click OK.

    In the New Group dialog box, notice that User1 and User3 are listed in the Members box.

  10. Click Create.

    Windows 2000 creates the group and adds it to the list of users and groups. Note that the New Group dialog box is still open and might block your view of the list of users and groups.

  11. Repeat steps 5 to 10 to create a group named Testing. Type Access to Troubleshooting Tips File in the Description box, and make User2 and User4 members of the Testing group.
  12. When you have created both the Sales and the Testing groups, click Close to close the New Group dialog box.

    Notice that the Sales and Testing groups are listed in the details pane.

To add members to and remove members from a local group

  1. In the details pane of Computer Management, double-click Testing.

    The Testing Properties dialog box displays the properties of the group. Notice that User2 and User4 are listed in the Members box.

  2. To add a member to the group, click Add.

    The Select Users Or Groups dialog box appears.

  3. In the Name box, select User3, click Add, and then click OK.

    The Testing Properties dialog box displays User2, User3, and User4 listed in the Members box.

  4. Select User4 and then click Remove.

    Notice that User4 is no longer listed in the Members box. User4 still exists as a local user account, but it is no longer a member of the Testing group.

  5. Click OK.

Exercise 2: Deleting a Local Group

In this exercise, you delete the Testing local group.

  1. Right-click Testing in the Computer Management details pane, and then click Delete.

    A Local Users And Groups dialog box appears, asking whether you are sure that you want to delete the group.

  2. Click Yes.

    Notice that Testing is no longer listed in the Computer Management window. The members of the group were not deleted. User2 and User3 are still local user accounts on PRO1.

  3. Close Computer Management.
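The two exercises above can also be scripted and checked. This is an added example, not part of the original practice: it assumes a current Windows system with Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts), an elevated session, and that the local accounts User1 through User4 already exist as the practice requires. The helper Get-MemberNames is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Windows PowerShell 5.1+ and existing local accounts User1..User4.
$ErrorActionPreference = 'Stop'

# Hypothetical helper: return a group's member names without the "COMPUTER\" prefix.
function Get-MemberNames([string]$Group) {
    Get-LocalGroupMember -Group $Group |
        ForEach-Object { ($_.Name -split '\\')[-1] } |
        Sort-Object
}

# Exercise 1: create Sales and Testing and add members at creation time.
New-LocalGroup -Name 'Sales' -Description 'Access to Customer Files' | Out-Null
Add-LocalGroupMember -Group 'Sales' -Member 'User1', 'User3'
New-LocalGroup -Name 'Testing' -Description 'Access to Troubleshooting Tips File' | Out-Null
Add-LocalGroupMember -Group 'Testing' -Member 'User2', 'User4'

# Exercise 1, second part: add User3 to Testing, then remove User4.
Add-LocalGroupMember -Group 'Testing' -Member 'User3'
Remove-LocalGroupMember -Group 'Testing' -Member 'User4'

# Check that membership matches what the Testing Properties dialog should show.
$expected = 'User2', 'User3'
$actual   = @(Get-MemberNames 'Testing')
if (Compare-Object $expected $actual) { throw "Unexpected Testing members: $actual" }
"Testing members: $($actual -join ', ')"

# Exercise 2: delete Testing and confirm that only the group is gone.
Remove-LocalGroup -Name 'Testing'
$accounts = Get-LocalUser -Name 'User2', 'User3', 'User4'
"Accounts still present: $($accounts.Name -join ', ')"
"Testing group exists: $([bool](Get-LocalGroup -Name 'Testing' -ErrorAction SilentlyContinue))"
```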

Lesson Summary

In this lesson, you learned that a group is a collection of user accounts. Administration is simplified when you assign permissions and rights to a group of users rather than to each individual user account.

You also learned that when naming a group you should make the name intuitive. You use the Computer Management snap-in to create groups, to add members to a group, to remove members from a group, and to delete groups. In the practice portion of this lesson, you created two local groups and added members to the groups as you created the local groups. You then added another member to one of the local groups. You deleted a member from one of the local groups, and then you deleted one of the local groups.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
