Adding Group Accounts

The type of group you need depends on your network configuration. In domains, you’ll typically work with security and distribution groups. In workgroups, you’ll typically work with local groups that pertain only to specific machines.

Creating Security and Distribution Groups

As discussed previously, security groups are used to manage access permissions for groups of users, and distribution groups are used for mail distribution lists. Regardless of which type of group you create, the way the group is used depends on its scope. Scope controls the areas in which the group is valid, and the defined scopes are as follows:

  • Domain local groups: Groups used to grant permissions within a single domain. Their members can include only accounts (both user and computer accounts) and groups from the domain in which they’re defined.

  • Global groups: Groups used to grant permissions to objects in any domain in the domain tree or forest. Their members can include only accounts and groups from the domain in which they’re defined.

  • Universal groups: Groups used to grant permissions on a wide scale throughout a domain tree or forest. Their members can include accounts, global groups, and other universal groups from any domain in the domain tree or forest.

Note

Universal security groups are available only when Active Directory is running at the Windows 2000 native functional level or at the Windows Server 2003 functional level, and are more useful on larger networks than on smaller ones. Primarily this is because they add another level of group hierarchy for administrators to manage; therefore, their benefits are clearer in large installations where you need more control over groups.

Table 13-1 summarizes the capabilities of groups based on the scope and the operations mode. As the table shows, both affect what you can and can’t do with groups.

Table 13-1: Group Capabilities With Regard to Functional Level and Scope

Windows Server 2003 / Windows 2000 Native functional level
  Domain Local Scope: Members can include user accounts, global groups, and universal groups from any domain; domain local groups from the same domain only.
  Global Scope: Members can include only user accounts from the same domain and global groups from the same domain.
  Universal Scope: Members can include user accounts from any domain, as well as groups from any domain regardless of scope.

Windows 2000 Mixed functional level
  Domain Local Scope: Members can include user accounts and global groups from any domain.
  Global Scope: Members can include only user and group accounts from the same domain.
  Universal Scope: Universal security groups can’t be created in mixed-mode domains.

Member Of
  Domain Local Scope: Can be put into other domain local groups and assigned permissions only in the same domain.
  Global Scope: Can be put into other groups and assigned permissions in any domain.
  Universal Scope: Can be put into other groups and assigned permissions in any domain.

When you create groups, you pass DSADD GROUP the group’s DN. The common name component of the DN sets the group’s display name. The rest of the DN specifies where in Active Directory the group is to be located, which includes the container in which the group is to be created and the related domain. By default, if you provide no other parameters, a global security group is created. For example, you could create a global security group called Sales in the Sales organizational unit of the cpandl.com domain by typing

dsadd group "CN=Sales,OU=Sales,DC=cpandl,DC=com"

The group would be created with Sales as the group’s display name and the same value as the SAM account name. No other properties would be set, however.

Group names aren’t case-sensitive and can be as long as 64 characters. In most cases, you’ll want to specify the group type and scope directly. You use the –Secgrp parameter to specify whether the group is a security group, as follows:

  • Type –secgrp yes to specify that you are creating a security group.

  • Type –secgrp no to specify that you are creating a distribution group.

To set the group scope, use the –Scope parameter, as follows:

  • Type –scope l to create a domain local group.

  • Type –scope g to create a global group.

  • Type –scope u to create a universal group. For security groups, this is valid only when running at the Windows Server 2003 functional level.

Note

By default, groups are created as security groups with a global scope. Therefore, even if you create a security group with a different scope, you don’t have to specify –secgrp yes because this is the default.

The first 20 characters of the group name are used to set the SAM account name of the group, which is also referred to as the pre–Windows 2000 group name. The SAM account name must be unique in the domain, so if there is an overlap you might want the group’s SAM account name to be different from its display name. In this case, you would need to set the SAM account name using the –Samid parameter.

You can also specify the group membership when you create the group. If the group you are creating should be a member of an existing group, you can use the –Memberof parameter to specify the DNs for these groups. If the group should have users or other groups as its members, you can specify the DNs for these members using the –Members parameter. However, it is much easier to use DSMOD GROUP to configure group membership. Why? You can pass DSMOD GROUP a list of DNs as input from DSQUERY USER. This saves you from having to type several dozen and sometimes hundreds of DNs.

Consider the following examples to see how groups can be created:

Create a domain local security group called Engineering. Add the group to the Engineering OU in the tech.cpandl.com domain.

dsadd group "CN=Engineering,OU=Engineering,DC=tech,DC=cpandl,DC=com" -scope l

Create a global security group called Engineering Global in the Users container of the cpandl.com domain. Set the SAM account name to gEngineering.

dsadd group "CN=Engineering Global,CN=Users,DC=cpandl,DC=com" -samid "gEngineering"

Create a universal distribution group called Engineering All in the Engineering OU of the cpandl.com domain. Set the SAM account name to allEngineering.

dsadd group "CN=Engineering All,OU=Engineering,DC=cpandl,DC=com" -samid "allEngineering" -secgrp no -scope u

If there are problems creating the group, you’ll see a warning and you’ll need to check your syntax, ensuring that all the values are set appropriately and that the DN values are valid. Otherwise, DSADD GROUP should report DSADD SUCCEEDED. Once the group is created, you can add members and set additional properties, as discussed later in this chapter.
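The rules above (CN as display name, first 20 characters as the default SAM account name, 64-character limit, global security group as the default, universal security groups only at the higher functional level, unique SAM names) can be checked before a DSADD GROUP command ever reaches the domain. The following Python model is an added example, not code from the book or from the DSADD tool; it only builds and validates the command line. The native_level flag and existing_samids set are assumed inputs standing in for the real state of the domain.

```python
import re

# One RDN of the DN: CN=, OU= or DC= followed by a value without commas.
RDN_RE = re.compile(r"^(CN|OU|DC)=([^,]+)$", re.IGNORECASE)

def parse_dn(dn):
    """Split a group DN into (type, value) pairs and check its shape.
    Assumption: values contain no escaped commas (the examples here never do)."""
    matches = [RDN_RE.match(part.strip()) for part in dn.split(",")]
    if not all(matches):
        raise ValueError("malformed DN component in: " + dn)
    rdns = [(m.group(1).upper(), m.group(2)) for m in matches]
    # A group DN starts with the CN and ends with the DC= components of the domain.
    if rdns[0][0] != "CN" or rdns[-1][0] != "DC":
        raise ValueError("group DN must start with CN= and end with the DC= components")
    return rdns

def build_dsadd_group(dn, secgrp=True, scope="g", samid=None,
                      native_level=True, existing_samids=()):
    """Apply the group-creation rules from this section and return the
    DSADD GROUP command line plus the display name and SAM account name it sets.
    native_level and existing_samids are assumed inputs (hypothetical stand-ins
    for querying the domain); the command is only built here, never run."""
    rdns = parse_dn(dn)
    name = rdns[0][1]                      # the CN becomes the display name
    if len(name) > 64:
        raise ValueError("group names can be at most 64 characters")
    if scope not in ("l", "g", "u"):
        raise ValueError("scope must be l (domain local), g (global) or u (universal)")
    if secgrp and scope == "u" and not native_level:
        raise ValueError("universal security groups need the native/2003 functional level")
    sam = samid or name[:20]               # default SAM name: first 20 characters of the CN
    if sam.lower() in {s.lower() for s in existing_samids}:   # SAM names are not case-sensitive
        raise ValueError("SAM account name already used in this domain: " + sam)
    cmd = ["dsadd", "group", '"%s"' % dn]
    if samid:
        cmd += ["-samid", '"%s"' % samid]
    if not secgrp:                         # security group is the default, so only "no" is emitted
        cmd += ["-secgrp", "no"]
    if scope != "g":                       # global is the default scope
        cmd += ["-scope", scope]
    return " ".join(cmd), name, sam
```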

Creating a Local Group and Assigning Members

Local groups are created on individual computers to help manage permissions for users that log on locally instead of logging on to the domain. To create a local group, you’ll need to log on to the computer you want to work with or use a remote logon to access a local command prompt. Once you are logged on to the computer, you can create the required local group account using NET LOCALGROUP.

You can create the local group simply by following the command name with the name of the group and then using the /Add parameter. Consider the following example:

net localgroup localDevs /add

Note

You can’t create local group accounts on domain controllers. Domain controllers do not have local machine accounts.

Here, you create a group called localDevs on the local computer. If you wanted, you could also use the /Comment parameter to add a description of the group, such as

net localgroup localDevs /comment:"Local Developers and Testers" /add

If the account creation is successful, NET LOCALGROUP will state “Command Completed Successfully.” However, if there are problems creating the account, NET LOCALGROUP won’t display an error message per se. Instead, it will display the command syntax. In this case, check your syntax and ensure that all the values are set appropriately.

When you create a local group, you can also specify a list of local user accounts which should be members of the group. This list of names follows the group name as shown in this example:

net localgroup localDevs williams johng edwardh /add

Here, you create a group called localDevs and add WilliamS, JohnG, and EdwardH as members.

If you want to add members to a local group later rather than when you create the group, you can do this as well. The syntax is the same as for creating the group. For example, if you create a group called custSupport by typing

net localgroup custSupport /add

you could later add members to this group by typing

net localgroup custSupport williams johng edwardh /add

Here, you add WilliamS, JohnG, and EdwardH as members to the custSupport group.

Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004
Pages: 114