1

Module 4

Setting Up Group Accounts

2

Overview

Introduction to Groups

Planning a Group Strategy

Creating Local and Global Groups

Implementing Built-in Groups

Best Practices

3

Introduction to Groups

Groups Are Collections of User Accounts

Group Members Get All Group Permissions and Rights

Local Groups Provide Access to Resources and Rights to Perform System Tasks

Global Groups Organize Users

ResourcesResources Global Group“Sales”

Global Group“Sales”

PermissionsPermissionsPermissionsPermissions

Local Group“Resources”Local Group“Resources”

4

Local and Global Groups Summary

Local GroupsLocal GroupsLocal GroupsLocal Groups

Provide users with permissions or rightsProvide users with permissions or rights

Can include (from any domain): User accounts Global groups

Can include (from any domain): User accounts Global groups

Cannot include other local groupsCannot include other local groups

Are assigned permissions and rights in the local domainAre assigned permissions and rights in the local domain

On Windows NT Workstation or member server, can only be assigned to local resources

On Windows NT Workstation or member server, can only be assigned to local resources

On a PDC, can be assigned resourceson any domain controller in the domain

On a PDC, can be assigned resourceson any domain controller in the domain

Organize domain users Organize domain users

Global GroupsGlobal GroupsGlobal GroupsGlobal Groups

Can only include user accounts in the domain where it residesCan only include user accounts in the domain where it resides

Cannot contain local or global groupsCannot contain local or global groups

Are added to a local group to give its members rightsAre added to a local group to give its members rights

Are not assigned to local resourcesAre not assigned to local resources

Must be created on a PDC in the domain where the accounts resideMust be created on a PDC in the domain where the accounts reside

5

Planning a Group Strategy

Logically Organize Users Based on Common Needs Create Global Groups and Add User Accounts Create Local Groups Based on Resource Access Needs Assign Permissions to Local Groups Add Global Groups to Local Groups

6

Creating Local and Global Groups

You Must Be a Member of Administrators or Account Operators Group

You Can Create Local Groups on Any Windows NT Computer

You Create Global Groups on a PDC from Any Computer Running User Manager for Domains

Group Names Must Be Unique to the Domain

User Manager - DOMAIN1

User View Policies Options HelpUser

New User...

New Global Group...

New Local Group...

Copy... F8Delete DelRename...Properties... EnterSelect Users...

Select Domain

Exit

New Global Group...

7

Creating Global Groups

New Global Group

QuebecGroup Name:

Description: Quebec domain users

OK

Cancel

HelpMembers:

Eric Blondel Eric

< - Add

Remove - >

Not Members:

Account adminstra AcctmanLinda Kobora LindaSandy Alto SandyRyan Calafato RyanKathryn Yusi KathrynSusan Stevenson SusanRick Wallace RickAdministrator

Account adminstraAcctman

8

Creating Local GroupsNew Local Group

SalesGroup Name:

Description:

Show Full Names

Add...

Remove

Members:

StefanH

OK

Cancel

Help

Sales Personnel Add Users and Groups

Names:List Names From:

Administrators Members can fully administer the computAccount Operators Members can administer domain user an

CancelOK Help

Backup Operators Members can bypass file security to bacDomain Admins Designated administrators for the domainDomain Guests All domains guests

Everyone All UsersGuests Users granted guest access to the comp

Type of Access:

CLASSROOM\Domain Users

Show UsersAddAdd Members...Members... Search...

Add Names:

CLASSROOM*

Read

Domain Users All domains users

DomainsDomainsDomainsDomains

9

Deleting Groups

New User...

New Global Group...

New Local Group...

Copy... F8Delete DelRename...Properties... EnterSelect Users...

Select Domain

Exit

Delete Del

User Manager - DOMAIN_A

User View Policies Options HelpUser

Deleting a Group:

Permanently removes permissions and rights associated with it

Does not delete the member user accounts

10

Implementing Built-in Groups

Built-in Local Groups

Give users rights to perform system tasks

Built-in Global Groups

Give administrators a way of controlling domain resources

System Groups

Organize users for system use

Membership is automatic and cannot be modified

User Rights Policy

Show Advanced User Rights

Computer: User-1

Cancel

OK

Help

Add...

Remove

Grant to:

EveryonePower Users

Administrators

Right: Access this computer from network

11

Built-in Groups on All Windows NT Computers

UsersUsersUsersUsers

Ordinary usersOrdinary users

AdministratorsAdministratorsAdministratorsAdministrators

AdministratorAdministrator

GuestsGuestsGuestsGuests

GuestGuest

Backup Backup OperatorsOperatorsBackup Backup

OperatorsOperators

No membersNo members

Power UsersPower UsersPower UsersPower Users

No membersNo members

Windows NT ServerDomain Controller

Windows NT ServerDomain Controller

Windows NT ServerMember Server

Windows NT ServerMember Server

Windows NT WorkstationWindows NT Workstation

12

Built-in Groups on Domain Controllers Only

Domain ControllerDomain Controller

Local GroupsLocal Groups

Account OperatorsAccount

Operators

PrinterOperators

PrinterOperators

ServerOperators

ServerOperators

Global GroupsGlobal Groups

UsersUsersUsersUsers

DomainUsers

AdministratorsAdministratorsAdministratorsAdministrators

DomainAdmins

GuestsGuestsGuestsGuests

DomainGuests

DomainUsers

DomainUsers

DomainGuests

DomainGuests

DomainAdminsDomainAdmins

13

Built-in System Groups

Reside on All Computers

Membership Cannot Be Modified

Users Become Members Automatically During Network Activity

Two Key System Groups

Everyone

Creator Owner

14

Best Practices

Add Users to Built-in Groups that Are Most RestrictiveAdd Users to Built-in Groups that Are Most Restrictive

Add Domain Admins from Other Domains to Local Administrators Add Domain Admins from Other Domains to Local Administrators

Assign Rights to Users Only If Built-in Groups Don’t Meet Your NeedsAssign Rights to Users Only If Built-in Groups Don’t Meet Your Needs

Use Domain Users Instead of Everyone (Medium and High Security)Use Domain Users Instead of Everyone (Medium and High Security)

15

Review

Introduction to Groups

Planning a Group Strategy

Creating Local and Global Groups

Implementing Built-in Groups

Best Practices