Groups Flashcards
Create and Manage groups
Groups
Group Facts
A group is used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of individual user accounts helps simplify network maintenance and administration. For instance, members of a group receive all the user rights assigned to the group and all the permissions assigned to the group on any shared resources.
Like user accounts, there are both local and domain groups.
Local groups exist only on the local computer, and control access to local resources.
Domain groups exist in Active Directory, and can be used to control access to domain and local resources. In an Enterprise environment, you will work mainly with domain groups.
Active Directory groups have a group scope. The scope defines the potential group membership and the resource access that can be controlled through the group.
Global Groups
Global groups can contain members within the same domain. These include:
Global groups in the same domain (in native mode only).
Users and computers within the same domain.
Use global groups to group users and computers within the domain who have similar access needs.
Resource Access:
Global groups can be assigned permissions to resources anywhere in the forest.
Create global groups to organize users (e.g., Sales or Development).
Domain Local Groups
Domain local groups can contain members from any domain in the forest. These include:
Domain local groups in the same domain (in native mode only).
Global groups within the forest.
Universal groups within the forest (in native mode only).
Users and computers within the forest.
Domain local groups can be assigned permissions within a domain.
Resource Access:
Create domain local groups representative of the domain controller resources to which you want to control access, and then assign permissions on the resource to the group.
Universal Groups
Universal groups can contain members from any domain in the forest. These include:
Universal groups within the forest.
Global groups within the forest.
Users and computers within the forest.
Universal groups can be assigned permissions to resources anywhere in the forest.
Resource Access:
Universal group membership should be relatively stable. For this reason, you should only add global or universal groups to universal groups. Avoid adding user accounts directly to universal groups.
Types of Groups: Security and Distribution
Security
A security group is one that can be used to manage rights and permissions.
Group members get the permissions that are granted to the group.
A security group is an object with a security identifier (SID) that, through its member attribute, collects other objects such as users, computers, contacts, and other groups.
Distribution
A distribution group is used to maintain a list of users and is typically used for sending e-mails to all group members. Distribution groups cannot be used for assigning permissions.
Manage Groups
Be aware of the following when managing groups:
The basic best practices for user and group security are:
Create groups based on user access needs.
Assign user accounts to the appropriate groups.
Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.
After creating a group, you may need to convert the group’s scope and/or type.
Converting a security group to a distribution group removes permissions assigned to the group. This could prevent or allow unwanted access.
You cannot directly convert a group from global to domain local or domain local to global. Instead, convert the group to a universal group and apply the changes, then convert the group to the desired scope.
If a global group is nested in another global group, the nested global group cannot be converted to a universal group because a universal group cannot be a member of a global group.
To add or remove members of a group, use one of the following methods:
On the group object, edit the Members tab and add the group members. Use this method to efficiently add multiple members to the same group.
On the user account, edit the Member Of tab and select the group to which you want to add the user. The Member Of tab displays all of the groups of which the object is a member. Use this method to efficiently add a single user to multiple groups.
Because a group can be a member of another group, a group object also has a Member Of tab. Adding objects to the Member Of tab for a group makes the group a member of another group (it does not add members to the group).
When you delete a group, all information about the group (including any permissions assigned to the group) is deleted. User accounts, however, are not deleted; they are simply no longer associated with the group. If you need to recover a deleted group, use one of the following strategies:
Re-create the group, add all the original group members, and reassign any permissions granted to the group.
Restore the group from a recent backup.
Default Local Groups
A local group is created on, and available only on, a single local computer. Windows creates default local groups automatically during installation. These groups have default rights, permissions, and group memberships. You can rename these groups, but you cannot delete them. Some default groups are listed in the following table:
Group / Description
Administrators
Members of the Administrators group have complete and unrestricted access to the computer, including every system right. The group contains the Administrator user account (by default) and any account designated as a computer administrator.
Backup Operators
Members of the Backup Operators group can back up and restore files (regardless of permissions), log on locally, and shut down the system. However, members cannot change security settings.
Users
Members of the Users group:
Can use the computer but cannot perform system administration tasks and might not be able to run legacy applications.
Cannot share directories or install printers if the driver is not yet installed.
Cannot view or modify system files.
You should know the following about the Users group:
Any user created with Local Users and Groups is automatically a member of this group.
User accounts designated as limited use accounts are members of this group.
Power Users
Members of the Power Users group have no more user rights or permissions than a standard user account, by default. For legacy applications that require the Power User rights and permissions present in previous versions of Windows, administrators can apply a security template that gives the Power Users group those same rights and permissions.
Guests
Members of the Guests group have limited rights (similar to members of the Users group), such as shutting down the system. Members of the Guests group have a temporary profile created at logon that is deleted when the member logs off.
Note: Additional groups, such as Network Configuration Operators and Replicator, also exist. Additionally, many features or applications may create default groups. In most cases, you should not modify the membership or privileges of these groups without understanding how they are used.
Default Domain Groups
A domain group is a resource group to which permissions to access resources can be assigned on a domain-wide scale. Active Directory includes several default groups that are created automatically. These groups have default members, rights, and permissions. The following table lists some of the default groups that are created in the Builtin folder:
Builtin Group / Description
Administrators
Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right.
Server Operators
Log on locally, back up and restore files and directories, change the system time, and force a local or remote shutdown. Can also create and delete shared resources, format the hard disk, and start and stop some services. Abilities extend to domain controllers.
Backup Operators
Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
Account Operators
Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups.
Guests
The domain Guest account is a member of this group. The group does not have any default rights.
Network Configuration Operators
Change TCP/IP settings, including changes on domain controllers.
Print Operators
Create, share, manage, and delete printers on domain controllers. Manage Active Directory printer objects. Log on locally, add or remove device drivers, and shut down domain controllers.
Users
Perform common tasks such as running applications, using local and remote printers, and locking workstations. By default, all domain members are members of this group.
Additional domain groups are also created in the Users folder in Active Directory. The following table describes some of these groups:
User Group / Description
Domain Admins
Full control over the domain. This group is a member of the Administrators group on all computers when they are joined to the domain. This means that members of the Domain Admins group can perform all tasks on any computer in the domain (including domain controllers).
Domain Computers
Contains all computers that are members of the domain. When you join a computer to the domain, it becomes a member of this group.
Domain Controllers
Contains all domain controllers. When a computer is made a domain controller, it is added to this group.
Domain Guests
Contains all domain guests. It does not have any default rights.
Domain Users
Contains all domain users. This group can be used to give access to all users in a domain.
Enterprise Admins
Full control over all domains in the forest. This group is a member of the Administrators group on all computers in the forest, allowing its members to perform any task on any computer in the forest.
Schema Admins
Full control over the Active Directory schema. By default, the Administrator account is a member of this group.
Read-only Domain Controllers
Contains all members who have administrative access to the Read-Only Domain Controllers in the domain.
DHCP Administrators
Contains all members who have administrative access to the DHCP service.
Cert Publishers
Contains all members who are permitted to publish certificates to the directory.
Note: When working with domain networking resources, use domain groups for controlling access. However, to enable users to manage local systems, make domain user or group accounts members of the local groups.