Section 8.4: Group Accounts

A group is a collection of user and/or computer accounts, and contacts that are managed as a single object. The users and computers that belong to the group are known as group members. Groups are used to simplify the administrative process of assigning permissions and rights to a large number of user and computer accounts at the same time, resulting in these groups' members having inherited permissions from the group.

When you install Windows Server 2003, a number of default groups are created on the computer and are known as local groups. In addition, computers that are part a domain also have a number of default groups that reside within the Active Directory database structure. You can create additional groups for both workstation and domain-based computers.

Windows Server 2003 supports two types of groups: distribution groups, and security groups.

• You can use distribution groups for distributing messages to group members by assigning an e-mail address to the distribution group. All members of the distribution group that are mailbox enabled will receive e-mail messages sent to the distribution group's e-mail address. This is the only usage for distribution groups.

• You can also use security groups for the distribution of e-mail messages. But you can also use security groups to simplify and reduce administrative requirements by assigning permissions and rights for network resources to the group rather than to each individual user that requires access. All users and groups that are members of the group will receive the configured permissions and rights through inheritance. In addition, security groups enable you to delegate administrative responsibilities for performing specific tasks in Active Directory. Security groups also provides you with the capability to move users in and out of groups as their jobs and task requirements dictate

8.4.1: Group Scope

The scope of a group identifies the extent to which the group is applied throughout the domain tree or forest.

There are four group scopes: local groups, domain local groups, global groups, and universal groups.

• Local groups can contain user accounts from the local machine, user accounts from the domain the local machine is joined to, or user accounts from any trusted domains of the domain the computer is joined to. Only local groups can manage permissions for local resources.

• Domain local groups can include other groups and user and/or computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Permissions for only the domain in which the group is defined can be assigned to domain local groups. Thus, domain local groups can be used to manage access to resources within a domain.

• Global groups can include other groups and user and/or computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups. Global groups are not replicated beyond the boundaries of their own domains, thus changes can be made to global group members without creating large amounts of replication traffic to the Global Catalog servers. Permissions and user rights that are assigned to global groups are only valid in the domain in which they are assigned.

• Universal groups can include other groups and user and/or computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups. Universal groups are only available if your domain functional level is set to the Windows 2000 native domain functional level. Universal groups are best used to consolidate global groups into one location. Since user accounts are added to the global groups, membership changes in the global groups do not have an effect on the universal group.

8.4.2: Group Nesting

Group nesting refers to placing one group in another, so that the group becomes a member of parent group. Groups can be nested to help consolidate large numbers of user and computer accounts to reduce replication traffic. The type of nesting you can perform is determined by the domain functional level of the domain.

If the domain functional level is set to the Windows 2000 native domain functional level or the Windows Server 2003 domain functional level, groups can have the following members:

• Domain local groups can contain other domain local groups in the same domain, global groups from any domain, universal groups from any domain, user accounts from any domain, and computer accounts from any domain.

• Global groups can contain other global groups in the same domain, user accounts in the same domain, and computer accounts in the same domain.

• Universal groups can contain other universal groups from any domain, global groups from any domain, user accounts from any domain, and computer accounts from any domain.

If the domain functional level is set to the Windows 2000 mixed domain functional level, distribution groups can have the same membership as in the to the Windows 2000 native domain functional level or the Windows Server 2003 domain functional levels.

If the domain functional level is set to the Windows 2000 mixed domain functional level, security groups can have the following members:

• Domain local groups can contain other global groups from any domain, user accounts from any domain, and computer accounts from any domain.

• Global groups can contain user accounts in the same domain and computer accounts in the same domain.

8.4.3: Creating Groups

You can use Active Directory Users and Computers console in Administrative Tools or the dsadd command-line utility to create groups. To create a group using Active Directory Users and Computers, do the following: 3

• Click on the START button

• Point to ALL PROGRAMS

• Point to ADMINISTRATIVE TOOLS

• Open ACTIVE DIRECTORY USERS AND COMPUTERS

• In the console tree, right-click the folder in which you want to add a new group

• Point to NEW

• Then click GROUP

• Enter a name of the new group

• In Group scope, select the group scope for the group

• In Group type, select the group type of the new group

• Then click OK

The dsadd command used to create a group requires the group parameter to. The syntax for this command is:

dsadd group <group DN>

[-secgrp {yes | no}]

[-scope {l | g | u}]

[-samid <ДМ name>]

[-desc <description>]

[-memberof < group .

. .>]

[-members <member ..

.>] [-s <server> | -d

<domain>] [-u <user

name>]

[-p{ <password> | 3

}] [-q] [{-uc | -uco

-uci}]

Table 8.5: The Dsadd Command-line Parameters

The parameters used in this syntax are discussed in Table 8.5.

Parameter

Description

<group DN>

-secgrp {yes | no}

-scope {l | g | u}

-samid <SAM name>

-desc <description>

-memberof <group . . .>

-members <member

.>

-s <server> | -d <domain>

-u <user_name>

-p{ <password> | 3 }

Specifies the distinguished names (DNs) of the group account you want to create.

Specifies that the group is a security group if set to yes, or a distribution group if set to no.

Specifies the group scope. The valid switches for this parameter are:

• l, which specifies a local group;

• g, which specifies a global group and is the default; and

• u, which specifies a universal group. If the domain is in the Windows 2000 mixed domain functional level, universal groups are not supported.

Sets the group's SAM account name to the value specified in <S3M_name>.

Sets the group description to that specified in

< des cription>.

Makes the group a member of the group(s) listed by their distinguished name (DN) in <group . .. >. If multiple groups are listed, their distinguished name must be separated by a space.

Adds the members listed in <member ...> to the group. If multiple members are listed, their distinguished name must be separated by a space.

-s <server> connects to the domain controller with the specified <server> name, while -d <domain> connects to a domain controller in the specified <domain>.

Specifies the user account to use when connecting.

-p <password> specifies the password to be used with the user account to use when connecting while -p 3

specifies that the command prompt the user for a password when connecting.

-q

Sets the command to run in quiet mode. In this mode, all command output is suppressed to the standard output.

-uc

Specifies that the input from or output to pipe is formatted in Unicode.

-uco

Specifies that the output to pipe or file is formatted in Unicode.

-uci

Specifies that the input to pipe or file is formatted in Unicode.

You can use the dsmod command-line utility to modify one or more existing groups. The syntax for the dsmod command is:

dsmod group

A

4

0

1

..> [-samid

<SAM name>]

[-desc <description>]

[-secgrp

{yes | no}]

[-scope {l |

1 g |

u}]

[{-addmbr

| -rmmbr |

-chmbr} <member

...>] [

-s <server> |

-d <domain>]

[-u <user

В

CD

V

l

<password>

| *

}] [-c]

[-q] [{-uc |

-uco | -uci}]

As you can see, the syntax for the dsmod command is similar to that of the dsadd command. The two differences are:

• The -c switch, which sets the command to run in continuous mode. In this mode, the command reports errors but continues with the next group in the argument list when multiple computer objects are specified in <group_DN ... >; and

• The [{-addmbr | -rmmbr | -chmbr} <member ...>] clause. This clause contains three parameters: -addmbr, -rmmbr and -chmbr. The -addmbr parameter adds the <member ...> list to the group; the -rmmbr parameter removes the members listed in <member ...> from the group; and -chmbr replaces the current members of the group with those listed in <member ...>.

8.4.4: Adding a User to a Group

Right-clicking a user account in Active Directory Users and Computers and choosing Add to a group enables you to add the selected user account to a group. Alternatively, you can use the dsmod command to add user to the group by using the -addmbr parameter and listing the distinguished name of the user accounts that you want to add to the group in the <member ...> list.