Page 1
6.1 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
A group in Active Directory is a collection of users, computers, contacts, and other group objects within a forest
Users in a group are assigned rights and permissions, which allow them to access network resources such as files, folders, and applications
(Skill 1)
Introducing Groups
Page 2
6.2 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Rights and permissions
Rights give users the capability to perform certain actions such as changing the system time or shutting the system down
Permissions grant users a particular level of control over specific resources
Introducing Groups (2)
(Skill 1)
Page 3
6.3 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Group membership
Multiple users can be part of a single group
Conversely, one user can be a member of multiple groups
Creating groups ensures that the administrator does not need to assign similar permissions to individual users separately
Introducing Groups (3)
(Skill 1)
Page 4
6.4 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Figure 6-1 Granting individual permissions vs. group permissions
(Skill 1)
Page 5
6.5 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
When you are creating groups, there are two basic settings
Group type
Group scope
There are two types of groups
Distribution groups
Security groups
Introducing Groups (4)
(Skill 1)
Page 6
6.6 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Distribution groupsUsed exclusively for sending e-mail messages to a
group of usersCannot be used to set security permissions
Introducing Groups (5)
(Skill 1)
Page 7
6.7 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Security groups
Used to define the rights and permissions users will have to access resources on a computer or a network
When a user requests access to a network resource, the credentials of the user are validated against the group permissions to verify whether the user is allowed access
Can be used to distribute e-mail to multiple users because security groups have all the same capabilities as distribution groups
Introducing Groups (6)
(Skill 1)
Page 8
6.8 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Security groups
Security groups are listed in Discretionary Access Control Lists (DACLs)
A DACL is a list that defines the permissions that are allowed or denied to specific users and groups for resources and objects
After you have selected the group type, you need to decide on the group scope
Introducing Groups (7)
(Skill 1)
Page 9
6.9 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
There are three group scopes
Domain local
Global
Universal
Introducing Groups (8)
(Skill 1)
Page 10
6.10 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Domain local group scope
Created in Active Directory on a domain controller
Generally used to grant access rights to network resources such as printers and shared folders
The scope of a domain local group is the domain in which the group was created
The distinguishing feature of domain local groups is that they can include members from any domain
Introducing Groups (9)
(Skill 1)
Page 11
6.11 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Global group scope
Used to group users who share similar roles in the organization
In most typical environments, a global group is created for each job function or title
Can contain members only from its own domain
Is visible in all domains in the forest, and permissions can be assigned to members for resources in any domain
Introducing Groups (10)
(Skill 1)
Page 12
6.12 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Global group scope
In Windows 2000 native mode and Windows Server 2003 mode, global groups can be nested in other global groups
Universal groups and global groups from any domain can be nested in domain local groups
In Windows 2000 mixed mode, global groups from any domain can be nested in domain local groups
Introducing Groups (11)
(Skill 1)
Page 13
6.13 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Universal group scope
Can contain members from any domain and are visible in all domains
Are unique in that they are stored entirely on global catalog servers
Used when there are multiple domains in a forest
Are available only when Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode
Introducing Groups (12)
(Skill 1)
Page 14
6.14 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Universal group scope
Windows Server 2003 Active Directory has four modes
Windows 2000 native mode
Windows 2000 mixed mode
Windows Server 2003 interim mode
Windows Server 2003 mode
Introducing Groups (13)
(Skill 1)
Page 15
6.15 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Windows 2000 native mode is available only when all domain controllers in the domain are running either Windows 2000 Server or Windows Server 2003
Domains are configured by default to run in Windows 2000 mixed mode
This allows the coexistence of Windows NT, Windows 2000, and Windows Server 2003 domain controllers in the same domain
Introducing Groups (14)
(Skill 1)
Page 16
6.16 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
If your domain consists of only Windows Server 2003 domain controllers, you can switch to Windows Server 2003 mode
You cannot create universal groups in a domain on which Active Directory is running in Windows 2000 mixed mode
Introducing Groups (15)
(Skill 1)
Page 17
6.17 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Since Windows 2000 mixed mode is the default setup, to create universal groups you must transfer to Windows 2000 native mode or Windows Server 2003 mode after all domain controllers have been upgraded
In Windows 2000 native mode or Windows Server 2003 mode, domains, user accounts, computer accounts, other universal scope groups, and groups with global scope from any domain can join a group with universal scope
In Windows 2000 mixed mode, only user accounts can be members of global groups
Introducing Groups (16)
(Skill 1)
Page 18
6.18 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Nesting
The process of adding a group to other groups or consolidating the groups in a network
You can add user groups, as well as groups of other network resources, such as computers and contacts, to create a consolidated group
It simplifies the management of your network
Introducing Groups (17)
(Skill 1)
Page 19
6.19 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Nesting
It is important to document the access permissions granted to users and their group membership
Reduces group allocation mistakes
Eliminates the redundant inclusion of user accounts in groups
Having more than a single level of nesting is not advisable because troubleshooting a problem on a network that implements multiple levels of nesting can be complicated
Introducing Groups (18)
(Skill 1)
Page 20
6.20 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
“The Microsoft rule”
This strategy suggests that even if you have only a single domain, consider using the global and domain local group strategy to assign permissions to network resources
Essentially, you build one global group for each position or job function
Each time you create a share, you typically create four separate domain local groups for different levels of access to the share
You would make the global group or groups members of the appropriate domain local group
Planning Group Strategies (2)
(Skill 2)
Page 21
6.21 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Benefits of using the Microsoft rule
Modularity
Ease of modification
A reduction in the size of the global group list
Summarize the rule using the acronym A-G-DL-P: Accounts go into global groups, which go into domain local groups, which are assigned permissions
Planning Group Strategies (3)
(Skill 2)
Page 22
6.22 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Figure 6-3 Strategy for creating global and domain local groups
(Skill 2)
Page 23
6.23 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Strategies for using the universal group scope
Before creating universal groups, make sure that the memberships of those groups will not change frequently
Never add a user account as a member of a universal group; instead, add global groups as members of universal groups
Universal groups are designed to be used in one specific situation
Planning Group Strategies (4)
(Skill 2)
Page 24
6.24 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Strategies for using the universal group scope
When you use universal groups to organize global groups from multiple domains, the Microsoft rule is modified so that universal groups are nested in between global and domain local groups
The acronym is now A-G-U-DL-P: Accounts go into global groups, which go into universal groups, which are placed in domain local groups, which are assigned permissions
Planning Group Strategies (5)
(Skill 2)
Page 25
6.25 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Groups can be used to effectively manage large numbers of users and resources
Even in small environments, it is advised that you follow the Microsoft rule for creating groups and assigning permissions
Creating Groups
(Skill 3)
Page 26
6.26 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
As organizational changes are made, some groups may become redundant
It is important to delete groups that are no longer required
Maintains security
Avoids accidentally assigning permissions to groups and resources that are no longer required
Windows Server 2003 Active Directory uses the Security Identifier (SID) to identify a particular group and assign permissions to it
Creating Groups (2)
(Skill 3)
Page 27
6.27 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Security Identifier (SID)
A unique number that identifies each security object in Active Directory
When a group is deleted, the SID for that group is also deleted and is never used by Windows Server 2003 again
You cannot recreate and restore the settings for a deleted group
Creating Groups (3)
(Skill 3)
Page 28
6.28 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Figure 6-4 Creating a group
(Skill 3)
Page 29
6.29 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
After you have created a group, you can open the Properties dialog box for the group to set its properties
Tabs on the Properties dialog box for a group
General: Describes the scope and type assigned to the group
Members: Used to add members of the domain to the group; members of a group can include user accounts, contacts, other groups, or computers
Setting Group Properties
(Skill 4)
Page 30
6.30 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Tabs on the Properties dialog box for a group
Member Of: Used to add the group to other groups in the domain or universal groups in other domains in the forest
Managed By: Used to specify the user or contact person managing the group
Object: Specifies the path to the group within the domain
Security: Used to set permissions for the members of the group
Setting Group Properties (2)
(Skill 4)
Page 31
6.31 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Figure 6-6 Selecting a user for the group
(Skill 4)
Page 32
6.32 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Sometimes groups with a domain local scope are referred to as local groups
However, there is a vast difference between a local group and a domain local group
Unlike a domain local group, which is a collection of user accounts from a domain, a local group is used to manage local user accounts on a single server or a stand-alone computer
In other words, groups with a local scope are called local groups
Creating Local Groups
(Skill 6)
Page 33
6.33 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
The access level for local groups is limited to resources located on the computer on which the group is created
Local groups are mainly used in peer-to-peer or workgroup networks, or on stand-alone computers that are not part of a domain
You populate local groups with user accounts that are stored in the local security database of a single computer
Creating Local Groups (2)
(Skill 6)
Page 34
6.34 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
On a domain network, you can create global groups that belong to a local group so that domain users can be assigned rights and permissions for the resources on a particular workstation
To create local groups, you use the Local Users and Groups snap-in in the Computer Management console
You can delete, rename, and add members to the local group from the context menu for the local group in the Computer Management console
Creating Local Groups (3)
(Skill 6)
Page 35
6.35 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Figure 6-11 The Location dialog box
(Skill 6)
Page 36
6.36 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Figure 6-12 Searching for local resources
(Skill 6)
Page 37
6.37 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
You generally create local groups when the number of users is small and Active Directory is not installed on the network
It is important to remember that local groups cannot be created on domain controllers because domain controllers use the Active Directory database, not the local user database
Local groups can be used only on the computer where the local group was created
Creating Local Groups (4)
(Skill 6)
Page 38
6.38 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Windows Server 2003 Active Directory provides four classes of default groups
Built-in local
Built-in domain local
Built-in global
Built-in system
These groups have a predefined common set of user rights or group memberships, which determine the type of tasks that a user or a group member of each group can perform
Introducing Default Groups
(Skill 7)
Page 39
6.39 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Built-in local groups
Are created on all Windows Server 2003 computers
Can be viewed in the Groups folder in the Computer Management snap-in on all non-domain controllers
On domain controllers, they are stored in the Builtin container in the Active Directory Users and Computers console
Introducing Default Groups (2)
(Skill 7)
Page 40
6.40 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Built-in local groups in the Builtin container
Introducing Default Groups (3)
(Skill 7)
Account Operators
Administrators
Backup Operators
Guests
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access
Print Operators
Remote Desktop Users
Replicator
Server Operators
Users
Page 41
6.41 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Built-in domain local groups
Cannot be deleted
Are automatically created only on domain controllers
Are stored in the Users container in the Active Directory Users and Computers console
The number of domain local groups will be different on each domain controller, depending on the type of services the domain controller is running
Introducing Default Groups (4)
(Skill 7)
Page 42
6.42 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Built-in domain local groups
Their names generally identify the function of the group
Have a set of predefined rights and permissions to perform various actions in Active Directory and on domain controllers
Introducing Default Groups (5)
(Skill 7)
Page 43
6.43 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Built-in global groups
Are automatically created on domain controllers
Are stored in the Users container in the Active Directory Users and Computers console
These groups, also known as predefined global groups, consolidate common types of user accounts and have predefined group memberships
Introducing Default Groups (6)
(Skill 7)
Page 44
6.44 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Built-in global groups
Domain-wide rights and privileges must be assigned to members of these groups
Rights can be assigned to built-in global groups either directly or by adding them to domain local groups
Introducing Default Groups (7)
(Skill 7)
Page 45
6.45 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Some commonly used built-in global groups
DnsUpdateProxy: DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers)
Domain Admins: Members of this group have full control over the domain; this group is a member of the Administrators group by default
Domain Computers: All workstations and servers joined to the domain
Domain Controllers: All domain controllers in the domain
Introducing Default Groups (8)
(Skill 7)
Page 46
6.46 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Some commonly used built-in global groups
Enterprise Admins: This group, which is present only in the forest root domain, is used by network administrators to manage resources in an enterprise
The Domain Admins group and the Administrators user account are default members of this built-in global group
When Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode, this will be converted to a universal group
Introducing Default Groups (10)
(Skill 7)
Page 47
6.47 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Some commonly used built-in global groups
Schema Admins: Designated administrators of the schema
The Administrator account is a default member of this group
When Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode, this will be converted to a universal group
Introducing Default Groups (11)
(Skill 7)
Page 48
6.48 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Built-in system groups
Also referred to as special identities
Are populated with users based on how they access a computer or a resource
Network administrators cannot add, modify, or delete user accounts because the operating system does so automatically
Since users cannot be added to built-in system groups, they are not shown when you are managing your user accounts, but they are available for selection when you are granting rights and permissions
Introducing Default Groups (12)
(Skill 7)
Page 49
6.49 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
As a general rule, you should avoid running a computer using the Administrator account in order to protect your network from significant security risks
You should log on as a member of the Users or Power Users group for routine tasks
Starting a Program Using the Run as Command
(Skill 8)
Page 50
6.50 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
To perform an administrative task or to start a program while you are logged on as a user, you can use the Run as command
The Run as command allows you to access programs and other Windows Server 2003 administrative tools temporarily without logging off as the current user
Starting a Program Using the Run as Command (2)
(Skill 8)
Page 51
6.51 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
To start any program or any other Windows Server 2003 utility using the Run as command, you need
An appropriate user account and password information to log on to the computer
To ensure the program or Windows Server 2003 utility you want to run is installed on the system
Starting a Program Using the Run as Command (3)
(Skill 8)
Page 52
6.52 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
The Run as command can also be invoked in a shortcut
Go into Properties for the shortcut
Check the Run as other user box
Starting a Program Using the Run as Command (6)
(Skill 8)
Page 53
6.53 © 2004 Pearson Education, Inc.
Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 6: Implementing Groups in Active Directory
Figure 6-18 Running the Run as command at the command prompt
(Skill 8)