Page 1
7.1 © 2004 Pearson Education, Inc.
Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment
Lesson 7: Introducing Group Accounts
Identifying the Types of Group Accounts
A group is a collection of user accounts or computers with similar rights and permissions
The users in a group are called members
Administrators can categorize users into groups based on the functions they perform and the requirements of their jobs so that they can easily manage multiple users as a single entity
(Skill 1)
Identifying the Types of Group Accounts (2)
Two main types of groups
  Security groups
    Used to define the rights and permissions users will have to access resources on a computer or a network
    Are listed in Discretionary Access Control Lists (DACLs)
  Distribution groups
    Used only for the distribution of messages by applications such as Microsoft Exchange Server
    Cannot be used to assign permissions to users
(Skill 1)
Identifying the Types of Group Accounts (3)
Group scope
  When you create a group, you must specify the group scope
  The group scope determines whether the group can be used to access resources in a specific domain or across domains in a network
  There are three group scopes in a Windows Server 2003 environment
    Domain local scope
    Global scope
    Universal group scope
(Skill 1)
Identifying the Types of Group Accounts (4)
Domain local scope
  A domain local group is created in Active Directory on a domain controller
  The scope of a domain local group is the domain in which the group was created
  You can add members to a domain local group from any domain
(Skill 1)
Identifying the Types of Group Accounts (5)
Global scope
  A global group has members with common network access requirements
  Members can be drawn only from the domain where the global group was created
  Permissions can be assigned to members for resources in any domain
(Skill 1)
Figure 7-1 Group types and group scopes
(Skill 1)
Identifying the Types of Group Accounts (6)
Universal group scope
  A universal group is used when there are multiple domains in a forest
  Members can be drawn from many different domains
  Permissions can be assigned for resources in any domain
  Universal groups are available only when Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode
(Skill 1)
Identifying the Types of Group Accounts (7)
Group nesting
  The process of adding groups to other groups is called group nesting
  Group nesting minimizes the number of times you need to assign permissions to multiple groups
(Skill 1)
Figure 7-2 Nested groups
(Skill 1)
Introducing Built-in Groups
Windows Server 2003 includes default groups called built-in groups that have a preset collection of rights and permissions
Built-in groups can be used to manage common tasks performed by users
There are four types of built-in groups
  Built-in local groups
  Built-in domain local groups
  Built-in global groups
  Built-in system groups
(Skill 3)
Introducing Built-in Groups (2)
Built-in local groups
  Are created on all Windows Server 2003 computers
  Are stored in the Builtin container in the Active Directory Users and Computers console
(Skill 3)
  Account Operators
  Administrators
  Backup Operators
  Guests
  Incoming Forest Trust Builders
  Network Configuration Operators
  Performance Log Users
  Performance Monitor Users
  Pre-Windows 2000 Compatible Access
  Print Operators
  Remote Desktop Users
  Replicator
  Server Operators
  Users
Introducing Built-in Groups (3)
Built-in domain local groups
  Are automatically created only on domain controllers
  Cannot be deleted
  Are stored in the Users container in the Active Directory Users and Computers console
  The number of domain local groups is different on each domain controller, depending on the type of services the domain controller is running
(Skill 3)
  Cert Publishers
  DHCP Administrators
  DHCP Users
  DnsAdmins
  HelpServicesGroup
  IIS_WPG (installed with IIS)
  RAS and IAS Servers
  TelnetClients
  WINS Users
Introducing Built-in Groups (4)
Built-in global groups
  Are automatically created on all domain controllers
  Are stored in the Users container in the Active Directory Users and Computers console
(Skill 3)
  DnsUpdateProxy
  Domain Admins
  Domain Computers
  Domain Controllers
  Domain Guests
  Domain Users
  Group Policy Creator Owner
  Enterprise Admins
  Schema Admins
Introducing Built-in Groups (5)
Built-in system groups
  Are populated with users based upon how they access a computer or a resource
  Network administrators cannot add, modify, or delete user accounts because the operating system does so automatically
(Skill 3)
  Anonymous Logon
  Authenticated Users
  Creator Owner
  Dial-up
  Everyone
  Interactive
  Network
  Terminal Server Users
Figure 7-9 Built-in domain local groups in the Builtin container in the Active Directory Users and Computers console
(Skill 3)
Figure 7-10 Built-in domain local groups in the Users container in the Active Directory Users and Computers console
(Skill 3)
Figure 7-11 Built-in global groups in the Users container
(Skill 3)
Introducing Built-in Groups (6)
In Windows 2000 mixed mode environments, the best practice is to use domain local and global groups following what is referred to as the A-G-DL-P strategy
You put user accounts (A) into global groups (G), put the global groups into domain local groups (DL), and grant permissions (P) to the domain local group
In Windows 2000 native mode or Windows Server 2003 mode, universal groups can be used to organize global groups from multiple domains so that they fit between global and domain local (A-G-U-DL-P)
(Skill 3)
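The A-G-U-DL-P chain and the scope rules above can be checked mechanically when reviewing who really holds a permission. The following is an added example, not part of the original slides: it expands nested membership for a domain local group and reports members that break the global-scope rule or skip a step of the chain. All group, domain and account names are constructed.

```python
from dataclasses import dataclass, field

# Position of each scope in the A-G-U-DL-P chain.
RANK = {"global": 1, "universal": 2, "domain_local": 3}

@dataclass
class Group:
    name: str
    domain: str
    scope: str  # "global", "universal" or "domain_local"
    members: list = field(default_factory=list)  # "DOMAIN\\user" strings or Group objects

def member_domain(member):
    return member.domain if isinstance(member, Group) else member.split("\\", 1)[0]

def effective_users(group, _seen=None):
    """Accounts that receive any permission granted to `group`, through all nesting."""
    seen = set() if _seen is None else _seen
    if group.name in seen:  # nesting loop or second path: already expanded
        return set()
    seen.add(group.name)
    users = set()
    for m in group.members:
        users |= effective_users(m, seen) if isinstance(m, Group) else {m}
    return users

def audit(group, _seen=None):
    """Findings where nesting departs from the scope rules or from A-G-(U)-DL-P."""
    seen = set() if _seen is None else _seen
    if group.name in seen:
        return []
    seen.add(group.name)
    findings = []
    for m in group.members:
        label = m.name if isinstance(m, Group) else m
        # Global groups may draw members only from their own domain.
        if group.scope == "global" and member_domain(m) != group.domain:
            findings.append(f"{group.name}: {label} is from outside domain {group.domain}")
        if isinstance(m, Group):
            # G goes into U or DL, U goes into DL; never the other way round.
            if RANK[m.scope] > RANK[group.scope]:
                findings.append(f"{group.name}: {m.scope} group {label} is nested out of order")
            findings.extend(audit(m, seen))
        elif group.scope == "domain_local":
            findings.append(f"{group.name}: account {label} added directly, not via a global group")
    return findings

# Constructed sample forest with two domains, SALES and HQ.
g_sales = Group("G_SalesStaff", "SALES", "global", ["SALES\\alice", "SALES\\bob"])
g_fin = Group("G_Finance", "HQ", "global", ["HQ\\carol", "SALES\\dave"])  # dave breaks the rule
u_reports = Group("U_ReportReaders", "HQ", "universal", [g_sales, g_fin])
dl_share = Group("DL_Reports_Read", "HQ", "domain_local", [u_reports, "HQ\\erin"])

if __name__ == "__main__":
    print(sorted(effective_users(dl_share)))
    for finding in audit(dl_share):
        print(finding)
```

The permission (P) is granted once, to DL_Reports_Read; the expansion shows every account that inherits it through the nesting.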
Figure 7-15 The New Object-Group dialog box (callouts: the pre-Windows 2000 group name is automatically filled in; the three group scopes; the two types of groups)
(Skill 4)
Figure 7-16 The new group in the Active Directory Users and Computers console (callout: the new group)
(Skill 4)
Figure 7-17 Adding a member to the group (callouts: member of the group; click to remove members from the group; click to add members to the group)
(Skill 4)
Creating Group Policy Objects
Group Policies are used to control the computer configuration, user environment, and account policies such as the minimum password length and length of time a password can be used
Network administrators apply Group Policies
  To centrally manage configuration settings for groups of users or computers
  To control the distribution of software applications in a domain
(Skill 6)
Creating Group Policy Objects (2)
Group Policies are applied to objects in Active Directory to control how they and their child objects will function
There are both user settings and computer settings, which can also affect the rights that are given to user accounts and groups
The idea is to enforce uniform corporate policies on a portion of the network
(Skill 6)
Creating Group Policy Objects (4)
Group Policy Objects (GPOs)
  Store all Group Policy settings that are applied to users and computers, along with the properties associated with the objects in the Active Directory store
  The policy settings for sites, domains, and organizational units are also stored in GPOs
  To create a GPO for a domain or an organizational unit, you use either the Active Directory Users and Computers console or the new Group Policy Management console (GPMC), which must be downloaded from Microsoft
  Types of GPOs
    Local
    Active Directory-based
(Skill 6)
Creating Group Policy Objects (6)
Group Policy Management Console (GPMC)
  Designed as a comprehensive tool for Group Policy administration for Windows Server 2003 and Windows 2000 domains
  Provides administrators with the ability to back up, restore, import, and copy/paste GPOs, as well as create, delete, and rename them
  Used to link GPOs, search for GPOs, and to delegate Group Policy-related features
(Skill 6)
Figure 7-28 Download the GPMC
(Skill 6)
Figure 7-29 Creating a GPO
(Skill 6)
Figure 7-30 The New GPO dialog box
(Skill 6)
Figure 7-31 New Group Policy Object in a domain (callout: the new GPO, as listed in the Group Policy Object Links column)
(Skill 6)
Identifying the Types of Group Policies
Types of Group Policies
  In the Windows Server 2003 environment, there are different types of Group Policies categorized according to the different network components and Active Directory objects they influence
  Most Group Policies are used to update and manage Registry configuration data
  Use the Group Policy Object Editor snap-in to modify the default settings for Group Policies according to your requirements
(Skill 7)
Identifying the Types of Group Policies (2)
Group Policy Object Editor
  Computer Configuration node
    Software Settings configuration setting node
    Windows Settings node
    Administrative Templates node
  User Configuration node
Group Policy settings applied in the Computer Configuration node affect the computer objects to which they are applied
(Skill 7)
Figure 7-33 Security Settings for computers
(Skill 7)
Identifying the Types of Group Policies (4)
Group Policy
  Can be applied to users and computers
  Can be applied at the site, domain, or OU level
Application of Group Policy Objects
  Every computer has one Group Policy Object that is stored locally
  The Local Group Policy Object (LGPO) is applied first
  Then, GPOs assigned to the site are processed
  Next, policies assigned to the domain are processed
  Finally, policies assigned to OUs and child OUs are processed
  Policy settings are cumulative due to inheritance
(Skill 7)
Identifying the Types of Group Policies (5)
Understanding how GPO settings are applied
  If a GPO is assigned to the parent container, but not the child container, the parent container GPO setting applies
  If a GPO is assigned to both the parent container and the child container, and there is no conflict, both parent and child GPOs apply
  If a GPO is assigned to both the parent container and the child container, and there is a conflict, the child container setting applies
  These are the rules unless there is a conflict between a user setting and a computer setting; then the computer setting is applied
(Skill 7)
Identifying the Types of Group Policies (6)
Blocking inheritance
  You can modify the default behavior of inheritance by using the Block Inheritance option
  You can block inheritance for the GPO links for an entire domain, for all domain controllers, or for a particular OU
(Skill 7)
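The processing order (local, site, domain, OU, child OU), the child-wins conflict rule and Block Inheritance can be combined into one resolver that also reports which parent settings a blocking container silently drops. This is an added example, not code from the original slides; the container names, setting names and values are constructed, and the model keeps the local GPO under Block Inheritance because it is stored on the computer rather than linked in Active Directory.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    settings: dict = field(default_factory=dict)  # merged settings of GPOs linked here
    block_inheritance: bool = False

def resolve(local, chain):
    """Return (effective, dropped) for an object at the end of `chain`.

    chain is ordered site -> domain -> OU -> child OU.
    effective maps setting -> (value, container that supplied it).
    dropped lists (container, setting) pairs cut off by Block Inheritance
    and not redefined at or below the blocking container.
    """
    start = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            start = i  # the lowest blocking container decides what is skipped
    effective = {k: (v, local.name) for k, v in local.settings.items()}  # local GPO first
    for c in chain[start:]:
        for k, v in c.settings.items():
            effective[k] = (v, c.name)  # later (child) container wins a conflict
    kept = {k for c in chain[start:] for k in c.settings}
    dropped = sorted((c.name, k) for c in chain[:start] for k in c.settings if k not in kept)
    return effective, dropped

# Constructed sample hierarchy; names and values are illustrative only.
LOCAL = Container("Local", {"ScreenSaverTimeout": 900})
SITE = Container("Site:HQ", {"LegalNotice": "on"})
DOMAIN = Container("Domain:corp.example", {"ScreenSaverTimeout": 600, "RemovableStorage": "deny"})
SALES = Container("OU:Sales", {"ScreenSaverTimeout": 300})
KIOSKS = Container("OU:Sales/Kiosks", {"Wallpaper": "kiosk.bmp"}, block_inheritance=True)

if __name__ == "__main__":
    for chain in ([SITE, DOMAIN, SALES], [SITE, DOMAIN, SALES, KIOSKS]):
        effective, dropped = resolve(LOCAL, chain)
        print(chain[-1].name, effective)
        print("  dropped by Block Inheritance:", dropped)
```

For the Kiosks OU the domain-level RemovableStorage setting disappears and the screen saver timeout falls back to the local value, which is the kind of gap worth reviewing wherever Block Inheritance is set.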
Figure 7-39 Blocking Inheritance
(Skill 7)
Modifying Software Settings Using GPO Software Policies
Group Policies are used to assign and publish applications to groups of users or computers
Applications can be assigned to either users or computers, but they can be published only to users
After you have created the GPO, you can manage the software deployed to users and computers centrally in the Group Policy Object Editor
The Group Policy Object Editor has two parent nodes used to set Group Policies for users or computers: User Configuration and Computer Configuration
(Skill 8)
Modifying Software Settings Using GPO Software Policies (2)
User Configuration node
  Used to set Group Policies for users, which are applied when the user logs on to the domain
  Used to modify the settings for the desktop, applications, and security
  Used to assign and publish applications, set Group Policies to redirect folders, and set scripts for the logon and logoff processes
(Skill 8)
Modifying Software Settings Using GPO Software Policies (3)
Computer Configuration node
  Used to set Group Policies for computers that are members of the domain, OU, or site, depending on where the GPO is configured
  These Group Policies are applied when the operating system initializes
  Used to modify Group Policies related to the operating system, applications, and security controls for a computer
(Skill 8)
Figure 7-45 The Deploy Software dialog box (callouts: select to publish and assign applications; select to publish applications; select to assign applications)
(Skill 8)
Figure 7-46 A published application in the Group Policy Object Editor (callouts: used to assign or publish applications to users; deployment state of the application)
(Skill 8)
Redirecting Folders Using GPOs
Folder Redirection
  Allows you to take the most common folders and redirect them to a network server
  This means that rather than downloading the full folder at logon, your users are browsing the remote folder, just as if they were browsing a network share
  When a user opens an item in a redirected folder, the individual item is downloaded
(Skill 9)
Redirecting Folders Using GPOs (2)
Folder Redirection
  Saves considerable network bandwidth
  Significantly reduces the logon time for users with large profiles
  You can redirect folders over a network using the Folder Redirection extension located in the Windows Settings folder. This folder resides in the User Configuration node in the Group Policy Object Editor
(Skill 9)
Figure 7-47 Special folders available for redirection
(Skill 9)
Figure 7-48 The Target tab (callout: the Basic setting will redirect everyone’s folder to the same location)
(Skill 9)
Figure 7-49 The Specify Group and Location dialog box (callouts: use to specify the security group for Folder Redirection; use to specify the location of the redirection folder on the network)
(Skill 9)
Figure 7-50 Entering the security group and the location of the redirection folder (callout: the security groups to which Folder Redirection is applied can be selected, edited, or removed here)
(Skill 9)
Figure 7-51 The Settings tab (callout: this option leaves the redirected folder in the new location even after GPO is removed)
(Skill 9)