4 - Managing Groups
You can use groups to control access to resources or to logically categorize people in
your company. For example, you may have different groups for your marketing, sales,
finance, accounting, IT, HR, and operations employees. Within each of those departments
you may have teams; HR, for example, may have a benefits team, a training team, and a
recruiting team. These teams access different resources (e.g. printers or shared
folders) and therefore need different Active Directory security groups.
A group is either a security group or a distribution group. Security groups can be
placed in access control lists, so they can be granted rights and permissions on folders,
files, and other securable objects. Distribution groups exist only for email distribution;
they are not security-enabled and cannot be used to grant permissions.
Group Scope
There are three group scopes in Windows Server 2003: Universal, Global, and Domain
Local.
Universal Scope groups can include groups and accounts from any domain in the forest
and can be assigned permissions in any domain in the forest. You can use Universal Scope
groups to consolidate groups across multiple domains. For example, if you have Asia and
US as two domains in your AD environment and a Global Scope group, GMarketing, in each
domain, you can create a UMarketing Universal Scope group that contains both of the
GMarketing groups.
Universal group membership is stored in the global catalog and replicated to every global
catalog server in the forest; the membership of the Global groups nested inside a
Universal group is not. Use Universal groups only where membership changes infrequently,
and nest Global groups in them rather than adding users directly, so that routine
staffing changes do not generate forest-wide replication traffic.
Global groups can contain user accounts, computer accounts, and other Global groups only
from the domain in which the group is defined, and can be assigned permissions in any
domain in the forest.
Global groups should be used for most security functions and will be your most commonly
used scope: they hold the user and computer accounts, and you grant access permissions
to them. We recommend a common naming scheme across domains: if you have GOperations in
your Asia domain, the corresponding Operations group in the US domain should also be
named GOperations. Global group membership does not replicate outside the group's own
domain.
Domain Local groups can contain groups and accounts from any trusted Windows Server 2003,
Windows 2000, or Windows NT domain, but can be assigned permissions only on resources in
the domain in which the group is defined. Use Domain Local groups to grant access to a
resource within a single domain, typically by nesting the Global groups whose members
need that access rather than adding users directly.
We recommend you create a standard naming scheme for your groups. This standard can
be anything you desire; in our examples, we use G, D, and U at the beginning of the
group name to specify Global, Domain Local, and Universal groups (for example,
GMarketing for the Global group and UMarketing for the Universal group that nests it).
Active Directory includes several command-line tools that give administrators the
flexibility of scripting functions within AD. You can use these tools to quickly add
computer, contact, group, OU, user, or quota objects. The syntax of dsadd group is:

    dsadd group GroupDN [-secgrp {yes | no}] [-scope {l | g | u}] [-samid SAMName]
        [-desc Description] [-memberof Group ...] [-members Member ...]
GroupDN is the distinguished name of the group you want to add.
-secgrp sets whether this is a security group (yes) or a distribution group (no); the
default is yes.
-scope sets the group scope: l for Domain Local, g for Global, or u for Universal; the
default is g.
-samid SAMName is the SAM account name of the group, e.g. operators. If you omit it,
dsadd derives the SAM account name from the common name in GroupDN.
-desc Description sets the group's description.
-memberof Group ... is the list of groups this group will be a member of. You can
specify multiple distinguished names separated by spaces.
-members Member ... is the list of groups or users you want placed into this group,
again as space-separated distinguished names. Enclose any distinguished name that
contains spaces in quotation marks.
Type dsadd group /? at a command prompt to see the remaining options.
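The following PowerShell script is an added example, not code from the original text. It wraps dsadd, dsquery and dsmod to build the Asia/US marketing hierarchy from the Group Scope section using the G/U naming scheme. The domain names asia.example.com and us.example.com, the OU=Groups containers and the sample user DN are assumptions; the -d argument is derived from each DN so every call binds to a domain controller of the right domain.

```powershell
# Added example, not from the original text: scripting dsadd/dsquery/dsmod from
# PowerShell to create GMarketing in two domains and a UMarketing universal group
# that nests both. Assumed: domains asia.example.com and us.example.com, each with
# an OU=Groups container, and the ds* tools installed on the admin host.

$Domains = @{
    Asia = 'OU=Groups,DC=asia,DC=example,DC=com'
    US   = 'OU=Groups,DC=us,DC=example,DC=com'
}
$ScopePrefix = @{ l = 'D'; g = 'G'; u = 'U' }    # naming scheme: D/G/U + name

function Get-DnsDomainFromDN {
    # "OU=Groups,DC=asia,DC=example,DC=com" -> "asia.example.com", for the -d switch
    param([string]$DN)
    (($DN -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

function New-DsGroup {
    param(
        [Parameter(Mandatory = $true)][string]$BaseName,                         # e.g. Marketing
        [Parameter(Mandatory = $true)][ValidateSet('l', 'g', 'u')][string]$Scope,
        [Parameter(Mandatory = $true)][string]$ParentDN,
        [string]$Description = '',
        [string[]]$Members = @()                                                  # DNs to nest
    )
    $sam    = $ScopePrefix[$Scope] + $BaseName              # GMarketing, UMarketing, ...
    $dn     = "CN=$sam,$ParentDN"
    $domain = Get-DnsDomainFromDN $ParentDN

    # Idempotency: dsquery prints the DN if a group with this SAM name already exists
    $existing = & dsquery group $ParentDN -samid $sam -d $domain 2>$null
    if ($existing) { Write-Warning "$sam already exists in $domain, not recreating"; return $dn }

    $dsArgs = @('group', $dn, '-secgrp', 'yes', '-scope', $Scope, '-samid', $sam, '-d', $domain)
    if ($Description)         { $dsArgs += @('-desc', $Description) }
    if ($Members.Count -gt 0) { $dsArgs += @('-members') + $Members }

    & dsadd @dsArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $dn (exit code $LASTEXITCODE)" }
    return $dn
}

# One global group per domain holds that domain's marketing users ...
$gAsia = New-DsGroup -BaseName Marketing -Scope g -ParentDN $Domains.Asia -Description 'Asia marketing staff'
$gUS   = New-DsGroup -BaseName Marketing -Scope g -ParentDN $Domains.US   -Description 'US marketing staff'

# ... and one universal group nests both, so a resource anywhere in the forest can be
# granted access once. Only the two nested group DNs are published to the global
# catalog; the users inside each GMarketing are not, which keeps replication traffic
# low as staff come and go.
$uMarketing = New-DsGroup -BaseName Marketing -Scope u -ParentDN $Domains.US `
    -Description 'All marketing staff (forest-wide)' -Members @($gAsia, $gUS)

# Day-to-day membership changes use dsmod rather than re-running dsadd
# (assumed sample user DN):
& dsmod group $gAsia -addmbr 'CN=Jane Doe,OU=Users,DC=asia,DC=example,DC=com' -d asia.example.com
if ($LASTEXITCODE -ne 0) { throw "dsmod failed (exit code $LASTEXITCODE)" }
"Created $gAsia, $gUS and $uMarketing"
```

The dsquery pre-check matters when the script is re-run: dsadd exits non-zero on "object already exists", and without the check the throw would stop the script before the universal group is nested. The universal group is placed in the US domain here only because one domain has to hold it; any domain in the forest would do.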
There are several ways to manage group membership. The two primary methods are
managing from the group (the Members tab of the group's properties) and managing from
the user account (the Member Of tab of the user's properties). From the user account:
4. Click on the Member Of tab.
5. Click the Add button.
6. Type in the names of the groups you want to add (separated by ;) or click
Advanced and search for the group you want to add. Click OK.
7. Click OK.
The most common use for groups is in a security context. Security groups are used to
assign access rights to users in a domain.
Typically, organizations create Global groups, place user accounts in them, and grant
access to those groups. For example, your environment may have these departments:
Accounting, Marketing, Finance, HR, and IT, sharing a common file server and shared
drive with one top-level folder per department.
You can create a security group for each department: GHumanResources, GFinance,
GAccounting, GInfoTech, and GMarketing. Each of these groups is then granted the right
to modify its department's folder.
You can further set up security groups for each subfolder, e.g. GHR_Training,
GHR_Benefits, GHR_Compensation, and GHR_Recruiting, and use them to secure the
subfolders so that only users in the matching group can modify files in that directory.
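The script below is an added example, not code from the original text. It implements the department and subfolder strategy just described with the G/D naming scheme: people are placed in Global groups, each folder gets a Domain Local group that carries the Modify permission and nests the matching Global group, and the department-level grant is deliberately scoped to "this folder and files" so that it does not flow into the subteam folders. The share root E:\Shared, the EXAMPLE domain, the OU=Groups container and the folder names are assumptions.

```powershell
# Added example, not from the original text: create G (people) and D (permission)
# groups per folder and apply NTFS Modify with Get-Acl/Set-Acl.
# Assumed: share root E:\Shared on the file server, domain EXAMPLE (DC=example,DC=com)
# with an OU=Groups container, script run on the file server by an account that can
# create groups and change folder ACLs, and dsadd on the path.

$ShareRoot = 'E:\Shared'
$Domain    = 'EXAMPLE'
$GroupsOU  = 'OU=Groups,DC=example,DC=com'

# Department groups (GHumanResources ...) and HR subteam groups (GHR_Training ...)
$Layout = @(
    @{ Group = 'HumanResources'; Folder = 'HR';         Subs = @('Training', 'Benefits', 'Compensation', 'Recruiting') },
    @{ Group = 'Finance';        Folder = 'Finance';    Subs = @() },
    @{ Group = 'Accounting';     Folder = 'Accounting'; Subs = @() },
    @{ Group = 'InfoTech';       Folder = 'IT';         Subs = @() },
    @{ Group = 'Marketing';      Folder = 'Marketing';  Subs = @() }
)

function Invoke-Ds {
    # Run a ds* tool and fail loudly: dsadd exits non-zero on errors such as
    # "object already exists", and continuing would leave a folder without its ACE.
    param([string]$Tool, [string[]]$ToolArgs)
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool $($ToolArgs -join ' ') failed (exit $LASTEXITCODE)" }
}

function Grant-FolderModify {
    # Add an Allow:Modify ACE for DOMAIN\GroupSam. Without -Subtree the ACE applies to
    # "this folder and files" only (ObjectInherit), so a department-wide grant does not
    # reach the subteam folders; with -Subtree it inherits to everything below.
    param([string]$Path, [string]$GroupSam, [switch]$Subtree)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $inherit = if ($Subtree) { 'ContainerInherit, ObjectInherit' } else { 'ObjectInherit' }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$GroupSam", 'Modify', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function New-ResourceGroups {
    # G<Name> holds people; D<Name>_Modify carries the permission and nests G<Name>.
    param([string]$Name, [string]$Path, [switch]$Subtree)
    $gSam = "G$Name";             $dSam = "D${Name}_Modify"
    $gDn  = "CN=$gSam,$GroupsOU"; $dDn  = "CN=$dSam,$GroupsOU"
    Invoke-Ds dsadd @('group', $gDn, '-secgrp', 'yes', '-scope', 'g', '-samid', $gSam, '-desc', "$Name staff")
    Invoke-Ds dsadd @('group', $dDn, '-secgrp', 'yes', '-scope', 'l', '-samid', $dSam,
                      '-desc', "Modify on $Path", '-members', $gDn)
    Grant-FolderModify -Path $Path -GroupSam $dSam -Subtree:$Subtree
}

foreach ($dept in $Layout) {
    $deptPath = Join-Path $ShareRoot $dept.Folder
    New-ResourceGroups -Name $dept.Group -Path $deptPath
    foreach ($sub in $dept.Subs) {
        # e.g. GHR_Training / DHR_Training_Modify on E:\Shared\HR\Training
        New-ResourceGroups -Name "$($dept.Folder)_$sub" -Path (Join-Path $deptPath $sub) -Subtree
    }
}
```

Two practical notes. Set-Acl has to translate EXAMPLE\DHR_Training_Modify to a SID, so the file server must be able to see the newly created group; if it authenticates against a different domain controller than the one dsadd wrote to, either pass -s with that controller to dsadd or wait for replication before the ACL step. And because the subfolder ACE is the only grant below the department folder, an HR user who is not in GHR_Training gets no access to the Training folder at all, which is the behaviour the text asks for.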
Windows Server 2003 has several built-in groups with predefined user rights. These
groups are stored in two containers: Builtin and Users. Treat membership in all of them
as privileged: several of the operator groups below can log on locally to domain
controllers, and Backup Operators can restore files on them, so review their membership
as carefully as that of Domain Admins.

Groups in the Builtin container

Account Operators
  Description: Members can create, modify, and delete accounts for users, groups, and
  computers located in the containers and OUs, except for the Domain Controllers OU.
  Cannot modify the Administrators or Domain Admins groups.
  Default user rights: Allow log on locally; Shut down the system.

Administrators
  Description: Full control of all domain controllers in the domain. The Domain Admins
  and Enterprise Admins groups are members of the Administrators group. The
  Administrator user account is a default member.
  Default user rights: Access this computer from the network; Adjust memory quotas for
  a process; Back up files and directories; Bypass traverse checking; Change the system
  time; Create a pagefile; Debug programs; Enable computer and user accounts to be
  trusted for delegation; Force a shutdown from a remote system; Increase scheduling
  priority; Load and unload device drivers; Allow log on locally; Manage auditing and
  security log; Modify firmware environment values; Profile single process; Profile
  system performance; Remove computer from docking station; Restore files and
  directories; Shut down the system; Take ownership of files or other objects.

Backup Operators
  Description: Can back up and restore files on domain controllers in the domain. Can
  shut down domain controllers. No default members.
  Default user rights: Back up files and directories; Allow log on locally; Restore
  files and directories; Shut down the system.

Incoming Forest Trust Builders (only appears in the forest root domain)
  Description: Members can create one-way incoming forest trusts to the forest root
  domain. No default members.
  Default user rights: No default user rights.

Pre-Windows 2000 Compatible Access
  Description: Members have read access on all users and groups in the domain. By
  default, Everyone is a member of this group. Used for users running Windows NT 4.0
  or earlier.
  Default user rights: Access this computer from the network; Bypass traverse checking.

Print Operators
  Description: Members can manage, create, share, and delete printers connected to
  domain controllers. They can manage AD printer objects in the domain. No default
  members.
  Default user rights: Allow log on locally; Shut down the system.

Server Operators
  Description: Members can log on interactively to domain controllers, create and
  delete shared resources, start and stop some services, back up and restore files,
  format the hard drive, and shut down the computer. No default members.
  Default user rights: Back up files and directories; Change the system time; Force
  shutdown from a remote system; Allow log on locally; Restore files and directories;
  Shut down the system.

Groups in the Users container

(entry incomplete on the page)
  Description: ... permitted to publish certificates for users and computers.

Domain Admins
  Description: Members have full control of the domain. This group is a member of the
  Administrators group on all domain controllers, all domain workstations, and all
  domain member servers at the time they are joined to the domain. The Administrator
  account is a member of this group.
  Default user rights: Access this computer from the network; Adjust memory quotas for
  a process; Back up files and directories; Bypass traverse checking; Change the system
  time; Create a pagefile; Debug programs; Enable computer and user accounts to be
  trusted for delegation; Force a shutdown from a remote system; Increase scheduling
  priority; Load and unload device drivers; Allow log on locally; Manage auditing and
  security log; Modify firmware environment values; Profile single process; Profile
  system performance; Remove computer from docking station; Restore files and
  directories; Shut down the system; Take ownership of files or other objects.

(entry incomplete on the page)
  Description: ... automatically.

Domain Users
  Description: All domain users. Any user account created in the domain becomes a
  member of this group automatically.
  Default user rights: No default user rights.

Group Policy Creator Owners
  Description: Can modify Group Policy in the domain. The Administrator account is a
  default member.
  Default user rights: No default user rights.

RAS and IAS Servers
  Description: Servers in this group are permitted access to the remote access
  properties of users.
  Default user rights: No default user rights.

Schema Admins (only appears in the forest root domain)
  Description: Members can modify the Active Directory schema. The Administrator
  account is a default member.
  Default user rights: No default user rights.
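The audit script below is an added example, not code from the original text. It checks the direct membership of the built-in groups in the table against the defaults the table documents (no members, or the Administrator account and the admin groups) and reports anything extra, which is the check a practitioner runs to catch a forgotten Account Operators or Backup Operators grant. It assumes dsquery and dsget are available, that it runs as a domain user who can read the Builtin and Users containers, and that the expected-member lists mirror the table; Pre-Windows 2000 Compatible Access is left out because its documented default (Everyone) is an identity rather than an account.

```powershell
# Added example, not from the original text: audit direct membership of the
# privileged built-in groups against the documented defaults.
# Assumed: dsquery/dsget on the path, run as a domain user with read access to the
# Builtin and Users containers of the current domain.

# Documented defaults: an empty list means "no default members".
$ExpectedMembers = @{
    'Account Operators'              = @()
    'Backup Operators'               = @()
    'Print Operators'                = @()
    'Server Operators'               = @()
    'Incoming Forest Trust Builders' = @()
    'Administrators'                 = @('Administrator', 'Domain Admins', 'Enterprise Admins')
    'Domain Admins'                  = @('Administrator')
    'Schema Admins'                  = @('Administrator')
    'Group Policy Creator Owners'    = @('Administrator')
}

function Get-DirectMemberNames {
    # Returns the CN of each direct member of the group, or $null if the group does
    # not exist in this domain (e.g. Schema Admins outside the forest root).
    param([string]$GroupSam)
    $dn = @(& dsquery group domainroot -samid $GroupSam 2>$null)[0]
    if (-not $dn) { return $null }
    # dsget prints one quoted DN per line; add -expand to follow nested groups
    $memberDns = & dsget group $dn -members 2>$null
    foreach ($memberDn in @($memberDns)) {
        $memberDn = $memberDn.Trim().Trim('"')
        if (-not $memberDn) { continue }
        # First RDN value is enough for comparison; DNs with escaped commas
        # (CN=Doe\, Jane) would need a real DN parser.
        ($memberDn -split ',')[0] -replace '^CN=', ''
    }
}

function Find-UnexpectedMembers {
    # Compare actual direct membership with the documented defaults.
    param([hashtable]$Expected)
    $findings = @()
    foreach ($group in $Expected.Keys) {
        $actual = Get-DirectMemberNames -GroupSam $group
        if ($null -eq $actual) { $findings += "$group : not found in this domain"; continue }
        foreach ($member in @($actual)) {
            if ($Expected[$group] -notcontains $member) {
                $findings += "$group : unexpected member $member"
            }
        }
    }
    return $findings
}

$report = Find-UnexpectedMembers -Expected $ExpectedMembers
if ($report.Count -eq 0) { 'All audited groups match their documented defaults.' } else { $report }
```

Run it on a schedule and diff the output: a new line for Account Operators, Server Operators or Backup Operators is a change that should have a ticket behind it, because each of those groups can log on to a domain controller.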
Section Review
In this section, you learned:
What groups are
How to best use groups
Group scopes
Best practices for group naming
How to create groups
How to manage group membership
Strategies for using groups
The default groups and their uses
Practice Exercises