04 Groups
description
Transcript of 04 Groups
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Module Overview
• Overview of Groups• Administer Groups• Best Practices for Group Management
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Overview of Groups• Access Management Without Groups• Benefits of Using Groups• Role-Based Management: Role Groups and Rule Groups• Define Group Naming Conventions• Group Type• Group Scope• Local Groups• Domain Local Groups• Global Groups• Universal Groups• Summary of Group Scope Possibilities• Develop a Group Management Strategy• Default Groups• Special Identities
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Identity Access Management
Access Management Without Groups
Resource
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Benefits of Using Groups• Groups Add Manageability and Scalability
Identity GroupAccess Management
Resources
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Role-Based Management
Identity Role Group Rule GroupAccess Management
Resources
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Define Group Naming Conventions
• Name properties• Group name: cn and name of group must be unique within OU• Group name (pre-Windows 2000 Server): sAMAccountName of group must be
unique in domain• Use the same name (unique in the domain) for both properties
• Naming conventions• Role groups: Simple, unique name, such as Sales or Consultants• Management groups: For example, ACL_Sales Folders_Read
• Prefix: Management purpose of group, such as ACL• Resource identifier: What is managed, such as Sales Folders• Suffix: Access level, such as Read• Delimiter: Separates name components, such as underscore (_)
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Group Type
Distribution groups
Used only with e-mail applicationsNot security-enabled (no SID);cannot be given permissions
Security groups
Security principal with a SID;can be given permissionsCan also be email enabled
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Group Scope
• Four group scopes• Local• Global• Domain Local• Universal
• Characteristics that distinguish each scope• Replication: Where are the group and its membership stored?• Membership: What types of objects, and from which domains, can be
members of the group?• Availability (Scope): Where can the group be used? In what scopes of groups
can the group be a member? Can the group be added to an ACL?
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Local Groups
• Replication• Defined in the SAM database of a domain member or workgroup computer• Membership not replicated to any other system
• Membership: Local group can include as members• Any security principals from the domain: users (U), computers (C), global groups (GG), or
domain local groups (DLG)• U, C, GG from any domain in the forest• U, C, GG from any trusted domain• Universal groups (UG) defined in any domain in the forest
• Availability/scope• Limited to the machine on which the group is defined; can be used for ACLs on the local
machine only• Cannot be a member of any other group
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Domain Local Groups
• Replication• Defined in the domain naming context• Group and membership replicated to every DC in domain
• Membership: Domain local group can include as members• Any security principals from the domain: U, C, GG, DLG• U, C, GG from any domain in the forest• U, C, GG from any trusted domain• UG defined in any domain in the forest
• Availability/scope• Can be on ACLs on any resource on any domain member• Can be a member of other domain local groups or of machine local groups
• Well-suited for defining business management rules
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Global Groups
• Replication• Defined in the domain naming context• Group and membership is replicated to every DC in domain
• Membership: Global group can include as members• Only security principals from the same domain: U, C, GG, DLG
• Availability/scope• Available for use by all domain members, all other domains in the forest, and all
trusting external domains• Can be on ACLs on any resource on any computer in any of those domains• Can be a member of any DLG or UG in the forest, and of any DLG in a trusting external
domain
• Well-suited for defining roles
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Universal Groups
• Replication• Defined in a single domain in the forest• Replicated to the global catalog (forest-wide)
• Membership: Universal group can include as members• U, C, GG, and UG from any domain in the forest
• Availability/scope• Available to every domain and domain member in the forest• Can be on ACLs on any resource on any system in the forest• Can be a member of other UGs or DLGs anywhere in the forest
• Useful in multidomain forests• Defining roles that include members from multiple domains• Defining business management rules that manage resources in multiple domains in the forest
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Summary of Group Scope Possibilities
U UserC ComputerGG Global GroupDLG Domain Local GroupUG Universal Group
Group ScopeMembers from Same Domain
Members from Domain
in Same Forest
Members from Trusted
External Domain
Can beAssigned
Permissions to Resources
Local U, C,GG, DLG, UGand local users
U, C,GG, UG
U, C,GG
On the local computer only
Domain Local U, C,GG, DLG, UG
U, C,GG, UG
U, C,GG
Anywhere in the domain
Universal U, C,GG, UG
U, C,GG, UG
N/A Anywhere in the forest
Global U, C,GG
N/A N/A Anywhere in the domain or a trusted domain
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Develop a Group Management Strategy• Identities (users or computers)
are members of• Global groups
that collect members basedon those members' roles,which are members of
• Domain Local groupsthat providemanagementof some kind, suchas management ofresource accesswhich are
• Assigned Access to a resource (for example, on an ACL)• Multidomain forest: IGUDLA
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Default Groups
• Default local groups in the BUILTIN and Users containers• Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators,
Account Operators, Backup Operators, Print Operators
• Reference to their rights and privileges in Student Handbook• Know these rights for the certification exams
• Issues with these groups• Highly overdelegated
• Account Operators, for example, can log on to a DC• Protected
• Users who are members of these groups become protected and are not unprotected when removed
• Best practice: Keep these groups empty and create custom groups with the rights and privileges you require
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Special Identities
• Membership is controlled by Windows: • Cannot be viewed, edited, or added to other groups• Can be used on ACLs
• Examples• Anonymous Logon: Represents connections to a computer without a user name
and password• Authenticated Users: Represents identities that have been authenticated, but does
not include the Guest identity• Everyone: Includes Authenticated Users and Guest (but not Anonymous Logon by
default in Windows Server 2003/2008)• Interactive: Users logged on locally or with Remote Desktop• Network: Users accessing a resource over the network
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Administer Groups
• Tools for Group Management• Demonstration: Create a Group Object• Manage Group Membership• Import Groups with CSVDE• Import Groups with LDIFDE• Convert Group Type and Scope• Modify Group Membership with LDIFDE• Copy Group Membership• Delete Groups
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Tools for Group Management
To create and manage groups in AD DS, you can use :• Active Directory Users and Computers• GUI-based console for management of Active Directory objects
• Active Directory Administrative Center (R2 only)• New GUI-based console built on PowerShell
• Windows PowerShell with Active Directory Module (R2 only)• New command-line based tool
• DS commands• Old command-line based tools
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Demonstration: Create a Group ObjectIn this demonstration, you will learn:• How to create a group by using Active Directory Users and Computers• How to configure group properties• How to change group scope by using Windows PowerShell with Active
Directory Module
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Manage Group Membership
• Methods• The group's Members tab (Add/Remove)• The member's Member Of tab (Add/Remove)• The member's Add to a group command (Add)
• You are always changing the member attribute• memberOf is a backlink attribute updated by Active Directory
• Changes to membership do not take effect immediately• Requires logon (for a user) or startup (for a computer)• Token built with SIDs of member groups at those times• Account for replication of membership change to the user or computer's domain
controller• Tip: Change group membership on a DC in the user's site
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Import Groups with CSVDE
• Comma-separated values (csv) file format• Comma-separated list of attributes• Groups to create, one per line, with all attributes listed on the first line
• Example
• csvde -i -f "filename" [-k]• -i. Import; default mode is export• -f. File name• -k. Continue on error, such as object already exists
• CSVDE can create groups, not modify existing groups
objectClass,sAMAccountName,DN,membergroup,Marketing,"CN=Marketing,OU=Role,OU=Groups,
DC=contoso,DC=com","CN=Linda Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com;CN=Scott Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com"
objectClass,sAMAccountName,DN,membergroup,Marketing,"CN=Marketing,OU=Role,OU=Groups,
DC=contoso,DC=com","CN=Linda Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com;CN=Scott Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com"
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Import Groups with LDIFDE
• LDIF file
• Ldifde -i -f "filename" [-k]• -i. Import (default mode is export)• -f. File name• -k. Continue on error, such as object already exists
DN: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=comchangeType: addCN: Financedescription: Finance UsersobjectClass: groupsAMAccountName: Finance
DN: CN=Research,OU=Role,OU=Groups,DC=contoso,DC=comchangeType: addCN: Researchdescription: Research UsersobjectClass: groupsAMAccountName: Research
DN: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=comchangeType: addCN: Financedescription: Finance UsersobjectClass: groupsAMAccountName: Finance
DN: CN=Research,OU=Role,OU=Groups,DC=contoso,DC=comchangeType: addCN: Researchdescription: Research UsersobjectClass: groupsAMAccountName: Research
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Convert Group Type and Scope
• In Active Directory Users and Computers, you can change group type:• Security to distribution (* lose permissions assigned to group)
• Distribution to security
• In Active Directory Users and Computers, you can change the group scope:• Global to universal
• Domain local to universal
• Universal to global
• Universal to domain local
• You cannot change DL G or G DL directly, but you can change DL U G or G U DL.
• Change prevented if memberships are invalid—fix, then retry
• dsmod group GroupDN –secgrp { yes | no } –scope { l | g | u }
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Modify Group Membership with LDIFDE• LDIF file
• changetype: modify• Third line: What type of change? Add a value to member
• To delete a member, just change to delete: member
• Change operation is terminated with line containing only –
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=comchangetype: modifyadd: membermember: CN=April Stewart,OU=Employees,OU=User Accounts,
dc=contoso,dc=commember: CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts,
dc=contoso,dc=com-
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=comchangetype: modifyadd: membermember: CN=April Stewart,OU=Employees,OU=User Accounts,
dc=contoso,dc=commember: CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts,
dc=contoso,dc=com-
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Copy Group Membership
• Copy members from one group to another
• Copy memberships of one user to another
dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" –members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" –addmbrdsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" –members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" –addmbr
dsget user "SourceUserDN" –memberof | dsmod group –addmbr "TargetUserDN"
dsget user "SourceUserDN" –memberof | dsmod group –addmbr "TargetUserDN"
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Delete Groups
• Active Directory Users and Computers: Right-click, Delete• DSRm command
• dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]• -noprompt prevents prompting to confirm each deletion• -c continues if an error occurs (such as access denied)• -subtree deletes the object and all child objects• -subtree -exclude deletes all child objects but not the object itself
• Deleting a security group has significant impact• SID is lost and cannot be re-established by re-creating group• Tip: First, record all members and delete all members for a test period, to evaluate any unintended side
effects
dsrm "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"
dsrm "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Best Practices for Group Management• Best Practices for Group Documentation• Protect Groups from Accidental Deletion• Delegate Membership Management with the Managed By Tab
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Best Practices for Group Documentation
• Why document groups?• Easier to find them when you need them• Easier to understand how and when to use
a group
• Establish and adhere to a strict naming convention• Prefix, for example, helps distinguish
APP_Budget from ACL_Budget_Edit• Prefix helps you find the group in the Select
dialog box
• Summarize a group's purpose with its description• Appears in Active Directory Users and
Computers details pane
• Detail a group's purpose in its Notes field
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Protect Groups from Accidental Deletion1. In the Active Directory Users and Computers snap-in, click the View
menu and make sure that Advanced Features is selected.2. Open the Properties dialog box for a group.3. On the Object tab, select the Protect Object From Accidental
Deletion check box.4. Click OK.
ww
w.te
chno
corp
.co.
inw
ww
.tech
noco
rp.c
o.in
Delegate Membership Management with the Managed By Tab• The Managed By tab serves two purposes:
• Provide contact information for who manages the group
• Allow specified user (or group) to modify group membership if Manager Can Update Membership List is selected
• Tips• Must click OK (not just Apply)
to change the ACL on the group• To set a group in the Name box,
click Change, clickObject Types, and then click Groups