Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] (text version)

Roberta Bragg

Groups: Tasks

We'll consider separately tasks for administering
groups in domain and workgroup environments.

Domain Setting


Domain local groups, global groups, and universal groups are
administered using the Active Directory Users and Computers console.
After opening this console, expand the console tree and select the OU
in which the group is located or where it will be created. Then
proceed with the steps described in the following sections.

Add Members to a Group


Right-click on group → Properties → Members → Add → select domain → select members → Add

When adding members, you can select multiple user accounts by the
usual methods (e.g., Shift-click or Ctrl-click). You can also drag
and drop.

Create a Group


Right-click on OU → New → Group → specify group name → specify type and scope

Group names must be unique within the domain in which the group
resides. By default, the group name you specify also becomes the
Pre-Windows 2000 (downlevel) group name, though the two can be
different if you desire. Downlevel group names are used in a
mixed-mode environment to provide compatibility with NT and earlier
computers.

To create groups in a given domain, you must be a member of either
the Administrators or the Account Operators built-in groups for that
domain. When creating a group, either of the two group types may be
combined with any of the three group scopes to give a total of six
possible kinds of groups you can create. Note, however, that you
can't create universal groups unless the domain
functional level for your domain is Windows 2000 native or Windows
Server 2003.

Delete a Group


Right-click on group → Delete

Deleting a group doesn't delete the members of the group.


Be careful before deleting a group from your enterprise. If you
already have various permissions assigned to a group and you delete
the group, you can't regain those permissions by
simply creating another group with the same name as the old group.
This is because groups are internally represented within Active
Directory by unique security identifiers assigned when the groups are
created. When you create a new group with the same name as the
deleted group, the new group will have a different SID, and the new
group's permissions will need to be assigned again
from scratch.

Find a Group


If you have a large number of groups, you can use the Find function
of Active Directory Users and Computers to find the group you want to
work with. You can find groups in a particular domain or OU by:

Right-click on domain or OU → Find

You can also change the focus of the Find Users, Contacts, and Groups
box to search the entire directory. To find all the groups of which a
particular user is a member, do the following:

Right-click on user account → Properties → Member Of

Modify Properties of a Group


Right-click on group → Properties

This opens a properties sheet with the following tabs.

General


Lets you change the type and scope of the group. You can always
change the type of a group from security to distribution and vice
versa, but there are restrictions on which scope conversions you can
perform (see Table 4-20).

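Table 4-20. Allowed conversions between group scopes

| Scope of group | Can be converted to: Domain local | Global | Universal |
|----------------|-----------------------------------|--------|-----------|
| Domain local   | No                                | No     | Yes       |
| Global         | No                                | No     | Yes       |
| Universal      | Yes                               | Yes    | No        |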

Members


Lists the user accounts that belong to the group and lets you add new
members or remove existing ones.

Member Of


Lists other groups of which this group itself is a member. This can
be domain local groups and universal groups from the local domain or
universal groups from other domains in the current domain tree or
forest.

Managed By


Lets you specify the user account or contact that is responsible for
managing the selected group. If you select an existing user account
or contact, the personal information for that user is automatically
imported into the fields on this sheet.

Move a Group


Right-click on group → Move → select destination OU

Rename a Group


Right-click on group → Rename → specify new name

Send Mail to a Group


Right-click on group → Send mail

This opens Outlook Express as your default mail client, unless you
have other software installed, such as Office 2000. Make sure you
configure your mail client before using this feature, or you will be
prompted to do so the first time you try to send mail to a group.

Workgroup Setting


Local groups are managed using the Local Users and Groups node under
System Tools in Computer Management. This snap-in is available only
on member servers running WS2003 and client computers running XP. You
can also create a console containing this snap-in as follows:

Start → Run → mmc → Add/Remove Snap-in → Add → select Local Users and Groups → Add → select Local Computer to install the snap-in

Now proceed as follows.

Create a Local Group


Right-click on Groups container → New Group → specify group name → Add → select members → Add → Create

The New Group box stays open after you click Create, enabling you to
continue creating more local groups. You can create a group without
any members and then add members later if you prefer.

Add Members to a Local Group


Right-click on group → Add to Group → Add → select members → Add

Delete a Local Group


Right-click on group → Delete

Deleting a group doesn't delete the members of the group. If you have
various permissions assigned to a group and you delete the group, you
can't regain those permissions simply by creating a new group with
the same name as the old group. This is because groups are internally
represented within the local security database by a unique SID
assigned when the group is created. When you create a new group with
the same name as the deleted group, the new group will have a
different SID, so the group's permissions must be assigned again from
scratch.
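
The SID behaviour described above for both domain and local groups can be reproduced on a lab machine. The following is an added example, not taken from the book: it assumes an elevated PowerShell 5.1 or later session with the LocalAccounts cmdlets (tooling newer than the WS2003/XP consoles the text covers), and the group name DemoAuditors, the folder C:\Temp\sid-demo and the function Get-OrphanedAce are hypothetical names chosen for the demonstration.

```powershell
# Added example. Run elevated on a lab machine only.
# 'DemoAuditors' and 'C:\Temp\sid-demo' are hypothetical demo names.
$name = 'DemoAuditors'
$dir  = 'C:\Temp\sid-demo'

# 1. Create the group and grant it Modify on a scratch folder.
$old = New-LocalGroup -Name $name -Description 'SID demo group'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$acl  = Get-Acl -Path $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $old.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# 2. Delete the group, then recreate it under the same name.
Remove-LocalGroup -Name $name
$new = New-LocalGroup -Name $name -Description 'SID demo group (recreated)'

# 3. Same name, different SID: the ACE from step 1 does not apply to $new.
[pscustomobject]@{
    OldSid  = $old.SID.Value
    NewSid  = $new.SID.Value
    SameSid = ($old.SID.Value -eq $new.SID.Value)
}

# 4. Report ACEs whose trustee is a SID that no longer maps to an account.
#    Get-Acl leaves such trustees as SecurityIdentifier objects instead of names.
function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) { continue }
        try   { [void]$id.Translate([System.Security.Principal.NTAccount]) }
        catch {   # translation failed: nothing owns this SID any more
            [pscustomobject]@{ Path = $Path; Sid = $id.Value
                               Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
        }
    }
}
Get-OrphanedAce -Path $dir

# 5. Clean up the demo objects.
Remove-LocalGroup -Name $name
Remove-Item -Path $dir -Recurse -Force
```

Running Get-OrphanedAce over real data folders before and after a planned group deletion shows which access control entries will need to be reassigned to the replacement group.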

Rename a Local Group


Right-click on group → Rename

