Microsoft Windows 1002000 Professional E2 [Electronic resources]

نسخه متنی -صفحه : 156/ 62
نمايش فراداده

[Previous] [Next]

Lesson 1: Implementing Local Groups

In this lesson, you will learn what groups are and how you can use them to simplify user account administration.

After this lesson, you will be able to

  • Describe the key features of groups.

  • Describe local groups.

  • Create and delete local groups.

  • Add members to local groups.

  • Remove members from local groups.

Estimated lesson time: 30 minutes

Understanding Groups

A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions to each individual user account (see Figure 11.1).

Figure 11.1 Groups simplify administration

Permissions control what users can do with a resource, such as a folder, file, or printer. When you assign permissions, you give users the capability to gain access to a resource, and you define the type of access that they have. For example, if several users need to read the same file, you would add their user accounts to a group. Then you would give the group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a computer, backing up or restoring files, or logging on locally.

When adding members to a group, remember that users can be members of multiple groups. A group contains a list of members, with references to the actual user account. Therefore, users can be members of more than one group.

Understanding Local Groups

A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows 2000 creates local groups in the local security database.

Preparing to Use Local Groups

Guidelines for using local groups include the following:

  • Use local groups on computers that don't belong to a domain.

    • You can use local groups only on the computer where you create the local groups. Although local groups are available on member servers and domain computers running Windows 2000 Professional, don't use local groups on computers that are part of a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups don't appear in directory services based on Active Directory technology, and you have to administer local groups separately for each computer.

  • You can assign permissions to local groups for access to only the resources on the computer where you create the local groups.

NOTE
You can't create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory directory services.

Membership rules for local groups include the following:

  • Local groups can contain local user accounts from the computer where you create the local groups.

  • Local groups can't be a member of any other group.

Creating Local Groups

Use the Computer Management snap-in to create local groups, as shown in Figure 11.2. You create local groups in the Groups folder.

Figure 11.2 The Computer Management snap-in

You can create a local group by doing the following:

  1. In Computer Management, expand Local Users And Groups and click the Groups folder.

  2. Right-click Groups, and then click New Group.

    3. Table 11.1 describes the options presented in the New Group dialog box.

  3. Enter the appropriate information and then click Create.

Table 11.1 New Local Group Options

Option Description
Group Name A unique name for the local group. This is the only required entry. Use any character except for the backslash (\). The name can contain up to 256 characters; however, very long names might not display in some windows.
Description A description of the group.
Add Adds a user to the list of members.
Remove Removes a user from the list of members.
Create Creates the group.
Close Closes the New Group dialog box.

You can add members to a local group when you create the group by using the Add button, but you can also add users to a local group after you create it.

Deleting Local Groups

Use the Computer Management snap-in to delete local groups. Each group that you create has a unique, nonreusable identifier. Windows 2000 uses this value to identify the group and the permissions that are assigned to it. When you delete a group, Windows 2000 doesn't use the identifier again, even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore access to resources by recreating the group.

When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group doesn't delete the user accounts that are members of the group. To delete a group, right-click the group, and then click Delete.

Adding Members to a Group

To add members to a group that has already been created, start the Computer Management snap-in and expand Local Users And Groups. Click Groups, and then in the details pane, right-click the appropriate group and click Properties. In the Properties dialog box, click Add. The Select Users Or Groups dialog box appears, as shown in Figure 11.3.

Figure 11.3 The Select Users Or Groups dialog box

In the Look In list, ensure that the computer on which you created the group is selected. In the Name box, select the user account that you want to add to the group, and then click Add.

NOTE
If you want to add multiple user accounts, you can repeat the process of selecting them one at a time and then click Add, or you can hold down the Shift or Ctrl key to select multiple user accounts at once. The Shift key allows you to select a consecutive range of accounts, while the Ctrl key allows you to pick some accounts and skip others. Click Add once you have selected all the accounts that you want to add.

Clicking Add lists the accounts you have selected. Once you review the accounts to make sure that they are the accounts you want to add to the group, click OK to add the members.

NOTE
You can also add a user account to a group by using the Member Of tab in the Properties dialog box for that user account. Use this method to quickly add the same user account to multiple groups.

Practice: Creating and Managing Local Groups

In this practice, you will create two local groups. You will add members to the local groups when you create them, and then add an additional member to one of the groups after they have been created. You delete a member from one of the groups, and then you delete one of the local groups that you created.

NOTE
This practice requires user accounts that you create when you complete the practice in Chapter 10, "Setting Up and Managing User Accounts." If you didn't set up the user accounts as described in Chapter 10, go back and do the practice in that chapter to set up the user accounts you will work with in this practice.

Exercise 1: Creating Local Groups and Adding and Removing Members

In this exercise, you will create two local groups, Sales and Testing. You add members to both groups when you create them. You add a member to an existing group by adding an additional member to the Testing group, and then you remove a member from the Testing group.

  • To create a local group

    1. Log on to your computer as Administrator.

    2. Click the Start button, point to Programs, point to Administrative Tools, and then click Computer Management.

    3. Expand Local Users And Groups, and then click Groups.

      4. In the details pane, Computer Management displays a list of current and built-in local groups.

    4. To create a new group, right-click Groups, and then click New Group.

      5. Computer Management displays the New Group dialog box.

    5. Type Sales in the Group Name box, and type Access to Customer Files in the Description box.

    6. Click Add.

      7. The Select Users Or Groups dialog box appears.

    7. Hold the Ctrl key down and select User1 and User3.

    8. Click Add.

      9. PRO1\User1 and PRO1\User3 should be listed in the box below the Add button.

    NOTE
    If you didn't name your computer PRO1, then PRO1 will be replaced by the name of your computer.

    1. Click OK.

      2. In the New Group dialog box, notice that User1 and User3 are listed in the Members box.

    2. Click Create.

      3. Windows 2000 creates the group and adds it to the list of users and groups. Note the New Group dialog box is still open and might block your view of the list of users and groups.

    3. Repeat steps 5-10 to create a group named Testing. Type Access to Troubleshooting Tips File in the Description box, and make User2 and User4 members of the Testing group.

    4. When you have created both the Sales and the Testing groups, click Close to close the New Group dialog box.

    Notice that the Sales and Testing groups are listed in the details pane.

  • To add members to and remove members from a local group

    1. In the details pane of Computer Management, double-click Testing.

      2. The Testing Properties dialog box displays the properties of the group. Notice that User2 and User4 are listed in the Members box.

    2. To add a member to the group, click Add.

      3. The Select Users Or Groups dialog box appears.

    3. In the Name box, select User3, click Add, and then click OK.

      4. The Testing Properties dialog box displays User2, User3, and User4 listed in the Members box.

    4. Select User4 and then click Remove.

      5. Notice that User4 is no longer listed in the Members box. User4 still exists as a local user account, but it is no longer a member of the Testing group.

    5. Click OK.

    Exercise 2: Deleting a Local Group

    In this exercise, you will delete the Testing local group.

  • To delete a local group

    1. Right-click Testing in the Computer Management details pane, and then click Delete.

      2. A Local Users And Groups dialog box appears, asking whether you are sure that you want to delete the group.

    2. Click Yes.

      3. Notice that Testing is no longer listed in the Computer Management window. The members of the group were not deleted. User2 and User3 are still local user accounts on PRO1.

    3. Close Computer Management.

    Lesson Summary

    In this lesson, you learned that a group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions to each individual user account.

    When naming a group, you make the name intuitive. You also learned that you use the Computer Management snap-in to create groups, to add members to a group, to remove members from a group, and to delete groups. In the practice portion of this lesson, you created two local groups and added members to the groups as you created the local groups. You then added an additional member to one of the local groups. You deleted a member from one of the local groups, and then you deleted one of the local groups.