Windows 2003 Server

Chapter 4

Implementing and Managing Group and Computer Accounts

Home | Chapters | Homework | Grades | Calendar | Forums | Syllabus

Forum Policy | Assignment Policy | E-Mail Mr Hull | FTP

Main | Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4 | Chapter 5 | Chapter 6 | Chapter 7

Chapter 8 | Chapter 9 | Chapter 10 | Chapter 11 | Chapter 12 | Chapter 13 | Chapter 14


At the end of this chapter you should be able to:

  • Understand the purpose of using group accounts to simplify administration

  • Create group objects using both graphical and command-line tools

  • Manage security groups and distribution groups

  • Explain the purpose of the built-in groups created when Active Directory is installed

  • Create and manage computer accounts

Introduction to Group Accounts

Groups are used to logically group users together.  You may have a group that contains all users at a site, or you may have a group that has all the users from one department.  You can use the group to easily assign permissions to users.  For example you would be able to add a new accountant to the accountant's group and they would have access to all the accountant's data.

Active Directory Users and Computer is the main interface you use when interacting with groups, but we will see that we have command line utilities available as well.

Groups may sound similar to Organizational Units (OU) in that they both logically group users.  The difference is OU's cannot be used to assign permissions and OU's can only contain users in it's own domain.


Group Types

There are two types of groups in Windows Server 2003.  Both are outlined below:

  • Security Groups - Security groups contain a SID to uniquely identify them, using this SID a group can be placed in a Discretionary Access Control List (DACLs) and be assigned rights.  A DACL's is the list of objects that have access to a resource.  (Also a security group can become mail enabled.)

  • Distribution Groups - When an email is sent to a distribution list the mail will go to each user in the list.  For example if you have multiple people that act as a webmaster, you can make a distribution group called webmaster, and when anyone sends mail to that account all users in the group will get it.  Note: Exchange 2003 supports query based distribution lists.

Group Scopes

Before we go over the different group scopes we should discuss the three different domain functional levels.  The different domain functional levels support early versions of Windows Server acting as domain controllers.

  • Windows 2000 Mixed - In this mode the domain will support Windows NT,2000,and 2003 Domain Controllers.  Since Windows NT didn't support some of the advanced group options they will not be supported in this mode.  This is the default setting for your domain.

  • Windows 2000 Native - This mode supports Windows 2000, and 2003 Domain Controllers.  In this mode advanced group settings are supported.

  • Windows Server 2003 - This mode only supports Windows 2003 Domain Controllers.  Group settings are the same as Windows 2000 Native mode.

Now that we know about the different domain functional levels we will look at how each group scope acts at each level.

  • Global Groups - Can contain users from there own domain only

    • Windows 2000 Mixed

      • Can contain users from the same domain

      • Can be added to local groups or domain local groups in any domain

      • Can not be added to universal groups in the forest

    • Windows 2000 Native or Windows Server 2003

      • Can contain users or other global groups from the same domain

      • Can be added to universal groups

      • Can be added to local groups or domain local groups in any domain

  • Domain Local Groups - Can contain users from any domain.  Can be assigned to DACL's in its own domain only.

    • Windows 2000 Mixed

      • Can contain user accounts from any domain

      • Can contain global groups from any domain

    • Windows 2000 Native or Windows Server 2003

      • Can contain user account from any domain

      • Can contain global groups from any domain

      • Can contain universal groups

      • Can contain other domain local groups from the same domain

  • Universal Groups - This group type is not available in Windows 2000 Mixed

    • Can contain user accounts from any trusted domain

    • Can contain global group accounts from any trusted domain

    • Can contain other universal groups

Creating Group Objects

Now that we have a better understanding about the different types of groups we will look at ways to create them. 


Active Directory Users and Computers

You can create groups using Active Directory Users and Computers by right clicking on the container you would like to create the group, point to new and choose group.


LAB ACTIVITY - Do the lab on page 153. (15 Minutes)

LAB ACTIVITY - Do the lab on page 156. (10 Minutes)

LAB ACTIVITY - Do the lab on page 157. (10 Minutes)

Converting Group Types

You may have the need to convert a distribution group to a security group.  This is possible if the domain is in Windows 2000 Native or Windows Server 2003 modes.


LAB ACTIVITY - Do the lab on page 160. (5 Minutes)

Converting Group Scopes

If you want to convert the scope of a group you can with some limitations.  First limitation is that the domain has to be in Windows 2000 Native or Windows Server 2003 modes.  Others are outlined below:

  • Global to Universal - Supported as long it is not a member of any other global groups.

  • Domain Local to Universal - Supported as long as it doesn't contain other domain local groups.

  • Universal to Global - Supported as long as it doesn't contain other universal groups

  • Universal to Domain Local - Supported

LAB ACTIVITY - Do the lab on page 162. (5 Minutes)


Command Line Utilities

  • DSADD - Allows you to add groups

  • DSMOD - Modifies object attributes and settings

  • DSQUERY - Queries for objects

  • DSMOVE - Moves objects to different locations within a domain

  • DSRM - Deletes objects from the directory

LAB ACTIVITY - Do the lab on page 165. (10 Minutes)

LAB ACTIVITY - Do the lab on page 167. (10 Minutes)

Managing Security Groups

The recommended strategy for group deployment can be summed up with the following acronym; A G U DL P.  With this strategy you place Accounts (A) in Global groups (G).  The global groups will usually be based on departments.  Then if you have multiple domain you will place the Global group into a Universal group (U).  The universal group will get the rest of the members of a department.  Next you place the Universal group into a Domain Local group (DL).  The Domain Local group represent the resource in which you are granting writes.  Finally that Domain Local group will be assigned the Permissions (P) on the resource.  If you have a single domain you can use the A G DL P method.


Another method you can use to help manage your security groups is nesting.  Nesting is the process of putting one group inside another.  In Windows 2000 Native and Windows Server 2003 modes you can nest your groups.  An example where this might be handy is at a school, you could have a global group called Elementary Teachers, and another called High School Teachers.  You could them make a global group called Teachers and add both the Elementary Teachers and High School Teachers to it.


Determining Group Membership

You can view the members of a group by opening the group in Active Directory Users and Computers and looking at the Members tab.  You can also see what groups a user is a member of by clicking on their Member of tab.  Alternatively you can use the DSGET command.

Built-In Groups

Windows Server 2003 contains a number of built-in groups that are outlined in this section.   There are two locations where you will find the groups.  The Built-in container and the Users container.  All of the groups in Built-in container are Domain Local groups.


The Built-in Container

  • Account Operators - Users can create and modify accounts in the domain.  They cannot add themselves or others to any administrative groups.

  • Administrators - Complete control over the domain

  • Backup Operators - Can backup and restore data regardless of security settings.

  • Guests - Guests, no default permissions

  • Incoming Forest Trust Builders - Users can create one way incoming trusts in the root domain only.

  • Network Configurations Operators - Users can change TCP/IP settings on Domain Controllers in the domain

  • Performance Log Users - Users can remotely access performance counters on a Domain Controller

  • Pre-Windows 2000 Compatible Access - Used to support applications that work in Windows NT4 but may have problems with Windows 2003 Security.

  • Print Operators - Users have control over printers.

  • Remote Desktop Users - Users can access the server remotely using terminal services.

  • Replicator - Used by the File Replication Service.

  • Server Operators - Users can logon to the server locally and share folders, backup and restore files and shutdown the server.

  • Terminal Server License Servers - Contains the list of servers that are terminal server license servers.

  • Users - Users

  • Windows Authorization Access Group - Members can find out what groups a user is a member.

The Users Container

  • Cert Publishers - Domain Local - Members can publish certificates in Active Directory.

  • DNSAdmins - Domain Local - Members can change DNS server settings.

  • DNSUpdateProxy - Global - Members can perform dynamic DNS updates on behalf of other clients.

  • Domain Admins - Global - Members can perform administrative tasks.

  • Domain Computers - Global - Contains all workstation and server computer accounts in the domain.

  • Domain Controllers - Global - Contains all Domain Controller accounts in the domain.

  • Domain Guests - Global - Contains all guests accounts.

  • Domain Users - Global - Contains all domain users.

  • Enterprise Admins - Global - Administrator of all domains.

  • Group Policy Creator Owners - Global - Members can modify Group Policy's.

  • RAS and IAS Servers - Global - Contains servers that can access the remote access properties of a user account.

  • Schema Admins - Global - Members can modify the schema.

  • WINS Users - Domain Local - Members can read the WINS database.

Creating and Managing Computer Accounts

Computer accounts are required on Windows NT/2000/XP clients and Windows NT/2000/2003 servers for authentication.  Without a computer account on a domain or trusted domain it cannot log on.  You can make computer accounts in Active Directory Users and Computers, the workstations system properties, and using command line utilities.


LAB ACTIVITY - Do the lab on page 175. (10 Minutes)

Resetting Computer Accounts

Windows uses a secure channel to communicate with a Windows Domain Controller.  A password is associated with this channel that gets changed every 30 days.  If this password gets out of sync you may have to reset the computer account.  You can do this in Active Directory Users and Computer by right clicking the computer account and choose reset account.  As an alternative you can use the Netdom.exe tool that comes with the Windows Support Tools.

More Information


Click Here to download the slides for this chapter

(NOTE: You must have PowerPoint or PowerPoint Viewer if you don't have  either Click Here to download PowerPoint Viewer.)

Home | Chapters | Homework | Grades | Calendar | Forums | Syllabus

Forum Policy | Assignment Policy | E-Mail Mr Hull | FTP