70-240 in 15 minutes a week: AD User and Group Administration Page 2

Of course, after user accounts have been created, a number of common management tasks may need to be performed. Note that while many of these involve setting up information relating to a particular user (phone numbers, addresses, etc), some have father-reaching implications in terms of security. Note that the most important account settings are found on the Account tab in the properties of a user account. It is from here that you can require that a user change their password at next logon, disable an account, set logon hour restrictions, account expiry, account lockout, and so forth. 

Note that passwords are reset in Windows 2000 by right clicking on an account and choosing the Reset Password option. In big environments (especially ones with many OUs) you may have trouble remembering where you created an account. To quickly find the user (or other objects), right click the domain name and choose Find in Active Directory Users and Computers. 

A couple of additional notes on user accounts:

- Remember that an account can be renamed, without affecting the resources that the account has access to. As such, if Bob quits and Mark replaces him, simply rename the Bob's account (and change the personal information obviously) and Mary will be a have access to everything that Bob previously did.
- Deleting an account is a big deal. When you delete an account, the SID associated with the account is also deleted. As such, if you were to recreate an account with the same username, it would not have access to whatever the original account has been granted access to, since the SID would be different. Note that a deleted account can be restored using an authoritative restore (discussed later in the series).

Active Directory Group Concepts

Windows 2000 Active Directory presents a number of different group options not found in the NT domain environment. The two biggest changes are the different types/scopes of groups that now exist, as well as the ability to nest groups. Group accounts for domain users are again created in Active Directory Users and Computers

First, understand that there are two types of groups: security and distribution. Distribution groups exist for the purpose of sending email, and do not have a SID. Security groups do have a SID, and as such can be used to assign permissions and rights via access control lists and policy settings. 

Secondly, there are three scopes of groups: domain local, global, and universal. A quick overview of each:

Domain Local groups: domain local groups are similar to local groups in NT 4, except that they can be applied to any system within a domain, not just on the system where the group exists (since domain local groups actually reside in the AD database). These groups are usually used to assign permissions to resources. 

Global groups: global groups are very similar to those found in an NT 4 domain. They are still collections of users with common needs. 

Universal groups: universal groups are totally new in Windows 2000. A universal group can contain users from any domain in an AD forest. Similar to global groups, they are used as collections of users with common needs or characteristics. Only an member of the Enterprise Admins group can create a universal group.

The screen shot below shows the dialog box you are presented with when creating a new group:

Note that the option to create a Universal group is not available. This is because my domain is still in Mixed Mode. Universal groups can only be created in Native Mode. The ability to nest groups is also new to Windows 2000, and is also only available in Native Mode. Nesting refers to the ability to place a group into a group of the same type - for example placing a global group into a global group. The table below outlines group membership rules for domains in Native Mode.

Group Scope May Contain
Domain Local Users from any domain, global groups from any domain, universal groups, domain local groups from the same domain. Can only be used to access resources in the same domain.
Global Users from same domain, global groups from same domain. Can be used to access resources in any domain.
Universal Users from any domain, global groups from any domain, universal groups. Can be used to access resources in any domain.

Active Directory Group Strategies

Some of you will remember the group usage strategy outlined by Microsoft for NT 4 domain environments. It suggested that you place user accounts into global groups according to needs, assign permissions to local groups, and then place global groups into local groups, thereby giving users access to resources. This model was often referred to as AGLP:

Accounts (get placed into) Global Groups (which are then placed in) Local Groups (who are ultimately assigned) Permissions 

Although there are many different possibilities in terms of assigning permissions, the above method is amongst the most scalable. By the same token, a methodology exists in Windows 2000 that you should follow (especially on the exam!). 

Accounts > Global Groups > Domain Local Groups > Permissions

Note that the model can extend beyond this, however. For example, you can nest global groups (which is useful if you have a few global groups in the same domain who you wish to further organize), or place global groups from different domains into a Universal group. With a Universal group, this would then make the model:

Accounts > Global Groups > Universal > Domain Local Groups > Permissions

The idea is simple - group users with common needs using global groups (or universal if you wish), and then place that group into a domain local group, which is assigned permissions to a resource. This allows many users to have access to the resource, while assigning permissions only once. A name for the new model that you won't forget? Try AGULP (just remember that the L is for domain local now)

This article was originally published on Jun 5, 2001
Page 2 of 3

Thanks for your registration, follow us on our social networks to keep up-to-date