Groups A group is a collection of user and computer accounts that can be treated as a unit.

Each member receives the rights and permissions assigned to the group. Groups can be created in Active Directory or on a local computer. Some groups can contain other groups. Active Directory groups can vary by scope and type. Group Scopes There are three group scopes: Global, Domain Local, and Universal. The group scope determines: The domains from which you can add members to the group. The domains where the group can access resources. The domains where you can nest the group within other groups. Group Types There are two group types: Security groups are used primarily to assign rights and permissions, but they can also be used as e-mail distribution lists. Distribution groups can be used only as e-mail distribution lists, and are not securityenabled. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applicaitons can use only distribution groups Domain Functional Level A domain's functional level determines which Active Directory features are enabled. If your domain controllers are running on the appropriate operating systems, you can raise the domain functional level from the default level to a higher level, and enable additional features. The group scopes available in Active Directory depend upon the functional level of the group's domain. Windows 2000 Native Supports Windows 2000 and Windows 2003 domain controllers. Supports Global, Domain Local, and Universal Group scopes. Windows 2000 Mixed (the default level) - Supports Windows NT 4.0, Windows 2000 and Windows Server 2003 domain controllers. Supports Global and Domain Local group. Windows Server 2003 - Supports Windows Server 2003 domain controllers. Supports Global, Domain Local, and Universal Group scopes. Converting Group Types At the Windows 2000 Native or Windows Server 2003 functional levels, you can convert security groups to distribution groups and vice versa. Local Groups

A local group is a group that is created on a member server or a stand-alone server, and which is used to grant permissions for resources residing on the local computer. Local groups on stand-alone servers can contain users from the local computer. On member servers, local groups can also contain users, computers, and groups from Active Directory. Local groups have the following characteristics: You can use local groups only on the computer where you create the local groups. Local group permissions provide access to resources only on the computer where you created the local group. Local groups cannot be members of any other group. You can use local groups on computers running currently supported Microsoft client operating systems and on member servers running Windows Server 2003. You cannot create local groups on domain controllers, because domain controllers cannot have a security database that is independent of the database in Active Directory. You can create local groups to limit the ability of local users and groups to access network resources in cases when you do not want to create domain groups. Domain Local Groups A domain local group is an Active Directory group that can contain groups and accounts from its domain and from other domains in the forest, and it can be assigned rights and permissions to resources only in its own domain. A domain local group is only visible in the group's domain. Because groups with a domain local scope are sometimes referred to as local groups, it is important to distinguish between a local group and a group with domain local scope. Local groups are sometimes referred to as machine local groups to distinguish them from domain local groups. Because groups with a domain local scope are sometimes referred to as local groups, it is important to distinguish between a local group and a group with domain local scope. Local groups are sometimes referred to as machine local groups to distinguish them from domain local groups. At the Windows 2000 Mixed functional level: Domain local groups can contain user accounts, computer accounts, and global groups from any domain. Member servers cannot use domain local groups. A domain local group cannot be a member of any group. At Native functional level (Windows 2000 or Windows 2003): Domain local groups can contain user accounts, computer accounts, global groups, and universal groups from any domain in the forest, and domain local groups that are from the same domain as the domain local group. A domain local group can be a member of other domain local groups that are from the same domain as the domain local group. Global Groups

A global group is an Active Directory group that can contain users, groups, and computers that are from the same domain as the global group. You can use global security groups to assign user rights and permissions to resources in any domain in the forest. Global groups are primarily used to group together accounts that have common responsibilities and resource needs. Global groups can be members of other groups and are visible in all domains in the forest. The membership characteristics of global groups vary depending upon the functional level of the group's domain. At the Windows 2000 Mixed functional level: Global groups can contain user and computer accounts that are from the same domain as the global group. A global group can be a member of only domain local groups. At Native functional level (Windows 2000 or Windows 2003): Global groups can contain user accounts, computer accounts, and other global groups that are from the same domain as the global group. A global group can be a member of universal and domain local groups in any domain, and global groups that are from the same domain as the global group. Universal Groups A universal group is an Active Directory group that can contain users, groups, and computers from any domain in its forest. It is used to assign user rights and permissions to resources in any domain in the forest. The membership characteristics of universal groups vary depending upon the functional level of the group's domain. Universal groups are not available at the Windows 2000 Mixed functional level. At Native functional level (Windows 2000 or Windows 2003): Universal groups can contain user accounts, computer accounts, and other global groups that are from the same domain as the global group. A universal group can be a member of universal and domain local groups in any domain. The membership list of each universal group is stored in the Global Catalog. Therefore, changes to universal group membership can increase forest-wide replication traffic. Use universal groups when you need forest-wide visibility, and the membership of the group is relatively stable. Default Groups When you install Windows Server 2003 on a member server or workgroup computer, or install Active Directory on a domain controller, several groups are automatically created and assigned default rights and permissions. These default groups support specific administrative purposes. On a member server or workgroup computer, default local groups appear in the Local Users and Groups management console in the Groups folder.

On a domain controller, some default domain local groups appear in Active Directory Users and Computers in the Builtin container; default global groups and other default domain local groups appear in the Users container. You can move default groups to other containers in the domain, but you cannot move them to other domains. The default groups create the fundamental administrative and security structure for users in Windows Server 2003. For example, the default Administrator user gets some of its administrative rights because it is a member of the default Administrators group. Administrators Members have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator user is a default member account. Users should be added with caution. When the computer is joined to a domain, the Domain Admins group is automatically added to this group. Therefore, domain administrators automatically have full control of domain member computers. Guests The Guest user account is a member and is disabled by default. A temporary profile is created for a member when the member logs on. When the guest member logs off, the profile is deleted. Performance Log Users Members can manage performance counters, logs, and alerts on the server locally and from remote clients without being a member of the Administrators group. Performance Log Users Members can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups. Power Users Members can create user accounts and then modify and delete the accounts they have created. Members can create local groups and then add or remove users from the local groups they have created. Members can add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources they have created. Members cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs. Print Operators Members can manage printers and print queues. Users Members perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers.On domain member computers, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account created in the domain becomes a member of this group.

Default Local Network Services Groups The following table describes the default groups used by network services such as the Dynamic Host Configuration Protocol (DHCP) service and Windows Internet Name Service (WINS). These groups are created when the services are installed. DHCP Administrators Members have administrative access to the DHCP service. The DHCP Administrators group provides security to assign limited administrative access to the DHCP server only, while not providing full access to the server. Members can administer DHCP on a server by using the DHCP console or the Netsh command, but they cannot perform other administrative actions on the server. DHCP Users Members have read-only access to the DHCP service. Members can view information and properties stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports. WINS Users Members are permitted read-only access to the Windows Internet Name Service (WINS). Members can view information and properties stored at a specified WINS server. This information is useful to support staff when they need to obtain WINS status reports. Default Active Directory Groups in the Built In Container The following table describes some of the important default groups in the Builtin container in the Active Directory. Account Operators Members can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members do not have permission to modify the Administrators or the Domain Admins groups or accounts for members of those groups. Members can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution. Incoming Forest Trust Builders Members can create one-way, incoming forest trusts to the forest root domain. This group has no default members. Pre-Windows 2000 Compatible Access Members have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. Add users to this group only if they are using Remote Access Service (RAS) on a computer running Windows NT 4.0 or earlier. Server Operators

Members can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution. Default Active Directory Groups in the Users Container The following table describes some of the important default groups in the Users container in the Active Directory. Domain Controllers Contains all domain controllers in the domain. Domain Guests Contains all domain guest accounts. Domain Users Contains all domain user accounts. Domain Computers Contains all computers, other than domain controllers, that are members of the domain. As computers are joined to the domain, they automatically become members of this group. Domain Admins Members have full control of the domain. This group becomes a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. The Administrator account is a member of this group. Because the group has full power in the domain, add users with caution. Enterprise Admins Members have full control of all domains in the forest. This group is a member of the Administrators group on all domain controllers in the forest. The Administrator account is a member of this group. Because this group has full control of all domains in the forest, add users with caution. Group Policy Creator Owners Members can modify Group Policy in the domain. The Administrator account is a member of this group. Because this group has significant power in the domain, add users with caution. The System Groups System groups, which are also called special identities, are created by the operating system. The operating system dynamically adds and removes accounts from system groups when users log on or access resources. You can grant rights and permissions to system groups, but you cannot modify them or view their membership. Anonymous Logon The Anonymous Logon system group represents users and services that access a computer and its resources through the network without using an account name, password, or domain name.On computers running Windows NT and earlier, the Anonymous Logon group is a member of the Everyone group by default. On computers running a member of the

Windows Server 2003 family, the Anonymous Logon group is not a member of the Everyone group by default. If you want to create a file share for an anonymous user, you grant permissions to the Anonymous Logon group. Everyone The Everyone system group represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, the user is automatically added to the Everyone group. If security is not a concern for a specific group in your domain, you can grant permissions to the Everyone group. However, because the Anonymous Logon group can become a member of the Everyone group, it is not recommended that you use this group for permissions above read-only. Network The Network system group represents users currently accessing a given resource over the network, as opposed to users who access a resource by logging on locally at the computer where the resource is located. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Interactive The Interactive system group represents all users currently logged on to a particular computer and accessing a given resource located on that computer, as opposed to users who access the resource over the network. Whenever a user accesses a resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Authenticated Users The Authenticated Users system group represents all users within Active Directory. Always use the Authenticated Users group when granting permissions for a resource instead of using the Everyone group to prevent guests from accessing resources. Creator Owner The Creator Owner system group includes the user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is the owner of the resource. Group Naming Conventions Your organization might wish to follow a structured convention for naming groups in the Active Directory, so that the group name conveys information about the group. Group Names can identify such characteristics as the scope, location, and purpose of the group. There can be up to five co-owners of a distribution group. For security groups, you might want to include the following information in a naming convention:

Group scope. A letter in the group name can identify the scope of the group; G for global, U for universal, and DL for domain local. For example, a global administrative group might be named G IT Admins. Group ownership. The name of the group can reflect the division of the organization that owns the group; for example, a group for the Marketing division might be called G Marketing. Group location. For example G London Marketing. Group function. You can include the job function or level of administrative power of a group; for example, DL London OU Admins, or G Marketing Managers. Naming conventions for Distribution Groups Distribution groups have an e-mail address name as well as a display name. Both names should be appropriate, useful, and relevant to the e-mail user. Naming Rules for Local Groups A local group name cannot be identical to any other group or user name on the local computer being administered. A local group name cannot consist solely of periods (.) or spaces. It can contain up to 256 uppercase or lowercase characters, except the following: " / \ [ ] : ; | =, + * ? Creating Active Directory Groups at the Command Line You can use the dsadd command to create Active Directory groups at the command line. The syntax is dsadd group GroupDN -samid SAMName -secgrp yes | no -scope l | g | u GroupDN The distinguished name of the group you want to add. SAMName Specifies the Security Accounts Manager (SAM) name as the unique SAM account name for this group (for example, operators). yes | no Specifies whether the group you want to add is a security group (yes) or a distribution group (no). l | g | u Specifies whether the scope of the group you want to add is domain local (l), global (g), or universal (u). Deleting from Command Line You can use the dsrm command to delete an Active Directory group at the command line. Type dsrm GroupDN. Consider the following guidelines when you create groups: You should use the default groups for administration when the default group meets your needs. However, you should only add users to default groups when the users need all the rights and permissions associated with the groups. Otherwise, create new security groups and assign the specific rights and permissions needed. If appropriate in your organization, place groups in organizational units so you can delegate group management to an OU administrator. If groups are required to control access outside the organizational unit, you can nest the groups within the organizational unit into universal groups (or other groups with global scope) that can be used elsewhere in the forest. It may be more efficient to nest global

groups if the domain functional level is set to Windows 2000 native or higher, the domain contains a hierarchy of organizational units, and administration is delegated to administrators from each organizational unit. Create groups based on administrative needs. When you create a group based on a job function and another person takes over that job, you only need to change the group membership. You do not need to change all permissions that are granted to the individual user account. Because of this, it is sometimes advantageous to create a group that has only one member. If you have multiple groups to which you can add user accounts, add user accounts to the group that is most restrictive. However, ensure that you grant the appropriate user rights and permissions so that users can accomplish any required task. Whenever a default group enables users to accomplish a task, use the default group instead of creating a new group. Create groups only when there are no default groups that provide the required user rights and permissions. Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions. Using this group minimizes the risk of unauthorized access, because Windows Server 2003 adds only valid user accounts to members of the Authenticated Users system group. Limit the number of users in the Administrators group. Members of the Administrators group on a local computer have Full Control permissions for that computer. Add a user to the Administrators group if the user will perform only administrative tasks. Your organization must equally trust all personnel that are members of the Administrators, Power Users, Print Operators, and Backup Operators groups. Some default user rights assigned to specific default local groups may allow members of those groups to gain additional rights on your computer, including administrative rights. Create Active Directory Groups In Active Directory Users and Computers, in the console tree, right-click the container to which you want to add the group, point to New, and then click Group. In the New Object Group dialog box, in the Group name box, type the name of the new group. Under Group scope, enter the group scope for the new group. Under Group type, select the group type for the new group, and then click OK. Student Note: Administrative Requirements To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must be delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. Create a Local Group Administrative Requirements To perform this procedure, you must be a member of the Power Users group or the Administrators group on the local computer, or you must be delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

In Computer Management, expand Local Users and Groups, and click Groups. Click Action, and then click New Group. In the New Group dialog box, in the Group name box, type a name for the new group. If desired, in the Description box, type a description for the new group. To add users to the group, click Add, enter the user names, and then click OK. Click Create, and then click Close. Delete a Group - Right-click the group, and then click Delete. Group Nesting You can consolidate group management by nesting groups inside other groups. Which accounts and groups a group can contain depends upon the group's scope and the domain's functional level. Global At the default functional level, global groups can contain user accounts and computer accounts from the same domain. At higher functional levels, global groups can also contain global groups from the same domain. Universal Universal groups can contain user accounts, computer accounts, universal groups, and global groups from any domain. Universal groups are only available if the domain is at the Windows 2000 Native or Windows Server 2003 functional level. Domain Local At the default level, domain local groups can contain user accounts, computer accounts, and global groups from any domain. At higher functional levels, domain local groups can also contain universal groups from any domain, and domain local groups from within the same domain. Group Nesting Stratedgies AGP Advantages - Groups are not nested, which might facilitate troubleshooting. Accounts belong only to a single group scope. Disadvantages - Complicates administration when you use multiple domains. If global groups from multiple domains require the same permissions, you must grant permissions to each global group individually. Every time a user authenticates with a resource, the server must check the global group membership to determine if the user is still a member of the group. Performance degrades because a global group is not cached. A DL P Advantages - Groups are not nested, which might facilitate troubleshooting. Accounts belong only to a single group scope. Disadvantages - Does not allow you to grant permissions for resources outside of the domain, which reduces flexibility as your network grows. Performance degrades because each domain local group has many members that must be authenticated. A G DL P Advantages - Creates flexibility in the domain structure to support network growth. Reduces the number of times you must set permissions. Resource owners require less access to Active Directory to flexibly secure their resources. Disadvantages - A tiered management structure is more complex to set up initially. However, it is easier to manage over time. A G U DL P

Advantages - There is flexibility across the forest. Enables centralized administration. Disadvantages - Because universal group membership is stored in the Global Catalog, adding members to universal groups can increase replication traffic. However, this effect only occurs when you initially implement the strategy because, after that, universal group membership should remain fairly stable. It might be necessary to add more global catalog servers. There may be global catalog replication latency. Latency is the time it takes to replicate a change to each global catalog server in the forest. AGLP Advantages - Enables you to maintain a Windows NT 4.0 group strategy in mixed domains. Resource owners own membership to every group that needs access. Disadvantages - You cannot grant permissions outside the local computer. Active Directory does not control access. You must create duplicate groups on separate member servers. It does not support centralized administration. Determine Group Membership at the Command Line; You can use the dsget command to determine a user's group membership. Type dsget user UserDN -memberof (where UserDN is the user's distinguished name). Changing Local Group Membership: You can use the Local Users and Groups tool in the Computer Management console to change the membership of local groups on member servers and workgroup computers. In the property sheet for the group, click Add to add members, and click Remove to remove selected members. Determine Group Membership: Right-click the user or group, and then click Properties. Click the Member Of tab to view groups that the user or group is a member of. For groups, click the Members tab to view members of the group. Click Cancel to close the property sheet. Change Active Directory Group Membership: Right-click the group, and then click Properties. Click the Members tab. To remove members, click the member, and then click Remove. Click Yes to confirm. To add members, click Add. Enter the names of the accounts or groups you want to add, and then click OK. When you have finished adding and removing members, in the group's property sheet, click OK. Modify Groups Change Group Restrictions You can change group scope or group type in domains where the functional level is set to Windows 2000 Native or to Windows Server 2003. You can change a group from security to distribution or vice versa at any time; you can change group scope only if the change would not violate group membership restrictions. Global to Universal Allowed only if the group you want to change is not a member of another Global Group. Domain Local to Universal - Allowed only if the group you want to change does not have another domain local group as a member.

Universal to Local - Allowed only if the group you want to change does not have another universal group as a member Universal to Domain Local None. Global to Domain Local Cannot convert directly: change from global to universal and then from universal to domain local. Group Managers You can alter the properties of groups to assign a user account as a group manager. Group managers enable you to: Track who is responsible for groups. Delegate to the manager the ability to change the group membership. Maintain contact information about the group; for example, an administrator can inform the group manager if the group is to be removed or migrated to another domain. Change a Group Scope or a Group Type Right-click the group, and then click Properties. Select the appropriate group scope and group type. Click OK. Assign a Manager to a Group Right-click the group, and then click Properties. Click the Managed By tab. Click Change. Enter the user name, and then click OK. If you want the manager to be able to change the group membership, select Manager can update membership. Click OK. Remove a Group Manager Right-click the group, and then click Properties. Click the Managed By tab. Click Clear. Click OK.