Configuring Active Directory Groups, OUs and Sites

TOPIC 4:
CONFIGURING ACTIVE DIRECTORY GROUPS, OUS AND SITES
ITP4112 Network and Virtualized Systems Administration Project

VTC 2012
LESSON INTENDED LEARNING OUTCOMES
On completion of the lesson, students are expected to:
Know how to configure Active Directory groups.
Know how to configure Active Directory organizational units.
Know how to configure Active Directory sites.

OVERVIEW
A group is a collection of Active Directory objects. It is primarily used to group users and define permissions based on group membership.
By default, a number of groups are available for use, and you can create new groups by using the Active Directory Users and Computers snap-in.
There are two different group types:
Security group: a group that defines permissions related to resources and objects in the domain, e.g. printers and files.
Distribution group: a group that is just a list of users, such as a grouping of contacts to which you would send an email. It cannot be used to assign permissions to the users in the group.

OVERVIEW
A security group always has a particular scope, which refers to the level at which the group operates within the AD DS hierarchy. It also refers to the type of objects that can be contained in the group.
The three group scopes are universal, global, and domain local.

GROUP SCOPES
Universal group: spans multiple domains and can have users (or groups) from any of these domains as members; designed to contain objects that remain fairly static (such as global groups).
Global group: used to organize users in one domain. Membership is limited to the domain where the global group is created. However, a global group can access resources in any domain in the AD tree.
Domain local group: created at the domain level and used to provide users with permissions to local resources (within the domain). However, the domain local group can have members from any domain in the tree.

GROUP SCOPES
If your network consists of only one domain, you would typically use global groups to organize your users, with each group assigned a particular level of permissions to resources within the domain.
Universal groups usually come into play only if your network is of greater scope with multiple domains.
Domain local groups are often used to assign users permissions to specific resources within the domain where the group has been created.

NESTED GROUPS
Nesting of groups is controlled by the group membership rules for each group scope:
Universal: members can include users, global groups from any domain, and other universal groups.
Global: members can include users and global groups from the same domain.
Domain local: members can include users, global groups from any domain, domain local groups from the same domain, and universal groups.
E.g. you can add a global group to a domain local group. The global group provides the list of users, and the domain local group actually provides the permission level that will be assigned to members of the domain local group; in this case, that includes the global group you have nested.

CREATE GROUPS
Open the Active Directory Users and Computers snap-in. Right-click below the current groups shown in the Details pane, and then select New.

ORGANIZATIONAL UNITS
You can add compartmentalization to AD domains using OUs. An OU is an AD object that serves as a domain container that can be used to hold users, groups, computers, and other OUs. This enables you to refine the logical grouping of AD objects within the domain.
You can apply Group Policy settings to OUs, enabling you to refine policies and security settings at a level below the domain level.
OUs provide you with a domain container that can be used to mimic the hierarchical structure of your business. E.g. you can create an OU for each company department. This provides you with a way to logically group users (at a higher level than with actual groups).

CREATE ORGANIZATIONAL UNITS
In the Active Directory Users and Computers snap-in, right-click on your domain node, then select New. Similarly, you can also create OUs inside other OUs.
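
The group types, scopes and nesting rule from the NESTED GROUPS slide, together with the OU creation described here, scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original slides; the domain corp.example and every OU and group name in it are constructed for illustration.

```powershell
# Assumptions (constructed): domain DC=corp,DC=example, a "Sales" department
# and a file share whose ACL will reference the domain local group.
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example'

# One OU per department, with a child OU for its groups (OUs can be nested).
New-ADOrganizationalUnit -Name 'Sales'  -Path $domainDN
New-ADOrganizationalUnit -Name 'Groups' -Path "OU=Sales,$domainDN"
$groupsOU = "OU=Groups,OU=Sales,$domainDN"

# Global security group: holds the user accounts of this domain.
New-ADGroup -Name 'GG-Sales-Staff' -GroupScope Global `
    -GroupCategory Security -Path $groupsOU

# Domain local security group: the group that is granted the permission.
New-ADGroup -Name 'DL-SalesShare-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupsOU

# Distribution group: a mail list only, not usable for assigning permissions.
New-ADGroup -Name 'DG-Sales-Announce' -GroupScope Global `
    -GroupCategory Distribution -Path $groupsOU

# Allowed nesting: a global group as a member of a domain local group.
Add-ADGroupMember -Identity 'DL-SalesShare-Modify' -Members 'GG-Sales-Staff'

# Disallowed nesting: a global group may only contain users and global
# groups from its own domain, so the directory refuses this request.
try {
    Add-ADGroupMember -Identity 'GG-Sales-Staff' `
        -Members 'DL-SalesShare-Modify' -ErrorAction Stop
} catch {
    Write-Warning "Nesting rejected: $($_.Exception.Message)"
}

# Review step: expand the nesting and list every account that ends up with
# the permission, which is what an access review needs to see.
Get-ADGroupMember -Identity 'DL-SalesShare-Modify' -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

The recursive listing returns nothing until user accounts are added to GG-Sales-Staff; rerun it after each membership change to see who inherits access through the nested group.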

ACTIVE DIRECTORY SITES
Sites are physical entities (having an actual physical location) and help to determine your network's physical topology.
When creating regional (child) domains in your root domain, each regional domain is placed in a site. Each site operates at least one domain controller for the regional domain (which branches off the root domain or forest in the AD hierarchy). This allows for intersite replication between the various domain controllers in the tree.
So, sites typically represent IP subnets that are connected by LAN or WAN connections. When you create regional domains, you must specify the site in which the domain will reside during the domain creation process.

CREATE SITES
Because you will have a map of your domain hierarchy before you bring your regional domains online, it actually makes sense to begin setting up your network's site structure immediately after creating the forest for the domain.
Sites are created using the Active Directory Sites and Services snap-in in the Server Manager.

CONFIGURE A SITE
You must associate a subnet (or subnets) with the site and connect the site to other sites, using an Active Directory connection (this takes care of replication between the sites).
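
The same site configuration scripted with the ActiveDirectory PowerShell module, followed by a check for sites that have no subnet associated. This is an added example, not part of the original slides; the site names, subnets, cost and replication interval are constructed, and the connection between sites is created as a site link object.

```powershell
# Assumptions (constructed): two locations, HQ and Branch1, each with its
# own IP range, joined by a WAN connection.
Import-Module ActiveDirectory

# Create one site per physical location.
New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch1'

# Associate each site with the IP subnet(s) used at that location.
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch1'

# Connect the two sites so their domain controllers replicate with each other.
New-ADReplicationSiteLink -Name 'HQ-Branch1' `
    -SitesIncluded 'HQ', 'Branch1' `
    -InterSiteTransportProtocol IP `
    -Cost 100 -ReplicationFrequencyInMinutes 60

# Check: list any site that still has no subnet associated with it.
$sitesWithSubnets = Get-ADReplicationSubnet -Filter * |
    Select-Object -ExpandProperty Site
Get-ADReplicationSite -Filter * |
    Where-Object { $sitesWithSubnets -notcontains $_.DistinguishedName } |
    Select-Object Name

# Check: show which sites each site link connects and how often it replicates.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```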
