Sunday, July 3, 2011

WS Lesson-12


 Managing Group Accounts

  • The Active Directory Users And Computers MMC is the primary tool you will use to administer security principals—users, groups, and computers—in the domain.
  • In the creation of groups, you will configure the scope, type, and membership for each. You will also use the Active Directory Users And Computers MMC to modify membership of existing groups.
Creating a Security Group
  • The primary type of group that you will likely create is a security group because this is the type of group used to set permissions in an ACL.
  • In a mixed or interim domain functional level domain, you can only set a security group for the domain local and global scopes. As Figure 4-1 illustrates, you cannot create a security group that has universal scope in mixed or interim domain functional level domains.

Domain local, global, and universal groups can, however, be created as a distribution type in a mixed or interim domain functional level domain. In a mixed or interim domain functional level domain, security groups can be created in any scope.

Modifying Group Membership
Adding or deleting members from a group is also accomplished through Active Directory Users And Computers. Right-click any group, and choose Properties. Figure 4-2 illustrates the Properties dialog box of a global security group called Sales.

Membership Configuration
Tab          Function
Members      Adding, removing or listing the security principals that this container holds as members
Member of    Adding, removing or listing the containers that hold this container as a member


Finding the Domain Groups
Active Directory allows for flexible and creative group nesting, where
■ Global groups can nest into other global groups, universal groups, or domain local groups.
■ Universal groups can be members of other universal groups or domain local groups.
■ Domain local groups can belong to other domain local groups.

This flexibility brings with it the potential for complexity, and without the right tools, it would be difficult to know exactly which groups a user belongs to, whether directly or indirectly. Fortunately, Windows Server 2003 adds the DSGET command, which solves the problem. From a command prompt, type:
dsget user UserDN -memberof [-expand]

The -memberof switch returns the value of the MemberOf attribute, showing the groups to which the user directly belongs. By adding the -expand switch, those groups are searched recursively, producing an exhaustive list of all groups to which the user belongs in the domain.
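The nesting rules listed above and the recursive walk that -expand performs, as an added example that is not part of the original post: a small constructed directory modelled in Python (the group names, scopes and MemberOf map are invented sample data, not output of dsget), with a visited list so circular nesting cannot make the expansion loop.

```python
# Constructed sample domain: scope of each group (not real directory data).
SCOPE = {
    "Sales": "global", "Marketing": "global",
    "AllStaff": "universal", "RegionalMgrs": "universal",
    "FileServerACL": "domain local",
}

# Constructed stand-in for each principal's MemberOf attribute.
MEMBER_OF = {
    "jdoe": ["Sales"],
    "Sales": ["AllStaff", "FileServerACL"],
    "Marketing": ["AllStaff"],
    "AllStaff": ["RegionalMgrs"],
    "RegionalMgrs": ["FileServerACL"],
    "FileServerACL": [],
}

# Scopes into which a group of a given scope may be nested.
ALLOWED_NESTING = {
    "global": {"global", "universal", "domain local"},
    "universal": {"universal", "domain local"},
    "domain local": {"domain local"},
}


def nesting_allowed(member_group, container_group):
    """True if member_group's scope may be nested into container_group's scope."""
    return SCOPE[container_group] in ALLOWED_NESTING[SCOPE[member_group]]


def nesting_violations(directory=MEMBER_OF):
    """Return (member, container) pairs in the directory that break the scope rules."""
    return [(m, c) for m, groups in directory.items() if m in SCOPE
            for c in groups if not nesting_allowed(m, c)]


def member_of(principal, expand=False, directory=MEMBER_OF):
    """Mimic 'dsget user <UserDN> -memberof [-expand]': the direct MemberOf values,
    or with expand the chain walked recursively; 'seen' stops circular nesting
    from looping, so the walk terminates even on a malformed directory."""
    direct = list(directory.get(principal, []))
    if not expand:
        return direct
    seen = []
    stack = direct[::-1]          # depth-first, direct memberships first
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.append(group)
        stack.extend(reversed(directory.get(group, [])))
    return seen
```

Calling member_of("jdoe", expand=True) lists Sales and every group Sales is nested into, which is the exhaustive list the text describes.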

