Securing The Network47240c03.fm Page 137 Tuesday, July 11, 2006 6:48 AM
Criteria for Completion
You have completed this task when you confirm that the three accounts are visible in the right pane of the Computer Management window while Users is selected in the left pane.
Task 3.2: Creating Local User Groups
While creating user accounts is the first step toward assigning rights to users, user accounts alone are an unwieldy unit for actually assigning those rights. Imagine hundreds, even thousands, of resources that must be guarded against unauthorized access. For each resource you would have to list every user granted access, with everyone else denied by default. Multiply the number of users by the number of resources and you have the number of access entries you must create and keep current, and every hire, transfer, or departure means revisiting them. Such numbers are daunting even on a single computer; envision the same scenario in a domain-wide setting.
Clearly, a solution is needed. Since the first networked operating systems, one solution has been to place user accounts into user groups that bind the member accounts by function or simply by general access policy. For example, instead of adding 20 user accounts to a resource, applying the exact same permissions for each user, why not build a user group that contains each user account and apply the permissions once to the group?
A single user account can be a member of multiple groups. When it is, the user's effective access to a resource is the composite of the positive rights granted to each of those groups: a right that only one group holds is added, and where two groups grant different levels of the same right the user gets the more generous one. However, any denial of access to a resource for the members of a group trumps the positive access the user would otherwise have through any other group, or through the user account itself. Windows enforces this by storing explicit Deny entries ahead of explicit Allow entries in an access control list (ACL), so the Deny is matched first. This priority given to negative access makes it effortless to blacklist a user account: place a "blacklist" group in every resource's ACL with full denial of access, add individual user accounts to that group as needed, and you have an efficient mechanism to cut off anyone's access to all resources at any time. Other strategies that limit individual access to particular resources through group membership, on a more granular level, are no harder to devise.
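The two rules above (Allow rights accumulate across groups, an explicit Deny wins) can be seen on a real folder. The following PowerShell is an added example, not code from the book: it creates three hypothetical local groups, puts two Allow entries and one Deny entry on a scratch folder, reads the ACL back to show the ordering Windows stores, and then evaluates a simplified model of the access check for two membership combinations. It assumes Windows 10 or Windows Server 2016 or later with PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt; the folder path, group names, and function names are chosen for this example.

```powershell
# Added example, not from the book: Allow permissions accumulate across groups,
# an explicit Deny wins. Assumes Windows 10 / Server 2016 or later, PowerShell
# 5.1+ with the Microsoft.PowerShell.LocalAccounts module, run elevated.
# The folder path, group names and function names are chosen for this example.
#Requires -RunAsAdministrator

$folder = 'C:\Temp\AclDemo'                                   # scratch folder
$groups = 'Demo Readers', 'Demo Writers', 'Demo Blocked'      # hypothetical groups

New-Item -ItemType Directory -Path $folder -Force | Out-Null
foreach ($g in $groups) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g -Description 'ACL demo group' | Out-Null
    }
}

# One access control entry (ACE) for a local group, inherited by files and subfolders.
function New-FolderAce([string]$Group, [string]$Rights, [string]$Type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:COMPUTERNAME\$Group",
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type)
}

# Two Allow entries with different levels of access, one blanket Deny entry.
# Inherited entries (Administrators, SYSTEM, ...) are left in place so the
# account running this is not locked out of its own scratch folder.
$acl = Get-Acl -Path $folder
$acl.AddAccessRule((New-FolderAce 'Demo Readers' 'ReadAndExecute' 'Allow'))
$acl.AddAccessRule((New-FolderAce 'Demo Writers' 'Modify'         'Allow'))
$acl.AddAccessRule((New-FolderAce 'Demo Blocked' 'FullControl'    'Deny'))
Set-Acl -Path $folder -AclObject $acl

# Read the DACL back. Windows stores it in canonical order: explicit Deny entries
# first, then explicit Allow, then inherited entries. That ordering is why a Deny
# reached through any one group beats an Allow reached through any other.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Simplified model of the access check for a user whose token carries $Principals
# (the user name plus every group it belongs to). A matching Deny refuses the
# request; otherwise the Allow rights from every matching entry are OR-ed together.
# The real check walks the DACL right by right, but for explicit entries the
# outcome is the same because of the canonical ordering above.
function Get-EffectiveRights([string[]]$Principals, [string]$Path) {
    $mine = (Get-Acl -Path $Path).Access |
        Where-Object { $Principals -contains $_.IdentityReference.Value.Split('\')[-1] }
    if ($mine | Where-Object AccessControlType -eq 'Deny') {
        return 'Access denied (explicit Deny entry matched)'
    }
    $allowed = 0
    foreach ($ace in ($mine | Where-Object AccessControlType -eq 'Allow')) {
        $allowed = $allowed -bor [int]$ace.FileSystemRights
    }
    return [System.Security.AccessControl.FileSystemRights]$allowed
}

# Member of both Allow groups: the rights accumulate (ReadAndExecute is a subset
# of Modify, so the composite is Modify plus the Synchronize bit Windows adds).
Get-EffectiveRights -Principals 'Demo Readers', 'Demo Writers' -Path $folder

# Same two groups plus the Blocked group: the single Deny entry wins.
Get-EffectiveRights -Principals 'Demo Readers', 'Demo Writers', 'Demo Blocked' -Path $folder
```

To clean up afterwards, run icacls C:\Temp\AclDemo /reset to restore the inherited permissions, Remove-Item on the folder, and Remove-LocalGroup for the three demo groups. Note that the Deny entry here covers FullControl; a Deny that lists only some rights blocks only those rights, and the user still receives whatever Allow entries grant for the rest.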
Scenario
You have a computer on the network that you want to use to house collaborative folders for three company associates. At this point, you need to create user groups to interrelate the user accounts of these individuals so that later you can exercise more efficient control over access to the various resources you intend to create compared with assigning rights to the actual user accounts individually.
144 Phase 3 Maintaining and Securing The Network
Scope of Task
Duration
This task should take about 20 minutes.
Setup
For this task, you need to have room to set up two computers with a network connection to one another.
Caveat
Assigning rights and permissions to users, regardless of the method used, occasionally results in conflicts that can be rather difficult to troubleshoot. Furthermore, the same user accounts and groups are used both to assign share permissions to resources shared across the network and to assign NTFS permissions to the actual folders, files, and other resources. The two sets combine or conflict, as mentioned earlier: for access over the network the more restrictive of the share permissions and the NTFS permissions wins, and a Deny reached through any group overrides an Allow reached through any other. The results can be unforeseen and take a bit of time to resolve. Note also that group membership is read when a user logs on and recorded in that session's access token, so a user added to or removed from a group must log off and back on before the change takes effect.
Procedure
In this task, you create three local user groups in preparation for resource access control.
Equipment Used
For this task, you’ll use one of the computers to create three local user groups. In a later task, to test these groups, you will use the other computer. These computers require network access to each other.
Details
You will need only the first computer, the one that will house the shared folders and the user accounts and groups. The following steps guide you through the process of creating three user groups, one called Sales Planning, one called Advertising, and one called Receivables. Table 3.1 details the membership of these groups.
TABLE 3.1 Group Membership

Group Name      Members
Sales Planning  akaminski (Sales), bunderhill (Mktg)
Advertising     bunderhill (Mktg), csullivan (Fin)
Receivables     akaminski (Sales), csullivan (Fin)
1. On the computer's Desktop, right-click My Computer and choose Manage. This produces the Computer Management plug-in for the Microsoft Management Console (MMC).
2. In the left pane of the Computer Management window, click the plus sign beside Local Users And Groups under System Tools to expand this category.
3. Under Local Users And Groups, click the Groups folder to produce the current list of user groups that have been created on this computer, as seen in the following image.
4. Right-click in an unaffiliated (blank) portion of the right pane of the Computer Management display to bring up a shortcut menu and then click New Group. This starts the New Group dialog, allowing you to enter the details for a new user group.
5. In the New Group dialog, shown next, start by giving the group a meaningful name and
6. Click the Add button to begin the process of adding users to the group. The next image shows the Select Users dialog that pops up when you do.
7. Type in the user account names for this group separated by semicolons (;) and click the OK button to go back to the New Group dialog. The following image shows the Select Users dialog with the akaminski and bunderhill user accounts typed in.
Optionally, to check your accuracy, you may elect to click the Check Names button, which will confirm your selections or give you the opportunity to correct those that are incorrect. The next image shows an example of the Check Names feature catching the omission of Ann Kaminski’s first initial in her username.
8. As you can see in the following screen shot, which once again shows the New Group dialog, Ann and Bob's user accounts have been added to the Sales Planning group. Click the Create button to finalize the establishment of the Sales Planning group.
9. The New Group dialog stays open and clears out so you can create another group. Create all three groups as described in this task, following the detail in Table 3.1 and clicking the Create button after each one.
10. Finally, click the Close button to return to the Computer Management plug-in, where the
Criteria for Completion
You have completed this task when you confirm that the three groups are visible in the right pane of the Computer Management display while Groups is selected in the left pane and you confirm that each group’s membership matches the details in Table 3.1.
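The same task from the command line, added here as an example and not part of the book: the three groups from Table 3.1 are created and populated, and the membership is then compared with the table, which automates the Criteria for Completion check. The script assumes Windows 10 or Windows Server 2016 or later with PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt, and that the akaminski, bunderhill, and csullivan accounts already exist from Task 3.1. The function names are chosen for this example.

```powershell
# Added example, not from the book: Task 3.2 from the command line, with the
# Criteria for Completion check automated. Assumes Windows 10 / Server 2016 or
# later, PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module, run
# elevated, and that akaminski, bunderhill and csullivan exist from Task 3.1.
#Requires -RunAsAdministrator

# Table 3.1 as data: group name -> members.
$table31 = @{
    'Sales Planning' = @('akaminski', 'bunderhill')
    'Advertising'    = @('bunderhill', 'csullivan')
    'Receivables'    = @('akaminski', 'csullivan')
}

# Members of a local group as bare account names ("COMPUTER\user" -> "user").
function Get-MemberNames([string]$Group) {
    @(Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        ForEach-Object { $_.Name.Split('\')[-1] })
}

foreach ($name in $table31.Keys) {
    # Steps 4, 5 and 8: create the group once; re-running the script is harmless.
    if (-not (Get-LocalGroup -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $name -Description 'Task 3.2 collaboration group' | Out-Null
    }
    # Steps 6 and 7: add each member. -Member resolves the name the way Check
    # Names does in the GUI and throws on an unknown account, so a typo fails loudly.
    $current = Get-MemberNames -Group $name
    foreach ($user in $table31[$name]) {
        if ($current -notcontains $user) {
            Add-LocalGroupMember -Group $name -Member $user
        }
    }
}

# Criteria for Completion: every group exists and its membership matches
# Table 3.1 exactly, with nothing missing and nothing extra.
function Test-GroupMembership([hashtable]$Expected) {
    $ok = $true
    foreach ($name in $Expected.Keys) {
        try {
            $actual = Get-MemberNames -Group $name
        } catch {
            $ok = $false
            Write-Warning ('{0}: group not found' -f $name)
            continue
        }
        $missing = $Expected[$name] | Where-Object { $actual -notcontains $_ }
        $extra   = $actual | Where-Object { $Expected[$name] -notcontains $_ }
        if ($missing -or $extra) {
            $ok = $false
            Write-Warning ('{0}: missing [{1}] extra [{2}]' -f $name, ($missing -join ', '), ($extra -join ', '))
        } else {
            Write-Host ('{0}: OK ({1})' -f $name, ($actual -join ', '))
        }
    }
    return $ok
}

Test-GroupMembership -Expected $table31
```

On the older Windows versions this task was written for, the LocalAccounts cmdlets are not available; the equivalent commands are net localgroup "Sales Planning" /add to create a group, net localgroup "Sales Planning" akaminski /add to add a member, and net localgroup "Sales Planning" on its own to list the members for the completion check.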