In this practice, you perform best-practices group management tasks to improve the
administration of groups in the contoso.com domain. To perform the exercises in this practice, you need to have the following objects in the contoso.com domain:
• A first-level OU named Groups.
• A global security group named Finance in the Groups OU.
• A first-level OU named User Accounts.
• A user account named Mike Danseglio in the User Accounts OU. Populate the user account with sample contact information: address, phone, and email. Reset the password of the account so that you know it. Make sure the account is enabled and that the user is not required to change the password at the next logon.
In this and other practices in this training kit, you will log on to the domain controller with user accounts that are not members of Domain Administrators or the domain’s Administrators group.
Therefore, you must give all user accounts the right to log on locally to the domain controllers in your practice environment. Follow the steps in the article, “Grant a Member the Right to Logon Locally,” at http://technet.microsoft.com/en-us/library/ee957044(WS.10).aspx to grant the Allow Logon Locally right to the Administrators and Domain Users groups. If you will use Remote Desktop Services to connect to the domain controller—rather than logging on locally—grant the Allow Logon Through Remote Desktop Services right. This is for the practice environment only. In
Exercise 1: Create a Well-Documented Group
In this exercise, you create a group to manage access to the Budget folder, and you follow the best-practices guidelines presented in this lesson.
1. Log on to SERVER01 as Administrator and open the Active Directory Users And Computers snap-in.
2. Select the Groups OU in the console tree.
3. Right-click the Groups OU, point to New, and click Group.
4. In the Group Name box, type ACL_Budget_Edit.
5. Select Domain Local in the Group Scope section and Security in the Group Type section, and then click OK.
6. Click the View menu and ensure that Advanced Features is selected.
7. Right-click the ACL_Budget_Edit group and choose Properties.
8. On the Object tab, select the Protect Object From Accidental Deletion check box and click OK.
9. Open the group’s Properties again.
10. In the Description box, type Budget (Edit).
11. In the Notes box, type the following paths to represent the folders that have permissions assigned to this group:
\\server23\data$\finance\budget
\\server32\data$\finance\revenue projections
12. Click OK.
Exercise 2: Delegate Management of Group Membership
In this exercise, you give Mike Danseglio the ability to manage the membership of the ACL_Budget_Edit group.
1. Open the Properties dialog box of the ACL_Budget_Edit group.
2. On the Managed By tab, click Change.
3. Type the user name for Mike Danseglio, mike.danseglio, and then click OK.
4. Select the Manager Can Update Membership List check box. Click OK.
Exercise 3: Validate the Delegation of Membership Management
In this exercise, you test the delegation you performed in Exercise 2, “Delegate Management of Group Membership,” by modifying the membership of the group as Mike Danseglio.
1. Open Command Prompt and type the following command: runas /user:mike.danseglio cmd.exe
2. When prompted, enter the password for Mike Danseglio.
A new command prompt window appears, running as Mike Danseglio.
3. Type the following command on one line, and then press Enter:
dsmod group "CN=ACL_Budget_Edit,OU=Groups,DC=contoso,DC=com"
-addmbr "CN=Finance,OU=Groups,DC=contoso,DC=com"
4. Close both Command Prompt windows.
5. In the Active Directory Users And Computers snap-in, examine the membership of the ACL_Budget_Edit group and confirm that the Finance group was added successfully.
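The three exercises above can be scripted end to end. This is an added example, not code from the training kit: it assumes the ActiveDirectory PowerShell module is available on SERVER01 and that you run it as an account allowed to create groups in the Groups OU and edit their security descriptors. The OU, group, account and folder paths are the ones used in the exercises; the schema GUID for the member attribute is the standard one, and the final query is the audit check a defender would run to see who can change membership of an access-control group.

```powershell
# Added example, not part of the training kit.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=contoso,DC=com'
$name    = 'ACL_Budget_Edit'
$manager = 'mike.danseglio'
# The Notes box in the GUI is the "info" attribute; the paths are from Exercise 1.
$notes   = '\\server23\data$\finance\budget' + "`r`n" +
           '\\server32\data$\finance\revenue projections'

# Exercise 1: documented domain local security group, protected from deletion.
New-ADGroup -Name $name -SamAccountName $name -Path $ou `
    -GroupScope DomainLocal -GroupCategory Security `
    -Description 'Budget (Edit)' -OtherAttributes @{ info = $notes }
$dn = (Get-ADGroup $name).DistinguishedName
Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $true

# Exercise 2: Managed By plus "Manager Can Update Membership List".
# The check box is nothing more than an ACE: Allow WriteProperty on the
# group's "member" attribute (schema GUID below) for the manager.
Set-ADGroup -Identity $dn -ManagedBy $manager
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$sid    = (Get-ADUser $manager).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
              -ArgumentList $sid, $rights, $allow, $memberGuid
$acl = Get-Acl -Path "AD:\$dn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Exercise 3: validate as Mike (prompts for his password), then confirm.
$cred = Get-Credential 'contoso\mike.danseglio'
Add-ADGroupMember -Identity $dn -Members 'Finance' -Credential $cred
$members = Get-ADGroupMember -Identity $dn |
           Select-Object -ExpandProperty SamAccountName
if ($members -contains 'Finance') { 'Delegation works: Finance is a member.' }

# Audit check: who holds write access on "member" for this group?
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.ObjectType -eq $memberGuid -and
                   $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

Run the audit query against every ACL_ group periodically; an unexpected principal in its output is a delegation you did not intend.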
Lesson Summary
• Use the Description and Notes text boxes in a group’s Properties dialog box to document the purpose of the group.
• The Managed By tab lets you specify a user or group that is responsible for a group. You can also select the Manager Can Update Membership List check box to delegate membership management to the user or group indicated on the Managed By tab.
• To delegate the management of group membership, grant the Allow Write Members permission.
• Use the Protect Object From Accidental Deletion check box to prevent the potential security and management problems created when a group is accidentally deleted.
• Windows Server 2008 R2 and Active Directory contain default groups with significant permissions and user rights. You should not add users to the default domain groups that do not already have members (Account Operators, Backup Operators, Print Operators, and Server Operators), and you should seriously restrict membership in other service administration groups (Enterprise Admins, Domain Admins, Schema Admins, and Administrators).
• Special identities such as Authenticated Users, Everyone, Interactive, and Network can be used to assign rights and permissions. Their membership is determined dynamically by the operating system and cannot be viewed or modified.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 3,
“Administering Groups in an Enterprise.” The questions are also available on the companion CD if you prefer to review them in electronic form.
Note: Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1. Your company is conducting a meeting for a special project. The data is particularly confidential. The team is meeting in a conference room, and you have configured a folder on the conference room computer that grants permission to the team members.
The folder is a subfolder of a shared folder to which all employees have access. You want to ensure that team members access the data only while logged on to the computer in the conference room, not from other computers in the enterprise. What must you do?
A. Assign the Allow Read permission to the Interactive group.
B. Assign the Allow Read permission to the team group.
C. Assign the Deny Traverse Folders permission to the team group.
D. Assign the Deny Full Control permission to the Network group.
2. You want to allow a user named Mike Danseglio to add and remove users in a group called Special Project. Where can you configure this permission?
A. The Members tab of the group
B. The Security tab of Mike Danseglio’s user object
C. The Member Of tab of Mike Danseglio’s user object
D. The Managed By tab of the group
3. Which of the following groups can shut down a domain controller? (Choose all that apply.)
A. Account Operators
B. Print Operators
C. Backup Operators
D. Server Operators
E. Interactive