Manage Users and Computers

Managing properties on multiple accounts simultaneously

Windows Server has some new functionality in Active Directory Users and Computers. You can now modify certain properties of multiple user accounts at the same time. To do this, you use the CTRL key in the same way as you would in Windows Explorer to select multiple objects. You hold down the CTRL key as you click each user object. Be sure to select only objects of one object class, such as users. Once you have selected multiple objects, click the Action menu and then choose Properties. The screenshot below shows the limited tabs available for modification when you have selected more than one user:

[Screenshot: Properties dialog with several user objects selected, showing the limited set of tabs]

When you have selected multiple user objects, you can modify the properties on the following tabs:

  • General: Description, Office, Telephone Number, Fax, Web Page, E-mail.
  • Account: UPN Suffix, Logon Hours, Computer Restrictions (Logon Workstations), All Account Options, and Account Expires.
  • Address: Street, P.O. Box, City, State/Province, Postal Code, and Country/Region.
  • Profile: Profile Path, Logon Script, Home Folder.
  • Organization: Title, Department, Company, Manager.

Moving a user

If a user is transferred to a different department or unit within your company, you might need to move their user object to reflect administration or configuration changes. To move an object in Active Directory Users and Computers, first select the object and then choose Move from the Action menu. Alternatively, you can right-click the object and select Move from the Shortcut menu. Once the Move dialog box appears, you can select the container the object should be moved into.

Windows Server now allows drag-and-drop operations within many administrative tools, including Active Directory Users and Computers. This makes it much easier to use and is very similar to Windows Explorer. You can drag and drop a user, or a number of users if you have multi-selected them, from one container to another.

Using user templates

You can set up templates for common user objects such as telesales, administration, and field sales where you are going to be giving users standardised permissions. For example, all administration staff might work between 9:00 am and 5:00 pm, Monday to Friday, so the logon hours property of the user object would reflect this. Also, they might all require read access to procedure files and write access to customer records.

To create a template, first create a new user object and populate the properties that will be common to all users you are creating the template for (logon hours, group membership, etc.). Make sure that the account you are creating as a template is disabled so it cannot be used. You might want to consider prefixing the user name with an underscore (_) to identify the user as a user template. This means that when you sort by name in Active Directory Users and Computers the templates will appear at the top. Only a subset of the properties from each tab is copied when you copy a user, as follows:

  • General: none.
  • Address: all properties except Street Address.
  • Account: all properties except logon names, which you are prompted to enter when copying the template.
  • Profile: all properties and the profile and home-folder paths are modified to reflect the new user’s logon name.
  • Telephones: none.
  • Organization: all properties except Title.
  • Member of: all properties are copied.

Note: if you create a user by copying a template, it will have the same group memberships as the template, but any rights or permissions assigned directly to the user are NOT copied over.

Creating and managing groups

To make administration easier, users with common needs (i.e. common requirements for permissions and user rights) are grouped together. If you use groups (Microsoft recommends that you do), you only need to assign a permission once, to the group, rather than to each individual user. If the group had 100 members, for example, for each permission you would be cutting your administrative work by a factor of 100. And you can nest groups within groups, further reducing your workload.

In Windows there are two group types, designed for use in different situations. Security groups are used for the purpose of assigning permissions and rights to shared resources, while distribution groups are used to create distribution lists for use with directory-enabled e-mail applications such as Microsoft Exchange Server.

Security groups

A security group is a security-related object much like a user account/object. In the same way that user accounts have an associated SID, so do security groups. Because of this, members of a security group can be assigned rights and permissions to resources in an Active Directory environment. It is crucial to understand the differences between permissions and rights. Permissions grant users a certain level of access to shared network resources, such as the ability to read a file or manage documents for a particular printer. Rights represent abilities throughout an Active Directory domain or forest. For example, the ability to log on locally to a domain controller would be a user right, as would the ability to back up files and folders.

In Active Directory environments, rights are assigned to groups through the configuration of group policy settings. There are three levels: Domain Controller Security Policy, Domain Security Policy and Local Policy (when not part of a domain). Be careful when you are changing rights to make sure that it is the effective policy you are changing. If you go into the Local Policy option from Default Domain Security Settings to check security options and right-click the rights you will see the screen shown below.

[Screenshot: user rights listed under Local Policy in Default Domain Security Settings]

Account policy options are only effective at domain level, so if you set password complexity at OU level, it is ignored. Also, if the same right is defined at a higher level, it can be overridden. So troubleshooting rights can be quite complex.

Local policies are applied, then site policies, then domain policies (domain controller policies if you are connecting to a domain controller), then finally OU policies.

Remember this as follows:

L S D OU (which sounds a little like ‘el stew’; this association might help you remember the order!)

Windows has some additional tools you can download and install to make this easier, such as GPMC (Group Policy Management Console).

When a domain is configured to the Windows native or Windows Server domain functional level, you can change the type of a group after it has been originally defined. For example, an administrator might have created a security group when they meant to create a distribution group, or vice versa. It is important to remember that when you change a group’s type from security to distribution, any permissions or rights that were originally associated with the security group will be lost.

Note: To change the type of an existing group, you must have the appropriate authority.

Domain local groups

These were new with Windows 2000 Active Directory; they are used to assign rights and permissions within the domain in which they exist. Unlike local groups, domain local groups are defined in Active Directory and can be used on different Windows client and Windows Server systems within a domain (depending on the domain functional level). These groups help to ease the administrative workload associated with the use of local groups, which can be used only to apply rights or permissions to the system on which they are created. They exist in all forest and domain functional levels, but they can be applied only to systems in the domain in which the group exists; i.e. you cannot apply permissions to a domain local group for resources outside of its home domain.

When a domain is configured to the Windows mixed functional level, a domain local group can be used only on domain controllers, much like a local group. It can include members from global groups in the same domain or any trusted domain, universal groups from the same forest or any trusted forest, and other domain local groups in the same domain. Microsoft recommends that administrators add users to global groups, then add the global groups to the domain local groups. If possible, do not add users directly to domain local groups; this makes them easier to maintain and administer.

Global groups

These also existed in Windows 2000 Active Directory. Their purpose is to group together users with similar security requirements. It is common for global groups to be used to group together users or computers from the same domain that share similar jobs, roles, or functions. For example, a company might create a global group to aggregate its entire administration staff or all users working on a particular project, such as the merger group for users working on a merger project. Global groups are available in all domain and forest functional levels. They can be used to assign rights or permissions for resources in any domain throughout a forest, as well as in any trusting domains outside the forest. They can be made a member of any local group or domain local group in the same forest, as well as in any trusting domains outside of the forest.

Global groups can be made a member of any universal group in the same forest and when the domain is configured to the Windows native or Windows Server domain functional levels they can contain other global groups from the same domain.

Microsoft recommends that rights and permissions are assigned to domain local groups and the global groups added to the domain local groups as members.

Note: Try to avoid assigning permissions or rights directly to global groups; it makes administration easier to manage and maintain.

Universal groups

Universal groups were new with Windows 2000 Active Directory. They are used to group together users and groups from different domains with similar needs. Commonly, universal groups are used to collect users or groups from the same forest that share similar jobs, roles, or functions. For example, a company might create a universal group to aggregate its entire sales staff. Unlike a global group, which contains members from the same domain only, a universal group can contain members from different domains. In this example, the sales universal group would likely contain all the sales global groups from the various domains in the same forest. Then, when permissions or rights need to be assigned to all sales users throughout the forest, they can be applied to the single universal group rather than to each individual global group, thus reducing administrative workload.

Universal groups only exist at the Windows 2000 native and Windows Server 2003 domain functional levels. You can use universal groups to assign rights or permissions to resources in any domain throughout a forest, as well as in any trusting domains outside the forest. You can include members from any domain in the same forest, including global groups and other universal groups. Universal groups are stored on global catalogue servers in the forest where the group was defined. Microsoft recommends that permissions and rights are not assigned directly to universal groups, but assigned to domain local groups and the universal groups added to the domain local group. It is also advisable not to place users directly in universal groups but to place the users in global groups, then add the global groups to the universal groups.

Group membership options and changing group scope

In the same manner as configuring a group type, the scope of an Active Directory group is configured as part of creating a new group. However, when a domain is configured to the Windows Server domain functional level, you can change the group scope, although the ability to do so depends on what the group currently contains as members. For each group scope, there are rules as to the types of objects that are valid as members.

At the Windows 2000 native or Windows Server 2003/2008/2012 domain functional level, the following members are valid for each scope:

  • Domain local: users, computers, global groups, and universal groups from the same domain or any trusted domain; other domain local groups (nested) from the same domain.
  • Global: users, computers, and other global groups (nested) from the same domain.
  • Universal: users, computers, global groups and other universal groups (nested) from any domain in the same forest.

At the Windows 2000 mixed or Windows Server 2003 interim domain functional level, the following members are valid:

  • Domain local: users, computers and global groups from any domain in the same forest.
  • Global: users and computers from the same domain only.
  • Universal: universal groups are not valid at this level.

Once a domain is configured to Windows Server or later domain functional levels, you can change the scope of a group, but only if doing so does not break any of the membership rules listed below. The following points outline the group scope conversions supported in Windows Server as well as the restrictions associated with each:

  • Global to universal: a global group can be converted to a universal group, but only if it is not a member of any other global groups.
  • Domain local to universal: a domain local group can be converted to a universal group, but only if it does not have any other domain local groups as members.
  • Universal to global: a universal group can be converted to a global group, but only if it does not have any other universal groups as members.
  • Universal to domain local: a universal group can be converted to a domain local group at any time without restrictions.

Note: To change the type of an existing group, you must have administrative permissions for scope conversions to be possible.
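The membership rules for each scope and the four supported scope conversions above, encoded as checks you can run against a directory model before attempting the change in the console. This is an added example, not code from the original course material; the domains, forest and group names are constructed, and it assumes a domain at the Windows 2000 native (or later) functional level.

```python
# Added example, not part of the original course text: a small model of the
# group-scope membership and conversion rules described above, for a domain at
# the Windows 2000 native (or later) functional level. All names are constructed.
from dataclasses import dataclass, field
from typing import Optional

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"
SCOPES = {DOMAIN_LOCAL, GLOBAL, UNIVERSAL}


@dataclass
class Principal:
    """A user, computer or group; kind is 'user', 'computer' or a group scope."""
    name: str
    kind: str
    domain: str
    forest: str
    members: list = field(default_factory=list)    # direct members (groups only)
    member_of: list = field(default_factory=list)  # groups this object belongs to


def member_allowed(group: Principal, member: Principal,
                   trusted: frozenset = frozenset()) -> Optional[str]:
    """Return None if member may be added to group, otherwise the blocking reason.

    trusted holds (group_domain, member_domain) pairs for external trusts;
    domains within one forest are treated as trusting each other.
    """
    if group.kind not in SCOPES:
        return f"{group.name} is not a group"
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    trusted_domain = same_forest or (group.domain, member.domain) in trusted
    if group.kind == GLOBAL:
        if member.kind in ("user", "computer", GLOBAL) and same_domain:
            return None
        return "global: only users, computers and global groups from the same domain"
    if group.kind == UNIVERSAL:
        if member.kind in ("user", "computer", GLOBAL, UNIVERSAL) and same_forest:
            return None
        return "universal: only users, computers, global and universal groups from the same forest"
    # Domain local: nested domain local groups only from the same domain; anything
    # else from the same domain or a trusted domain.
    if member.kind == DOMAIN_LOCAL:
        return None if same_domain else "domain local: nested domain local groups must be from the same domain"
    if member.kind in ("user", "computer", GLOBAL, UNIVERSAL) and trusted_domain:
        return None
    return "domain local: members must come from the same domain or a trusted domain"


def add_member(group: Principal, member: Principal,
               trusted: frozenset = frozenset()) -> None:
    """Add member to group, enforcing the membership rules first."""
    reason = member_allowed(group, member, trusted)
    if reason is not None:
        raise ValueError(f"cannot add {member.name} to {group.name}: {reason}")
    group.members.append(member)
    member.member_of.append(group)


def scope_change_allowed(group: Principal, new_scope: str) -> Optional[str]:
    """Apply the four supported conversions; None means allowed, else the reason."""
    old = group.kind
    if old == GLOBAL and new_scope == UNIVERSAL:
        blockers = [g.name for g in group.member_of if g.kind == GLOBAL]
        return None if not blockers else f"still a member of global group(s) {blockers}"
    if old == DOMAIN_LOCAL and new_scope == UNIVERSAL:
        blockers = [m.name for m in group.members if m.kind == DOMAIN_LOCAL]
        return None if not blockers else f"contains domain local group(s) {blockers}"
    if old == UNIVERSAL and new_scope == GLOBAL:
        blockers = [m.name for m in group.members if m.kind == UNIVERSAL]
        return None if not blockers else f"contains universal group(s) {blockers}"
    if old == UNIVERSAL and new_scope == DOMAIN_LOCAL:
        return None
    # Global <-> domain local is not offered at all.
    return f"conversion from {old} to {new_scope} is not supported"


def change_scope(group: Principal, new_scope: str) -> None:
    """Convert the group's scope, or raise with the rule that blocks it."""
    reason = scope_change_allowed(group, new_scope)
    if reason is not None:
        raise ValueError(f"cannot convert {group.name}: {reason}")
    group.kind = new_scope


if __name__ == "__main__":
    # Constructed forest "example" with domains corp.example and emea.example.
    sales = Principal("Sales", GLOBAL, "corp.example", "example")
    bianca = Principal("Bianca White", "user", "corp.example", "example")
    all_sales = Principal("AllSales", UNIVERSAL, "corp.example", "example")
    add_member(sales, bianca)
    add_member(all_sales, sales)
    print(scope_change_allowed(all_sales, GLOBAL))    # None: no universal members
    print(scope_change_allowed(sales, DOMAIN_LOCAL))  # not supported
```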

Windows Server automatically creates a number of security groups when Active Directory is installed on the first domain controller in a new domain. Administrators can use these default groups to control access to network resources or to assign rights to users and groups. Many of the default groups already have rights associated with them that are required to carry out common network functions.

Members of the Backup Operators group are pre-assigned the rights to back up files and directories, allow logon locally, restore files and directories and shut down the system. Default groups are stored in two different locations, the Built-in container and the Users container.

Default groups in the User container

  • Account Operators: can create, modify, and delete accounts for users, groups, and computers in all containers in the domain, with the exception of the Domain Controllers OU. Members cannot modify the membership of the Administrators or Domain Admins groups, but they can log on to domain controllers and shut them down.
  • Administrators: have full control of domain resources. Default members include the Administrator account, along with Domain Admins and Enterprise Admins.
  • Backup Operators: can back up and restore files on domain controllers, as well as log on to domain controllers and shut them down.
  • Guests: members of this group have restricted access to the domain environment. By default, both the Domain Guests group and the built-in Guest account (disabled by default) are members.
  • Incoming Forest Trust: can create one-way incoming trust relationships to the forest root domain, allowing users in the same forest to access resources in another. This group exists only in the forest root domain and has no members by default.
  • Network Configuration Operators: can change the TCP/IP settings on a domain controller. This group has no members by default.
  • Performance Log: can manage performance counters, logs and alerts for both local and remote domain controllers in the domain.
  • Performance Monitor Users: can manage performance counters for both local and remote domain controllers in the domain. This group has no members by default.
  • Pre-Windows 2000 Compatible: have the read permission for all user and group objects in the domain. This group is used for backward compatibility with Windows NT 4.0. The special identity Authenticated User is a member of this group by default.
  • Print Operators: can manage, create, add and delete printers connected to any domain controller and manage printer objects in Active Directory. Members of this group can also log on locally to a domain controller and shut it down. This group has no members by default.
  • Remote Desktop Users: can remotely log on to domain controllers in the domain by using Remote Desktop. This group has no members by default.

Default groups in the Built-in container

  • Server Operators: can create and delete shared resources, stop and start services, back up and restore files, format drives, and shut down domain controllers. This group has no members by default.
  • Replicator: used to support replication functions required by the File Replication Service (FRS). This group has no members by default, and users should not be added to this group.
  • Users: can perform common network tasks such as running applications and accessing shared resources. The Domain Users, Authenticated Users, and Interactive objects are members of this group by default.
  • Cert Publishers: can publish certificates for both users and computers. This group has no members by default.
  • DnsAdmins (installed with DNS): members of this group have administrative access to the DNS service. This group has no members by default.
  • DnsUpdateProxy (installed with DNS): DNS clients that can perform dynamic updates on behalf of other clients such as DHCP servers. This group has no members by default.
  • Domain Admins: have full control of the domain. The only member of this group by default is the Administrator account. This group is a member of the Administrators group.
  • Domain Computers: contains all the computers added to the domain. When computers are added to the domain, they automatically become a member of this group.
  • Domain Controllers: contains all the domain controllers in the domain. When computers are promoted to domain controllers, they automatically become a member of this group.
  • Domain Guests: contains all domain guests.
  • Domain Users: contains all domain users. All new user accounts created in the domain automatically become a member of this group. This group is a member of the Users group by default.
  • Enterprise Admins: exists in the forest root domain only and has full control of all domains in the same Active Directory forest. By default, only the Administrator account in the forest root domain is a member of this group. This group is a member of the Administrators group in all domains in the same forest.
  • Creator Owners: can modify Group Policy objects in the domain. The Administrator account is the only member by default.
  • IIS_WPG (installed with IIS): the worker process group used with Internet Information Services (IIS) version 6. Accounts added to this group are used to serve specific namespaces on an IIS server. Users should not be added to this group. This group has no members by default.
  • RAS and IAS Servers: RAS (Remote Access Services) and IAS (Internet Authentication Services) servers placed in this group have access to the remote access properties of user accounts.
  • Schema Admins: exists in the forest root domain only and can modify the Active Directory schema. The Administrator account from the forest root domain is the only member of this group by default.
  • TelnetClients: members of this group are able to access the Telnet service on the system. The group has no members by default.

Special identities

Special identities are managed by the operating system. Special identities cannot be created or deleted and their membership cannot be modified by administrators. Special identities do not appear in the Active Directory Users and Computers snap-in or in any other computer management tool, but they can be assigned permissions in an ACL.

  • Everyone: represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, that user is automatically added to the Everyone group.
  • Network: represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally). Whenever a user accesses a given resource over the network, the user is considered part of the Network group.
  • Interactive: represents all users currently logged on to a particular computer and accessing a resource located on that computer (as opposed to users who access the resource over the network).
  • Anonymous Logon: refers to any user who is using network resources but did not go through the authentication process. In a Windows Server Active Directory environment, the Anonymous Logon group is not a member of the Everyone group.
  • Authenticated Users: includes all users who are authenticated into the network by using a valid user account.
  • Creator Owner: refers to the user who created or has ultimately taken ownership of a resource.
  • Dialup: includes anyone who is connected to the network through a remote access connection.

Note: Special identities can be assigned permissions to network resources, but be careful when assigning permissions to some of these groups. For example, if you assign permissions for a shared folder to the Everyone group, users connecting from trusted domains will also have access to the resource.

Creating security groups

The main tool used to create groups in Windows Server is Active Directory Users and Computers. To create a new group, as you would with users, right-click the container where you want to create the group. (You can always move it later if you want to.) New group objects can be created in the root of the domain, any of the built-in containers or defined OUs. Select New from the pull-down menu, then Group. You are then asked to enter the group scope (domain local, global or universal) and the group type (security or distribution). Once you have created the group, you can move users and groups into it, or you can right-click it and create new users and groups from within it.

Managing groups and computers

When a domain is configured, the New Object-Group window defaults to the global group scope and the security group type automatically. If the domain functional level is set to Windows 2000 mixed or Windows Server interim, the universal group scope cannot be selected. When creating a new group of any type or scope, you must provide a name that is unique within the domain. As this name is typed into the Group Name field, the same name is automatically populated in the Group Name (Pre-Windows 2000) field. Once a group has been created, access its properties to change configuration or membership settings as necessary. You can do this from the group properties, which are accessed by right-clicking the group. The General tab of a global group allows the group type to be changed from security to distribution if necessary, but the group scope can only be changed to universal.

[Screenshot: General tab of a global group’s properties, showing the group type and scope options]

Windows Server does not allow you to convert a global group to a domain local group, as mentioned earlier in this section.

Modifying group membership

Once a new group has been created, members can be added to the group by using a variety of methods in Active Directory Users and Computers. Some common methods for adding members to groups are:

  • right-clicking a user object and selecting Add To A Group;
  • accessing the properties of a user, computer, or group; selecting the Member Of tab; and then clicking Add.

Note: Although the Members and Member Of tabs in the properties of a group will display both the members of a group and its membership in other groups, the information provided by the interface is only one level deep. For example, if the Finance global group was a member of the Finance universal group, and then the Finance universal group was a member of the European universal group, the Members tab in the properties of the European universal group would show only the Finance universal group as a member.

The Members and Member Of tabs do not display the multiple levels of nesting that might exist in your environment. The properties of a user or computer object also include a Member Of tab. If you select the Member Of tab from a user account’s properties you will see the groups they are directly members of. If these groups are nested in other groups, this will not show. See screenshot below:

[Screenshot: Member Of tab of a user account’s properties, listing only direct group memberships]
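Because the console shows only one level of nesting, a practitioner auditing who can actually reach a resource has to walk the chain. The following added example (not from the original course text) does that over a constructed membership table matching the Finance / European case above, reporting each effective member with the nesting path that grants it, and the reverse view for a single user.

```python
# Added example, not from the original course text: expands nested group
# membership so the full chain (which the Members / Member Of tabs show only
# one level of) becomes visible. The membership data is constructed.
from collections import deque

# Direct membership only, as ADUC displays it: group -> its direct members.
# Names are constructed; entries ending in "(user)" stand for user accounts.
DIRECT_MEMBERS = {
    "European (universal)": ["Finance (universal)", "Operations (global)"],
    "Finance (universal)": ["Finance (global)"],
    "Finance (global)": ["Anna (user)", "Bianca (user)"],
    "Operations (global)": ["Carl (user)"],
}


def effective_members(group, direct=DIRECT_MEMBERS):
    """Return every member reached through any depth of nesting, mapped to the
    chain of groups walked to reach it (breadth-first, so the shortest chain).
    Circular nesting is tolerated: a principal is reported the first time seen."""
    chains = {}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in direct.get(current, []):
            if member in chains or member == group:
                continue
            chains[member] = path
            if member in direct:            # it is a group: keep descending
                queue.append((member, path + [member]))
    return chains


def effective_member_of(principal, direct=DIRECT_MEMBERS):
    """Reverse view: every group the principal belongs to, directly or by nesting."""
    parents = {}
    for grp, members in direct.items():
        for m in members:
            parents.setdefault(m, []).append(grp)
    seen, stack = set(), [principal]
    while stack:
        for grp in parents.get(stack.pop(), []):
            if grp not in seen:
                seen.add(grp)
                stack.append(grp)
    return seen


def users_only(chains):
    """Just the user accounts from an effective_members() result, sorted."""
    return sorted(m for m in chains if m.endswith("(user)"))


if __name__ == "__main__":
    for member, path in effective_members("European (universal)").items():
        print(f"{member:22} via {' > '.join(path)}")
    print(sorted(effective_member_of("Bianca (user)")))
```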

Using the command line interface

There are also some command line utilities you can use to create users, particularly users that have been created in other systems. You can also use them to export Active Directory objects to other systems. They are the Csvde.exe and the Ldifde.exe utilities.

Csvde.exe

Csvde.exe is a command-line utility that allows you to import or export objects in Active Directory to or from a comma-delimited text file. You can export/import information from Active Directory for use with other applications such as Microsoft Excel and Microsoft Access.

The basic syntax of the Csvde command is:

csvde [-i] [-f FileName] [-k]

You need to specify [-i] if you want to import, as the default is export. [-f FileName] identifies the import file name, [-k] ignores errors, including ‘object already exists’, ‘constraint violation’, and ‘attribute or value already exists’ during the import operation, and continues processing. The file used by Csvde is a comma delimited text file (*.csv or *.txt), in which the first line is a list of LDAP names for the attributes to be imported, followed by one line for each individual object.

Each object must contain the attributes listed on the first line, as shown in the following example:

DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
"CN=John Smith,OU=Employees,DC=CiscoServer,DC=com",user,jsmith,Smith,John,jsmith@CiscoServer.com

In this example, the text file used with Csvde would create a user object in the employee’s OU, named John Smith. The file also configures the associated user logon name, first name, last name, and UPN.

Ldifde.exe

Ldifde is the command-line utility included in Windows Server to support batch operations based on the LDIF file format standard. The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format used to perform batch operations against directories that conform to LDAP standards. LDIF can be used to both import and export data, allowing batch operations such as add, create, and modify to be performed against Active Directory.

Use Ldifde.exe if you are creating a large number of groups at once, e.g. if you are migrating users from another system or getting input from another system to create users and groups. For example, colleges have an enrolment system and data from this is exported to their computer system to create user accounts automatically for a large number of students at the same time. Ldifde.exe provides both import and export capabilities, allowing large numbers of security objects (users, computers and groups) to be created at once with the least possible administrative effort. The primary switches available for the Ldifde command are listed in the table below. Placeholders such as filename have to be replaced with the actual value; e.g. if you were importing student names from a file called student.ldf you would replace filename with student.ldf.

Switch and explanation:

  • -i: Import mode (the default is export).
  • -f filename: Input or output filename.
  • -s servername: The server to bind to.
  • -c FromDN ToDN: Replace occurrences of FromDN with ToDN.
  • -v: Verbose mode.
  • -j path: Log file location.
  • -t port: Port number (default = 389).
  • -?: Help. For a full list of parameters use the -? parameter.
  • -k: Useful if importing, as it causes the import operation to ignore the errors ‘Constraint Violation’ and ‘Object Already Exists’ and continue.
  • -a UserDN password: A credential parameter that sets the command to run using the supplied user distinguished name and password, e.g. -a "CN=administrator,DC=CiscoServer,DC=com" password.
  • -b UserName Domain password: Another credential parameter; sets the command to run as the supplied user name, domain and password. The default is to run using the credentials of the currently logged-on user, which might not be sufficient.

When using the LDIF file to import data into Active Directory, the changeType value specifies the type of operation that needs to occur. The three valid changeType values are add, modify, and delete. Add imports new content into the directory, modify changes the configuration of existing content and delete removes the specified content. For example, if you wanted to use Ldifde to create two global groups named Sales and Admin in the Users container of the CiscoServer.com domain, the contents of the LDIF file would look similar to the following example:

DN: CN=Sales,CN=Users,DC=CiscoServer,DC=Com
changeType: add
CN: Sales
description: Sales Users
objectClass: group
sAMAccountName: Sales

DN: CN=Admin,CN=Users,DC=CiscoServer,DC=Com
changeType: add
CN: Admin
description: Admin Users
objectClass: group
sAMAccountName: Admin

Although doing so is not essential, this text file would usually be saved with a .ldf extension, e.g. newgroups.ldf. To import the contents of this LDIF file from the command line, use the command:

ldifde.exe -i -f newgroups.ldf

Once this command is issued, two new global groups named Sales and Admin would be added to the Users container of the CiscoServer.com domain.

Note: The Csvde.exe utility can also be used to add group objects to Active Directory, but Csvde.exe does not support the ability to modify or remove directory objects, while Ldifde.exe does.
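When the input comes from another system (the enrolment-system case above), the import file is usually generated rather than typed. The added example below (not from the original course text) builds a csvde-style CSV from a record list, with the DN quoted because it contains commas, and builds the two-group LDIF shown above from a list of DNs; it also parses LDIF back into records and flags the two mistakes most likely to abort an import, a record without a DN and an unknown changetype. Attribute names and DNs are the ones used in the examples above; the parser and record layout are this example's own, not ldifde's.

```python
# Added example, not part of the original course text: build the files that
# csvde.exe and ldifde.exe consume and sanity-check LDIF before importing it.
# Names and DNs are constructed; the attribute set is the one used above.
import csv
import io

CSV_ATTRIBUTES = ["DN", "objectClass", "sAMAccountName", "sn", "givenName",
                  "userPrincipalName"]


def csvde_file(users):
    """Return csvde-style CSV text: a header of LDAP attribute names, then one
    row per object. DNs contain commas, so the csv module quotes them."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_ATTRIBUTES, lineterminator="\r\n")
    writer.writeheader()
    for user in users:
        writer.writerow(user)
    return buf.getvalue()


def ldif_add_groups(dns_and_descriptions):
    """Return LDIF text adding one group per (DN, description) pair. Records are
    separated by exactly one blank line, which is how LDIF delimits them."""
    records = []
    for dn, description in dns_and_descriptions:
        cn = dn.split(",", 1)[0].split("=", 1)[1]   # "CN=Sales,..." -> "Sales"
        records.append("\n".join([
            f"dn: {dn}", "changetype: add", f"cn: {cn}",
            f"description: {description}", "objectClass: group",
            f"sAMAccountName: {cn}"]))
    return "\n\n".join(records) + "\n"


def parse_ldif(text):
    """Split LDIF into records: dicts of lower-cased attribute name -> list of
    values (attributes such as objectClass may repeat). Continuation lines
    (leading space) are folded back into the previous line."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = []
        for raw in chunk.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        rec = {}
        for line in lines:
            name, _, value = line.partition(":")
            rec.setdefault(name.strip().lower(), []).append(value.strip())
        records.append(rec)
    return records


def check_records(records):
    """Return a list of problems that would make ldifde reject the import."""
    problems = []
    for i, rec in enumerate(records, 1):
        if "dn" not in rec:
            problems.append(f"record {i}: missing dn")
        changetype = rec.get("changetype", ["add"])[0]
        if changetype not in ("add", "modify", "delete"):
            problems.append(f"record {i}: unknown changetype {changetype!r}")
    return problems


if __name__ == "__main__":
    ldif = ldif_add_groups([
        ("CN=Sales,CN=Users,DC=CiscoServer,DC=Com", "Sales Users"),
        ("CN=Admin,CN=Users,DC=CiscoServer,DC=Com", "Admin Users")])
    print(ldif)
    print(check_records(parse_ldif(ldif)))   # [] when the file is well-formed
```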

Windows Server also includes a variety of new command line utilities used to add, modify, delete, and query Active Directory objects. These tools can also be used to add, modify, delete and query groups. They are Dsadd, Dsmod, Dsrm, and Dsquery. Below are some examples of their use.

dsadd group

The dsadd group command allows you to create new group objects from the command line. As part of creating a new group, various configuration settings can also be specified, including the type and scope of the group. For example, to create a new global security group named Sales in the Users container of the CiscoServer.com domain, the command would be:

dsadd group "CN=Sales,CN=Users,DC=CiscoServer,DC=Com" -samid Sales -secgrp yes -scope g

In this example, the dsadd group command is followed by the distinguished name of the new object. The -samid switch configures the SAM name for the new group (in this case Sales). The -secgrp yes part of the command specifies the group as a security group (whereas a value of no would create a distribution group), while -scope g specifies that the group scope should be global. If you want a domain local group, specify a value of l after -scope, or u if you want to create a universal group.

Note: For a complete list of the switches available with the dsadd group command, see the Dsadd topic at Microsoft’s Help and Support Center.

dsmod group

The dsmod group command is used to modify existing groups. Changing/modifying existing groups could involve changing the type or scope of a group, but more commonly it would involve changing the membership of a group or changing the groups that a particular group is a member of. The following example demonstrates how the Sales group created previously could be changed from a security group to a distribution group:

dsmod group "CN=Sales,CN=Users,DC=Contoso,DC=Com" -secgrp no

However, if your goal was to add a user named Bianca White to the Sales global security group of the Users container of swimmer.com, the proper dsmod group command would be:

dsmod group "CN=Sales,CN=Users,DC=CiscoServer,DC=Com" -addmbr "CN=Bianca White,CN=Users,DC=CiscoServer,DC=Com"

You can also pipe the output of the dsget command to another command, so that the output of dsget becomes the input of the next command. In the following example, dsget lists all the members of the Sales group and dsmod then adds those users to the Admin group:

dsget group "CN=Sales,CN=Users,DC=CiscoServer,DC=Com" -members | dsmod group "CN=Admin,CN=Users,DC=CiscoServer,DC=Com" -addmbr

Note: For a complete list of the switches available with the dsmod group command, see the Dsmod topic at Microsoft’s Help and Support Center.

dsrm

The dsrm command can be used to delete an existing group. The syntax of this command is very basic because it only requires dsrm followed by the DN of the group to be removed. For example, to delete the Sales global security group created earlier, the command would be:

dsrm "CN=Sales,CN=Users,DC=CiscoServer,DC=Com"

Note: For a complete list of the switches available with the dsrm command, see the Dsrm topic at Microsoft’s Help and Support Center.

dsquery group

In the same way that the dsquery command can be used to search for user objects within a portion of Active Directory, it can also be used to search for groups based on a range of different criteria. For example, to view a list of all groups that currently exist in the CiscoServer.com domain, the command would be:

dsquery group "DC=CiscoServer,DC=Com"

In a similar fashion, if you wanted to search for all groups within an Active Directory forest whose names start with the letters 'mark', the command would be:

dsquery group forestroot -name mark*

Because this query searches for groups throughout a forest, a global catalog server would handle the query. If you are looking for an easy way to gather and document information about the various groups in an Active Directory environment, consider redirecting the output of the command to a text file. In the following example, all groups in the Admin OU (and any sub-OUs) would be written to a text file named admingroups.txt:

dsquery group "OU=Admin,DC=CiscoServer,DC=Com" -scope subtree >> admingroups.txt

Note: For a complete list of the switches available with the dsquery group command, see the Dsquery topic in Microsoft's Help and Support Center.
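The page suggests redirecting dsquery output to a file to document groups, and shows how a single pipe can add every member of Sales to Admin. The following PowerShell script is an added example (not from the page) that uses the same dsget tool to keep a baseline of a group's expanded membership and report what changed since the last run, so that a mass addition of that kind shows up as a reviewable change. The group DN, the snapshot path and the use of -expand to include nested members are assumptions.

```powershell
# Added example (not from the page): baseline and diff a group's expanded
# membership with dsget. The group DN and snapshot path are assumptions.
$GroupDn      = 'CN=Admin,CN=Users,DC=CiscoServer,DC=Com'
$SnapshotFile = 'C:\Audit\admin-members.txt'

# dsget prints one quoted DN per line plus a trailing "dsget succeeded" line;
# -expand also lists members reached through nested groups.
$current = @(dsget group $GroupDn -members -expand |
    Where-Object { $_ -match '^\s*"' } |
    ForEach-Object { $_.Trim().Trim('"') } |
    Sort-Object -Unique)
if ($LASTEXITCODE -ne 0) { throw "dsget failed for $GroupDn" }

if (-not (Test-Path $SnapshotFile)) {
    # First run: record the baseline and stop.
    New-Item -ItemType Directory -Path (Split-Path $SnapshotFile) -Force | Out-Null
    $current | Set-Content -Path $SnapshotFile
    Write-Output "Baseline written with $($current.Count) member(s)."
    return
}

$baseline = @(Get-Content -Path $SnapshotFile | Where-Object { $_ })
$added    = @($current  | Where-Object { $baseline -notcontains $_ })
$removed  = @($baseline | Where-Object { $current  -notcontains $_ })

foreach ($dn in $added)   { Write-Output "ADDED    $dn" }
foreach ($dn in $removed) { Write-Output "REMOVED  $dn" }

if ($added.Count -or $removed.Count) {
    # The baseline is left untouched until the changes have been reviewed;
    # delete the snapshot file to accept the current membership as the new baseline.
    Write-Warning "$($added.Count + $removed.Count) membership change(s) in $GroupDn since the last snapshot."
} else {
    Write-Output "No membership changes in $GroupDn."
}
```

Run it from a scheduled task on a domain-joined machine with the Windows Server administration tools installed; the first run only writes the baseline.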

Managing users and groups

Follow the step-by-step instructions below.

Create a global security group

You are going to create a global security group called Cartoons, as follows:

  1. Open Active Directory Users and Computers.
  2. Right-click the OU Support and select New, then select Group.
  3. Enter Cartoons as the group name. The defaults are a group scope of Global and a group type of Security; keep the defaults and click OK. The Cartoons group is now displayed in the Support OU.
  4. To add members to the group, right-click Cartoons and select Properties.
  5. Select the Members tab, then click Add.
  6. In the Enter the object names box, type b, then click OK. All the user accounts beginning with b are displayed.
  7. Select all of them (hold down the CTRL key) and click Add, then click Apply and OK.

You have now added these users to this group. If you assign permissions to this group, or add it to a domain local group as recommended, all the members will have those permissions unless they are explicitly denied.

Create a domain local security group and assign permissions

To create a domain local security group:

  1. Open Active Directory Users and Computers.
  2. Right-click Support OU, select New, then select Group.
  3. Name the group Permissions and give it a scope of Domain local and group type of Security. Click OK.

You are now going to create a file in Notepad and allow only the Permissions group access to it.

  1. Select Notepad from the Start menu and enter "Mary had a little lamb". Save the file as Nursery on the desktop.
  2. Right-click Nursery, select Properties and select the Security tab.
  3. Click Add, enter p in the object name box and click OK.
  4. Select Permissions from the list of users and groups starting with p. Click OK.
  5. Next, switch off inheritable permissions and remove all other groups: click Advanced.
  6. Clear the check box beside Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
  7. Select Remove when prompted, then click Apply and OK.

This removes all inherited permissions, so only the Permissions group can access Nursery.

Add the global group to the domain local group

To add the global group containing the user accounts to the domain local group that holds the permissions:

  1. Open Active Directory Users and Computers and click the Support OU.
  2. Right-click the Permissions group and select Properties.
  3. Select the Members tab and click Add.
  4. Under Object name to be selected, enter c and click OK.
  5. From the list of users and groups beginning with c select Cartoons and click OK, then Apply. Click OK.
  6. Log on as a member of the Cartoons group and try to access the Nursery file. You should be able to do this.
  7. Log on as administrator and try to access the Nursery file. You should not be able to do this, as you are not on the list.

Change the domain functional level

To use universal groups and group nesting you have to raise the domain functional level:

  1. In Active Directory Users and Computers, right-click the domain.
  2. Select Raise Domain Functional Level.

Convert a global group to a universal group

You might need to do this if your company grew or was involved in takeovers.

  1. From Active Directory Users and Computers, click Support OU.
  2. Right-click the Cartoons group, select Properties and click Universal (you will notice that Domain local is greyed out, as you cannot convert a global group to a domain local group).
  3. Select Apply and OK.

Change group type from Security to Distribution

Things change within organisations and you might decide that you do not want to use this group as a security group, but as a distribution group to make sending e-mails easier. To change the group type do the following:

  1. From Active Directory Users and Computers, click Support OU.
  2. Right-click the Cartoons group, select Properties and click Distribution. Select Yes. You will notice that the group type is now Distribution Group.
  3. Try logging on as one of the members of Cartoons and accessing the Nursery file. You should not be able to, as Cartoons is now a distribution group.
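The whole walkthrough above (global group holding the accounts, domain local group holding the permission, the Nursery file restricted to that group, the nesting, and the scope and type changes) as a PowerShell script using the ActiveDirectory module. This is an added example, not part of the original tutorial; the Support OU distinguished name, the domain and the use of Read access on the file are assumptions.

```powershell
# Added example (not from the page): the Cartoons / Permissions / Nursery walkthrough
# with the ActiveDirectory module. The OU DN is an assumption.
Import-Module ActiveDirectory
$SupportOu = 'OU=Support,DC=CiscoServer,DC=Com'
$Nursery   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Nursery.txt'
$Domain    = (Get-ADDomain).NetBIOSName

# 1. Global security group that holds the user accounts (accounts -> global group)
New-ADGroup -Name 'Cartoons' -GroupScope Global -GroupCategory Security -Path $SupportOu
$bUsers = Get-ADUser -Filter 'SamAccountName -like "b*"'
Add-ADGroupMember -Identity 'Cartoons' -Members $bUsers

# 2. Domain local security group that will carry the permission
New-ADGroup -Name 'Permissions' -GroupScope DomainLocal -GroupCategory Security -Path $SupportOu

# 3. The resource: inheritance switched off, inherited entries removed,
#    and only the Permissions group granted access
Set-Content -Path $Nursery -Value 'Mary had a little lamb'
$acl = Get-Acl -Path $Nursery
$acl.SetAccessRuleProtection($true, $false)   # $true = stop inheriting, $false = discard inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Permissions", 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Nursery -AclObject $acl

# 4. Nest the global group in the domain local group (global -> domain local -> permission)
Add-ADGroupMember -Identity 'Permissions' -Members (Get-ADGroup -Identity 'Cartoons')

# Check: the accounts that reach Nursery do so only through Cartoons -> Permissions
$effective = Get-ADGroupMember -Identity 'Permissions' -Recursive | Select-Object -ExpandProperty SamAccountName
Write-Output "Accounts with access to Nursery via Permissions: $($effective -join ', ')"
(Get-Acl -Path $Nursery).Access | Format-Table IdentityReference, FileSystemRights, IsInherited

# 5. Scope change: global -> universal is allowed (domain functional level permitting),
#    global -> domain local is refused, which is why the option is greyed out in the GUI
Set-ADGroup -Identity 'Cartoons' -GroupScope Universal
try {
    Set-ADGroup -Identity 'Cartoons' -GroupScope DomainLocal -ErrorAction Stop
} catch {
    Write-Output "Universal/global -> domain local refused: $($_.Exception.Message)"
}

# 6. Type change: a distribution group is not security-enabled and is not placed in the
#    logon token, so Cartoons members lose access to Nursery after this call
Set-ADGroup -Identity 'Cartoons' -GroupCategory Distribution
```

Run it once, as a domain administrator, on a machine with the Remote Server Administration Tools installed; the try/catch on the domain local conversion is expected to print the refusal.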
