MCITP 70-640: Active Directory Groups


Uploaded by itfreetraining on 07.05.2012

Transcript:
Welcome to the next free video for the free Active Directory training course. This video
looks at how groups work in Active Directory. In a changing environment people come and
go and roles change as companies restructure and people get promoted. Groups allow the
administrator to assign permissions once to a resource and easily change who has access
to that resource by changing the members in the group.
Consider if you created a file share called invoice. Without groups you would need to
assign the users directly to the share. With only a few users it is not that hard to manage,
but once you add a few more users it starts to get more complex. At present, each time
you want to give a new user access you need to modify the permissions on the server. This
requires the administrator that is making the change to know the name of the share
and the server on which it is located. Now consider that you have multiple offices
around the country and each office has a server with an invoice share on it. Each time a new
user requires access or access needs to be removed, the permissions on each share on
each server need to be modified. This requires the administrator to know every server that
has an invoice share on it and to make the change on each one.
To make things simpler, Active Directory allows you to create groups. A group is like a user
or computer account in that it has a security identifier, or SID, associated with it. It is
also possible to create a group without a SID. These are distribution groups, used mainly by
software like Exchange for e-mail distribution lists; because they have no SID they cannot be
placed on a permission list. In the next video I will look at how these kinds of groups work.
Once a security group is created it is added to the resource for which you want to control
access, just like you would with a user.
In this example, imagine that the accounts department requires access to the share. To
achieve this you create a group called accounts and give it read and write access to all the
invoice shares. The next point to consider is what would happen
if another group of users needed access to the share, for example the sales department.
To achieve this, the sales group is created and assigned permissions to all the invoice
shares giving them read and write access. In a small company this kind of administration
works well and it is best when possible to keep things simple. But let’s consider if
the company is a lot bigger and there are a lot more servers. It is a simple matter
to visit each server and change the permissions but the process of making the changes is starting
to become time consuming. Also the process requires the administrator to know all the
servers that have the share on it and care must be taken to ensure that every server
is updated. Let’s consider what would happen if the
management decided that the sales department did not require write access and only needed
read access. This would require the administrator to visit each server and change the permissions
for the sales department. After a flood of calls to the helpdesk from people in the sales
department who can no longer do their job, it is decided that they really did need write
access to the invoice share. Once again each server needs to be visited and the permissions
changed back to what they were. Just after this is done, a request comes through for
a new auditing group that will require read access to the invoice shares. Once again,
each share needs to be modified and the permissions updated. Weren’t groups supposed to make
things easier? There is no solution that will fit every situation
and if you ask 10 different IT administrators how to perform group management you would
probably get 11 different answers. Let’s start again with this example using
a different approach. This time, instead of assigning the share permissions
directly to the accounts department, you create a new group called invoice_modify.
This group is assigned to all the invoice shares with read and write access. Next you
simply add the accounts group to the invoice_modify group. Placing groups
inside other groups like this is called nesting. Once the request comes through for the sales
department to have read and write access to the invoice shares, you simply add the sales
group to the invoice_modify group. Easy as that, no need to visit each server again.
When the request comes through to change the sales group to read only, you create a new
group called invoice_read. The invoice_read group is assigned to all the invoice shares
with read access. Once this is done, take the sales group out of invoice_modify and
put them in invoice_read. When the request comes through to give the
sales group write access to the invoice shares again, all the hard work is already done.
All that needs to be done is to move the sales group from invoice_read to invoice_modify.
Lastly, when the request comes through to give the audit group read access, this is
easy. Since the group invoice_read has already been created and permissions assigned, the
audit group is created and added to the invoice_read group.
You can see that using this approach makes administration easier when changes occur.
Also, if someone were to ask who has access to the invoice share, you simply need to look
at which users are in the invoice_read and invoice_modify groups, remembering to expand
any groups nested inside them.
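The invoice example above, carried out in PowerShell with the ActiveDirectory module. This is an added example, not code from the video: the domain name EXAMPLE, the OU, the two server names and the use of NTFS permissions on the shared folders are all assumptions made for the illustration. It creates the two resource groups, assigns permissions to each share exactly once, then walks through every change in the story as a membership change and finishes by answering "who has access?".

```powershell
# Added example, not code from the itfreetraining video. Assumes the RSAT ActiveDirectory
# module, rights to create groups in the OU below, and folders already shared at the UNC
# paths below. The domain EXAMPLE, the OU and the server names are made up.
Import-Module ActiveDirectory

$domain  = 'EXAMPLE'
$groupOU = 'OU=Groups,DC=example,DC=com'
$shares  = @('\\nyc-fs01\invoice', '\\lon-fs01\invoice')

function Ensure-Group {
    # Create a security group if it does not exist yet. -GroupScope is mandatory for
    # New-ADGroup; DomainLocal for resource groups and Global for department groups is
    # the conventional split (scopes are the subject of the next video).
    param([string]$Name, [string]$Scope, [string]$Description)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $groupOU)) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                    -GroupCategory Security -Path $groupOU -Description $Description
    }
}

# 1. Resource groups: one per access level. Underscores keep the names quote-free in scripts.
Ensure-Group -Name 'invoice_read'   -Scope DomainLocal -Description 'Read access to all invoice shares'
Ensure-Group -Name 'invoice_modify' -Scope DomainLocal -Description 'Read/write access to all invoice shares'

# 2. Department groups hold the people; they are never placed on an ACL directly.
foreach ($dept in 'accounts', 'sales', 'audit') {
    Ensure-Group -Name $dept -Scope Global -Description "$dept department"
}

# 3. NTFS permissions are assigned to every share exactly once, to the resource groups only.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($share in $shares) {
    $acl = Get-Acl -Path $share
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\invoice_read",   'ReadAndExecute', $inherit, $none, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\invoice_modify", 'Modify',         $inherit, $none, 'Allow')))
    Set-Acl -Path $share -AclObject $acl
}

# 4. From here on, every change in the story is a membership change, not a server visit.
Add-ADGroupMember    -Identity invoice_modify -Members accounts, sales   # accounts and sales: read/write
Remove-ADGroupMember -Identity invoice_modify -Members sales -Confirm:$false
Add-ADGroupMember    -Identity invoice_read   -Members sales             # sales demoted to read-only
Remove-ADGroupMember -Identity invoice_read   -Members sales -Confirm:$false
Add-ADGroupMember    -Identity invoice_modify -Members sales             # ...and back to read/write
Add-ADGroupMember    -Identity invoice_read   -Members audit             # audit reuses invoice_read

# 5. Who has access? -Recursive expands the nesting; without it you would only see the
#    department groups, not the people inside them.
function Get-InvoiceAccess {
    foreach ($role in 'invoice_read', 'invoice_modify') {
        $users = Get-ADGroupMember -Identity $role -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Sort-Object SamAccountName
        [pscustomobject]@{ Role = $role; Users = ($users.SamAccountName -join ', ') }
    }
}
Get-InvoiceAccess | Format-Table -AutoSize
```

The point of step 5 is the check a practitioner wants before answering an access question: a plain `Get-ADGroupMember` on invoice_read lists the groups sales and audit, which tells you nothing about who is actually in them. Only the recursive expansion gives the real set of people with access.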
Configuring access like this is called role-based access control. When using this approach,
permissions are granted based on the role the user has in the organization; users are
not assigned permissions directly. A user acquires access through their role in the
organization, so if the user were to change jobs or departments, the roles assigned to
that user would change to suit their new needs. An administrator can make these changes
quickly and does not need to know how the permissions at the lower level are assigned.
This approach has its advantages but also adds an extra level of complexity to your
network. When deciding which approach to use for groups, consider how big your network
is and how complex it is. On a small network it is generally not worth the time to create
a lot of nested groups. On a large network with a lot of servers, these extra groups
will save you a lot of time. In a later video I will discuss group strategy in more detail.
When you start creating groups you should spend some time considering the naming standard
that you will use. In this case invoice_read is quite simple but you could also have a
group name such as “invoice share read.” In this case I have used spaces rather than
underscores. This will work just as well as underscores but if the group is used in a
script the group name will need to be enclosed in quotes. This does make scripting more complex
so a lot of administrators will avoid using spaces. Also consider that if you have an
e-mail system like Exchange, these groups can be used inside Exchange as e-mail groups.
For example, you could create a group called NewYork_Sales and put all the sales users
for New York into this group. If you want to e-mail all the sales staff in New York
you simply e-mail this group. For each office you could add a group for
those sales users in that office. These groups could also be put into another group called
USA_Sales. If you had an office in the UK you could create a group called UK_Sales.
Both these groups could be put into another group called All_Sales_Employees. Since each
location would know which employees belong in their local sales group, a local administrator
in each area would be the best choice to make sure this group is kept up to date.
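The sales hierarchy above in PowerShell, again as an added example rather than code from the video. It builds the NewYork_Sales, USA_Sales, UK_Sales and All_Sales_Employees nesting and then does what the text suggests: hands maintenance of the New York group to a local administrator group. The delegation step goes beyond what the video shows; the OU, the group scope and the EXAMPLE\NewYork_Admins group (assumed to exist already) are assumptions.

```powershell
# Added example, not from the itfreetraining video. Assumes the RSAT ActiveDirectory module,
# a made-up OU, and an existing made-up group EXAMPLE\NewYork_Admins for the local admins.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'

# Parent => children. Created as security groups, which Exchange can mail-enable and which
# can also be placed on ACLs; the nesting itself is the same for distribution groups.
$hierarchy = @{
    'All_Sales_Employees' = @('USA_Sales', 'UK_Sales')
    'USA_Sales'           = @('NewYork_Sales')
}
$allGroups = @($hierarchy.Keys) + @($hierarchy.Values | ForEach-Object { $_ }) |
             Select-Object -Unique

foreach ($name in $allGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $groupOU)) {
        # Scope is mandatory; Universal is the usual choice for groups that span offices
        # (group scopes are covered in the next video).
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Universal `
                    -GroupCategory Security -Path $groupOU
    }
}
foreach ($parent in $hierarchy.Keys) {
    Add-ADGroupMember -Identity $parent -Members $hierarchy[$parent]
}

# Delegate membership of the office group, and only that: NewYork_Admins may read and
# write the 'member' attribute of NewYork_Sales and nothing else on the object.
# bf9679c0-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the 'member' attribute.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$target     = "AD:\$((Get-ADGroup -Identity 'NewYork_Sales').DistinguishedName)"
$delegate   = (Get-ADGroup -Identity 'NewYork_Admins').SID

$acl  = Get-Acl -Path $target
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegate,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# Check what was granted. Whoever can edit NewYork_Sales also decides, indirectly, who is
# in USA_Sales and All_Sales_Employees, so the delegation stops at the office group.
(Get-Acl -Path $target).Access |
    Where-Object { $_.IdentityReference -like '*NewYork_Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

The caveat a practitioner should keep in mind is the last comment: nesting means membership changes flow upwards. If All_Sales_Employees is ever placed on a file share or mailbox permission, the local New York administrators are effectively granting that access too, which is a good reason to delegate only the member attribute of the office group rather than full control over the sales groups.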
With correct group management and forethought you can make your administration a lot easier
and save yourself a lot of headaches later on. There are a number of different types
of groups in Active Directory. Each group has a different scope and thus there are advantages
and disadvantages to using each type of group. In the next video I will look at the different
types of groups that Active Directory has to offer and the scopes these groups have.
The type of group that you select determines which domain or domains will have access to
that group and also the replication that will be used for that group.
Thanks for watching another free video in this Active Directory free course. For the
latest videos please subscribe to us on YouTube or like us on facebook. See you next time.