2019-03-23

Slide 9: Working with Organizational Units
• OUs can be nested to create a design that enables administrators to take advantage of inheritance.
• Limit the number of OUs that are nested, because too many levels can:
    o Slow the response time to resource requests
    o Complicate the application of Group Policy settings

Slide 10: Working with Organizational Units
• There is only one built-in OU by default: the Domain Controllers OU.
• All other OUs must be created by the domain administrator.

© 2013 John Wiley & Sons, Inc.
Slide 11: Creating OUs
Demonstration

Slide 12: Using OUs to Delegate AD Management Tasks
• Creating OUs enables you to implement a decentralized administration model, in which others manage portions of the AD DS hierarchy, without affecting the rest of the structure.
• Delegating authority at a site level affects all domains and users within the site.
• Delegating authority at the domain level affects the entire domain.
• Delegating authority at the OU level affects only that OU and its subordinate objects.
Slide 13: Using OUs to Delegate AD Management Tasks
By granting administrative authority over an OU structure, as opposed to an entire domain or site, you gain the following advantages:
• Minimal number of administrators with global privileges: By creating a hierarchy of administrative levels, you limit the number of people who require global access.
• Limited scope of errors: Administrative mistakes such as a container deletion or group object deletion affect only the respective OU structure. The same boundary limits damage from a misused or compromised delegated account, because the rights it holds end at that OU subtree.

Slide 14: Delegate Administrative Control of an OU
[Figure: The Users or Groups page of the Delegation of Control Wizard]
Slide 15: Delegate Administrative Control of an OU
[Figure: The Tasks to Delegate page of the Delegation of Control Wizard]

Slide 16: Delegate Administrative Control of an OU
[Figure: The Active Directory Object Type page of the Delegation of Control Wizard]

Slide 17: Delegate Administrative Control of an OU
[Figure: The Permissions page of the Delegation of Control Wizard]

Slide 18: Delegate Administrative Control of an OU
[Figure: The Security tab of an organizational unit's Properties sheet]
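The wizard pages on slides 14 through 18 end up as access control entries on the OU object itself, which is what the Security tab shows. The following PowerShell script is an added example, not code from the Wiley slides: it builds a two-level OU structure, delegates the wizard's "Reset user passwords" task on one OU to a group, and then reads the resulting ACE back. The domain, the OU names (Branches, Paris) and the group name HelpDesk-Reset are assumed; the two GUIDs are fixed values from the AD schema.

```powershell
# Added example (not from the Wiley slides): build a nested OU structure and
# delegate "Reset password" on user objects in one OU to a helpdesk group,
# then read the ACL back, which is what the Security tab of the OU shows.
# Assumed names: the OUs Branches/Paris and the group HelpDesk-Reset.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example
$parentOU = "OU=Branches,$domainDN"
$childOU  = "OU=Paris,$parentOU"

# Keep nesting shallow (two levels here) and protect the containers so an
# administrative mistake cannot delete the whole subtree.
foreach ($ou in @(@{Name='Branches'; Path=$domainDN}, @{Name='Paris'; Path=$parentOU})) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$($ou.Name)'" -SearchBase $ou.Path -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# The group that will receive the delegated right. Domain local is the right
# scope for a group that only ever holds permissions inside this domain.
$group = Get-ADGroup -Filter "Name -eq 'HelpDesk-Reset'"
if (-not $group) {
    $group = New-ADGroup -Name 'HelpDesk-Reset' -GroupScope DomainLocal -GroupCategory Security -Path $childOU -PassThru
}

# Well-known schema GUIDs (constants defined by the AD schema, not invented here):
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # controlAccessRight "Reset Password"
$userObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"

# Equivalent of the wizard's "Reset user passwords" task: an ACE on the OU that
# applies only to descendant user objects (InheritedObjectType), so the
# delegation cannot leak onto computers, groups or the OU itself.
$acl = Get-Acl -Path "AD:\$childOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$childOU" -AclObject $acl

# Verification, the scripted counterpart of opening the OU's Security tab:
# list every explicit (non-inherited) ACE granted to the group and its scope.
$netbios = (Get-ADDomain).NetBIOSName
(Get-Acl -Path "AD:\$childOU").Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbios\HelpDesk-Reset" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The verification step matters in practice: the wizard only ever adds entries, so running it twice or choosing "This object and all descendant objects" on the Object Type page leaves broader rights than intended, and the Security tab (or the ACL listing above) is the only place that shows what was actually granted.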
Slide 19: Working with Groups
Lesson 15: Creating and Managing Active Directory Groups and Organizational Units

Slide 20: Working with Groups
Slide 21: Group Types
There are two Windows Server 2012 group types:
• Distribution groups: Non-security-related groups created for the distribution of information to one or more persons.
• Security groups: Security-related groups created for purposes of granting resource access permissions to multiple users.

Slide 22: Group Scopes
• The group scope controls which objects the group can contain.
• Limits the objects to the same domain or permits objects from remote domains.
• Controls the location in the domain or forest where the group can be used.
• Group scopes available in an Active Directory domain include domain local groups, global groups, and universal groups.
Slide 23: Domain Local Groups
Domain local groups can have any of the following as members:
• User accounts
• Computer accounts
• Global groups from any domain in the forest
• Universal groups
• Domain local groups from the same domain

Slide 24: Global Groups
Global groups can have the following as members:
• User accounts
• Computer accounts
• Other global groups from the same domain
Slide 25: Universal Groups
Universal groups can contain the following members:
• User accounts
• Computer accounts
• Global groups from any domain in the forest
• Other universal groups

Slide 26: Default Groups
• Several built-in security groups are created when you install AD DS.
• Many of the built-in groups have predefined user rights that enable their members to perform certain system-related tasks, such as backup and restore.
• Add accounts to these default groups to grant users the same rights, in addition to any resource access permissions the groups possess.
• The default groups are located in the Built-in and Users container objects in AD DS.
• The list of predefined groups you see in these containers varies depending on the installed services.
Slide 27: Nesting Groups
Group nesting is the term used when groups are added as members of other groups.
To allow users from multiple domains to access a resource in the parent domain:
    1. Create global groups in each domain that contain all users needing access to the enterprise database.
    2. Create a universal group in the parent domain. Include each location's global group as a member.
    3. Add the universal group to the required domain local group to assign the necessary permission to access and use the enterprise database.

Slide 28: Special Identities
• Special identities exist on all computers running Windows Server 2012.
• They are not groups because you cannot create them, delete them, or directly modify their memberships.
• They do not appear as manageable objects in the AD DS utilities.
• You can use them like groups, by adding them to the ACLs of system and network resources.
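The three-step procedure on the Nesting Groups slide is the AGUDLP pattern (Accounts into Global groups, Global into Universal, Universal into Domain Local, Domain Local gets the Permission), and it also exercises the membership rules from slides 23 through 25. The script below is an added example, not code from the Wiley slides, and carries the procedure through end to end. It assumes a forest root domain corp.example with child domains eu.corp.example and us.corp.example, a file server FS01 in the root domain, and the share name EnterpriseDB; all of these names are made up for the example.

```powershell
# Added example (not from the Wiley slides): the AGUDLP pattern from the
# Nesting Groups slide. Users go into Global groups in their own domains,
# those Global groups go into one Universal group in the forest root, the
# Universal group goes into a Domain Local group in the domain where the
# resource lives, and only the Domain Local group appears in the resource ACL.
# Assumed names: corp.example (root), eu/us child domains, \\FS01\EnterpriseDB.
Import-Module ActiveDirectory

$root     = 'corp.example'
$children = 'eu.corp.example', 'us.corp.example'
$rootDN   = (Get-ADDomain -Server $root).DistinguishedName

# Step 1: one Global group per domain holding that domain's users.
# A Global group can only contain principals from its own domain.
$globalGroups = foreach ($dom in $children) {
    $dn = (Get-ADDomain -Server $dom).DistinguishedName
    New-ADGroup -Server $dom -Name 'DB-Users' -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$dn" -PassThru
}

# Step 2: a Universal group in the root domain that nests the Global groups.
# Universal group membership is replicated to every global catalog, so nest
# groups here, not individual users, to keep that replication small.
$universal = New-ADGroup -Server $root -Name 'DB-Users-All' -GroupScope Universal `
                         -GroupCategory Security -Path "CN=Users,$rootDN" -PassThru
foreach ($g in $globalGroups) {
    # Cross-domain members are added through the Universal group's own domain.
    Add-ADGroupMember -Server $root -Identity $universal -Members $g
}

# Step 3: a Domain Local group in the resource's domain carries the permission.
$local = New-ADGroup -Server $root -Name 'DB-Share-Modify' -GroupScope DomainLocal `
                     -GroupCategory Security -Path "CN=Users,$rootDN" -PassThru
Add-ADGroupMember -Server $root -Identity $local -Members $universal

# Grant the NTFS permission to the Domain Local group only. No user is ever
# named in the ACL, so joiners and leavers are handled purely by membership.
$share   = '\\FS01\EnterpriseDB'
$netbios = (Get-ADDomain -Server $root).NetBIOSName
$acl     = Get-Acl -Path $share
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\DB-Share-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    'ContainerInherit, ObjectInherit', 'None',
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: walk the chain back from the share to the accounts it actually admits.
Get-ADGroupMember -Server $root -Identity $local -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

The final recursive listing is the check to keep: it resolves the nested chain the same way a file server's access check will, and is the quickest way to spot a Global group that was nested in the wrong place or a user who was added directly to the Domain Local group.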
Slide 29: Special Identities
[Figure: The Creator Owner special identity on a Security tab]

Slide 30: Some Special Identities
• Authenticated Users: All users with a valid local or domain user account whose identities have been authenticated. This special identity does not include the Guest user even if the Guest account has a password.
• Creator Owner: The account for the user who created or took ownership of a resource.
• Dialup: All users who are currently logged on through a dial-up connection.
• Everyone: The Authenticated Users special identity plus the Guest user account, but not the Anonymous Logon special identity.
• Interactive: All users who are currently logged on locally or through a Remote Desktop connection.
• Network: All users who are currently logged on through a network connection.
• Remote Desktop Users: When installed in application serving mode, this identity includes any users who are currently logged on to the system using an RDS terminal server. (Note that Remote Desktop Users is also the name of a built-in local group; the special identity Windows exposes for this case is called Terminal Server User.)
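Because special identities are not AD DS objects, a script refers to them by well-known SID rather than by looking them up in the directory. The following PowerShell is an added example, not code from the Wiley slides: it reports which special identities already appear in a folder's ACL and then replaces a grant to Everyone (which, per the slide, includes Guest) with the same grant to Authenticated Users. The folder path D:\Shares\Public is assumed; the SID values are fixed Windows constants.

```powershell
# Added example (not from the Wiley slides): special identities in an ACL are
# addressed by well-known SID, not by an AD DS object. This lists the special
# identities present in a folder ACL and swaps Everyone for Authenticated Users.
# Assumed path: D:\Shares\Public.
$path = 'D:\Shares\Public'
$acl  = Get-Acl -Path $path

# Windows defines these; they cannot be created or deleted in AD DS.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$authUsers = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

# Well-known SIDs of the identities named on the slide (fixed values, not invented here).
$special = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-4'  = 'Interactive'
    'S-1-5-2'  = 'Network'
    'S-1-5-1'  = 'Dialup'
    'S-1-5-13' = 'Terminal Server User'
    'S-1-3-0'  = 'Creator Owner'
}

# Report every ACE whose trustee is a special identity rather than a user or group.
$acl.Access | ForEach-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($special.ContainsKey($sid)) {
        [pscustomobject]@{ Identity = $special[$sid]; Sid = $sid; Rights = $_.FileSystemRights; Type = $_.AccessControlType; Inherited = $_.IsInherited }
    }
}

# Replace explicit grants to Everyone with the same grant to Authenticated Users.
# PurgeAccessRules only removes explicit ACEs; an inherited Everyone grant has
# to be fixed on the parent where it originates.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $authUsers, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.PurgeAccessRules($everyone)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
```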
Slide 31: Converting Groups
• As group functions change, you might need to change a group object from one type to another. Converting between security and distribution groups requires the domain functional level to be Windows 2000 native or higher.
• You can also change a group's scope. AD DS refuses a scope change when the group's current members or memberships would break the rules of the target scope: a global group cannot become universal while it is a member of another global group, a domain local group cannot become universal while it contains other domain local groups, and a universal group cannot become global while it contains other universal groups. A direct change between global and domain local is not offered; such a group must pass through the universal scope first.

Slide 32: Converting Groups
[Figure: The General tab in a group object's Properties sheet]
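The General tab simply reports an error when a scope change is refused. The following PowerShell function is an added example, not code from the Wiley slides: it applies the scope-change rules from the slide before calling Set-ADGroup, so the reason for a refusal is listed rather than discovered after the fact. The group name Sales-Staff is assumed; the membership checks use only cmdlets from the ActiveDirectory module.

```powershell
# Added example (not from the Wiley slides): check the AD DS scope-change rules
# up front, then change the scope only when the change will be accepted.
# Assumed group name: Sales-Staff.
Import-Module ActiveDirectory

function Test-GroupScopeChange {
    param(
        [Parameter(Mandatory)] $Identity,
        [Parameter(Mandatory)] [ValidateSet('DomainLocal','Global','Universal')] [string] $TargetScope
    )
    $g        = Get-ADGroup -Identity $Identity
    $domainDN = (Get-ADDomain).DistinguishedName
    $members  = @(Get-ADGroupMember -Identity $g)                 # direct members only
    $parents  = @(Get-ADPrincipalGroupMembership -Identity $g)    # groups this group belongs to
    $reasons  = @()

    # Helper: scope of a member that is itself a group.
    $memberGroups = $members | Where-Object { $_.objectClass -eq 'group' } |
                    ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName }

    switch ("$($g.GroupScope)->$TargetScope") {
        'Global->Universal' {
            # Refused while the group is a member of another Global group.
            $reasons += @($parents | Where-Object GroupScope -eq 'Global' |
                          ForEach-Object { "is a member of global group $($_.Name)" })
        }
        'DomainLocal->Universal' {
            # Refused while the group contains other Domain Local groups.
            $reasons += @($memberGroups | Where-Object GroupScope -eq 'DomainLocal' |
                          ForEach-Object { "contains domain local group $($_.Name)" })
        }
        'Universal->Global' {
            # Refused while the group contains other Universal groups, and a
            # Global group cannot hold members from outside its own domain.
            $reasons += @($memberGroups | Where-Object GroupScope -eq 'Universal' |
                          ForEach-Object { "contains universal group $($_.Name)" })
            $reasons += @($members | Where-Object { -not $_.DistinguishedName.EndsWith($domainDN) } |
                          ForEach-Object { "contains $($_.Name) from another domain" })
        }
        'Universal->DomainLocal' { }                               # always allowed
        'Global->DomainLocal'    { $reasons += 'no direct change; convert to Universal first' }
        'DomainLocal->Global'    { $reasons += 'no direct change; convert to Universal first' }
        default                  { $reasons += 'already in the target scope' }
    }

    [pscustomobject]@{
        Group   = $g.Name
        From    = $g.GroupScope
        To      = $TargetScope
        Allowed = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

$check = Test-GroupScopeChange -Identity 'Sales-Staff' -TargetScope Universal
if ($check.Allowed) {
    Set-ADGroup -Identity 'Sales-Staff' -GroupScope Universal
} else {
    $check            # shows which memberships block the change
}
```

The function only inspects direct members and direct parent groups, which is exactly what AD DS checks; nested groups further down the tree do not affect whether a scope change is accepted.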
Slide 33: Deleting a Group
• When you delete a group, Windows Server 2012 does not use the same SID for that group again.
• Even if you create a new group with the same name as the one you deleted, you cannot restore the access permissions you assigned to resources.
• You must add the newly re-created group as a security principal in the resource's ACL all over again.
• When you delete a group, you delete only the group object and the permissions and rights specifying that group as the security principal.
• Deleting a group does not delete the objects that are members of the group.
• The one exception to the SID rule is the Active Directory Recycle Bin (available from the Windows Server 2008 R2 forest functional level): restoring a deleted group from it brings back the original object with its original SID, so existing ACL entries resolve again.

Slide 34: Creating Groups

© 2013 John Wiley & Sons, Inc.
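After a group is deleted, its SID stays behind in every ACL that named it, shown on the Security tab as an unresolved SID string. The following PowerShell is an added example, not code from the Wiley slides: it finds such dead entries on a share, restores the group from the AD Recycle Bin when the object is still there (the only way to get the original SID back), and otherwise purges the dead entries. The share path \\FS01\EnterpriseDB and the group name DB-Share-Modify are assumed.

```powershell
# Added example (not from the Wiley slides): find ACEs on a share whose SID no
# longer resolves (a deleted group), restore the group from the AD Recycle Bin
# if it is still there, otherwise remove the dead ACEs.
# Assumed names: \\FS01\EnterpriseDB and the group DB-Share-Modify.
Import-Module ActiveDirectory

function Get-OrphanedAce {
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # IdentityReference is an NTAccount when the SID resolved and a raw
        # SecurityIdentifier when Windows could not translate it. Normalise to
        # the SID, then try the reverse lookup: a deleted group fails it.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        try {
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        } catch {
            [pscustomobject]@{ Path = $Path; Sid = $sid.Value; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType; Inherited = $ace.IsInherited }
        }
    }
}

$share = '\\FS01\EnterpriseDB'

# 1. Dead ACEs after a group deletion. A re-created group gets a new SID, so
#    these entries never come back to life on their own.
$orphans = @(Get-OrphanedAce -Path $share)
$orphans | Format-Table -AutoSize

# 2. Restore from the AD Recycle Bin if the deleted object is still retained.
#    Deleted objects keep their objectSid, so the ACEs resolve again afterwards.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "group" -and Name -like "DB-Share-Modify*"' `
                        -IncludeDeletedObjects -Properties objectSid, lastKnownParent
if ($deleted) {
    $deleted | Restore-ADObject
    (Get-ADGroup -Identity 'DB-Share-Modify').SID.Value     # same SID as in the orphaned ACE
}
else {
    # 3. No object to restore: purge the explicit dead ACEs instead of leaving
    #    them to accumulate. Inherited ones must be removed on the parent.
    $acl = Get-Acl -Path $share
    foreach ($o in ($orphans | Where-Object { -not $_.Inherited })) {
        $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$o.Sid)
    }
    Set-Acl -Path $share -AclObject $acl
}
```

Orphaned SIDs are harmless by themselves, but they hide the real state of an ACL and, if the deletion was a mistake, the Recycle Bin restore above is the only path that makes the old permissions valid again; re-creating the group by name does not.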
Slide 35: Lesson Summary
• Once you have created a design for your Active Directory domains and the trees and forests superior to them, it is time to zoom in on each domain and consider the hierarchy you want to create inside it.
• Adding organizational units (OUs) to your Active Directory hierarchy is not as difficult as adding domains; you don't need additional hardware, and you can easily move or delete an OU at will.
• When you want to grant a collection of users permission to access a network resource, such as a file system share or a printer, you cannot assign permissions to an OU; you must use a security group instead. Although they are container objects, groups are not part of the Active Directory hierarchy in the same way that domains and OUs are.

Slide 36: Lesson Summary
• There is no simpler object type to create in the AD DS hierarchy than an OU. You only have to supply a name for the object and define its location in the Active Directory tree.
• Creating OUs enables you to implement a decentralized administration model, in which others manage portions of the AD DS hierarchy, without affecting the rest of the structure.
• Groups enable administrators to assign permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that functions as a security principal, in much the same way that a user does.
Slide 37: Lesson Summary
• In Active Directory, there are two types of groups: security and distribution; there are also three group scopes: domain local, global, and universal.
• Group nesting is the term used when groups are added as members of other groups.
• It is possible to control group memberships by using Group Policy. When you create Restricted Groups policies, you can specify the membership for a group and enforce it, so that no one can add or remove members: any member added outside the policy is removed again at the next Group Policy refresh.

Copyright 2013 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.