Contents
Overview
Introduction to Groups
Implementing Group Strategies
Implementing Groups
Implementing Local Groups
Lab A: Creating Groups
Implementing Built-in Groups
Lab B: Using Built-in Groups
Best Practices
Review
This course is a prerelease course and is based on
Microsoft Windows 2000 Beta 3 software. Content in the
final release of the course may be different than the content
included in this prerelease version. All labs in the course
are to be completed using the Beta 3 version of
Microsoft Windows 2000 Advanced Server.
Module 3: Using Groups to Organize User Accounts
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 1999 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead/Senior Instructional Designer: Red Johnston
Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager: Jim Cochran (Volt Computer)
Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor: Kim Ralls
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Tammy Stockton (Write Stuff)
Compact Disc Testing: ST Labs
Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Introduction
This module provides students with the knowledge and skills that are necessary
to implement groups in order to streamline administrative tasks. The module
discusses the purpose of using groups, the different types of groups and their
scopes, and the effective strategies for using groups to organize user accounts.
The module then describes the procedures to create and delete groups and add
members to groups. Finally, the module covers strategies for implementing
local and built-in groups. There are two labs in this module. In the first lab,
students will create groups in a domain and add members to them. In the second
lab, students will identify the membership and rights of built-in groups and use
them to assign administrative capabilities to user accounts.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1556A_03.ppt
• Module 3, “Using Groups to Organize User Accounts”
Preparation
To prepare for this module, you should:
• Read all the materials for this module.
• Review the Delivery Tips and Key Points for each section and topic.
• Complete the two labs.
• Study the review questions and prepare alternative answers for discussion.
• Anticipate questions that students may ask. Write out the questions and
  provide answers to them.
Presentation: 45 Minutes
Labs: 30 Minutes
Other Activities
There is a class discussion in this module, in which you will work through a
scenario about applying groups in a single domain. Review the slides and
corresponding questions and solutions. This section describes how to present
this interactive discussion.
Class Discussion: Using Groups in a Single Domain
This topic contains two slides. Use the first slide (which corresponds to the
illustration in the workbook) to present the question and the second slide to
present the suggested solution.
Module Strategy
Use the following strategy to present this module:
• Introduction to Groups
  Provide an overview of the purpose of using groups to perform
  administrative tasks. Introduce the different types of groups and then
  explain the concept of group scopes. The topic on group scopes has
  four slides. Use the first slide to introduce the three group scopes. Then,
  explain each group scope in detail using the corresponding slide.
• Implementing Group Strategies
  Explain the recommended strategies to use global and domain local groups
  in a domain. Discuss other possible strategies and their limitations. Use the
  class discussion topic to examine a scenario for using groups in a single
  domain. Present the question and encourage a discussion. Then present
  the suggested solution and discuss other possible solutions.
• Implementing Groups
  Present the guidelines for creating groups, which include the naming
  convention and determining the type of the group and its scope. Then
  explain the procedures to create and delete a group, locate a group in
  Active Directory™ directory service, and add members to a group.
• Implementing Local Groups
  Define local groups and explain their uses. Present their membership rules
  and the possible strategies for using them in a domain.
• Implementing Built-in Groups
  In this section, describe the four types of built-in groups: global, domain
  local, local, and system. For each type of built-in group, explain the
  purpose of the group and the membership of the group.
• Best Practices
  Read the Best Practices section before you start the module, and then refer
  to the appropriate practice as you teach the corresponding module section.
  Then, at the end of the module, summarize all of the best practices for the
  module.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on the student computers during the labs.
This information is provided to assist you in replicating or customizing
Microsoft Official Curriculum (MOC) courseware.
Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at
the end of the Classroom Setup Guide for course 1556A, Administering
Microsoft Windows 2000.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup Requirement 1
The labs in this module require that the Users group have the Log on locally
right. To prepare the student computers to meet this requirement, perform one
of the following actions:
• Complete module 2 of course 1556A, Administering Microsoft Windows 2000.
• From the Trainer Materials compact disc, run the LRights.cmd script on
  each domain controller in each child domain.
Setup Requirement 2
The labs in this module require the following user accounts: User31A,
User31B, User32, and User33.
To prepare the student computers to meet this requirement:
• Run the script Lab031.cmd on one of the two domain controllers in each
  subdomain.
  Caution: If you run the script on both domain controllers, the labs will not
  function properly.
• If you create the users manually, leave the password blank.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
• The assignment of the Log on locally right to the Users group.
• The addition of User31A, User31B, User32 and User33 in the Users
  container.
• The addition of User31A and User31B in the Administrators Domain Local
  group.
Overview
• Introduction to Groups
• Implementing Group Strategies
• Implementing Groups
• Implementing Local Groups
• Implementing Built-in Groups
• Best Practices
A group is a collection of user accounts. You use groups to simplify the
management of user and computer access to various shared resources. Groups
allow you to assign access permissions to a group of users at one time rather
than multiple times to individual users. After you assign the access permission
to a group, you can simply add any user requiring the same permission to the
group.
Microsoft® Windows® 2000 provides different types of groups for different
tasks. In this module, you will learn about the various types of groups and how
to use them.
At the end of this module, you will be able to:
• Describe the key features of groups.
• Apply group strategies to manage access to resources.
• Create and delete groups.
• Implement local groups.
• Implement built-in groups.
• Apply best practices for implementing groups.
Slide Objective
To provide an overview of the module topics and objectives.
Lead-in
In this module, you will learn how to group user accounts for easier management
of user access to resources.
Introduction to Groups
• Using Groups
• Group Types
• Group Scopes
Before you can use groups effectively, you need to understand their functions
and the group types that you can create. Windows 2000 provides two
types of groups, distribution and security, that you can create depending on the
task that you need to manage.
Each type of group has a scope attribute, which identifies the extent to which
a group is applied on the network. Group scopes allow you to use groups in
different ways to assign permissions. Windows 2000 provides three scopes:
global, domain local, and universal.
Slide Objective
To introduce groups.
Lead-in
Groups simplify administration by allowing you to assign permissions once rather
than multiple times. This section defines groups and the group types that you
can create.
Delivery Tip
This section provides an introduction to groups, types of groups, and group
scopes. Prepare students for the topics by providing the following key points.
Key Points
Windows 2000 provides two types of groups—distribution and security.
Each type of group has a scope attribute that identifies the range in which the
group can be applied on the network.
Windows 2000 provides three scope types—global, domain local and universal.
Using Groups
• Members Receive Permissions Given to Groups
• Users Can Be Members of Multiple Groups
• Groups Can Be Members of Other Groups
[Figure: Permissions Assigned Once for a Group, Instead of Permissions Assigned
Once for Each User Account]
You use groups to manage user access to shared resources such as network
shares, files, directories, and printer queues. When assigning permissions for
resources, you should assign the required permissions to a group of users rather
than to individual users. In this manner, you assign the permissions once to the
group, instead of several times to individual users. This helps simplify the
maintenance and administration of a network.
In addition to user accounts, you can add computers and other groups to a group
for organizational purposes and other administrative tasks. When you add
members to groups, consider the following:
• When you make a user a member of a group, you give the user all the rights
  and permissions granted to the group. However, if the user is already logged
  on, the rights of the newly assigned group will not take effect until the user
  logs off and then logs on again.
• Users can be members of multiple groups. This is because a group is simply
  a list of members, with references to the actual user accounts.
• Groups can be members of other groups. Adding groups to an existing
  group is called nesting. Nesting creates a single, consolidated group and can
  reduce the number of times that you need to assign permissions. You can
  create a nested hierarchy of groups based on the business needs of the
  members.
Slide Objective
To define groups and their purpose.
Lead-in
You use groups to combine user accounts so that you can assign rights and
permissions to shared resources a single time rather than multiple times.
Delivery Tip
You could use the following example to explain nesting of groups: Add managers
in each region to a group that is specific to that region. Administrators in
each region control the membership of the group that represents managers in
their regions. Then, add all of the regional groups to another group, called
Worldwide Managers. When all managers need access to resources, assign
permissions only to the Worldwide Managers group.
Key Point
A user account can be a member of multiple groups.
Group Types
• Security Groups
  - Used to assign permissions
  - Can be used as an e-mail distribution list
• Distribution Groups
  - Cannot be used to assign permissions
  - Can be used as an e-mail distribution list
Windows 2000 has two group types: security and distribution. The group type
determines the tasks that you manage with the group. Both types of groups are
stored in Active Directory™ directory service so that you can use them
anywhere in your network.
Security Groups
Use security groups for security-related purposes, such as assigning permissions
to gain access to resources. You can also use them to send e-mail messages to
multiple users. Sending an e-mail message to the group sends the message to all
members of the group. Therefore, security groups share the capabilities of
distribution groups.
Distribution Groups
Applications use distribution groups as lists for non-security-related functions,
such as sending e-mail messages to groups of users. The primary purpose of
this type of group is to gather related objects, not to assign permissions. Even
though security groups have all the capabilities of distribution groups,
distribution groups are still required, because some applications can only read
distribution groups.
Note: Because distribution groups reside in Active Directory, only
applications that are designed to work with Active Directory can use them.
For example, future versions of Microsoft Exchange Server will be able to
use Windows 2000 groups as distribution lists for e-mail messages.
Slide Objective
To describe the two types of groups.
Lead-in
Sometimes you create groups for security-related purposes, such as permissions
assignment. Other times you use them for non-security purposes, such as to send
e-mail messages. To facilitate this, Windows 2000 includes two group types.
Key Points
Use security groups to assign permissions.
Other applications use distribution groups. Use distribution groups only for
non-security related purposes, such as sending e-mail messages.
Only programs designed to work with Active Directory can use distribution
groups. For example, future versions of Microsoft Exchange Server will be able
to use Windows 2000 groups as distribution lists for e-mail messages.
Group Scopes
Domain Local Group
• Used to assign permissions to resources
Global Group
• Used to organize users who share similar network access requirements
Universal Group
• Used to assign permissions to related resources in multiple domains
Group scopes allow you to use groups in different ways to assign permissions.
The scope of a group determines:
• The domains from which you can add members to the group.
• The domains in which you can use the group to grant permissions.
• The domains in which you can nest the group within other groups.
The group scope determines the membership of the group. Membership rules
govern the members that a group can contain and the groups of which a group
can be a member. Group members consist of user accounts and other groups.
Adding a group to another group is called nesting. To assign the correct
members to groups and to use nesting, it is important to understand the
characteristics of the scope of a group.
There are three group scopes: global, domain local, and universal.
Global Groups
The most common use of global groups is to organize users who share similar
network access requirements. A global group:
• Provides access to resources in any domain. You can use a global group to
  assign permissions to gain access to resources that are located in any
  domain.
• Has limited membership. You can add user accounts and global groups only
  from the domain in which you create the global group.
• Can be nested within other groups. You can add a global group to another
  global group in the same domain or to universal and domain local groups in
  other domains.
Slide Objective
To describe the different group scopes.
Lead-in
Each distribution or security group has a scope, which identifies the extent to
which the group is applied on the network.
Delivery Tip
There are four slides in the presentation for this topic. Use the first slide
to explain the broad purpose of each of the group scopes and the subsequent
slides to explain the characteristics of each group scope.
Domain Local Groups
The most common use of domain local groups is to assign permissions to
resources. A domain local group:
• Provides access to resources in one domain. You can use a domain local
  group to assign permissions to gain access to resources that are located in
  the same domain where you create the domain local group.
• Has open membership. You can add user accounts, universal groups, and
  global groups from any domain.
• Cannot be nested within other groups. You cannot add a domain local group
  to any group in any domain.
Universal Groups
The most common use of universal groups is to assign permissions to related
resources in multiple domains. A universal group:
• Provides access to resources in any domain. You can use a universal group
  to assign permissions to gain access to resources that are located in any
  domain.
• Has open membership. You can add user accounts, universal groups, and
  global groups from any domain.
• Can be nested within other groups. You can add a universal group to
  domain local or universal groups in any domain.
Note: Minimize the levels of nesting. A single level of nesting is the most
effective, because tracking permissions becomes more complex with multiple
levels. Also, troubleshooting becomes difficult if you have to trace permission
assignments through multiple levels of nesting. To avoid these problems, you
must document group membership to keep track of permission assignments.
Implementing Group Strategies
• Using Global and Domain Local Groups
• Developing Group Strategies
• Class Discussion: Using Groups in a Single Domain
To use groups effectively, you need a strategy for employing the different group
scopes. There are two common group strategies, and the use of one over the
other depends on your Windows 2000 network environment. In a single
domain, the common practice is to use global and domain local groups to assign
permissions to network resources. In a multiple domain scenario, the strategy
could incorporate global and universal groups.
Slide Objective
To introduce group strategies.
Lead-in
There are two main strategies for using groups: one strategy uses global and
domain local groups, and the other includes universal groups.
Delivery Tip
This section explains the use of group strategies in managing groups. Prepare
students for the topics by providing the following key points.
Key Points
Use global and domain local groups in a single domain environment.
Use global and universal groups in a multiple domain environment.
Using Global and Domain Local Groups
Strategy
Organize Users by Administrative Needs; Create a Global Group
Identify Common Resources; Create a Domain Local Group
Add Global Groups to Domain Local Groups
Assign Permissions to the Domain Local Group
The following is the recommended strategy to manage global and domain local
groups efficiently:
1. Organize users based on administrative needs, such as their locations and
job responsibilities. Then, create a global group and add the user accounts to
it. For example, in an accounting department, create a global group called
Accounting and add user accounts for all accountants to it.
2. Identify the resources or group of resources, such as related files, to which
users need access, and then create a domain local group for that resource.
For example, if you have a number of color printers in your company, create
a domain local group for them called Color Printers.
3. Make all global groups that share the same access needs for resources
members of the appropriate domain local group. For example, add the
Accounting, Sales, and Management global groups to the Color Printers
domain local group.
4. Assign the required permissions to the domain local group. For example,
assign the necessary permissions to use color printers to the Color Printers
group. In this way, all three global groups—Accounting, Sales, and
Management—have access to the Color Printers domain local group.
Slide Objective
To explain a strategy for using global and domain local groups.
Lead-in
It is important to have a group strategy in place before you create groups. We
are now going to discuss one important strategy that uses global and domain
local groups.
Key Point
This is the recommended strategy. However, there are many different ways to
group user accounts and assign permissions.
Developing Group Strategies
Strategy 1: A → DL → P (May limit flexibility)
Strategy 2: A → G → P (May complicate administration)
Strategy 3: A → G → DL → P (Recommended)
Following are some examples of group strategies and their possible limitations:
• User accounts (A) are placed in domain local groups (DL), and permissions
  (P) are assigned to the domain local groups. One limitation of this strategy
  is that it does not allow you to assign permissions for resources outside of
  the domain. Therefore, it reduces the flexibility that you have when your
  network grows.
• User accounts (A) are placed in global groups (G), and permissions (P) are
  assigned to the global groups. The limitation of this strategy is that it will
  complicate administration when you use multiple domains. If global groups
  from multiple domains require the same permissions, you would have to
  assign permissions to each global group individually.
The following strategy is the recommended group strategy:
• Place user accounts (A) in global groups (G), place the global groups in the
  domain local groups (DL), and then assign permissions (P) to the domain
  local groups. This strategy gives you the most flexibility for network growth
  and reduces the number of permission assignments.
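The membership rules under Group Scopes and the three strategies above can be checked mechanically. The following Python code is an added example, not part of the original courseware: it encodes the scope rules as this module states them and audits one permission assignment against the recommended A, G, DL, P strategy and the note on nesting depth. The user account names and the Regional Managers group are constructed for illustration; the other group names come from the Color Printers example.

```python
from dataclasses import dataclass, field

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"


@dataclass
class Principal:
    name: str
    kind: str                      # USER or one of the three group scopes
    domain: str
    members: list = field(default_factory=list)


def may_add(member, group):
    """Apply the membership rules listed under Group Scopes; return (ok, reason)."""
    if group.kind == USER:
        return False, "a user account cannot have members"
    if member.kind == DOMAIN_LOCAL:
        return False, "a domain local group cannot be nested within other groups"
    if group.kind == GLOBAL:
        if member.kind == UNIVERSAL:
            return False, "a global group holds only user accounts and global groups"
        if member.domain != group.domain:
            return False, "a global group takes members only from its own domain"
    return True, "ok"              # domain local and universal: open membership


def add(member, group):
    ok, reason = may_add(member, group)
    if not ok:
        raise ValueError(f"{member.name} -> {group.name}: {reason}")
    group.members.append(member)


def expand(group, chain=()):
    """Yield (user, groups walked from the permission holder down to the user)."""
    chain = chain + (group.name,)
    for m in group.members:
        if m.kind == USER:
            yield m, chain
        elif m.name not in chain:  # stop on a membership loop
            yield from expand(m, chain)


def effective_users(group):
    """Every user account that receives the permissions assigned to this group."""
    return sorted({u.name for u, _ in expand(group)})


def audit(resource, holder):
    """List departures from A -> G -> DL -> P for one permission assignment."""
    findings = []
    if holder.kind == GLOBAL:
        findings.append(
            f"{resource}: permission held by global group {holder.name} (Strategy 2)")
    for user, chain in expand(holder):
        if holder.kind == DOMAIN_LOCAL and len(chain) == 1:
            findings.append(
                f"{resource}: {user.name} sits directly in {holder.name} (Strategy 1)")
        if len(chain) > 2:         # holder > group > group > user
            findings.append(f"{resource}: {user.name} reached via "
                            f"{' > '.join(chain)} (nesting deeper than one level)")
    return findings


def demo():
    dom = "nwtraders.msft"
    printers = Principal("Color Printers", DOMAIN_LOCAL, dom)
    groups = {n: Principal(n, GLOBAL, dom)
              for n in ("Accounting", "Sales", "Management")}
    for name, g in groups.items():
        add(Principal(f"{name.lower()}-user", USER, dom), g)  # constructed accounts
        add(g, printers)
    clean = audit("color printers", printers)   # matches the recommended strategy

    # Two constructed departures: a user placed straight into the domain local
    # group, and a second level of nesting below the Management global group.
    add(Principal("temp-user", USER, dom), printers)
    regional = Principal("Regional Managers", GLOBAL, dom)
    add(Principal("regional-user", USER, dom), regional)
    add(regional, groups["Management"])
    return printers, clean, audit("color printers", printers)


if __name__ == "__main__":
    _, _, findings = demo()
    print("\n".join(findings))
```
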
Slide Objective
To present examples of group strategies.
Lead-in
Let’s discuss examples of group strategies where either the global or domain
local group is not used.
Class Discussion: Using Groups in a Single Domain
[Figure: the nwtraders.msft domain and the Inventory database]
Managers need to gain access to the Inventory database. How do you set up groups?
In this example, Northwind Traders has a single domain that is located in Paris,
France. Northwind Traders managers need access to the Inventory database to
perform their jobs.
• What would you do to ensure that the managers have the required access to
  the Inventory database?
  Place all of the managers in a global group. Create a domain local
  group for Inventory database access. Make the global group a member
  of the domain local group and assign permissions to gain access to the
  Inventory database to the domain local group.
Slide Objective
To determine students’ understanding of how to use groups in a single domain
environment.
Lead-in
This example shows how to use groups in a single domain environment. Take a few
minutes to determine a solution, and then we will discuss it as a class.
Delivery Tip
This material is for a class discussion. There are two slides for this topic.
Use the first slide to introduce the scenario and present the question. Use the
second slide to discuss the answer with the class.
Implementing Groups
• Guidelines for Creating Groups
• Creating and Deleting Groups
• Finding a Group in Active Directory
• Adding Members to a Group
After you assess user needs and organize groups accordingly, you are ready to
implement groups. To implement your group strategy, you should be familiar
with guidelines for creating groups. Then you can create groups, delete groups
when necessary, and add members to groups.
In addition, after you have established the groups, you may need to modify their
properties to suit the changing needs of the network. To do so, you will need to
locate specific groups in Active Directory.
Slide Objective
To introduce implementing groups.
Lead-in
After you have established a group plan, you are ready to create groups, add
members to groups, and delete groups.
Delivery Tip
This section explains how to create and use groups. Prepare students for the
topics by providing the following key points.
Key Points
Determine the guidelines for creating groups in the existing network.
You can create and delete groups using Active Directory Users and Computers.
Use the Find feature to locate groups in Active Directory.
Guidelines for Creating Groups
Determine Whether You Have Permissions to Create Groups
Determine the Name of the Group
Determine Which Group Scope to Use
When creating groups you should:
• Determine the required group scope based on how you want to use the
  group. For example, use global groups to group user accounts. Alternatively,
  use domain local groups to assign permissions to a resource.
• Determine whether you have the necessary permissions to create a group in
  the appropriate domain:
  - By default, members of the Administrators or Account Operators group
    in a domain have the necessary permissions to create groups.
  - An administrator can give a user the permission to create groups in the
    domain.
• Determine the name of the group. Consider the following:
  - Make the name intuitive so that it reflects the purpose for which it was
    created. This is especially useful if administrators from other domains
    search for it in Active Directory.
  - If there are parallel groups in multiple domains, make sure that the names
    are also parallel and reflect the domain names. For example, if there is a
    group for managers in each domain, these groups should use a similar naming
    scheme, such as Managers USA and Managers Australia.
Slide Objective
To explain guidelines for creating groups.
Lead-in
Follow these guidelines when you create groups.
Creating and Deleting Groups
• Use Active Directory Users and Computers to Create or Delete Groups
• Deleting a Group Removes Rights and Permissions Permanently
• Deleting a Group Does Not Delete Group Members
[Figure: Create New Object - (Group) dialog box. Create in: nwtraders.msft/Users.
Fields: Name of new group (callout: Group Name; text shown: Public), Downlevel
name of new group, Group scope (Domain local, Global, Universal), Group type
(Security, Distribution). Buttons: OK, Cancel.]
Create groups in the Users folder or in a separate folder that you have created
for groups. You must delete groups when you no longer need them so that you
do not accidentally assign permissions to them.
Creating a Group
To create a group, start Active Directory Users and Computers, click the Users
folder, click the Action menu, point to New, and then click Group. The
following table describes the options that you must provide in the Create New
Object – (Group) dialog box.
Option                        Description
Name of new group             The name of the new group. The name must be unique
                              in the domain where you create the group.
Downlevel name of new group   The name used to support clients and servers from
                              earlier versions of Windows.
Group scope                   The group scope. Click Domain local, Global, or
                              Universal.
Group type                    The type of group. Click Security or Distribution.
Deleting a Group
When you delete a group, you delete only the group and remove the
permissions and rights that are associated with it. Deleting a group does not
delete the user accounts that are members of the group.
Each group that you create has a unique, non-reusable identifier, called the
security identifier (SID). Windows 2000 uses the SID to identify the group
and the permissions that are assigned to it. When you delete a group,
Windows 2000 never uses the SID again, even if you create a new group
with the same name as the group that you deleted. Therefore, you cannot
restore access to resources by re-creating the group.
To delete a group, right-click the group, and then click Delete.
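Why re-creating a deleted group does not restore access can be shown with a small model. The following Python code is an added example, not part of the original courseware: it keys a resource's permission entries by SID, as described above, and lists the entries left pointing at a deleted group. The domain identifier, the starting relative identifier, and the account name are constructed values.

```python
import itertools

# Constructed domain identifier; a real one is assigned when the domain is created.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


class Directory:
    """Toy account database: group names can be reused, SIDs cannot."""

    def __init__(self, first_rid=1100):         # constructed starting value
        self._rids = itertools.count(first_rid)  # only ever counts upward
        self.groups = {}                         # group name -> SID
        self.members = {}                        # SID -> set of user names

    def create_group(self, name):
        if name in self.groups:
            raise ValueError(f"{name} already exists in the domain")
        sid = f"{DOMAIN_SID}-{next(self._rids)}"
        self.groups[name] = sid
        self.members[sid] = set()
        return sid

    def delete_group(self, name):
        sid = self.groups.pop(name)
        del self.members[sid]                    # member user accounts are untouched
        return sid


def has_access(directory, acl, user, permission):
    """acl is a list of (SID, permission) entries stored on the resource."""
    return any(perm == permission and user in directory.members.get(sid, ())
               for sid, perm in acl)


def orphaned_entries(directory, acl):
    """Entries whose SID no longer resolves to any group in the directory."""
    live = set(directory.groups.values())
    return [(sid, perm) for sid, perm in acl if sid not in live]


def demo():
    d = Directory()
    old_sid = d.create_group("Color Printers")
    d.members[old_sid].add("acct-user")          # constructed account name
    acl = [(old_sid, "Print")]                   # permission assigned to the group
    before = has_access(d, acl, "acct-user", "Print")

    d.delete_group("Color Printers")
    new_sid = d.create_group("Color Printers")   # same name, new SID
    d.members[new_sid].add("acct-user")
    after = has_access(d, acl, "acct-user", "Print")
    return old_sid, new_sid, before, after, orphaned_entries(d, acl)


if __name__ == "__main__":
    print(demo())
```
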
Slide Objective
To explain how to create and delete groups.
Lead-in
To create or delete groups, use Active Directory Users and Computers.
Delivery Tip
Demonstrate the procedures to create a group by using Active Directory Users and
Computers.
Demonstrate how to delete a group by using Active Directory Users and Computers.
Finding a Group in Active Directory
[Figure: Find Users, Contacts, and Groups dialog box. Find: Users, Contacts, and
Groups. In: nwtraders. Fields: Name (text shown: Public), Description. Controls:
Find Now, Stop, Clear All, Browse, Advanced.]
To perform administrative tasks, such as adding members to a group and
assigning permissions to a group, you must locate the group in Active Directory
and select it. However, when the size of Active Directory gets large, locating a
specific group can be difficult. To assist you in this task, Windows 2000
provides the Find feature.
To locate a group using the Find feature:
1. Start Active Directory Users and Computers, and select the folder where the
group is located, if known. If you do not know the folder in which the group
is located, select the domain.
2. Right-click the folder, and then click Find.
3. In the Find Users, Contacts, and Groups dialog box, type the name of the
group that you need to locate, and then click Find Now.
Slide Objective
To explain how to locate a
group in Active Directory.
Lead-in
When you need to perform
administrative tasks on a
group, use the Find
feature in Windows 2000
to locate the group in
Active Directory.
Adding Members to a Group
[Slide: the Members tab of the Group One Properties dialog box and the Select Users, Contacts, Computers, or Groups dialog box]
After creating a group, you should add members. Members of groups can
include user accounts, other groups, and computers. To add members to a
group, use Active Directory Users and Computers.
Note: Add a computer to a group to give one computer access to a shared
resource on another computer (for example, for remote backup).
To add members to a group:
1. In the Properties dialog box for the appropriate group, click the Members
tab, and then click Add.
2. In the Look in list, select a domain from which to display user accounts and
groups. You can also select Entire Directory to view user accounts and
groups from anywhere in Active Directory.
3. Select the user account or group that you want to add, and then click Add.
You can also type the name of the user account or group to add. Repeat this
step to add other user accounts or groups.
4. Click OK to add the members.
Tip: You can also add a user account or group by using the Member Of tab in
the Properties dialog box for that user account or group. Use this method to
add the same user or group to multiple groups quickly.
Slide Objective
To explain how to add
members to a group.
Lead-in
You can add user accounts,
other groups, and
computers to a group by
using the Select Users,
Contacts, Groups, or
Computers dialog box.
Delivery Tip
Demonstrate the procedure
to add members to a group
by using Active Directory
Users and Computers.
Implementing Local Groups
• Introduction to Local Groups
• Strategy for Using Local Groups in a Domain
You can create local groups only on member servers and on computers running
Windows 2000 Professional. Individual users create them to provide access to
resources on the local computer when a domain local group is not created for
that purpose.
You can use local groups to give permissions only to resources on the local
computer. After you determine user needs and organize local groups
accordingly, you can create the local groups and assign permissions to them.
Slide Objective
To introduce local groups.
Lead-in
Local groups are also
available for your use. Let’s
look at how they function
and how to create and add
members to a local group.
Delivery Tip
This section explains how to
use local groups. Prepare
students for the topics by
providing the following key
points.
Key Points
Individual users create local
groups on their local
computers.
You can create local groups
only on member servers and
on computers running
Windows 2000 Professional.
Introduction to Local Groups
[Slide]
Use Local Groups
• Only on the computer on which you create them
• To control access to resources on the local computer
Can Contain
• Domain User Accounts
• Local User Accounts
• Global Groups
• Universal Groups
A local group is a collection of user accounts on a stand-alone server or a
computer running Windows 2000 Professional. Use it to assign permissions
to resources on a local computer.
Windows 2000 creates local groups in the local security database on most
computers running Windows 2000 Professional. However, you cannot create
local groups on domain controllers, because domain controllers cannot have a
security database that is independent of Active Directory.
Consider the following guidelines for using local groups:
• You can use local groups only on the computer on which you create the
local groups. Although local groups are available on member servers and
domain computers running Windows 2000 Professional, you should not use
local groups on computers that are part of a domain. Using local groups on
domain computers prevents you from centralizing group administration.
Local groups do not appear in Active Directory, and you must administer
local groups separately for each computer.
• You can assign permissions to local groups for access only to the resources
on the computer where you create the local groups.
Consider the following membership rules for local groups:
• Local groups can contain local user accounts from the computer where you
create the local groups, as well as global and universal groups from any
domain.
• Local groups cannot be members of any other group.
Slide Objective
To describe local groups
and how to use them.
Lead-in
You can create local groups
on a stand-alone server or a
computer running
Windows 2000 Professional.
Use local groups to control
access to resources on a
computer.
Key Point
Use local groups on a
computer that is either a
member server or is running
Windows 2000 Professional.
Strategy for Using Local Groups in a Domain
[Slide: diagram showing User Accounts, Global Group, Local Group, and Permissions]
One strategy for using local groups is to place user accounts in a local group
and assign permissions to the local group. However, this strategy is limited in
that you cannot assign permissions for resources outside the local computer.
To overcome this problem, a better strategy is to place user accounts in a global
group, add the global group to the local group, and then assign permissions to
the local group. This strategy gives you more flexibility with using the local
group.
Note: Use domain local groups whenever possible. Use local groups only when
a domain local group has not been created for the purpose.
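To check how closely a computer follows the strategy above, you can list every local group member and classify how it was added. The following script is an added example, not part of the original course material; it assumes Windows PowerShell 5.1 (or later) with the built-in LocalAccounts cmdlets on a member server or workstation, and the function name and finding labels are hypothetical.

```powershell
# Added example: audits how members were placed in local groups on this computer.
# The function name and the finding labels are hypothetical, chosen for this example.
function Get-LocalGroupStrategyFinding {
    foreach ($group in Get-LocalGroup) {
        try {
            $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        } catch {
            # Enumeration can fail, for example when a member no longer resolves.
            [pscustomobject]@{
                LocalGroup = $group.Name
                Member     = $null
                Finding    = "CannotEnumerate: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($m in $members) {
            $finding = switch ("$($m.ObjectClass)/$($m.PrincipalSource)") {
                # Domain account placed directly in the local group.
                'User/ActiveDirectory'  { 'DomainUserAddedDirectly' }
                # Allowed by the membership rules, but managed per computer.
                'User/Local'            { 'LocalAccountOnly' }
                # Domain group nested in the local group, as the strategy recommends.
                'Group/ActiveDirectory' { 'FollowsStrategy' }
                # Anything else (special identities, unknown sources) needs a manual look.
                default                 { 'Review' }
            }
            [pscustomobject]@{
                LocalGroup = $group.Name
                Member     = $m.Name
                Finding    = $finding
            }
        }
    }
}

# Show only the entries that deviate from the recommended strategy.
Get-LocalGroupStrategyFinding |
    Where-Object Finding -ne 'FollowsStrategy' |
    Sort-Object LocalGroup, Member |
    Format-Table -AutoSize
```

Entries reported as DomainUserAddedDirectly are candidates for moving into a global group that is then added to the local group.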
Slide Objective
To explain strategies for
using local groups.
Lead-in
Let’s discuss strategies for
using local groups to
provide access to resources
on a local computer.
Lab A: Creating Groups
Objectives
After completing this lab, you will be able to:
• Create groups in a domain.
• Add members to groups.
Prerequisites
Before working on this lab, you must be able:
• To gain access to and use Active Directory™ Users and Computers.
Scenario
You have recently experienced growth in the company and have had to hire
more employees to fill the new positions in the newly formed Sales department.
You will assign them permissions to various resources in the company and want
to simplify this task as much as possible. You will create a global group and
place the new employees in the new group.
Lab Setup
To complete this lab, you need the following:
• The following user account information
Your domain name ________________________________________________
Your computer name ___________________________________________
Estimated time to complete this lab: 15 minutes
Slide Objective
To introduce the lab.
Lead-in
In this lab, you will create
groups in a domain and add
members to groups.
Delivery Tip
Explain the lab objectives.
Go over the information in
the “Before You Begin”
section of the lab.
Review the lab answers.
Ask students if they
encountered any problems
during the lab.