MCITP 70-640: Active Directory Groups

Captions
Welcome to the next free video for the free Active Directory training course. This video looks at how groups work in Active Directory. In a changing environment people come and go and roles change as companies restructure and people get promoted. Groups allow the administrator to assign permissions once to a resource and easily change who has access to that resource by changing the members of the group. Consider if you created a file share called invoice. Without groups you would need to assign the users directly to the share. With only a few users it is not that hard to manage, but once you add a few more users it starts to get more complex. At present, each time you want to give a new user access you need to modify the permissions on the server. This requires the administrator that is making the change to know the name of the share and the server on which it is located. Now consider that you have multiple offices around the country and each office has a server with an invoice share on it. Each time a new user requires access or access needs to be removed, the permissions on each share on each server need to be modified. This requires the administrator to know every server that has an invoice share on it and requires them to make changes on each one. To make things simpler, Active Directory allows you to create groups. A group is like a user or computer account in that it has a security identifier, or SID, associated with it. It is also possible to create a group without a security identifier. These are mainly used with software like Exchange to create e-mail distribution groups. In the next video I will look at how these kinds of groups work. Once a group is created it is added to the resource for which you want to control access, just like you would with a user. In this example, imagine that the accounts department requires access to the share. To achieve this you create a group called accounts and give it read and write access to all the invoice shares. 
The next point to consider is what would happen if another group of users needed access to the share, for example the sales department. To achieve this, the sales group is created and assigned permissions to all the invoice shares giving them read and write access. In a small company this kind of administration works well and it is best when possible to keep things simple. But let’s consider if the company is a lot bigger and there are a lot more servers. It is a simple matter to visit each server and change the permissions but the process of making the changes is starting to become time consuming. Also the process requires the administrator to know all the servers that have the share on it and care must be taken to ensure that every server is updated. Let’s consider what would happen if the management decided that the sales department did not require write access and only needed read access. This would require the administrator to visit each server and change the permissions for the sales department. After a flood of calls to the helpdesk for people in the sales department not being able to do their job, it is decided that they really did need write access to the invoice share. Once again each server needs to be visited again and the permissions changed back to what they were. Just after this is done, a request comes through for a new auditing group that will require read access to the invoice shares. Once again, each share needs to be modified and the permissions updated. Weren’t groups supposed to make things easier? There is no solution that will fit every situation and if you ask 10 different IT administrators how to perform group management you would probably get 11 different answers. Let’s start again with this example using a different approach. This time instead of assigning the permissions of the share directly to the accounts department you instead create a new group called invoice_modify. 
This group you assign to all the invoice shares, giving it read and write access. Next you simply need to add the accounts group to the invoice_modify group. Placing groups inside other groups like this is called nesting. Once the request comes through for the sales department to have read and write access to the invoice shares, you simply add the sales group to the invoice_modify group. Easy as that, no need to visit each server again. When the request comes through to change the sales group to read only, you create a new group called invoice_read. The invoice_read group is assigned to all the invoice shares with read access. Once this is done, take the sales group out of invoice_modify and put it in invoice_read. When the request comes through to give the sales group write access to the invoice shares again, all the hard work is already done. All that needs to be done is to move the sales group from invoice_read to invoice_modify. Lastly, when the request comes through to give the audit group read access, this is easy. Since the group invoice_read has already been created and permissions assigned, the audit group is created and added to the invoice_read group. You can see that using this approach makes administration easier when changes occur. Also, if someone were to ask who had access to the invoice share, you simply need to look at which users are in the invoice_read and invoice_modify groups. Configuring access like this is called role based access control. When using this approach, permissions are granted based on the role the user has in the organization. Users are not assigned permissions directly using this approach. Using role based access control, a user acquires access through their role in the organization. If the user were to change jobs or departments, the roles assigned to that user would change to suit their needs. Using this approach an administrator can quickly make these changes. 
The administrator also does not require knowledge of how the permissions at the lower level are assigned. This approach has its advantages but it also adds an extra level of complexity to your network. When deciding which approach to use for groups, consider how big your network is and how complex it is. On a small network it is generally not worth the time to create a lot of nested groups. On a large network with a lot of servers, these extra groups will save you a lot of time. In a later video I will discuss group strategy in more detail. When you start creating groups you should spend some time considering the naming standard that you will use. In this case invoice_read is quite simple, but you could also have a group name such as “invoice share read.” In this case I have used spaces rather than underscores. This will work just as well as underscores, but if the group is used in a script the group name will need to be enclosed in quotes. This does make scripting more complex, so a lot of administrators will avoid using spaces. Also consider that if you have an e-mail system like Exchange, these groups can be used inside Exchange as e-mail groups. For example, you could create a group called NewYork_Sales and put all the sales users for New York into this group. If you want to e-mail all the sales staff in New York you simply e-mail this group. For each office you could add a group for the sales users in that office. These groups could also be put into another group called USA_Sales. If you had an office in the UK you could create a group called UK_Sales. Both these groups could be put into another group called All_Sales_Employees. Since each location would know which employees belong in their local sales group, a local administrator in each area would be the best choice to make sure this group is kept up to date. With correct group management and forethought you can make your administration a lot easier and save yourself a lot of headaches later on. 
There are a number of different types of groups in Active Directory. Each group has a different scope, and thus there are advantages and disadvantages to using each type of group. In the next video I will look at the different types of groups that Active Directory has to offer and the scopes these groups have. The type of group that you select determines which domain or domains will have access to that group and also the replication that will be used for that group. Thanks for watching another free video in this Active Directory free course. For the latest videos please subscribe to us on YouTube or like us on Facebook. See you next time.
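The nested role groups described above (department groups inside invoice_read and invoice_modify, with permissions assigned only to the role groups) can be scripted as follows; this is an added example, not code from the video or from ITFreeTraining. It assumes the ActiveDirectory RSAT module, an OU of OU=Groups,DC=example,DC=com, placeholder file server names, and the group scopes shown (the video defers scopes to a later lesson), and it sets NTFS permissions rather than share-level permissions.

```powershell
# Added example: builds the role groups, nests department groups into them,
# grants the role groups NTFS rights on every invoice share once, and answers
# "who has access?" from Active Directory alone. Run with Domain Admin rights.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=example,DC=com'     # assumed OU for all groups
$servers = @('NYFS01', 'LAFS01', 'CHIFS01')  # placeholder file server names
$share   = 'invoice'

# Role (resource) groups: the only principals ever placed on the share ACL.
foreach ($g in 'invoice_read', 'invoice_modify') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $ou
    }
}
# Department groups: users are members here, never placed on a share directly.
foreach ($g in 'accounts', 'sales', 'audit') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Nesting: department group -> role group. Later access changes are membership edits.
Add-ADGroupMember -Identity invoice_modify -Members accounts, sales
Add-ADGroupMember -Identity invoice_read   -Members audit

# Sales becomes read-only: move the group between roles; no server is touched.
Remove-ADGroupMember -Identity invoice_modify -Members sales -Confirm:$false
Add-ADGroupMember    -Identity invoice_read   -Members sales

# Grant each role group its NTFS rights on every invoice share, one time only.
$domain = (Get-ADDomain).NetBIOSName
foreach ($s in $servers) {
    $path = "\\$s\$share"
    $acl  = Get-Acl -Path $path
    foreach ($rule in @(
            @{ Group = "$domain\invoice_read";   Rights = 'ReadAndExecute' },
            @{ Group = "$domain\invoice_modify"; Rights = 'Modify' })) {
        $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $rule.Group, $rule.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Audit check: list the users who end up with each level of access through nesting.
foreach ($g in 'invoice_read', 'invoice_modify') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Role'; e = { $g } }, SamAccountName, objectClass
}
```

Run the group and ACL sections with -WhatIf first to review the changes on a production domain.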
Info
Channel: itfreetraining
Views: 67,388
Keywords: Groups, Nesting groups, role based access control, Active Directory, 70-640, MCITP, MCTS, ITFreeTraining
Id: CRQXrA0J4lo
Length: 9min 37sec (577 seconds)
Published: Mon May 07 2012