Active Directory Groups Overview

Questions and Answers

What is the primary use of a contact in Active Directory?

To assign rights to users

To manage group permissions

For informational purposes only (correct)

To send emails to multiple recipients

A distribution group can include user accounts, contacts, and security groups as members.

True

What are the two settings assigned when creating a group in Active Directory Users and Computers (ADUC)?

Group type and group scope

A ________ group is recommended for assigning rights and permissions to domain resources.

domain local

Which of the following is NOT a group scope option available in Windows Server 2012?

Site-based

Match the group types with their functions:

Security groups = Manage network resource access Distribution groups = Send e-mails to multiple users Domain local groups = Assign rights and permissions to domain resources Global groups = Limited scope to a specific domain

Security groups can only contain user accounts as members.

False

What is the main purpose of security groups in Active Directory?

To manage network resource access and grant rights to users

How can a computer account be created in Active Directory?

By changing from Workgroup to Domain

A computer account is not a security principal.

False

What should be done if a computer account becomes unsynchronized with the domain controller?

Reset the computer account.

An administrator can create a computer account _____ in Active Directory.

manually

What happens to a computer account when the computer leaves the domain?

It is disabled automatically

Match the following Active Directory components with their functions:

OU = Mirroring a company's organizational chart ADUC = Creating and maintaining user accounts User templates = Facilitating user creation with common attributes Groups = Granting rights and permissions

User accounts contain information used only for authentication.

False

What must a computer account do to be accepted by the domain?

Authenticate

What is the primary purpose of a global group in a single domain environment?

To group users from the same domain with similar access requirements.

A universal group can only contain users from a single domain.

False

What role does the Domain Local group play in the AGDLP strategy?

It is assigned permissions to resources.

A ____ group can include users from different domains in the forest and its membership information is stored on global catalog servers.

universal

Which account types can be members of local groups?

Local user accounts and domain user accounts from any domain

Nesting groups is the practice of making a group a member of another group.

True

Which group types can be members of a domain local group?

Local user accounts, domain user accounts, domain local groups, global groups, universal groups.

Match the following group types with their descriptions:

Global Group = Groups users from the same domain with similar access requirements. Universal Group = Contains users from any domain in the forest. Local Group = Created in the local SAM database on a member server. Nesting Groups = Making one group a member of another group.

What is the primary use of a distribution group?

To send e-mails to multiple users at once

Domain local groups can contain users from other domains.

False

Name the three group scope options available in a Windows Server 2012 forest.

Domain local, Global, Universal

A ________ group is primarily used to manage network resource access.

security

Match each group type with its role:

Domain local = Assigning rights and permissions to domain resources Global = Grouping users across multiple domains Universal = E-mail distribution within a single domain Security = Managing access to network resources

Which object types can be members of a distribution group?

User accounts, contacts, and other groups

A contact in Active Directory represents a user account with permissions.

False

What are the two settings that must be assigned when creating a group in Active Directory Users and Computers (ADUC)?

Group type, Group scope

What is the primary purpose of a global group in a domain environment?

To group users from the same domain with similar access requirements

A universal group can only contain users from the same domain.

False

What happens to the membership of local groups when a computer joins a domain?

Domain Admins global group is made a member of Administrators, and Domain Users global group is made a member of Users.

The AGDLP role-based strategy involves Accounts being made members of _____ groups, which are then made members of Domain _____ groups.

Global, Local

Match the following group types with their descriptions:

Global Group = Groups users from the same domain Universal Group = Can contain users from any domain in the forest Local Group = Created in the local SAM database Nesting Groups = Making a group a member of another group

Which group type can only contain local user accounts?

Local group

Nesting groups is a practice used to combine users from the same department.

False

What is the function of a Domain Local group in the AGDLP strategy?

To assign permissions to resources.

How can a computer account be created in Active Directory?

By changing the computer membership from Workgroup to Domain

A computer account is created manually in Active Directory only when an administrator changes the membership.

False

What must happen if a computer account has become unsynchronized with the domain controller?

It must be reset.

When a computer leaves the domain, its computer account is automatically _____ .

disabled

Match the following actions related to computer accounts:

Changing to Domain = Automatically creates a computer account Manual creation = Done by an administrator in AD Unsynchronized account = Needs to be reset Leaving the domain = Account is disabled

Which of the following statements is true regarding computer accounts?

Computer accounts act as security principals.

It is necessary to manually disable a computer account if the computer will not contact the domain controller for a short duration.

False

What are user templates used for in Active Directory?

Facilitating the creation of users with common attributes.

Study Notes

Contacts and Distribution Groups

• Contacts are created in Active Directory (AD) and usually represent people, but they are primarily for informational purposes.
• The most common use of contacts is for integration in the Microsoft Exchange address book.
• Distribution groups are used with Microsoft Exchange to send emails to multiple people at once.

Managing Group Accounts

• Group objects in Active Directory are the main security principal that administrators use to grant rights and permissions to users.
• Groups make it easier to manage network resources and permissions.

Group Types

• There are two types of groups in AD: security and distribution groups.
• Distribution groups are primarily used for sending emails to several people, typically with an email application like Microsoft Exchange.
• Distribution groups can include users, contacts, other distribution groups, security groups, and computers.
• Security groups are the main AD object that administrators use to manage network resource access and grant rights to users.
• Security groups can contain the same account types as distribution groups.

Group Scope

• Group scope determines how far-reaching a group's permissions apply, whether within a single domain or across the entire forest.
• There are four types of group scopes:
  • Domain local
  • Global
  • Universal
  • Local (used for groups created in the Security Account Manager (SAM) database on individual computers)

Domain Local Groups

• Domain local groups are recommended for assigning rights and permissions to domain resources.
• In a single domain environment or when users from only one domain need access to a resource, use the AGDLP role-based strategy:
  • Create global groups for users.
  • Make those global groups members of domain local groups.
  • Assign domain local groups permissions to resources.

Global Groups

• Global groups are used to group users from the same domain who have similar access or rights requirements.
• Global groups can be made members of domain local groups in any domain within the forest.
• A common use for global groups is to organize users by department, location, or both.

Universal Groups

• Universal groups can include users from any domain within the forest and can be assigned permissions to resources in any domain within the forest.
• Universal groups can be members of other universal groups, domain local groups, or global groups, regardless of domain.

Local Groups

• Local groups are created in the SAM database on individual computers, either stand-alone or member computers.
• When a computer joins a domain, two local groups are automatically changed:
  • Administrators - Domain Admins global group is made a member.
  • Users - Domain users global group is made a member.
• Local groups can include:
  • Local user accounts.
  • Domain user accounts and computer accounts from any domain in the forest.
  • Domain local groups from the same domain.
  • Global or universal groups from any domain in the forest.

Nesting Groups

• Nesting groups refers to making a group a member of another group.
• This is typically used to group users with similar roles but who work in different departments.

Creating Computer Accounts

• Computer accounts are created in Active Directory when a client computer joins a domain.
• Computer accounts are security principals with a security identifier (SID) and a password, and they must authenticate to the domain.
• Computer accounts are created in AD:
  • Automatically when a user changes the computer membership from Workgroup to Domain.
  • Manually by an administrator in Active Directory.

Managing Computer Accounts

• It may be necessary to reset a computer account if it becomes unsynchronized with the domain controller.

Disabling Computer Accounts

• When a computer leaves the domain, its computer account is automatically disabled.
• It may be necessary to manually disable a computer account if the computer won't be in contact with the domain controller for an extended duration.

Summary

• Organizational Units (OUs) can be structured to reflect a company's organization chart.
• Permissions in OUs are similar to those in the file system.
• User accounts allow authentication to the network and store information for a company directory.
• ADUC (Active Directory Users and Computers) and ADAC (Active Directory Administrative Center) are graphical tools used to create, modify, and manage user accounts.
• User templates can speed up account creation by applying common attributes to multiple users, such as group membership.
• This chapter also covers the user account properties within the General, Account, Profile, and Member Of tabs.
• Groups are the central element for managing access rights and permissions in Active Directory.

Contacts and Distribution Groups

• Contacts are typically used for informational purposes and integrated into Microsoft Exchange's address book.
• Distribution groups are used in conjunction with Microsoft Exchange for sending emails to multiple people at once.

Managing Group Accounts

• Active Directory group objects are the primary method for administrators to grant permissions and rights to users.
• Groups are easier to manage because users with similar access requirements can be grouped together.
• When creating groups, administrators must define the group type and scope.

Group Types

• Distribution groups are primarily used to send emails to multiple recipients within an Active Directory integrated email application like Microsoft Exchange.
• Distribution groups can have the following members:
  • User accounts
  • Contacts
  • Distribution groups
  • Security groups
  • Computers
• Security groups are the main AD objects used by administrators to manage network resource access and grant user rights.
• Security groups can contain the same object types as distribution groups.

Group Scope

• Group scope determines the reach of a group's application within a domain or forest.
• There are three possible group scope options in a Windows Server 2012 forest:
  • Domain local: The most common type of group, recommended for assigning permissions to domain resources.
  • Global: Used to group users from the same domain with similar access requirements.
  • Universal: Used to group users from any domain in the forest and assign permissions to resources in any domain.
• A fourth scope ("local") applies only to groups created in the Security Account Manager (SAM) database of a member or standalone computer.

Domain Local Groups

• Domain local groups are ideal for assigning rights and permissions to domain resources.
• In single-domain environments or when users from only one domain need access, a role-based strategy is recommended:
  • Accounts are members of global groups.
  • Global groups are members of domain local groups.
  • Domain local groups have permissions assigned to resources.

Global Groups

• Global groups are used to group users from the same domain with similar access or rights requirements.
• They can be members of domain local groups in any domain within the forest or trusted domains in other forests.
• A common use is to create a global group for each department, location, or both.

Universal Groups

• Universal groups can contain users from any domain in the forest and be assigned permissions to resources in any domain in the forest.
• They can be members of other universal groups or domain local groups from any domain in the forest.
• Their membership information is stored on global catalog servers.

Local Groups

• Local groups are created in the local SAM database on a member server, workstation, or standalone computer.
• When a computer joins a domain, Windows automatically changes the membership of two local groups:
  • Administrators: The Domain Admins global group becomes a member.
  • Users: The Domain Users global group becomes a member.
• Local groups can include:
  • Local user accounts
  • Domain user accounts and computer accounts from any domain in the forest
  • Domain local groups from the same domain
  • Global or universal groups from any domain in the forest

Nesting Groups

• A group can be a member of another group, referred to as nesting. This method is typically used to group users with similar roles but different departments.

Creating Computer Accounts

• Computer accounts are created in Active Directory when a client computer joins a domain.
• These accounts are security principals with an SID and password that must authenticate to the domain.
• Computer accounts can be created in two ways:
  • When a user changes the computer membership from Workgroup to Domain in the System Properties dialog box.
  • When an administrator manually creates an account in Active Directory.

Managing Computer Accounts

• Resetting a computer account may be necessary if the computer account has become unsynchronized with the domain controller.

Disabling Computer Accounts

• When a computer leaves a domain, its computer account is disabled automatically.
• Manual disabling of a computer account may be required if the computer will be disconnected from the domain controller for an extended period.

Summary Key Points

• Organizational Units (OUs) can be designed to mirror a company's organizational chart.
• Permissions in OUs function similarly to permissions in the file system.
• User accounts provide authentication for network access and contain user information for a company directory.
• Active Directory Users and Computers (ADUC) and Active Directory Administrative Center (ADAC) are graphical tools for creating and managing user accounts.
• User templates streamline user creation by establishing common attributes, such as group memberships.

Description

This quiz explores the basics of Contacts and Distribution Groups in Active Directory, focusing on their purposes and management. You'll learn about the types of groups in AD, how they are used in Microsoft Exchange, and their importance in managing permissions and resources within a network.