Windows 2000 Administration
ITP 9986 --Lenny Bailes (Wednesdays, 11/6-11/20; - 10am-5pm)

Day 3 Agenda

1.    Finish Account Management Exercise under ADS (45 min)    

Local groups -- used on a workgroup under the Computer Management snap-in to assign access privileges for local resources on a single computer or to organize user accounts on a single computer. ((If a member workstation or server has joined a domain, Local Users and Groups can contain global groups from any domain on the network)).

Domain local groups -- are usually used under Active Directory Users and Computers to assign domain-wide access privileges to shared resources (such as files, folders, and printers) that reside on DCs, member servers, or workstations throughout the domain. ((Can also contain users and computers from any domain. Can't be used to assign permissions to resources located in other domains.))

Global groups -- are usually used to organize user accounts within a single Windows 2000 domain by job responsibilities. In Windows 2000 Native mode they can be inserted into other global, local, or domain local groups on a domain. (Can also be used to contain/assign users/groups to resources in other domains or forests. In Mixed Mode (NT4 DCs on the network), only individual user accounts can be members.

Universal groups -- Can contain users from any domain and are used primarily as distribution lists for applications such as Exchange 2000 Server. In Native Mode, the scope of a security group can be changed to universal

See also

Here is a schema for doing Exercise 5 using the model that Microsoft teaches as the best way to configure shared resources in a domain.

   1. McDuck
      contained in an Organizational Unit called McDuck

                Gyro                   --  assigned to Domain Administrators global group
                Scrooge, Donald -- assigned to Executives global group (convert from pre DC)
                Huey, Dewey      -- assigned to Managers global group (convert from pre DC)
                Minnie                 -- assigned to Account Reps global group (convert from pre DC)
                Louie                   -- assigned to Sales Reps global group (convert from pre DC)

    2.  Shared resources
         under McDuck folder

========Inventory Folder -- shared with permissions assigned to Sales Access domain local group
                  Accounts Folder --  shared with permissions    assigned to .Account Access domain local group

     3. Global groups of users who need access
         are inserted into domain local groups

              Domain Admins, Executives, Managers, and Sales Reps placed inside Sales Access d.l.g.

              Domain Admins, Executives, Managers, and Account Reps placed inside Accounts Access d.l.g.

        [Alternatively, Gyro can be added to the Managers group, relieving the necessity to add Domain Admins
          group to each domain local group.

     4. Assign resource permissions to domain local groups

                  Sales Access dlg is assigned change permission for Inventory folder
                  Accounts Access dlg is assigned change permission for Sales folder

NTFS security permissions on Sales Route document within Sales folder are changed to give Everyone read and execute access, Managers and Domain Admins (or only Managers) get full control.

In order for Gyro to make the security permission change on the Sales Route document to read-only, he will need to temporarily take ownership of the Sales Route file (or log into the file server as Huey to configure the permissions)

2. Logging in to a server through Terminal Services Client (15 min)
Instructor sets up Terminal Server Services on instructor machine in remote administration mode.
    Students try logging onto domain, first as administrator, then as Louie.

3. Setting  local logon rights to a domain controller for ordinary users (15 min)
Try to log on locally to your DC as Minnie or Louie and see if you succeed.
    Permission to

4.    Creating Printer priorities and printer pools (30 min)
What to do when one group needs a printer for rush jobs, but it is also shared with the rest of the domain.

[Lunch break]

5.    TCP/IP Exercise (40 min)
Gateways, DNS Servers, DHCP, Subnets
        Using HOSTS and LMHOSTS files to compensate for lack of DNS and WINS

6.  Creating/working with User Settings (75 min)
       Account templates
       Roaming profiles
       Mandatory profiles
       See new exercise handout and Microsoft Step by Step Guide to User Settings

7.   Working with global policies (45 min)
See new exercise handout and Microsoft Step-by-Step Guide to Understanding Group Policy

8.   Review for final quiz (60 min)

      Review of Windows 2000 Server Installation questions
      Workgroups, Domains, Trees/Forests, Local/Domain Local/Global Groups
      Creating a Domain and installing a Domain Controller
NTFS Permissions
      Active Directory Services features
      Roaming Profiles/ Global Policies