Windows 2000 Administration
ITP 9986 -- Lenny Bailes (Wednesdays, 11/6-11/20; 10am-5pm)
Day 3 Agenda
1. Finish Account Management Exercise under ADS (45 min)
Local groups -- used in a workgroup, under the Computer Management snap-in, to assign access privileges for local resources on a single computer or to organize user accounts on a single computer. (If a member workstation or server has joined a domain, Local Users and Groups can contain global groups from any domain on the network.)
Domain local groups -- are usually used under Active Directory Users and Computers to assign domain-wide access privileges to shared resources (such as files, folders, and printers) that reside on DCs, member servers, or workstations throughout the domain. (Can also contain users and computers from any domain. Can't be used to assign permissions to resources located in other domains.)
Global groups -- are usually used to organize user accounts within a single Windows 2000 domain by job responsibilities. In Windows 2000 Native mode they can be inserted into other global, local, or domain local groups on a domain. (Can also be used to contain/assign users/groups to resources in other domains or forests. In Mixed Mode (NT4 DCs on the network), only individual user accounts can be members.)
Universal groups -- Can contain users from any domain and are used primarily as distribution lists for applications such as Exchange 2000 Server. In Native Mode, the scope of a security group can be changed to universal.
See also http://www.microsoft.com/windows2000/en/server/help/sag_ADgroupsNesting.htm
Here is a schema for doing Exercise 5 using the model that Microsoft teaches as the best way to configure shared resources in a domain.
1. Users contained in an Organizational Unit called McDuck
Gyro -- assigned to Domain Administrators global group
Scrooge, Donald -- assigned to Executives global group (convert from pre DC)
Huey, Dewey -- assigned to Managers global group (convert from pre DC)
Minnie -- assigned to Account Reps global group (convert from pre DC)
Louie -- assigned to Sales Reps global group (convert from pre DC)
2. Shared resources under McDuck folder
Inventory Folder -- shared with permissions assigned to Sales Access domain local group
Accounts Folder -- shared with permissions assigned to Accounts Access domain local group
3. Global groups of users who need access are inserted into domain local groups
Domain Admins, Executives, Managers, and Sales Reps placed inside Sales Access d.l.g.
Domain Admins, Executives, Managers, and Account Reps placed inside Accounts Access d.l.g.
[Alternatively, Gyro can be added to the Managers group, removing the need to add the Domain Admins group to each domain local group.]
4. Assign resource permissions to domain local groups
Sales Access dlg is assigned change permission for Inventory folder
Accounts Access dlg is assigned change permission for Sales folder
NTFS security permissions on the Sales Route document within the Sales folder are changed to give Everyone read and execute access; Managers and Domain Admins (or only Managers) get full control.
In order for Gyro to make the security permission change on the Sales Route document to read-only, he will need to temporarily take ownership of the Sales Route file (or log into the file server as Huey to configure the permissions).
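The schema above expressed as data, as an added example that is not part of the original handout: it resolves the chain from user to global group to domain local group to shared folder to show who ends up with Change access, and flags ACL entries or Mixed Mode nesting that fall outside the model. The dictionary layout and function names are assumptions; the folder-to-group mapping follows step 2.

```python
# Added example: the Exercise 5 schema as data, with effective access resolved.
# Dictionary layout and function names are assumptions made for illustration.
GLOBAL_GROUPS = {            # step 1: accounts -> global groups
    "Domain Admins": {"Gyro"},
    "Executives": {"Scrooge", "Donald"},
    "Managers": {"Huey", "Dewey"},
    "Account Reps": {"Minnie"},
    "Sales Reps": {"Louie"},
}
DOMAIN_LOCAL_GROUPS = {      # step 3: global groups -> domain local groups
    "Sales Access": {"Domain Admins", "Executives", "Managers", "Sales Reps"},
    "Accounts Access": {"Domain Admins", "Executives", "Managers", "Account Reps"},
}
SHARE_ACL = {                # step 2 shares: folder -> {group: permission}
    "Inventory": {"Sales Access": "Change"},
    "Accounts": {"Accounts Access": "Change"},
}

def expand(name, groups, seen=None):
    """Return the user accounts reachable from `name` through group nesting."""
    if name not in groups:               # a user account, not a group
        return {name}
    seen = set() if seen is None else seen
    if name in seen:                     # circular nesting: stop here
        return set()
    seen.add(name)
    users = set()
    for member in groups[name]:
        users |= expand(member, groups, seen)
    return users

def effective_access(acl=SHARE_ACL):
    """Map each folder to {user: permission} once all nesting is resolved."""
    groups = {**GLOBAL_GROUPS, **DOMAIN_LOCAL_GROUPS}
    return {folder: {user: perm for grp, perm in entries.items()
                     for user in expand(grp, groups)}
            for folder, entries in acl.items()}

def acl_entries_outside_model(acl=SHARE_ACL):
    """ACL entries that are not domain local groups (direct user/global grants)."""
    return [(folder, who) for folder, entries in acl.items()
            for who in entries if who not in DOMAIN_LOCAL_GROUPS]

def mixed_mode_violations(global_groups=GLOBAL_GROUPS):
    """Global groups nested in global groups, which Mixed Mode does not allow."""
    return [(g, m) for g, members in global_groups.items()
            for m in sorted(members) if m in global_groups]

if __name__ == "__main__":
    for folder, users in effective_access().items():
        print(folder, sorted(users.items()))
```

An empty result from `acl_entries_outside_model()` means every share permission is held by a domain local group, so access is changed by editing group membership rather than the folder ACL.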
2. Logging in to a server through Terminal Services Client (15 min)
Instructor sets up Terminal Server Services on instructor machine in remote administration mode.
Students try logging onto Smaug.com domain, first as administrator, then as Louie.
3. Setting local logon rights to a domain controller for ordinary users (15 min)
Try to log on locally to your DC as Minnie or Louie and see if you succeed.
4. Creating Printer priorities and printer pools (30 min)
What to do when one group needs a printer for rush jobs, but it is also shared with the rest of the domain.
5. TCP/IP Exercise (40 min)
Gateways, DNS Servers, DHCP, Subnets
Using HOSTS and LMHOSTS files to compensate for lack of DNS and WINS
6. Creating/working with User Settings (75 min)
See new exercise handout and Microsoft Step by Step Guide to User Settings
7. Working with global policies (45 min)
See new exercise handout and Microsoft Step-by-Step Guide to Understanding Group Policy
8. Review for final quiz (60 min)
Review of Windows 2000 Server Installation questions
Workgroups, Domains, Trees/Forests, Local/Domain Local/Global Groups
Creating a Domain and installing a Domain Controller
Active Directory Services features
Roaming Profiles/Global Policies