Overview
Introduction to Users and Groups
In a Windows Server domain, users and groups are fundamental components of managing access to resources, enforcing security policies, and streamlining administrative tasks. By organizing users into groups, administrators can control permissions, access rights, and group policies more efficiently.
Let’s explore the concepts of users and groups in a Windows Server environment, how they interact with Active Directory (AD), and how administrators can manage them.
Create User Accounts for Each Person Who Regularly Uses the Network
Create Multiple User Accounts for New Users in a Single Batch Operation
Group User Accounts to Manage User Access to Shared Resources
Nest Groups Within Other Groups to Reduce Administration
User Logon Names
Introduction to User Logon Names
User Principal Name
The suffix defaults to the name of the root domain, but it can be changed and others added
User Logon Name (Pre-Windows 2012)
A user selects the domain when logging on
User Logon Name Uniqueness Rules
Full name must be unique within the container
User principal name is unique within the forest
User logon name (pre-Windows 2012) is unique within the domain
Creating a User Principal Name Suffix
Creating Multiple User Accounts
The Bulk Import Process
For Each User Object, the File:
Must include the path to the user account’s OU, object type, and user logon name (pre-Windows 2012)
Should include the user principal name and whether the user account is enabled or disabled
Can include personal user information
Cannot include a password
Using CSVDE to Create Multiple User Accounts
Attribute line containing the names of the attributes:
User account line containing values for attributes:
"cn=Suzan Fine,ou=Human Resources,dc=asia,dc=contoso,dc=msft",user,suzanf,suzanf@contoso.msft,Suzan Fine,512
Using LDIFDE to Create Multiple User Accounts
DN: CN=Suzan Fine,OU=Human Resources,DC=asia,DC=contoso,DC=msft
objectClass: user
samAccountName: suzanf
userPrincipalName: suzanf@contoso.msft
displayName: Suzan Fine
userAccountControl: 512
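The bulk import rules and the logon name uniqueness rules above can be checked before a file is handed to CSVDE. The following is an added example, not code from the original page: the function name lint_import, the second sample row and the password attribute names checked are assumptions, and uniqueness is only checked inside the file, for a batch that targets a single domain.

```python
import csv
import io

# Constructed sample import file (not from the original page). Row 1 is the
# attribute line; its names follow the LDIFDE record shown on this page.
SAMPLE = """\
DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
"cn=Suzan Fine,ou=Human Resources,dc=asia,dc=contoso,dc=msft",user,suzanf,suzanf@contoso.msft,Suzan Fine,512
"cn=Sam Fox,ou=Sales,dc=asia,dc=contoso,dc=msft",user,suzanf,samf@contoso.msft,Sam Fox,514
"""

REQUIRED = ("dn", "objectclass", "samaccountname")        # "must include"
RECOMMENDED = ("userprincipalname", "useraccountcontrol")  # "should include"
PASSWORD_ATTRS = ("unicodepwd", "userpassword")            # "cannot include"
ACCOUNTDISABLE = 0x2  # userAccountControl flag: 512 = enabled, 514 = disabled


def lint_import(text):
    """Return (errors, warnings) for a CSVDE-style user import file."""
    errors, warnings = [], []
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows:
        return ["empty file"], []
    header = [h.strip().lower() for h in rows[0]]
    for attr in REQUIRED:
        if attr not in header:
            errors.append(f"missing required attribute {attr}")
    for attr in RECOMMENDED:
        if attr not in header:
            warnings.append(f"missing recommended attribute {attr}")
    for attr in PASSWORD_ATTRS:
        if attr in header:
            errors.append(f"password attribute {attr} is not allowed")
    if errors:
        return errors, warnings
    # Assumption: one domain per batch, so a repeated logon name is a conflict.
    seen = {"dn": set(), "samaccountname": set(), "userprincipalname": set()}
    for n, row in enumerate(rows[1:], start=2):
        rec = dict(zip(header, (v.strip() for v in row)))
        for attr, values in seen.items():
            key = rec.get(attr, "").lower()
            if key and key in values:
                errors.append(f"row {n}: duplicate {attr} {key}")
            values.add(key)
        uac = rec.get("useraccountcontrol", "")
        if uac.isdigit() and not int(uac) & ACCOUNTDISABLE:
            warnings.append(f"row {n}: account is enabled but has no password yet")
    return errors, warnings
```

The enabled-account warning follows from the rule that the file cannot carry a password: an account imported with userAccountControl 512 is active before anyone has set one.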
Administering User Accounts
Performing Common Administrative Tasks
Locating User Accounts
Using Groups in Active Directory
Introduction to Groups in Active Directory
Using Global Groups
Membership | Mixed mode: User accounts from same domain; Native mode: User accounts and global groups from same domain
Can Be a Member of | Mixed mode: Domain local groups; Native mode: Universal and domain local groups in any domain, and global groups in the same domain
Scope | Visible in its own domain and all trusted domains
Permissions for | All domains in the forest
Using Domain Local Groups
Membership | Mixed mode: User accounts and global groups from any domain; Native mode: User accounts, global groups, and universal groups from any domain in the forest, and domain local groups from the same domain
Can Be a Member of | Mixed mode: Not a member of any group; Native mode: Domain local groups in the same domain
Scope | Only visible in its own domain
Permissions for | Domain in which the domain local group exists
Using Universal Groups
Membership | Mixed mode: Not applicable; Native mode: User accounts, global groups, and other universal groups from any domain in the forest
Can Be a Member of | Mixed mode: Not applicable; Native mode: Domain local and universal groups in any domain
Scope | Visible in all domains in a forest
Permissions for | All domains in a forest
Strategies for Using Groups in a Domain
Using Global and Domain Local Groups
Add Domain User Accounts into Global Groups
(Optional) Add Global Groups into Another Global Group
Add Global Group into Domain Local Group
Assign Resource Permissions to the Domain Local Group
Class Discussion: Using Groups in a Single Domain
Troubleshooting Domain User Accounts and Groups
Cannot Create a User Account or a Group
Cannot Update Attributes of a User Account
User Cannot Access Resources