Creating a Group Object
Groups are an important class of object because they are used to
collect users, computers, and other groups to create a single point of
management. The most straightforward and common use of a group is to
grant permissions to a shared folder. If a group has read access to a folder,
for example, any of the group’s members can read the folder. You do
not have to grant read access directly to each individual member; you
can manage access to the folder simply by adding and removing members
of the group.
To create a group:

- Open the Active Directory Users And Computers snap-in.
- In the console tree, expand the node that represents your
  domain (for instance, contoso.com) and navigate to the OU or
  container (such as Users) in which you want to create the
  group.
- Right-click the OU or container, point to New, and then
  click Group.
  The New Object – Group dialog box appears, as shown in Figure 2.
- Type the name of the new group in the Group Name box.
  Most organizations have naming conventions that specify how
  group names should be created. Be sure to follow the guidelines of
  your organization.
  By default, the name you type is also entered as the
  pre–Windows 2000 name of the new group. It is strongly
  recommended that you keep the two names the same.
- Do not change the name in the Group Name (Pre–Windows 2000)
  box.
- Choose the Group type.
  - A Security group can be given permissions to resources.
    It can also be configured as an email distribution list.
  - A Distribution group is an email-enabled group that
    cannot be given permissions to resources and is, therefore,
    used only when a group is an email distribution list that has
    no possible requirement for access to resources.
- Select the Group Scope.
  - A Global group is used to identify users based on
    criteria such as job function, location, and so on.
  - A Domain Local group is used to collect users and
    groups who share similar resource access needs, such as all
    users who need to be able to modify a project report.
  - A Universal group is used to collect users and groups
    from multiple domains.

  Note that if the domain in which you are creating the
  group object is at a mixed or interim domain functional level,
  you can select only Domain Local or Global scopes for security
  groups.
- Click OK.
  Group objects have several properties that are
  useful to configure. These can be specified after the object has
  been created.
- Right-click the group and click Properties.
- Configure the properties of the group.
  Be sure to follow the naming conventions and other standards
  of your organization.
  The group’s Members and Member Of tabs specify who belongs
  to the group and what groups the group itself belongs to.
  The group’s Description field, because it is easily visible
  in the details pane of the Active Directory Users And Computers
  snap-in, is a good place to summarize the purpose of the group and
  the contact information for individuals responsible for deciding
  who is and is not a member of the group.
  The group’s Notes field can be used to provide more detail
  about the group.
  The Managed By tab can be used to link to the user or
  group that is responsible for the group. Click
  Change under the Name box. To search for a group, you must first
  click Object Types and select Groups. The Select User, Contact, Or
  Group dialog box is discussed later in this lesson.
  The remaining contact information on the Managed By tab is
  populated from the account specified in the Name box. The Managed
  By tab is typically used for contact information so that if a user
  wants to join the group, you can decide who in the business should
  be contacted to authorize the new member. However, if you select
  the Manager Can Update Membership List option, the account
  specified in the Name box is given permission to add and remove
  members of the group. This is one method for delegating
  administrative control over the group.
- Click OK.
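The same procedure can be scripted, and the Manager Can Update Membership List delegation can be audited afterwards. The following is an added example, not part of the original lesson; it assumes the ActiveDirectory PowerShell module is installed, and the OU, group name and manager account (`jsmith`) are constructed placeholders.

```powershell
# Added example: OU, group and manager names are constructed placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=contoso,DC=com'
$name    = 'ACL_ProjectReport_Modify'
$manager = 'jsmith'

# Name and pre-Windows 2000 name are kept identical; Security type,
# Domain Local scope. The Notes field is stored in the "info" attribute.
New-ADGroup -Name $name -SamAccountName $name -Path $ou `
    -GroupCategory Security -GroupScope DomainLocal `
    -Description 'Modify access to the project report. Approver: jsmith' `
    -ManagedBy $manager `
    -OtherAttributes @{ info = 'Created for the project report share.' }

# Audit: for every group in the OU with Managed By set, report whether the
# manager also holds an explicit "write member" ACE, which is what the
# Manager Can Update Membership List check box grants.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of "member"
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$sidType    = [System.Security.Principal.SecurityIdentifier]

Get-ADGroup -LDAPFilter '(managedBy=*)' -SearchBase $ou -Properties managedBy |
    ForEach-Object {
        $group  = $_
        # Contacts have no SID; the comparison below is then simply false.
        $mgrSid = (Get-ADObject $group.managedBy -Properties objectSid).objectSid
        $aces   = (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $writeProp) -and
                $_.ObjectType -eq $memberAttr -and
                $_.IdentityReference.Translate($sidType) -eq $mgrSid
            }
        [pscustomobject]@{
            Group               = $group.Name
            ManagedBy           = $group.managedBy
            ManagerCanEditGroup = [bool]$aces
        }
    }
```

Groups that report `ManagerCanEditGroup = True` have membership controlled by someone outside the administrators who created them, so the Managed By account deserves the same review as the group's members.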
Creating a Computer Object
Computers are represented as accounts and objects in Active
Directory, just as users are. In fact, behind the scenes, a computer
logs on to the domain just as a user does. The computer has a user
name—the computer’s name with a dollar sign appended (for instance,
DESKTOP101$)—and a password that is established when you join the
computer to the domain. The password is changed automatically every 30
days or so thereafter.

To create a computer object in Active Directory:

- Open the Active Directory Users And Computers snap-in.
- In the console tree, expand the node that represents your
  domain (such as contoso.com) and navigate to the OU or container
  (for instance, Users) in which you want to create the
  computer.
- Right-click the OU or container, point to New, and then
  click Computer.
  The New Object – Computer dialog box appears, as shown in
  Figure 3.
- In the Computer Name box, type the computer’s name.
  Your entry automatically populates the Computer Name
  (Pre–Windows 2000) box.
- Do not change the name in the Computer Name (Pre–Windows
  2000) box.
- The account specified in the User Or Group field will be
  able to join the computer to the domain. The default value is
  Domain Admins. Click Change to select another group or
  user.
  Generally, you will select a group that represents your
  deployment, desktop support, or help desk team. You can also
  select the user to whom the computer is assigned.
- Do not select the check box labeled Assign This Computer
  Account As A Pre-Windows 2000 Computer unless the account is for a
  computer running Microsoft Windows NT 4.0.
- Click OK.
  Computer objects have several properties that are
  useful to configure. These can be specified after the object has
  been created.
- Right-click the computer and click Properties.
- Enter the properties for the computer.
  Be sure to follow the naming conventions and other standards
  of your organization.
  The computer’s Description field can be used to indicate who
  the computer is assigned to, its role (for instance, a
  training-room computer), or other descriptive information. Because
  Description is visible in the details pane of the Active Directory
  Users And Computers snap-in, it is a good place to store the
  information you find most useful to know about a computer.
  Several properties describe the computer, including DNS
  Name, DC Type, Site, Operating System Name, Version, and Service
  Pack. These properties are populated automatically when the
  computer joins the domain.
  The Managed By tab can be used to link to the user or group
  responsible for the computer. Click Change under the Name box. The
  Select Users, Contacts, Or Groups dialog box is discussed later in
  this lesson. The remaining contact information on the Managed By
  tab is populated from the account specified in the Name box. The
  Managed By tab is typically used for contact information. Some
  organizations use the tab to indicate the support team (group)
  responsible for the computer. Others use the information to track
  the user to whom the computer is assigned.
- Click OK.
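A scripted equivalent of pre-creating the computer object, followed by a report that separates joined computers from accounts that were created but never used. This is an added example, not part of the original lesson; it assumes the ActiveDirectory PowerShell module, and the OU, the `Desktop Support` group and the 90-day threshold are constructed assumptions.

```powershell
# Added example: OU, group name and threshold are constructed placeholders.
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=contoso,DC=com'

# The pre-Windows 2000 name is the computer name plus a trailing dollar sign.
New-ADComputer -Name 'DESKTOP101' -SamAccountName 'DESKTOP101$' -Path $ou `
    -Description 'Training-room computer' `
    -ManagedBy 'Desktop Support'

# The machine password normally rotates about every 30 days, so a much older
# PasswordLastSet (assumed cutoff: 90 days) suggests the computer is gone or
# was never joined. OperatingSystem is filled in only when a computer joins.
$cutoff = (Get-Date).AddDays(-90)
$props  = 'PasswordLastSet', 'DNSHostName', 'OperatingSystem',
          'OperatingSystemVersion', 'OperatingSystemServicePack',
          'Description', 'ManagedBy'

Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ou -Properties $props |
    Select-Object Name, SamAccountName, DNSHostName,
        OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack,
        Description, ManagedBy, PasswordLastSet,
        @{ Name = 'Joined';        Expression = { [bool]$_.OperatingSystem } },
        # A missing PasswordLastSet compares as older than the cutoff.
        @{ Name = 'StalePassword'; Expression = { $_.PasswordLastSet -lt $cutoff } } |
    Sort-Object Joined, PasswordLastSet |
    Format-Table Name, Joined, StalePassword, PasswordLastSet, ManagedBy -AutoSize
```

Rows with `Joined = False` are pre-created accounts still waiting for a join; rows with `StalePassword = True` are candidates for disabling after confirmation with the Managed By contact.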