Active Directory 2008 : Managing an Enterprise with Groups (part 3) - Converting Group Scope and Type, Managing Group Membership

8/9/2013 6:46:51 PM

5. Converting Group Scope and Type

If, after creating a group, you determine that you need to modify the group’s scope or type, you can do so. Open the Properties dialog box of an existing group and, on the General tab, shown in Figure 7, you see the existing scope and type. At least one more scope and type are available for selection.

Figure 7. The General tab of a group’s Properties dialog box

You can convert the group type at any time by changing the selection in the Group Type section of the General tab. Be cautious, however. When you convert a group from security to distribution, any resources to which the group had been assigned permission will no longer be accessible in the same way. After the group becomes a distribution group, users who log on to the domain will no longer include the group’s SID in their security access tokens.

You can change the group scope in the following ways:

  • Global to universal

  • Domain local to universal

  • Universal to global

  • Universal to domain local

The only scope changes that you cannot make directly are from global to domain local or domain local to global. However, you can make these changes indirectly by first converting to universal scope, then converting to the desired scope. So all scope changes are possible.

Remember, however, that a group’s scope determines the types of objects that can be members of the group. If a group already contains members or is a member of another group that would violate the new scope, you would be prevented from changing scope. For example, if a global group is a member of another global group, you cannot change the first group to universal scope, because a universal group cannot be a member of a global group. An explanatory error message, such as that shown in Figure 8, appears. You must correct the group’s membership conflicts before you can change the group’s scope.

Figure 8. The error produced when a group’s membership will not allow a change of scope

The DSMod command can be used to change group type and scope by using the following syntax:

dsmod group GroupDN -secgrp { yes | no } -scope { l | g | u }

The GroupDN is the distinguished name of the group to modify. The following two parameters affect group scope and type:

  • -secgrp { yes | no } specifies group type: security (yes) or distribution (no).

  • -scope { l | g | u } determines the group scope: domain local (l), global (g), or universal (u).
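
The indirect global-to-domain-local conversion described above, with a check for the membership conflict that blocks the first step, as an added PowerShell example that is not part of the original page. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and uses Set-ADGroup in place of dsmod; the function name, the domain controller name and the group DN are hypothetical.

```powershell
# Added example; assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Convert-GlobalToDomainLocal {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,  # group DN or sAMAccountName
        [Parameter(Mandatory = $true)][string]$Server     # one DC for every step
    )

    $group = Get-ADGroup -Identity $Identity -Server $Server
    if ($group.GroupScope -ne 'Global') {
        throw "'$($group.Name)' has scope $($group.GroupScope), expected Global."
    }

    # A universal group cannot be a member of a global group, so any global
    # parent makes the global -> universal step fail. Report them up front.
    $blockers = @(Get-ADPrincipalGroupMembership -Identity $group -Server $Server |
        Where-Object { $_.GroupScope -eq 'Global' })
    if ($blockers.Count -gt 0) {
        $list = ($blockers | ForEach-Object { $_.DistinguishedName }) -join '; '
        throw "Remove '$($group.Name)' from these global groups first: $list"
    }

    $dn = $group.DistinguishedName
    # Step 1: global -> universal (same change as: dsmod group <GroupDN> -scope u)
    if ($PSCmdlet.ShouldProcess($dn, 'Change scope to Universal')) {
        Set-ADGroup -Identity $dn -GroupScope Universal -Server $Server -ErrorAction Stop
    }
    # Step 2: universal -> domain local (same change as: dsmod group <GroupDN> -scope l)
    if ($PSCmdlet.ShouldProcess($dn, 'Change scope to DomainLocal')) {
        Set-ADGroup -Identity $dn -GroupScope DomainLocal -Server $Server -ErrorAction Stop
    }

    # Return the resulting scope and type as read back from the same DC.
    Get-ADGroup -Identity $dn -Server $Server |
        Select-Object Name, GroupScope, GroupCategory
}

# Dry run against constructed sample names; drop -WhatIf to apply.
Convert-GlobalToDomainLocal -Identity 'CN=Sales,OU=Groups,DC=contoso,DC=com' `
    -Server 'dc01.contoso.com' -WhatIf
```

Running both steps against one domain controller keeps the second step from reading a copy of the group that has not yet received the first change.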

6. Managing Group Membership

You can add or remove members of a group by using one of several methods.

The Members Tab

You can open the group’s Properties dialog box and click the Members tab. To manage group membership using the group’s Members tab:

  1. Open the group’s Properties dialog box.

  2. Click the Members tab.

  3. To remove a member, simply select the member and click Remove.

  4. To add a member, click Add. The Select Users, Contacts, Computers, Or Groups dialog box appears, as shown in Figure 9.

Figure 9. Adding a member to a group

There are several tips worth mentioning about this process:

  • In the Select dialog box, in the Enter The Object Names box, you can type multiple accounts separated by semicolons. For example, in Figure 9, both sales and finance are entered, separated by a semicolon.

  • You can type partial names of accounts—you do not need to type the full name. Windows searches Active Directory for accounts that begin with the name you entered. If there is only one match, Windows selects it automatically. If multiple accounts match, the Multiple Names Found dialog box appears, in which you can select the object you want. This shortcut—typing partial names—can save time when adding members to groups and can help when you don’t remember the exact name of a member.

  • By default, Windows searches only for users and groups that match the names you enter in the Select dialog box. If you want to add computers to a group, you must click Object Types and select Computers.

  • By default, Windows searches only domain accounts. If you want to search local accounts, click Locations in the Select dialog box.

  • If you cannot find the member you want to add, click Advanced in the Select dialog box. A more powerful query window appears, giving you more options for searching Active Directory.

The Member Of Tab

To manage group membership using the member object’s Member Of tab:

  1. Open the properties of the member object, and then click its Member Of tab.

  2. To remove the object from a group, select the group and then click Remove.

  3. To add the object to a group, click Add and select the group.

The Add To A Group Command

To manage group membership using the Add To A Group command:

  1. Right-click one or more selected objects in the Active Directory Users And Computers details pane.

  2. Click Add To A Group.

  3. Use the Select dialog box to specify the group.

The Member and MemberOf Attributes

When you add a member to a group, you change the group’s member attribute. The member attribute is a multivalued attribute. Each member is a value represented by the distinguished name (DN) of the member. If the member is moved or renamed, Active Directory automatically updates the member attributes of groups that include the member.

When you add a member to a group, the member’s memberOf attribute is also updated, indirectly. The memberOf attribute is a special type of attribute called a backlink. It is updated by Active Directory when a forward link attribute, such as member, refers to the object. When you add a member to a group, you are always changing the group’s member attribute. Therefore, when you use the Member Of tab of an object to add to a group, you are actually changing the group’s member attribute, and Active Directory updates the member’s memberOf attribute automatically.

Helping Membership Changes Take Effect Quickly

When you add a user to a group, the membership does not take effect immediately. Group membership is evaluated at logon for a user (at startup for a computer). Therefore, a user must log off and log on before the membership change becomes a part of the user’s token.

Additionally, there can be a delay while the group membership change replicates. This is particularly true if your enterprise has more than one Active Directory site. You can facilitate the speed with which a change affects a user by making the change on a domain controller in the user’s site. Right-click the domain in the Active Directory Users And Computers snap-in and choose Change Domain Controller.
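
The two preceding sections combined, as an added PowerShell example that is not part of the original page: the change is written to the group's member attribute on a domain controller in the user's site, and both the forward link and the memberOf backlink are then read back from that same controller. It assumes the ActiveDirectory module; the function name and the sample group, user and site names are hypothetical.

```powershell
# Added example; assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Add-MemberInUserSite {                   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Group,     # group DN or sAMAccountName
        [Parameter(Mandatory = $true)][string]$User,      # user DN or sAMAccountName
        [Parameter(Mandatory = $true)][string]$SiteName   # AD site the user logs on in
    )

    # Locate a domain controller in the user's site and use it for every call.
    $dc     = Get-ADDomainController -Discover -SiteName $SiteName
    $server = $dc.HostName | Select-Object -First 1

    $g = Get-ADGroup -Identity $Group -Server $server
    $u = Get-ADUser  -Identity $User  -Server $server

    # The write always lands on the group's member attribute (the forward link).
    Add-ADGroupMember -Identity $g -Members $u -Server $server -ErrorAction Stop

    # Re-read both objects from the same DC: member on the group, and the
    # memberOf backlink that Active Directory maintains on the user.
    $g = Get-ADGroup -Identity $g.DistinguishedName -Properties member   -Server $server
    $u = Get-ADUser  -Identity $u.DistinguishedName -Properties memberOf -Server $server

    New-Object PSObject -Property @{
        DomainController = $server
        Group            = $g.DistinguishedName
        GroupCategory    = $g.GroupCategory     # Distribution = SID not placed in tokens
        ForwardLink      = ($g.member   -contains $u.DistinguishedName)
        Backlink         = ($u.memberOf -contains $g.DistinguishedName)
    }
}

# Constructed sample names:
Add-MemberInUserSite -Group 'Sales' -User 'jsmith' -SiteName 'Branch-Office'
```

Both flags being true confirms the directory change on that controller only; the user's token still picks up the group at the next logon.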

 