Chapter 9

Chapter 9:
Managing Groups, Folders,
Files, and Object Security
 Learning Objectives
Chapter 9

■ Set up groups, including local, domain

local, global, and universal groups, and
convert Windows NT groups to
Windows 2000 groups
■ Manage objects, such as folders,
through user rights, attributes
permissions, share permissions,
auditing, and Web permissions
Learning Objectives (continued)
Chapter 9

■ Troubleshoot a security conflict

■ Determine how creating, moving, and
copying folders and files affect security
 Managing Resources
Chapter 9

■ Three ways of managing resources and

user accounts include:
◆ By individual user
◆ By resource
◆ By group

■ Managing resources by groups is one

effective way to reduce time spent on
management
 Scope of Influence
Chapter 9

■ Scope of influence: The extent of

permissions for a type of group, such as
access to resources in a single domain
or access to all resources in all domains
in a forest
 Local Security Group
Chapter 9

■ Use local groups on a standalone

server (Active Directory not
implemented), such as to manage
multiple accounts in a small office
■ Local groups are given access to
resources and user accounts are added
into the local group to gain access to
those resources.
 Domain Local Security Group
Chapter 9
■ Typically a domain local security group is
assigned permissions to objects such as
folders, printers and other resources. Global
security groups in the same or in a different
domain gain access to those resources by
becoming members of the domain local
group.
■ Domain local groups can contain user
accounts, but usually that is not the best
approach. Microsoft recommends
adding users to global groups and
adding global groups to local groups.
 Membership Capabilities of a
Domain Local Group Chapter 9

Active Directory Objects That Can Be Members of a Domain
Local Group
User accounts in the same domain
Domain local groups in the same domain
Global groups in any domain in a tree or forest (as long as there
are transitive or two-way trust relationships maintained)
Universal groups in any domain in a tree or forest (as long as
there are transitive or two-way trust relationships maintained)
Active Directory Objects That a Domain
Local Group Can Join as a Member
Access control lists for objects in the same
domain, such as permissions to access a folder,
shared folder, or printer
Domain local groups in the same domain

Table 9-1 Membership Capabilities of a Domain Local

Group
 Implementing Global Groups
Chapter 9

■ Use global groups to contain user

accounts for accessing resources in the
same and in other domains
■ Global groups should contain user
accounts and should be added into
domain local groups.
 Membership Capabilities of a
Global Group
Active Directory Objects That Can Be
Members of a Global Group
User accounts from the domain in which the
global group was created
Other global groups that have been created
in the same domain
Levels of global groups, so that global
groups can be nested to reflect the structure
of organizational units (OUs) in a domain
Table 9-2 Membership Capabilities of a Global Group
Chapter 9
Active Directory Objects That a
Global Group Can Join as a Member
Access control lists for objects in any
domain in a forest (as long as a transitive
trust is maintained between domains)
Domain local groups in any domain in a
forest
Global groups in any domain in a forest
Universal groups in a forest
 Global Group Example
Chapter 9

Figure 9-2 s tu d e n ts .c o lle g e .e d u

Managing security L o c a lE x e c
through domain local d o m a in
lo c a l g ro u p
and global groups

r e s e a r c h .c o lle g e .e d u

L o c a lE x e c
c o lle g e .e d u d o m a in lo c a l
g ro u p

L o c a lE x e c
G lo b a lE x e c
d o m a in lo c a l
g lo b a l
g ro u p
g ro u p
 Implementing Universal Groups
Chapter 9

■ Use universal groups to provide access to

forest-wide resources
■ Think of Universal Groups as super global
groups. They serve the same purpose and
allow you add user accounts from multiple
domains.
 Membership Capabilities of
a Universal Group
Active Directory Objects That Can Be
Members of a Universal Group
User Accounts from any domain in a forest
Global groups from any domain in a forest
Universal groups from any domain in a
forest
Table 9-3 Membership Capabilities of a Universal Group
Chapter 9
Active Directory Objects That a
Universal Local Group Can Join as a
Member
Access control lists for objects in any
domain in a forest
Any domain local group in a forest
Any universal group in a forest
 Microsoft Guidelines
for Using Groups
Chapter 9

■ Add the users who need access to

resources into a global group.
■ Add the global group into a domain local
group or universal group.
■ Use domain local groups or universal
groups to provide access to resources in
a specific domain by adding them to the
ACLs of those resources.
 Guidelines for Using
Groups (continued) Chapter 9

■ Use universal groups to provide extensive

access to resources, such as when the
Active Directory contains trees and forests.
Make universal groups members of ACLs
for objects in any domain, tree, or forest.
Manage user account access by placing
accounts in global groups and joining
those global groups to domain local or
universal groups.
 Example Universal Group Setup
Chapter 9

Figure 9-3 s tu d e n ts .c o lle g e .e d u

Managing security
through universal
and global groups
U n iE x e c
a u n iv e rs a l g ro u p w ith a c c e s s to
r e s o u r c e s in a ll th r e e d o m a in s

c o lle g e .e d u r e s e a r c h .c o lle g e .e d u

G lo b a lE x e c
g lo b a l
g ro u p
 Creating a Group
Chapter 9

■ To create a group:
◆ Right-clickthe container for the new group
◆ Click New, Group
◆ Enter the name of the group
◆ Select the group scope
◆ Select the group type
◆ Click OK
Entering the Group Parameters
Chapter 9

Figure 9-4 Creating a group

 Group Properties Tabs
Chapter 9
■ General: Used to enter a description, set the
scope, and set the group type
■ Members: Used to add group members
■ Member Of: Used to join another group
■ Managed By: Establishes who will manage the
group (add/remove users)
■ Object: Provides information about the group as
an object (on newer versions of Windows 2000)
■ Security: Enables you to set permissions on the
group (on newer versions of Windows 2000)
 Converting NT Groups to
Windows 2000 Server Groups Chapter 9

■ Existing NT local groups on a PDC are

converted to domain local groups
■ Existing NT global groups on a PDC are
converted to global groups
■ If still running in mixed mode, universal
groups are not recognized
■ If running in native mode, but there are still
Windows NT servers, the NT servers treat
Windows 2000 universal groups as NT global
groups
 Windows 2000
Predefined Security Groups
Chapter 9
Security Group Scope AD Default Description
Container Members
Account Operators Built-in local Built-in None Can modify user accounts and
groups

Administrators Built-in local Built-in Administrator Full access to all domain and
account; Domain local resources
admins;
Enterprise
admins
Backup Operators Built-in local Built-in None Enables members to backup any
folders and files on the computer
DHCP Domain Local Users Domain Admins Enables members to administer
Administrators DHCP services if installed

DNS Domain Local Users Domain Admins Enables members to administer

Administrators DNS services if installed

Domain Admins Global Users Administrator Enables members to manage all

user account resources in a domain
 Windows 2000
Predefined Security Groups
Chapter 9
Security Group Scope AD Default Description
Container Members

Domain Users Global Users All user accounts Used to grant access to a
resource to all user accounts in
the domain

Enterprise Admins Universal Users Administrator Used to manage all resources in

Account multiple domains

Schema Admins Universal Users Administrator Members have rights to modify

Account the active directory schema

Server Operators Built-in local Built-in None Used for common day-to-day
server management tasks

Users Built-in local Built-in Domain Users Used to manage general user
group access, including the ability to be
authenticated as a user and to
communicate interactively
 Rights Security
Chapter 9

■ User rights: Enable an account or group

to perform predefined tasks, such as the
right to log on to a server or to increase
disk quotas
■ Some rights are inherited by group
memberships (such as the domain
admins group)
■ Specific rights can be granted to users if
you do not want to add them to a group
that gives them more rights than needed
 Configuring Rights
Chapter 9

■ To configure rights in a domain:

◆ Open the Active Directory Users and Computers
tool
◆ Right-click a domain or OU, for example
◆ Click Properties, click the Group Policy tab, click the
group policy, and click Edit
◆ Double-click (if necessary) Computer
Configuration,Windows Settings, Security Settings,
and Local Policies
◆ Double-click User Rights Assignment
◆ Double-click any policies to configure them
Configuring Rights (continued)
Chapter 9

Figure 9-6 Configuring user rights as part of group policy

 File and Folder Attributes
Chapter 9

■ Attributes: A characteristic associated

with a folder or file used to help manage
access and backups
 FAT Attributes
Chapter 9

■ Read-only
■ Hidden
■ Archive
 FAT Attributes (continued)
Chapter 9

Figure 9-7 Attributes of a folder on a FAT-formatted disk

 NTFS Attributes
Chapter 9

■ Regular attributes
◆ Read-only
◆ Hidden
◆ Archive

■ Extended attributes
◆ Index
◆ Compress
◆ Encrypt
 NTFS Attributes (continued)
Chapter 9

Figure 9-8 Attributes of a folder on an NTFS-formatted disk

 Encrypting File System
Chapter 9
■ The encrypt attribute uses Microsoft Encrypting
File System (EFS) that sets a unique private
encryption key that is associated with the user
account that encrypted the file or folder.
■ Only that account (or an account setup as a
recovery agent) has access to the encrypted file
or folder contents.
■ If you move or copy an encrypted file to another
new location, it remains encrypted in the new
location
 Permissions
Chapter 9

■ Permissions: Privileges to access and

manipulate resource objects, such as
folders and printers; for example,
privilege to read a file, delete a file, or to
create a new file
 Configuring Permissions
Chapter 9

Figure 9-10 Configuring permissions by groups and users

 Inherited Permissions
Chapter 9

■ Inherited permissions: Permissions of a

parent object that also apply to child
objects of the parent, such as to
subfolders within a folder
 Configuring Inherited
Permissions Chapter 9

Figure 9-11 Configuring inherited permissions

 Ownership
Chapter 9

■ Ownership: Having the privilege to

change permissions on an object and to
fully manipulate the object.
■ The account that creates an object, such
as a folder or printer, initially has
ownership.
■ Ownership can be taken by an
administrator or anyone who is given
ownership over the object.
 Ownership
Chapter 9

■ Guidelines for ownership:

◆ The account that creates an object is the
initial owner
◆ Ownership is changed by first having
permission to take ownership and then by
taking ownership
◆ Full Control permissions are required to
take ownership (or the special permission,
Take Ownership)
 NTFS Folder and
File Permissions Chapter 9
Permission Description Applies to

Full Control Can read, add, delete, execute, and modify files plus Folders and files

change permissions and attributes, and take ownership

List Folder Can list (traverse) files in the folder or switch to a Folders only

Contents subfolder, view folder attributes and permissions, and

execute files, but cannot view file contents

Modify Can read, add, delete, execute, and modify files; but Folders and files

cannot delete subfolders and their file contents, change

permissions, or take ownership

Table 9-6 NTFS Folder and File Permissions

 NTFS Folder and
File Permissions (continued) Chapter 9
Permission Description Applies to

Read Can view file contents, view folder attributes and Folders and files

permissions, but cannot traverse folders or execute

files

Read & Execute Implies the capabilities of both List Folder Contents Folders and files

and Read (traverse folders, view file contents, view

attributes and permissions, and execute files)

Write Can create files, write data to files, appended data to Folders and files

files, create folders, delete files (but not subfolders and

their files), and modify folder and file attributes

 Special Permissions
Chapter 9

■ You can customize permissions to meet

particular security needs by using
special permissions
■ Special permissions can be used to be
extremely specific in granting users one
or two particular permissions instead of
the generic “Modify” permission.
Configuring Special Permissions
Chapter 9

Figure 9-12 Configuring special permissions

 Planning Tip
Chapter 9

■ Err on the side of too much security at

first, because it is easier to give users
more permissions later than to take
away permissions after users are used
to having them
 Auditing
Chapter 9

■ Auditing: Tracking the success or failure

of events associated with an object, such
as writing to a file, and recording the
audited events in an event log of a
Windows 2000 server or workstation
 Configuring Auditing
Chapter 9

■ Start by configuring a group policy for

auditing
■ Configure auditing on an as needed
basis for particular objects, such as a
folder or file
 Folder Auditing
Chapter 9

Figure 9-13 Configuring folder auditing

 Setting an Audit Policy
Chapter 9

Figure 9-14
Configuring audit policy as part of the default domain policy
 Share Permissions
Chapter 9

■ Share permissions: Limited permissions

that apply to a particular shared object,
such as a shared folder or printer
Configuring Share Permissions
Chapter 9

Figure 9-15 Configuring a shared folder

 Share Permissions for a Folder
Chapter 9

■ Read: Permits groups or users to read

and execute files
■ Change: Enables users to read, add,
modify, execute, and delete files
■ Full Control: Permits full access to the
folder, including the ability to take
ownership control or change
permissions
 Offline Access to a Folder
through Caching Chapter 9

■ Use the Caching button in the folder

Properties dialog box on the the
Sharing tab to set up a folder for offline
access via caching
■ Caching a folder means that it can be
accessed by a client even when the
client computer is not connected to the
network
 Folder Caching Options
Chapter 9

■ Automatic Caching for Documents:

Documents are cached without using
intervention – all files in the folder that are
opened by the client are cached automatically
■ Manual Caching for Documents: documents
are cached only per the user’s request
■ Automatic Caching of Programs: document
and program files are automatically cached
when opened, but cannot be modified
 Multiple Permission Rules
NTFS Permissions
Chapter 9
■ Users can be members of multiple groups and
each group can be granted different permissions
for a resource. NTFS permissions are
cumulative.
■ For example: Bob’s user account is a member of
the Sales group and Marketing group. The Sales
group has the NTFS “Modify” permission on the
“Sales” folder. The Marketing group has the
NTFS “Read” permission on the “Sales” folder
■ What NTFS permission does Bob have to the
Sales folder?
 Multiple Permission Rules
NTFS Permission
Chapter 9

■ Because NTFS permissions are

cumulative, Bob’s effective NTFS
permission to the Sales folder is “modify”.
■ When granted different NTFS permissions
for a resource, the user is granted the least
restrictive of the NTFS permissions…..
■ EXCEPT: an explicit denial of permissions
overrides all other permissions
 Multiple Permission Rules
Share Permissions
Chapter 9
■ Share permissions are cumulative.
■ For example: Bob’s user account is a
member of the Sales group and the
Marketing group. The Sales group has
“full control” share permission to the Sales
share. The Marketing group has “read”
share permission to the Sales share.
■ What share permission does Bob have to
the Sales share?
 Multiple Permission Rules
Share Permissions
Chapter 9

■ Because share permissions are cumulative,

Bob’s effective share permission is “full
control”
■ When granted different share permissions for
a share, the user is granted the least
restrictive of the share permissions
■ EXCEPT: an explicit denial of permissions
overrides all other permissions
 Combined NTFS and
Share Permissions
Chapter 9

■ If a user is granted different levels of NTFS

and share permissions, the effective
permission is the MOST RESTRICTIVE.
■ In this example, Bob’s effective NTFS
permission is “modify” and his effective
share permission is “full control”. When Bob
attaches to the Sales share, his effective
overall permission will be “modify” because
this is the most restrictive of the two.
 Troubleshooting a
Permissions Conflict Chapter 9
■ Check the groups to which a user or group belongs
■ Find the least restrictive NTFS permissions of all
the groups.
■ Find the least restrictive share permissions of all
the groups.
■ Of these two, the effective permission will be the
most restrictive.
■ The “deny” permission will override all other
permissions granted either explicitly or through a
group.
 More Examples
Chapter 9
Group Memberships and Group Memberships and Effective
User NTFS Permissions Share Permissions Permissions
Bob Marketing – Modify Marketing – full control Modify
Sales – Read Sales – Change

Maria Accounting – Read Accounting – Full Control Read

Jeff R&D – Read R&D – Change Read

Users – Read Users – Full control

Susan Support – Full control Accounting – Change Change

Mike Users – Read Users – Full Control Deny

Sales – Modify Sales – Full Control
Marketing – Deny Marketing – Full Control
 Moving and Copying
Files and Folders Chapter 9

■ A newly created file inherits the permissions

already set up in a folder
■ A file that is copied from one folder to
another on the same volume inherits the
permissions of the folder to which it is copied
■ A file that is moved from one folder to
another on the same volume takes with it
the permissions it had in the original folder
 Moving and Copying
Files and Folders (continued) Chapter 9
■ A file or folder that is moved or copied to a
folder on a different volume inherits the
permissions of the folder to which it is moved
or copied
■ A file or folder that is moved or copied from
an NTFS volume to a shared FAT folder
inherits the share permissions of the FAT
folder
■ A file or folder moved from a FAT to an NTFS
folder inherits the NTFS permissions of that
folder
 Chapter Summary
Chapter 9

■ Without the Active Directory, use local

groups to manage access to resources
■ With the Active Directory implemented,
use domain local, global, and universal
groups to manage resources
 Chapter Summary
Chapter 9

■ Windows 2000 Server objects are

secured through ACLs, user rights,
permissions, inherited rights and
permissions, share permissions, Web
permissions, auditing, and ownership
■ Troubleshoot permissions conflicts by
examining the security assigned to all
groups to which a user account or
group belongs