Chapter 9: Managing Groups, Folders, Files, and Object Security
Learning Objectives
Active Directory Objects That Can Be Members of a Domain Local Group
■ User accounts in the same domain
■ Domain local groups in the same domain
■ Global groups in any domain in a tree or forest (as long as there are transitive or two-way trust relationships maintained)
■ Universal groups in any domain in a tree or forest (as long as there are transitive or two-way trust relationships maintained)
Active Directory Objects That a Domain Local Group Can Join as a Member
■ Access control lists for objects in the same domain, such as permissions to access a folder, shared folder, or printer
■ Domain local groups in the same domain
[Figure: Managing security through domain local and global groups. Labels shown: domains college.edu and research.college.edu; LocalExec domain local groups; GlobalExec global group.]
Implementing Universal Groups
[Figure: Managing security through universal and global groups. Labels shown: UniExec, a universal group with access to resources in all three domains; domains college.edu and research.college.edu; GlobalExec global group.]
Creating a Group
■ To create a group:
◆ Right-click the container for the new group
◆ Click New, Group
◆ Enter the name of the group
◆ Select the group scope
◆ Select the group type
◆ Click OK
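The same procedure scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original slides: it creates a global group for accounts, creates a domain local group in each domain, and nests the global group inside each domain local group. The group and domain names are taken from the figures; the OU paths, the choice of college.edu as the home of GlobalExec, and the helper name New-GroupIfMissing are assumptions.

```powershell
# Added example. OU paths and GlobalExec's home domain are assumptions.
Import-Module ActiveDirectory

$targets = @(
    @{ Server = 'college.edu';          Path = 'OU=Groups,DC=college,DC=edu' },
    @{ Server = 'research.college.edu'; Path = 'OU=Groups,DC=research,DC=college,DC=edu' }
)

# Hypothetical helper: create a security group, or return the existing one
# after confirming its scope so a name clash cannot silently widen access.
function New-GroupIfMissing {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$Scope,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Server
    )
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$Name'" -Server $Server
    if ($existing) {
        if ($existing.GroupScope -ne $Scope) {
            throw "$Name already exists in $Server with scope $($existing.GroupScope); expected $Scope."
        }
        return $existing
    }
    # Name, scope and type: the three values the New Group dialog asks for.
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
        -GroupCategory Security -Path $Path -Server $Server -PassThru
}

# User accounts go into the global group.
$globalExec = New-GroupIfMissing -Name 'GlobalExec' -Scope Global `
    -Path $targets[0].Path -Server $targets[0].Server

foreach ($t in $targets) {
    # The domain local group is the one placed on folder, share and printer ACLs.
    $localExec = New-GroupIfMissing -Name 'LocalExec' -Scope DomainLocal `
        -Path $t.Path -Server $t.Server

    # A global group from any domain in the forest may join a domain local group.
    $current = (Get-ADGroup -Identity $localExec -Properties member -Server $t.Server).member
    if ($current -notcontains $globalExec.DistinguishedName) {
        Add-ADGroupMember -Identity $localExec -Members $globalExec -Server $t.Server
    }
}
```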
Entering the Group Parameters
Administrators | Built-in local | Built-in | Administrator account; Domain admins; Enterprise admins | Full access to all domain and local resources
Backup Operators | Built-in local | Built-in | None | Enables members to back up any folders and files on the computer
DHCP Administrators | Domain Local | Users | Domain Admins | Enables members to administer DHCP services if installed
Domain Users | Global | Users | All user accounts | Used to grant access to a resource to all user accounts in the domain
Server Operators | Built-in local | Built-in | None | Used for common day-to-day server management tasks
Users | Built-in local | Built-in | Domain Users group | Used to manage general user access, including the ability to be authenticated as a user and to communicate interactively
Rights Security
■ Read-only
■ Hidden
■ Archive
FAT Attributes (continued)
■ Regular attributes
◆ Read-only
◆ Hidden
◆ Archive
■ Extended attributes
◆ Index
◆ Compress
◆ Encrypt
NTFS Attributes (continued)
Full Control | Can read, add, delete, execute, and modify files plus | Folders and files
List Folder | Can list (traverse) files in the folder or switch to a | Folders only
Modify | Can read, add, delete, execute, and modify files; but | Folders and files
Read | Can view file contents, view folder attributes and | Folders and files
files
Read & Execute | Implies the capabilities of both List Folder Contents | Folders and files
Write | Can create files, write data to files, append data to | Folders and files
Figure 9-14
Configuring audit policy as part of the default domain policy
Share Permissions