{"id":440,"date":"2012-02-10T20:26:34","date_gmt":"2012-02-10T20:26:34","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=440"},"modified":"2018-09-06T23:25:20","modified_gmt":"2018-09-06T23:25:20","slug":"networking-basics-part-13-creating-groups","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=440","title":{"rendered":"Networking Basics: Part 13 &#8211; Creating Groups"},"content":{"rendered":"<p>This article continues the Networking for Beginners series by introducing the concept of security groups.<\/p>\n<p>In the previous article in this series, I showed you how to use the  Active Directory Users and Computers console to create and manage user  accounts. In this article, I want to continue the discussion by teaching  you about groups.<\/p>\n<p>In a domain environment, user accounts are essential. A user account  gives a user a unique identity on the network. This means that it is  possible to track the user\u2019s online activity. It is also possible to  give a user account a unique set of permissions, assign the user a  unique e-mail address, and meet all of the user\u2019s other individual  needs.<\/p>\n<p>Although custom tailoring a user account to meet a user\u2019s individual  needs sounds like a good idea, it isn\u2019t really practical in a lot of  cases. Setting up and managing user accounts is a time consuming task.  It isn\u2019t a big deal if you\u2019ve only got a couple dozen users in your  organization, but if your organization has thousands of users, then  account management can quickly become an overwhelming burden.<\/p>\n<p>My advice is that even if you manage a very small network, you should  treat the small network as if it were a big network. The reason for  this is that you never know when the network will grow. Using good  management techniques from the very beginning will help you to avoid a  logistical nightmare later on.<\/p>\n<p>I have actually seen the consequences of unexpected, rapid growth in  the real world. About fifteen years ago, I was hired as a network  administrator for an insurance company. At the time, the network was  very small. There were only a couple dozen workstations attached to the  network. The woman who was in charge of the network had no prior IT  experience and was thrown to the wolves, so to speak. Not having an IT  background, and not knowing any better, she had configured the network  so that all of the configuration settings existed on a per user basis.<\/p>\n<p>At the time, this was no big deal. There weren&#8217;t\u00a0many users, and it  was easy to manage the various accounts and permissions. Within a  year\u00a0there were over two hundred PCs on the network. By the time I left  the company a couple of years later, there were well over a thousand  people using a network that was only initially designed to handle a few  dozen.<\/p>\n<p>As you can imagine, the network experienced some severe growing  pains. Some of these growing pains were related to hardware performance,  but most were related to the inability to effectively manage that many  user accounts. Eventually, the network became such a mess that all of  the user accounts had to be deleted and recreated from scratch.<\/p>\n<p>Obviously, rapid unexpected growth can cause problems, but you are  probably wondering why in the world things became so unmanageable that  all of the accounts had to be deleted so that we could \u201cjust start  over\u201d.<\/p>\n<p>As I mentioned before, all of the configuration and security settings  were user based. This meant that if a department manager came to me and  asked me to tell him who had access to a particular network resource, I  would have to look at every account individually to see whether or not  the user had access to the resource. When you only have a couple dozen  users, checking every account to see which users have access to  something is tedious and disruptive (at the time, checking took about 20  minutes). When you\u2019ve got a couple hundred users\u00a0checking every user  account can take most of the day.<\/p>\n<p>Granted, the events that I just described happened well over a decade  ago. As the IT industry goes, these events might as well have occurred  in prehistoric times. After all, the network operating systems that were  in use at the time are now extinct. Even so, the lessons learned back  then are as relevant today as they were then.<\/p>\n<p>All of the problems that I just described could have been prevented  if groups had been used. The basic idea behind groups is that a group  can contain multiple user accounts. Since security settings are assigned  at the group level, you should never manually assign permissions  directly to a user account. Instead, you would assign permission to a  group, and then make the user a member of the group.<\/p>\n<p>I realize that this might sound a little confusing, so I will  demonstrate the technique for you. Suppose that one of your file servers  contains a folder named Data, and that you need to grant a user read  access to the Data folder. Rather than assigning the permission directly  to the user, let\u2019s create a group.<\/p>\n<p>To do so, open the Active Directory Users and Computers console. When  the console opens, right click on the Users container, and select the  New | Group commands from the resulting shortcut menus. Upon doing so,  you will see a screen similar to the one that is shown in Figure A. At a  minimum, you must assign a name to the group. For ease of management,  let\u2019s just call the group Data, since the group is going to be used to  secure the Data folder. For right now, don\u2019t worry about the group scope  or the group type settings. I will teach you about these settings in  the next part of this series.<\/p>\n<p><strong><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0011192538761727.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\nFigure A: <\/strong>Enter a name for the group that you are creating<\/p>\n<p>Click OK, and the Data group will be added to the list of users, as  shown in Figure B. Notice that the group\u2019s icon uses two heads,  indicating that it is a group, as opposed to the single headed icon used  for user accounts.<\/p>\n<p><strong><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0021192539077712.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\nFigure B: <\/strong>The Data group is added to the list of users<\/p>\n<p>Now, double click on the Data group, and you will see the group\u2019s  properties sheet. Select the properties sheet\u2019s Members tab, and click  the Add button. You are now free to add user accounts to the group. The  accounts that you add are said to be group members. You can see what the  Members tab looks like in Figure C.<\/p>\n<p><strong><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0041192538789196.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\nFigure C: <\/strong>The Members tab lists all of the group\u2019s members<\/p>\n<p>Now it\u2019s time to put the group to work. To do so, right click on the  Data folder, and select the Properties command from the resulting  shortcut menu. When you do, you will see the folder\u2019s properties sheet.  Go to the properties sheet\u2019s Security tab, and click the Add button.  When prompted, enter the name of the group that you just created (Data)  and click OK. You are now free to establish a set of permissions for the  group. Whatever permissions you apply to the group, also apply to group  members. As you can see in Figure D, there are some other rights that  are applied to the folder by default. It is best to remove the Users  group from the access control list to prevent any accidental  contradictions of permissions.<\/p>\n<p><strong><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0051192538789212.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\nFigure D: <\/strong>The Data group is added to the folder\u2019s access control list<\/p>\n<p>Remember earlier when I mentioned how much work it was to try to  figure out which users had access to a particular resource? Well, when  groups are in use, the process becomes simple. If you need to know which  users have access to the folder, just look to see which groups have  access to the folder, as shown in Figure D. Once you know which groups  can access the folder, determining who has rights to the folder is as  simple as checking the group\u2019s membership list (shown in Figure C). Any  time additional users need access to the folder, just add their names to  the list of group members. Likewise, you can remove permissions to the  folder by deleting a user\u2019s name from the list of group members.<\/p>\n<p>In this article, I have shown you how to create security groups in a  Windows Server 2003 environment. In the next article in the series, I  will continue the discussion by showing you the impact of selecting a  different group type.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article continues the Networking for Beginners series by introducing the concept of security groups. In the previous article in this series, I showed you how to use the Active Directory Users and Computers console to create and manage user accounts. In this article, I want to continue the discussion by teaching you about groups. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-440","post","type-post","status-publish","format-standard","hentry","category-networking-stuff"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=440"}],"version-history":[{"count":3,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/440\/revisions"}],"predecessor-version":[{"id":2661,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/440\/revisions\/2661"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}