153 Cards in this Set

  • Front
  • Back
AD DS
IDA
AD DS - Active Directory Domain Services

IDA - identity and access
What does AD DS provide?
the functionality of an IDA solution for enterprise networks
What is IDA?
IDA infrastructure refers to the tools and core technologies used to integrate people, processes and technology in an organization
Where does AD DS store enterprise-wide IDA information?
In a database called the Active Directory data store
It contains all the info on all objects that exist within the AD infrastructure
SID
TGT
DACL
SID - security identifier
TGT - ticket granting ticket
DACL - discretionary access control list
Authentication
An entity must first verify its identity to the AD infrastructure before being granted the ability to function as part of an AD domain
What protocol is used to authenticate identities in AD?
Kerberos
Explain Kerberos
User/PC logs on to the domain
Kerberos authenticates its credentials and issues a package of info called a TGT
A Kerberos request is sent to a domain controller along with the TGT that identifies the user
The DC issues to the user/PC another package of info, a service ticket that identifies the authenticated user on the server
Access control
The IDA infrastructure is responsible for protecting info and resources by ensuring that access to resources is granted to only the identities that should have access.
What is DACL?
Every object within AD has an associated DACL. This list contains info regarding the identities that have been granted access to the object and the level of access granted
Auditing
Monitoring activities that occur within the IDA infrastructure is referred to as auditing.
Auditing behavior is controlled by system access control lists (SACLs).
SACL
ADAM
PKI
CA
SSO
SACL - system access control list
ADAM - AD Application Mode
PKI - public key infrastructure
CA - certificate authority
SSO - single sign-on
Active Directory itself now includes five technologies, each of which is identified with a keyword that indicates the purpose of the technology
Active Directory Domain Services (Identity)
Active Directory Lightweight Directory Services (Applications)
Active Directory Certificate Services (Trust)
Active Directory Rights Management Services (Integrity)
Active Directory Federation Services (Partnership)
AD LDS
AD LDS - Active Directory Lightweight Directory Services (Applications)
essentially a stand alone version of AD
provides support for directory-aware applications
AD CS
AD CS - Active Directory Certificate Services (Trust)
used to set up a certificate authority for issuing digital certs as part of PKI
AD RMS
AD RMS - Active Directory Rights Management Services (Integrity)
an information-protection technology that enables you to implement persistent usage policy templates that define allowed/disallowed use online/offline
AD FS
AD FS - Active Directory Federation Services (Partnership)

enables an organization to extend IDA across multiple platforms including non-Windows
project identities and access rights across security boundaries to trusted partner
schema in AD
a set of rules that defines the classes of objects and attributes that can be contained in AD
The fact that AD has user object that includes pass and username is because the schema defines the user object class, the two attributes and the association between
Replication services
distribute directory data across a network. This includes both the data store itself as well as data required to implement policies and configuration, including logon scripts
global catalog
contains information about every object in the AD
It's like an index that can be used to locate objects in the AD
AD DS
AD DS - Active Directory Domain Services
provides a central repository for identity management within an organization
Provides
Authentication,
Authorization,
Auditing services,
Info management
Info sharing
Searching
Domain
at least 1 domain is required to create an AD
an administrative unit within which certain capabilities and characteristics are shared
defines the boundaries of administrative policies
KDC
GPO
KDC - kerberos key distribution center
GPO - group policy objects
Forest
a collection of AD domains
first domain installed in AD is called forest root domain
A forest contains a single definition of network configuration and a single instance of the directory schema
Tree
DNS namespace of domains in a forest creates trees within the forest.
If a domain is a subdomain of another domain, the two domains are considered a tree (tree.com and free.tree.com vs blue.com and red.com)
functional level
functionality available in AD domain or forest depends on its functional level which enables advanced domain-wide/forest-wide feature
List functional level (6)
Win 2000 native
Win 2000 mixed
Win Server 2003
Win Server 2003 interim
Windows Server 2008
Windows Server 2008 R2
OU
Organization units
provides a container for objects but also a scope with which to manage the objects
Connection between GPO and OU?
OUs can have GPOs linked to them; the OU is also a scope with which to manage the objects
Sites in AD
an AD site is an object that represents a portion of the enterprise within which consistent, high-bandwidth network connectivity is expected
Create boundaries of replication and service usage
requirements about IP for DC
DC require a static IP address and subnet mask value
You want to use a new server running Windows Server 2008 R2 as a domain
controller in your Active Directory domain. Which command do you use to launch
configuration of the domain controller?
Dcpromo.exe
change pc name (win core)
netdom renamecomputer %computername% /newname:SERVER02
set the IPv4 address (win core)
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.0.0.12 mask=255.255.255.0 gateway=10.0.0.1 1

netsh interface ipv4 set dnsserver name="Local Area Connection" source=static address=10.0.0.11 primary
join a domain (win core)
netdom join %computername% /domain:contoso.com
display roles installed (win core)
oclist | more
MMC
RSAT
MMC - Microsoft Management Console
RSAT - Remote Server Administration Tools
Preconfigured MMC consoles

Custom MMC consoles
Preconfigured - installed automatically when you add a role or feature, to support administration of that role or feature. They function in user mode, so you cannot modify them or save them.

Custom - users can create custom consoles to provide exactly the tools and functionality they require
Active Directory Users And Computers snap-in
Manage most common day-to-day resources, including users, groups, computers, printers, and shared folders. This is likely the most heavily used snap-in for an Active Directory administrator
Active Directory Sites And Services snap-in
Manage replication, network topology, and related services.
Active Directory Domains And Trusts snap-in
Configure and maintain trust relationships and the domain and forest functional levels
Active Directory Schema snap-in
Examine and modify the definition of Active Directory attributes and object classes. This schema is the “blueprint” for Active Directory. It is rarely viewed and even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default
Active Directory Schema snap-in does not appear in the Add/Remove Snap-ins dialog box until after you have registered the snap-in. How do you do that?
1. Open Command Prompt with the Run As Administrator option.
2. Type regsvr32.exe schmmgmt.dll and press ENTER.
By default, new consoles are
saved in what mode
author
enables adding and removing snap-ins, viewing all portions of the console tree and saving customizations
Types of user modes that can be used when saving a user console
User Mode - Full Access
User Mode - Limited Access, multiple window
User Mode - Limited Access, single window
User Mode – Full Access allows
You want users of the console to be able to navigate between and use all snap-ins. Users cannot add or remove snap-ins or change the properties of snap-ins or the console.
User Mode – Limited Access, multiple window allows
You want users to navigate to and use only the snap-ins that you have made visible in the console tree, and you want to preconfigure multiple windows that focus on specific snap-ins. Users cannot open new windows
User Mode – Limited Access, single window
You want users to navigate to and use only the snap-ins that you have made visible in the console tree within a single window.
file extension for consoles

default location where they are saved
.msc

%userprofile%\AppData\Roaming\Microsoft\Windows\StartMenu
OUs
OUs - Organizational units
administrative containers within Active Directory that are used to collect objects that share common requirements for administration, configuration, or visibility.
CN
UPN
CN - common name
UPN - user principal name
UPN def
UPN - user principal name
The UPN suffix is appended to the user logon name following the @ symbol.
Global group
Global group is used to identify users based on criteria such as job function, location, and so on
Domain Local group
Domain Local group is used to collect users and groups who share similar resource access needs, such as all users who need to be able to modify a project report.
Universal group
Universal group is used to collect users and groups from multiple domains.
dsa.msc
opens the Active Directory Users And Computers console
DN
CN
DC
DN - Distinguished name
CN - common name
DC - domain component.
DN def
DNs are a kind of path to an object in Active Directory. Each object in Active Directory has a completely unique DN. The user James Fine has the DN CN=James Fine,OU=User Accounts,DC=contoso,DC=com.
CN def
CN means common name.
When you create a user, the Full Name box is used to create the CN of the user object
RDN def
RDN - relative distinguished name
The portion of the DN prior to the first OU or container

In CN=James Fine,OU=User Accounts,DC=contoso,DC=com
it's CN=James Fine
dsquery user
look for a user, whereas DSQuery computer, DSQuery group, and DSQuery ou would query for their respective object types.
-limit switch to specify how many results you want returned. Use -limit 0 to return all objects
if you want to locate the user named Tony Krijnen, you would enter
dsquery user -name "Tony Krijnen"
inheritable permissions
inheritable permissions are inherited by the child object.

Not every permission is inheritable
Explicit permissions
Explicit permissions always override permissions that are inherited from parent objects.
DSACLs (Dsacls.exe)
a command-line tool that reports on directory
service objects.
If you type the command followed by the distinguished name of an object, you see a report of the object’s permissions.

dsacls.exe "ou=User Accounts,dc=contoso,dc=com"
How do you remove or reset permissions that have been delegated
1) Open the Advanced Security Settings and Permission Entry dialog boxes to remove permissions.
2) You can click Restore Defaults to reset permissions
3) DSACLs /s resets permissions to the schema-defined defaults
dsacls /s
dsacls /t
/s
reset permissions to the schema defined defaults
/t
make the change for the entire "tree"
reset permissions on the User Accounts OU and all of its child OUs and objects, you would enter
dsacls "ou=User Accounts,dc=contoso,dc=com" /s /t
what if you belong to two groups 1 that allows a certain permission and 2nd that denies the same permission
The deny permission prevents you from
summarizes the attributes that are copied from the template, grouped by the tabs in the Properties dialog box.
*General tab* No properties are copied from the General tab.
*Address tab* P.O. box, city, state or province, ZIP or postal code, and country
or region are copied. Note that the street address itself is not copied.
*Account tab* Logon hours, logon workstations, account options, and account
expiration are copied.
*Profile tab* Profile path, logon script, home drive, and home folder path are copied.
*Organization tab* Department, company, and manager are copied.
*Member Of tab* Group membership and primary group are copied.
CSVDE
LDIFDE
CSVDE - Comma-Separated Values Data Exchange
LDIFDE - LDAP Data Interchange Format Data Exchange
Cmd that creates an object in the directory

Cmd that returns specified attributes of an object
DSAdd

DSGet
Cmd that modifies specified attributes of an object

Cmd that moves an object to a new container or OU
DSMod

DSMove
Cmd that removes an object, all objects in the subtree beneath a container object, or both

Cmd that performs a query based on parameters provided at the command line
and returns a list of matching objects.
DSRm

DSQuery
command adds a user account for Mike
Fitzmaurice

command removes the Mike
Fitzmaurice
dsadd user "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com"

dsrm "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com"
DS commands that read or manipulate attributes of objects include
Dsquery.exe
Dsget.exe
Dsmod.exe
command retrieves the home folder path for Mike Fitzmaurice
dsget user "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com" -hmdir
command shows the basic parameters required to create a user account
dsadd user "User DN" -samid "pre-Windows 2000 logon name" -pwd {Password | *}
-mustchpwd yes

dsadd user "cn=Amy Strande,ou=User Accounts,dc=contoso,dc=com" -samid Amy.Strande
-fn Amy -ln Strande -display "Strande, Amy" -pwd Pa$$w0rd -desc "Vice President, IT"
CSVDE def
CSVDE is a command-line tool that imports or exports Active Directory objects from or to a comma-delimited text file

csvde -f filename
CSVDE option
-d RootDN

-p SearchScope
-d RootDN
Specifies the distinguished name of the container from which the export will begin. The default is the domain itself

-p SearchScope
Specifies the scope of the search relative to the container specified by -d. SearchScope can be either
base (this object only),
onelevel (objects within this container), or subtree (this container and all subcontainers).

The default is subtree.
CSVDE option
-r Filter

-l ListOfAttributes
-r Filter
Filters the objects returned within the scope configured by -d and -p. Filter is a Lightweight Directory Access Protocol (LDAP) query syntax

-l ListOfAttributes
Specifies the attributes that will be exported. Use the LDAP name for each attribute, separated by a comma, as in -l DN,objectClass,sAMAccountName,sn,
givenName,userPrincipalName.
output of a CSVDE export lists the selected, exported LDAP attribute names on the first line. Each object follows, one per line
DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
"CN=David Jones,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,david.jones@contoso.com
"CN=Lisa Andrews,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,lisa.andrews@contoso.com
Importing Users with CSVDE
The basic syntax of the CSVDE command for import is:
csvde -i -f Filename [-k]

-i parameter specifies import mode
-f parameter identifies the file name to import from or export to
-k parameter is useful during import operations because it instructs CSVDE to ignore errors,
Ldifde.exe
to import or export Active Directory objects, including users.
LDIFDE command implements these batch operations by using LDIF files.
LDIF
LDIF - LDAP Data Interchange Format
LDIF file format consists of a block of lines that, together, constitute a single operation.
Each line consists of an attribute name followed by a colon and the value of the attribute.
Multiple operations in a single file are separated by a blank line.
dn: CN=Bonnie Kearney,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bonnie Kearney
sn: Kearney
title: Operations
description: Operations (London)
givenName: Bonnie
displayName: Kearney, Bonnie
company: Contoso, Ltd.
sAMAccountName: bonnie.kearney
userPrincipalName: bonnie.kearney@contoso.com
mail: bonnie.kearney@contoso.com
switches for the LDIFDE command
-i
-f filename
-i Turn on Import mode. Without this parameter, LDIFDE exports information

-f filename The file from which to import, or to which to export
LDIFDE Parameters
-i
-f filename
-s servername
-c FromDN toDN
-i
Import mode

-f filename
Import or export file name

-s servername
The domain controller to bind to for the query

-c FromDN ToDN
Convert occurrences of FromDN to ToDN. This is useful when importing objects from another domain, for example.
LDIFDE Parameters
-v
-j
-h
-?
-v
Turn on verbose mode.

-j path
Log file location.

-h
Enable Simple Authentication And Security Layer (SASL) encryption.

-?
Help.
LDIFDE Parameters
-d RootDN
-r Filter
-p SearchScope
-d RootDN
The root of the LDAP search. The default is the root of the domain.

-r Filter
LDAP search filter. The default is (objectClass=*), meaning all objects.

-p SearchScope
The scope, or depth, of the search. Can be subtree (the container and all child containers), base (the immediate child objects of the container only), or onelevel (the container and its immediate child containers).
LDIFDE Parameters
-l list
-o list
-k
-l list
Comma-separated list of attributes to include in export for resulting objects. Useful if you want to export a limited number of attributes.

-o list
List of attributes (comma-separated) to omit from export for resulting objects. Useful if you want to export all but a few attributes.

-k
Ignore errors and continue processing if Constraint Violation or Object Already Exists errors appear.
Only _________ is capable of modifying existing objects or removing objects.
You can specify a user's password with DSAdd and you can import a user's password with ____________, but not with _______________.
If you create users within a domain with a policy requiring passwords,
the accounts will be disabled until you reset their passwords and enable the accounts
Only __LDIFDE___ is capable of modifying existing objects or removing objects. You can specify
a user’s password with DSAdd, and you can import a user’s password with ___LDIFDE___, but not with ___CSVDE____. If you create users within a domain with a policy requiring passwords, the accounts will be disabled until you reset their passwords and enable the accounts.
ADWS - Active Directory Web Services
Active Directory Web Services

provides XML Web Services–based protocols to interact with Active Directory. The Active Directory module for Windows PowerShell communicates with these services to perform administrative tasks
GUID
SID
GUID - Globally Unique Identifier
SID - security identifier
ADAC
ADAC - Active Directory Administrative Center
ADAC is a graphical interface on top of
Windows PS. When you perform a task with ADAC, you are running one or more
Windows PowerShell cmdlets or scripts behind the scenes

available only on Windows Server 2008 R2 and on Windows 7
Linked attributes (def)
a pair of attributes
back link and
forward link
The system calculates the value of the back link based on the values set on the forward link
constructed attribute (Def)
an attribute that is the result of a calculation performed by Active Directory
Example: tokenGroups - a list of the SIDs of all the groups to which the user belongs
When you have multiselected the user objects what properties are available in the General tab
Description
Office
Tel Number
Fax
Web Page
E-mail
When you have multiselected the user objects what properties are available in the Account tab
UPN Suffix
Logon Hours
Computer Restriction
all Account Options
Account Expires
When you have multiselected the user objects what properties are available in the Address tab
Street
P.O Box
City
State/Province
Zip/Postal Code
Country/Region
When you have multiselected the user objects what properties are available in the Profile tab
Profile Path
Logon Script
Home Folder
When you have multiselected the user objects what properties are available in the Organization tab
Title
Department
Company
Manager
DSMod ps cmd

Example: command changes the office attribute of Tony Krijnen
DSMod modifies the attributes of one or more existing objects

dsmod user "cn=Tony Krijnen,ou=User Accounts,dc=contoso,dc=com" -office "Amsterdam"
cmd to change the office attribute of Linda Mitchell and Scott Mitchell’s accounts to Sydney
dsquery user -name "* Mitchell" | dsmod user -office "Sydney"
DSQuery User command

Example: search for all users with last name Mitchell
searches Active Directory for users

dsquery user -name "* Mitchell"
assume you want to assign all users a home folder on SERVER01 what cmd will you use
dsquery user "ou=User Accounts,dc=contoso,dc=com" |
dsmod user -hmdir "\\server01\users\$username$\documents" -hmdrv "U:"
The username token for the DS commands is
The username token for the DS commands is $username$, not %username%.
DSGet command
DSGet command gets and outputs selected attributes of one or more objects. Its syntax,
like that of DSMod, is:
dsget user UserDN... parameters
cmd to display the pre–Windows 2000 logon name of Jeff Ford in the User Accounts OU
dsget user "cn=Jeff Ford,ou=User Accounts,dc=contoso,dc=com" -samid
display the email addresses of all users whose description attribute indicates that they
are in the Sydney office
dsquery user -desc "*Sydney*" | dsget user -email
A user’s User Logon Name (Pre–Windows 2000) is
sAMAccountName attribute. It’s also sometimes called the samid.
It must be unique for the entire domain.
What is the User Logon Name
the userPrincipalName attribute, abbreviated as UPN. The UPN consists of a logon name and a UPN suffix which is, by default, the DNS name of the domain in which you create the object.
GAL
GAL - global address list
DSMod command to reset a user’s password and, optionally, force the user to change that password at the next logon
dsmod user UserDN -pwd NewPassword -mustchpwd yes
User Logon Name (Pre–Windows 2000) = ?
User Logon Name (Pre–Windows 2000) = sAMAccountName attribute = samid
Unique in the entire Domain
User Logon Name is ?
userPrincipalName attribute, abbreviated as UPN
UPN must be unique for the entire forest
CN must be unique in
DN must be unique in
CN must be unique in the OU (CN = common name)
DN must be unique in the forest
Connection between CN and DN
CN is the first element of the DN
DSMod command to reset a user’s password and, optionally, force the user to change that password at the next logon
dsmod user UserDN -pwd NewPassword -mustchpwd yes
use the DSMod command to disable an account in AD
dsmod user UserDN -disabled yes

enable

dsmod user UserDN -disabled no
delete objects from Active Directory by using the DSRm command
dsrm UserDN
tombstone lifetime
is 180 days by default
Active Directory maintains a subset of the account’s properties—most notably its SID—for a period of time called the tombstone lifetime
move a user with a command-line tool, use DSMove.
dsmove UserDN -newparent TargetOUDN
After you delete a user account, you can re-create an account with the same name, will the new account belong to the same groups or have the same resource access
No
You will need to rebuild those memberships and permissions for the new account
Active Directory Migration Tool is used to
The Active Directory Migration Tool is used to migrate accounts between domains.
What is a security group
A security principal with a security identifier (SID) and a member attribute that identifies members
To effectively manage even a slightly complex enterprise, you need groups that perform
two distinct purposes:
Groups that define roles
These groups, referred to as role groups, contain users, computers, and other role groups based on common business characteristics such as location and job type.

Groups that define management rules
These groups, referred to as rule groups,
define how an enterprise resource is managed.
role-based management
You define roles of users based on business characteristics and you define management rules
You use two types of groups
Groups that define roles
Groups that define management rules
Best practice for naming convention of role groups
Simple, unique name, such as Sales or Consultants
Best practice for naming convention of management groups
Management groups. For example, ACL_Sales Folders_Read

Prefix - identifies the management purpose of group, such as ACL for managing access permissions

Resource identifier - this is the unique identifier for what is being managed

Suffix - for resource access groups, this is the type of access the group manages

Delimiter - this should be a consistently used marker separating prefix, identifier and suffix such as _
Distribution groups
used primarily by email applications
These groups are not security enabled—they do not have SIDs
Security groups
are security principals with SIDs
These groups can therefore be used in permission entries in ACLs to control security for resource access.
Security groups can also be used as distribution groups by email applications.
List the group scopes
local
domain
global
universal
Groups scopes are identified by the following characteristics
Replication
Where is the group defined and to what systems is the group replicated?

Membership
What type of security principal can the group contain as members?

Availability
Where can the group be used?
If Domain A trusts Domain B, Domain B is
trusted
Its users and global groups can be members of domain local groups in Domain A
Domain B's users and global groups can be assigned permissions to resources in Domain A
Local groups (def)
defined and available on a single computer
created in the security account manager (SAM) DB of a domain member
Local groups (characteristics)
Replication - defined only in the local SAM DB of a domain member. The group and its membership are not replicated to any other system

Membership:
-any security principals from the domain
-Users, PC and global groups from any domain in the forest or any trusted domain
-Universal groups defined in any domain in the forest

Availability - local group has only pc-wide scope, cannot be member of any other group
Domain local group (def)
Domain local groups are primarily used to manage permissions to resources
Domain local group (char)
Replication - defined in the domain naming context. The group object and its membership are replicated to every domain controller in the domain

Membership:
-Any security principal from the domain
-Users, PC and global groups from any domain in the forest or any trusted domain
-Universal groups defined in the forest

Availability - can be added to ACLs on any resource on any domain member. Can be member of other domain local groups or even computer local groups
Global groups (def)
Global groups are used primarily to define collections of domain objects based on business roles
Global groups (char)
Replication - defined in the domain naming context. The group object including the membership (member attribute) is replicated to all domain controllers in the domain

Membership - can include users, computers and other global groups in the SAME DOMAIN ONLY

Availability - available for use by all domain members as well as by other domains in the forest and all trusting external domains
Can be a member of any domain local group or universal group.
Can be a member of any domain local group in a trusting domain.
Can be added to ACLs in the domain, forest or trusting domain
Universal groups (char)
Replication
A universal group is defined in a single domain in the forest but is replicated to the global catalog. Objects in the global catalog are readily accessible across the forest

Membership
A universal group can include as members users, global groups, and other universal groups from any domain in the forest

Availability
A universal group can be a member of a universal group or domain local group anywhere in the forest
Additionally, a universal group can be used to manage resources—for example, to assign permissions—anywhere in the forest.
Local group scope members from the same domain
Local group scope members from the same domain
User,
Computers,
Global Groups,
Universal Groups,
Domain Local Groups,
Local Users Defined on the Same computer as the local group
Local group scope members from another domain in the same forest
Local group scope members from another domain in the same forest
Users
Computers
Global groups
Universal groups
Local group scope members from a trusted external domain
Users
Computers
Global groups
Domain local group scope members from the same domain
Users
Computers
Global groups
Universal groups
Domain local groups
Domain local group scope members from another domain in the same forest
Users
Computers
Global groups
Universal groups
Domain local group scope members from a trusted external domain
Users
Computers
Global groups
Universal group scope members from the same domain
Users
Computers
Global groups
Universal groups
Universal group scope members from another domain in the same forest
Users
Computers
Global groups
Universal groups
Universal group scope members from a trusted external domain
N/A
Global group scope members from the same domain
Users
Computers
Global groups
Global group scope members from another domain in the same forest

Global group scope members from a trusted external domain
N/A

N/A