MODULO III

Configurando Grupos de
Usuarios

Resumen
Configurando Gurpos de Usuarios, brinda una

introduccin a los grupos Locales y Globales en

Windows NT, estrategia de planeamiento para la
implementaci de grupos en el Dominio,
creracin de grupos Locales y Globales, tambin
brinda una descripcin de los grupos
predeterminados y como implementarlos. Al fina
de este modulo, sera posible la planificacin y
creacin de grupos de usuarios.

Introduccin a Grupos de
Usuarios
Grupos son colecciones de cuentas de Usuario
Los miembros del grupo obtienen todos los

permisos y derechos dados al grupo

Grupos Locales se utilizan para dar acceso a

recursos y realizar tareas administrativas

Grupos Globales permiten organizar los

usuarios en el dominio

Grupos Locales vs Grupos Globales

Grupos Locales

Grupos Globales

Permiten asignar permisos y

Organizan usuarios en el dominio

Solo incluyen usuarios del

derechos a sus miembros

Pueden Incluir (de cualquier
Dominio):
Cuentas de Usuarios
Grupos Globales
No pueden incluir otros grupos
locales
En un Nt Server o workstation
solo permiten asignar permisos a
recursos
En un PDC, pueden asignar
permisos a cualquier Domain
Controler en el Dominio

dominio donde se crea

No pueden contener otros grupos
locales o globales
Pueden incluirse en un grupo
Local para dar derechos a sus
miembros
No se asignan a los recursos
Se crean en el PDC para el
Dominio

Ejemplo de Uso de Grupos Locales

y Globales
World Wide Importers
PDC

NT
Server
Inventario

Dominio Paris

BDC
Ordenes por
atender

Ejemplo de Uso de Grupos Locales

y Globales
La oficina de Paris de

la empresa World
Wide Importers tiene
un Dominio con un
PDC, un BDC, y un
servidor NT. El BDC
tiene la base de datos
de Ordenes por
atender, y el servidor
NT tiene la base de
datos de inventario.

En qu computador crearan

grupos Globales para organizar

los usuarios?. Por qu?
En qu computador grupos
locales para brindar acceso a la
base de datos de Ordenes por
atender? Porqu?
En qu computador crearan un
grupo local para dar acceso a
los usuarios a la base de datos
de Inventario? Porqu?

Estrategia para la planificacin

de grupos
Organizar usuarios en base a

sus tareas
Crear Grupos Globales y
agregar a los usuarios
Crear Grupos Locales para
dar permisos de acceso al
recurso
Dar permisos al Grupo Local
Agregar los Grupos Globales
a los Grupos Locales

Creacin de grupos Locales y

Globales

Creacin de Grupos Globales

En el Menu User, dar click en New Global Group.
En la opcin Group Name, indicar el nombre del grupo. El nombre

del Grupo Global:

Puede contener caracteres en mayusculas o minusculasharacters a
excepcin: / \ [ ] : ; | = , + ? < >
Describir la funcin del grupo
El nombre esta limitado a 20 caracteres
En Description , indicar la descripcin del grupo. Es muy util
identificar la funcionalidad del grupo.
En la lista Not Memberst, seleccionar los usuarios que formaran el
grupo.
Dar Click en Add. Los usuarios que selecionen apareceran en la lista
Members
Dar Click en OK para crear al grupo global .

Creacin de Grupos Locales

En el menu User, dar click en New Local Group.
En la opcin Group Name , digitar un nombre unico,y descriptivo del

grupo.
En Description dar la descripcin del grupo, luego dar click en
Add, para agregar a los usuarios.
Seleccionar en Names, los usuarios o grupos globales que deseen
incorporar al grupo local.
Para agregar usuarios o grupos globales de otros dominios, en la
opcin dominio seleccionar el dominio a utilizar.
Dar click en OK para crear el grupo local.

Eliminacin de grupos
La eliminacin de un grupo elimina su nombre,
descripcin, y los derechos y permisos asociados a
el. No elimina las cuentas de usuario que forman el
grupo.
Iniciar User Manager for Domains
Seleccionar el grupo que se desea eliminar
presionar la tecla DELETE . Aparece el siguiente mensaje:

Cada grupo representa un identificador unico el cual es

distinto del nombre del grupo.Una vez que se elimina la
creacin de un grupo con el mismo nombre no restaura los
permisos o derechos a sus miembros.
Dar Click en OK

Lab 3 : Planning and Creating

Local and Global Groups
After completing this lab, you will be able to :
Plan local and global groups.
Create global groups and add accounts to
them.
Create local groups and add accounts to
them.

Lab 3 - Exerc I : Planning Groups in

a Multiple-Domain Network - I
You need to determine :
The global groups for each domain.
The global groups for each resource and the
computer and domain where they should be
created.
Which global groups to add to each group
to give members access to a resource.

Lab 3 - Exerc I : Planning Groups in

a Multiple-Domain Network - II
Use the following criteria to make decisions :
All employee need access to Applications in their own domain.
All employee need access to the printer in the Istanbul domain.
Executives and managers from both domains need access to the

Human Resources (HR) information in the Quebec domain.

Executives, managers and customers service and sales
representatives from both domains need access to the Customer
Files in the Quebec domain.
Accountants from both domains need to Accounts Receivable (AR)
information in the Quebec domain.
Managers from both domains need access to Employee Files in the
Istanbul domain.

HR

AR

BDC
BDC
Member
Member
Server1
Server1

Quebec
PDC
PDC

Applications

Tr
us
t
PDC
PDC

Member
Member
Server2
Server2
Customer
Files

Istanbul
Member
Member
Server1
Server1
Applications

Windows
WindowsNT
NT
Workstation
Workstation
Employee
Files

Lab 3 - Exerc 2 : Creating Global

Groups and Adding Members
To create a global group
Log on to your domain

(Domainx, where x is the number

assigned to your domain)..
In Administrative Tools, start
User Manager for Domains.
On the User menu, click New
Global Group.
In the Group Name box, type a
description for the global group,
such as the type of users the
group contains.

To add members to a global

group
From the New Global Group

dialog box, in the Not

Members box, select one or
more users by pressing the
CTRL key, clicking each
user and then clicking Add.
Add the remaining user
accounts (if any) to the same
group, and then click OK.

Lab 3 - Exerc 3 : Creating Local

Groups and Adding Members
To create a global group
In User Manager windows,
on the User menu click
New Local Group..
In the Group Name box,
type a name for your local
group.
In the Description box,
type a description for the
local group.

To add members to a local

group
In the New Local Group
dialog box, click Add.
Under Names click one or
more global groups and
then click Add.
Click OK.

Lab 3 - Exerc 4 : Adding Accounts

from a Different Domain
To add a global group from a different domain to a
local group
In the User Manager window, double-click the local

group you created for the Account Receivable (AR)

information.
Click Add.
In the List Names From box, click ClassroomX
Double-click the global group Accountants, and then
click OK.
Click OK to close the Local Group Properties dialog
box.

Lab 3 - Exerc 5 : Testing Local and

Global Group Relationships
Add this type To this type
of group
of group

Result

Global

Global

Cannot be done.

Global

Local

Local

Local

Global into local

can be done in a
local domain or
from trusted
domain.
Cannot be done.

Local

Global

Cannot be done.

Implementacin de los grupos

pre-definidos( Built-in)
Built-in Local Groups.- Otorga a los usuarios

derechos para realizar ciertas tareas en el

servidor.
Built-in Global Groups.- Permite a los
administradores controlar el acceso a los
recursos de los servidores.
System Groups.- Son grupos del sistema. La
membresia es automatica y no configurable

Grupos Predefinidos en un servidor

NT
Users.- Desarrollan las tareas para las cuales se
les dio permisos, o tienen acceso a los recursos
que estan autorizados mediante la asignacion de
privilegios sobre el recurso.
Administrators.- Desarrollan todas las tareas
administrativas en el computador. Si el
computador es un domain controller, pueden
administrar todo el dominio NT.

Grupos Predefinidos en un servidor

NT
Guests.-Tienen acceso restringido a los recursos y
realizar tareas limitadas, son usuarios que no pueden
hacer cambios al entorno de Windows NT
Backup Operators.- Usuarios que estan autorizados a
llevar a cabo las operaciones de resguardo y
recuperacin de la data en cinta o backup.
Replicator.-Es un grupo que puede llevar a cabo la
replicacin de directorios.
Nota : Un grupo de usuario Power Users residen en los Nt
Servers o Nt workstation. Ellos pueden crear o modificar cuentas
de usuario y compartir recursos.

Grupos Predefinidos en un servidor

Nt Domain Controler
Grupos Locales .
Account Operators.- Crean, eliminan y modifican

usuarios, grupos globales y grupos locales. No

pueden modificar las propiedades de los
administradores o Server Operators
Server Operators.- Comparten los recursos del
disco y sacan Backup o Restore .
Printer Operators.- Configuran y administran las
impresoras.

Grupos Predefinidos en un servidor

Nt Domain Controler

Grupos Globales

Domain Users.- Grupo de Usuarios Locales.

Cuando se crea una cuenta en el Dominio

automaticamente forma parte de este grupo.
Domain Admins.- grupo de Administradores
Locales. Sus miembros pueden llevar a cabo tareas
administrativas equivalentes a las del
administrador.
Domain Guests.- Grupo Local Guest.

Grupos de Sistema
Residen en todas las computadoras
Su membresia no se puede modificar
Los usuarios se integran automaticamente

dependiendo de la tarea que realizen

Dos grupos principales
Everyone
Creator Owner

Recomendaciones
Usar Domain Users en lugar Everyone
Agregar Domains Admins de otros

dominios al grupo Local Administrators

Asignar derechos explicitamente solo si los
grupos predefinidos no son utiles
Agregar usuarios a los grupos predefinidos
es mas restrictivo

Lab 4 : Implementing Built-in

Groups

After completing this lab, you will be able to :

View built-in groups on domain controllers to

determine the default members.

Determine the inherent rights of built-in groups.
Use the built-in Administrators and Domain Admins
groups to administer user accounts in the domain.
Use the built-in Administrators and Domain groups to
provide centralized administration of user accounts in
remote domain.

Lab 4 - Exerc 1 : Determining Built-in

Groups Membership on a Domain
Controller
To
determine membership of
To determine membership of
the global group Domain
Admins :
Log on as Administrator.
Start User Manager for
Domains.
Under Groups, double-click the
global group Domain Admins.
By default, what built-in user
accounts or groups are
members of Domain Admins?
Click Cancel to return to the
User Manager window.

the local group

Administrators
Under Groups, doubleclick the local group
Administrators. By
default, what built-in user
accounts or global groups
are members of the
Administrators group?

Lab 4 - Exerc 1 : Determining Built-in

Groups Membership - II
To determine the default
membership of other
built-in global groups
Under Groups, doubleclick the global group
Domain Users and
Domain Guests. By
default, what built-in user
accounts are members of
this groups?

To determine the default

membership of other builtin local groups Guests
Under Groups, doubleclick Guests..What user
accounts or groups are
members of the Guests
groups?
.Make the same for the
built-in local group Users

Lab 4 - Exerc 2 : Determining the

Rights of Built-in Groups - I
To determine which groups
have access to the
computer
In the User Manager
window, on the Policies
menu, click User Rights.
The User Rights Policy
dialog box appears. The
listed right is Access this
computer from network.
Which built-in groups have
been granted this right?

To determine which groups

can log on locally
In the Right box, click Log
on locally. Which built-in
groups have been granted
this right?
...The group Everyone does
not have the Log on locally
right by default. This right
was assigned to the group
during classroom setup.

Lab 4 - Exerc 2 : Determining the

Rights of Built-in Groups - II
To determine which groups
can change the system
time.
In the Right box, click
Change the system time..
Which built-in groups have
been granted this right?
To determine which groups
can shut down the system
In the Right box, click Shut
down the system. Which
built-in groups have been
granted this right?

To determine which groups

can back up files and
directories
In the Right box, click Back
up files and directories.
Which built-in groups have
been granted this right?
To determine which groups
can restore files and
directories
In the Right box, click
Restore files and directories.
Which built-in groups have
been granted this right?

Lab 4 - Exerc 2 : Determining the

Rights of Built-in Groups - III
To determine the inherent rights that are only
assigned to the Administrators group.
Select each right to determine which ones are automatically

assigned to only the Administrators group, and then click the

appropiate check boxes.

Access this computer from network

Back up files and directories
Change the system time
Force shutdown from a remote system
Load and unload device drivers
Log on locally
Manage auditing and security log
Restore files and directories
Shut down the system
Take ownership of files or other objects

Lab 4 - Exerc 3 : Implementing Builtin Groups for Local Administration - I

To create and test a user
account
Create a user account
Log on as the new user
Try to create another user
account. Were you
successful? Why or why not?
To add a user to the local
Administrators group
Log on as Administrator.
Add the user you created in
the previous procedure to the
built-in Administrators
group.

To manually synchronize the

directory databases on the
BDC and PDC.
From a command prompt,
type net accounts /sync and
then press ENTER
To test the user account as a
member of the
Administrators group
Log on as the new user.
Try to create another user
account. Were you
successful? Why or why not ?

Lab 4 - Exerc 3 : Implementing Builtin Groups for Local Administration - II

To add a user to the global
group Domain Admins
Log on using the default
Administrator account.
Remove the new user
from the Administrators
group.
Add the new user to the
global group Domain
Admins.

To test the user account as a

member of the Domain
Admins group
Log on as the new user.
Try to create anoyher user
account. Were you
successful? Why or why
not?

Lab 4 - Exerc 4 : Implementing Builtin Groups for Centralized Administration - I

To test administration of
another domain (Complete
this procedure from the
BDC)
Log on to the Classroomx
domain as Administrator.
Start User Manager for
Domains.
On the User menu, click
Select Domain.
In the Domain box, click
domainx.
Try to create auser account.
Were you successful? Why or
why not?

To add the
Classroomx\Domain
Admins to the local
Administrators group
(Complete this procedure
from the BDC)
When the previous
procedure is complete, add
the Domain Admins group
in the Classroomx domain
(Classroomx\Domain
Admins) to the local
Administrators group.

Lab 4 - Exerc 4 : Implementing Built-in

Groups for Centralized Administration - II
To test administration of another domain (Complete
this procedure from the PDC)
When the previous procedure is complete, log on to
the Classroomx domain as Administrator.
Start User Manager for Domains.
On the User menu, click Select Domain.
In the Domain box, type domainx and then click OK.
Try again to create a user account. Were you
successful? Why or why not?

Revision
Cual es el propsito de un grupo Local? De un Grupo

Global?
Diferencia entre un grupo predefinido Local y otro
Global?
Que habilita a un administrador a realizar tareas
administrativas en un servidor NT?
Cual es la estrategia recomendada para usar grupos
globales?
Cual es la diferencia entre el grupo Domains Users y
Everyone?