Howdy-howdy. Harrybbbb here – the publisher of the above title. I like holding virtual book readings so here comes a passage for ya! Good luck passing that 70-282 exam. BTW – my SBS 2008 book is HERE!
Create and Configure User Groups
Configuring user groups? Now that is a trick question in SBS, the reason being that groups have already been preconfigured for you! Depending on what user template you use, permissions will then be assigned based on the template settings. You can create and configure domain groups by the use of two links on the Server Standard Management console, the Security Group link and the Distribution Group link. There is no need to venture into Active Directory Users and Groups; again, wizards are available to make this an effortless experience.
What should be pointed out here is that the SBS Security and Distribution Groups are located in Active Directory under yourdomainname.com, MyBusiness organizational unit (OU), Distribution OU, and Security OU. It is important that you use the Standard Management console links to create your new Security or Distribution groups, because the newly created accounts will be placed into the proper OU in Active Directory this way. There are three group types:
Local groups are created on local computers only. They can be created with the Local Users and Groups utility.
SBS 2003 has built-in security groups that have already assigned rights to facilitate simplified administration. You can place a user into the Fax Operators group (which has specific fax-related rights assigned), and the user will be able to manage fax queues and cover pages. This is a time-tested network administrative practice of using security groups to manage permissions. A security group is exactly what the name states, a group that has certain rights and permissions assigned to it that dictate how different objects on the domain can be manipulated. Creating a user group and then placing the user accounts into the security group streamlines the administrative burden and simplifies user management. Even in a small business environment where you may only have five user accounts, it is good practice to use security groups instead of assigning user accounts individually to resources. More on this embedded security stuff in a moment under the Group Scopes section. When creating new groups in SBS, you should always use the Server Management Console and use the Distribution Group and Security Group links.
IMPORTANT: Security groups may have an e-mail address (technically an SMTP e-mail address). The members of the security group would receive the e-mail that is sent to said security group (sounds a lot like a distribution group, eh?). So sometimes, a security group can act like a bucket that holds permissions plus assume the behavior of a distribution group.
Chapter 6 Securing Windows Small Business Server 2003
Distribution groups are used as e-mail distribution lists only and do not have security descriptors associated with them. Accounts added to distribution groups can be e-mailed to, but cannot be used to log on to the domain. (Due to missing ACEs, no token will be generated!). You can add a Distribution group with the Add Distribution Group wizard. Distribution groups facilitate communication by making it easy for you to reach all the recipients in a specific group using only one e-mail address—say, for example, everyone in the accounting department could be reached via a distribution group titled ACCOUNTING (Humor Zone: Kindly ignore the fact that this isn’t the type of group you would want to spend a rollicking New Year’s Eve with, as accountants are known for being somber). Distribution groups can include mail-enabled contacts, which are user accounts created to be available in the contacts list and receive e-mail at an external mail account. Mail-enabled users are not domain members, like a vendor with whom your company works. They should be included in all e-mail communications with a particular department or group and should show up in your GAL (Global Address List).
IMPORTANT: You can set up mail-enabled contacts with or without an Exchange mailbox. A mail-enabled contact is usually a member of a distribution group and cannot log on to the domain.
IMPORTANT: You can change a security group to a distribution group or vise versa in a Windows Server 2003 domain set at a functional level or in a Windows Server 2000 domain in native mode. This cannot be done in a Windows Server 2000 domain in mixed mode.
Creating the security or distribution group in SBS:
· Create and configure domain groups by going to Start, Server Management and, in the Server Standard Management console, the Security Group and Distribution Group link.
Creating the security or distribution group in Active Directory (only perform this on Windows Servers, not SBS):
· Create and configure domain groups by going to Start, All Programs, Administrative Tools Active Directory Users and Computers . Right-
click on domain, e.g. DomainName.local name, click New, click Group and enter the information into the New Object – Group windows.
Harry Brelsford, CEO at SMB Nation (www.smbnation.com)
MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)
PS – my Small Business Server 2008 (SBS 2008) book is now here!