Hello there – I am the publisher of the 70-282 exam cram and I like to hold virtual book readings. So here is a passage on group strategies. BTW – my SBS 2008 book is now HERE!
There is one acronym that you should remember, AGDLP, which is the user and group management strategy model recommended for single domains. Let me explain it in more detail:
Chapter 6 Securing Windows Small Business Server 2003
· Put user accounts (A) into global groups (G).
· Put global groups (G) into domain local groups (DL).
· Grant permissions (P) to the domain local group (DL).
All right, I know this looks somewhat confusing at first, so let me elaborate. Say you have a client site with 40 users: 10 users work in a call-center processing orders over the phone, five users are in charge of creating marketing material, and the other 25 users are down in the warehouse packing and shipping orders. All users must have access to the order/processing application and be able to print reports. There are several printers in the business: two high-speed color laser printers, two black-and-white laser printers, and the rest are older inkjet printers.
The owners want only the marketing team to use the high-speed color printers. The call-center is to use the black-and-white laser printers and the shop floor to use the older printers.
In this case, you should create three separate security groups, and call them Marketing, CallCenter, and ShopDudes.
1. On the high-speed color laser printer, select Properties, then Security. Add the Marketing security group and assign the Print, Manage Printers, and Manage Documents permissions.
2. Remove the Everyone group from the group names dialog box.
3. Follow the same procedure for the black-and-white laser printer, adding the CallCenter group and removing the Everyone group.
4. Follow the same procedure for the older printers on the shop floor, adding the ShopDudes group and removing the Everyone group.
5. For the order/processing application, create an OrderProcessingGroup, then add all three groups (Marketing, CallCenter, and ShopDudes) to it. Configure the NTFS permission on the folder where the application is housed for access by the OrderProcessingGroup.
Now you have ensured that everyone can print only to the printers they should have access to and that all users have access permission to the order/processing application. You may think creating the security groups is a lot of work. However, you have just organized the permission structure so that you only have to place people in one group and they automatically get all the appropriate permissions. Then, when someone switches departments, leaves the company, or comes on board, you just add or remove their user account in the appropriate security group instead of assigning the user account to each individual resource, which makes life as an administrator that much easier.
IMPORTANT: Having a simple acronym such as “AGDLP” committed to memory will help you recall a complex study topic during the heat of the battle when taking the 70-282 exam. It’s a time-tested trick for passing exams.
No wizard exists in SBS to place one security group into another. Therefore the following steps apply to SBS and Windows Server 2000/2003 domains.
• To nest one group into another, go to Start, All Programs, Administrative Tools, Active Directory Users and Computers. Expand DomainName.local and select the group you want to place into another group or place another group into. Click Properties and click either the Members or Member Of tab (depending on the action you want to take), click Add, and in the Select Users, Contacts, Computers, or Groups dialog box, enter the name of the group (or browse to it) and click OK.
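To check what the nesting above actually grants, the following added example (not from the book) models the printer and order-application scenario and resolves each user's effective access through nested groups. The user names and resource labels are constructed for illustration; it also shows that a department switch is a single membership change and that an accidental circular nesting widens access.

```python
from collections import deque

# Constructed model of the scenario above; user names are hypothetical.
# group -> direct members (user accounts or other groups)
MEMBERS = {
    "Marketing": {"alice"},
    "CallCenter": {"bob"},
    "ShopDudes": {"carol"},
    "OrderProcessingGroup": {"Marketing", "CallCenter", "ShopDudes"},
}

# resource -> groups on its ACL (Everyone already removed, as in steps 2-4)
ACLS = {
    "color-laser": {"Marketing"},
    "bw-laser": {"CallCenter"},
    "inkjet": {"ShopDudes"},
    "order-app-folder": {"OrderProcessingGroup"},
}

def groups_of(principal, members):
    """Return every group the principal is in, directly or through nesting."""
    found, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group, direct in members.items():
            # 'found' also stops the walk if groups are nested in a loop
            if current in direct and group not in found:
                found.add(group)
                queue.append(group)
    return found

def resources_for(user, members, acls):
    """Resources whose ACL names any group the user holds."""
    held = groups_of(user, members)
    return sorted(r for r, granted in acls.items() if granted & held)

def move_user(user, old_group, new_group, members):
    """Department switch: one membership change, no ACL is edited."""
    members[old_group].discard(user)
    members[new_group].add(user)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, resources_for(user, MEMBERS, ACLS))
    move_user("alice", "Marketing", "ShopDudes", MEMBERS)
    print("alice after moving to the warehouse:", resources_for("alice", MEMBERS, ACLS))
```
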
Harry Brelsford, CEO at SMB Nation (www.smbnation.com)
MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)
PS – my Small Business Server 2008 (SBS 2008) book is now here!