Thursday 28 July 2011

Windows Groups and Scopes

Hi Friends,

Today I will share with you some knowledge of Windows groups and group scopes. I have seen that many people do not have a clear idea of the difference between the two, and of why the scope matters when you assign permissions.

So let’s have details on this.

Group:- A group is a container object that holds user and computer objects (and other groups). The objects held in a group are known as its members. Assigning a security permission to a group on a resource ensures that every member of the group receives that permission, so you manage the group's membership instead of editing the resource's permission list each time.

Types of Groups:

  1. Distribution group
  2. Security group
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to a collection of users. Distribution groups are not security-enabled, which means they have no security identifier that can be evaluated for access and therefore cannot be listed in an access control list (ACL).
Security groups are used to grant access to resources on a network. Security groups can be assigned user rights in Active Directory and permissions on shared resources on the network, and they are the groups that appear in ACLs.
Group Scopes:-

Every group, whether security or distribution, also has a scope. The scope identifies the extent to which the group can be used in the domain tree or forest: where its members may come from, and where it can be assigned permissions.

There are three group scopes: 

         1. Domain Local
         2. Global Group
         3. Universal Group

1. Domain Local:- Members of a domain local group can include accounts and groups from any domain in the forest, but the group can be assigned permissions only within the domain in which it is created.

·     Members can be from any domain.
·     Can be given permissions only in the domain in which it is created.

2. Global Group:- Members of a global group can include accounts and other global groups only from the domain in which the group is defined, but the group can be assigned permissions in any domain in the forest.

·     Members can be only from the domain in which the global group is created.
·     Can be given permissions in any domain.

 3. Universal Group:- Members of a universal group can include accounts and groups from any domain in the domain tree or forest, and the group can be assigned permissions in any domain in the domain tree or forest.

·     Members can be from any domain.
·     Can be given permissions in any domain.

Usage of group with Domain Local Scope

Groups with domain local scope help you define and manage access to resources within a single domain.

Let’s take an example:-

You need to give ten users access to a particular folder, Folder A. You could add all ten user accounts to the folder's permission list. If, however, you later want to give the same ten users access to another folder, Folder B, you would again have to add all ten accounts to the permission list of the new folder, and every time a user joins or leaves the team you would have to edit both ACLs.


If you understand groups, you can simplify this administrative task. Create a group with domain local scope and assign it permission to access Folder A. Put the ten user accounts in a group with global scope and add that global group as a member of the domain local group. When you want to give the ten users access to Folder B, assign the same domain local group permission to access Folder B. All members of the global group automatically get access to Folder B, and adding or removing a user is a single change to the global group's membership.


Now you may have a question in your mind: why did we use a global group in the above scenario instead of putting the users straight into the domain local group?

The answer is that it is a best practice, and the Microsoft recommended model, to use A-G-DL-P when assigning permissions:
                  A->G->DL->P    A=Accounts  G=Global groups  DL=Domain local groups  P=Permissions.

What this model means is that you put user Accounts into Global groups (which describe who the people are, e.g. a team or role), put the global groups into Domain Local groups (which describe what may be done to a resource), and then assign Permissions to the domain local group. The ACL on the resource then names one domain local group and is never edited again; membership changes happen on the global group, whose changes stay inside its own domain. You can assign permissions directly to any type of group, but the recommended model is A-G-DL-P.
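The A-G-DL-P pattern above, scripted end to end as an added example (this is not code from the original post). It assumes the ActiveDirectory PowerShell module (RSAT or a Windows Server 2008 R2 domain controller), and the OU path, user names, group names and folder paths are all assumptions for the illustration:

```powershell
# Added example: A-G-DL-P for Folder A and Folder B with the ActiveDirectory module.
# OU, user, group and folder names below are assumed for the illustration.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=a,DC=com'            # assumed OU for the new groups
$users   = 'user01','user02','user03'          # A: assumed sAMAccountNames
$global  = 'GL-Finance-Staff'                  # G: who the people are
$local   = 'DL-FinanceFolders-Modify'          # DL: what may be done to the resource
$folders = '\\fs01\FolderA','\\fs01\FolderB'   # P: assumed resources

# G: the global group holds the accounts (members must come from this domain).
New-ADGroup -Name $global -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $global -Members $users

# DL: the domain local group is the one that gets permissions. It can contain
# global groups from any domain in the forest, but it is only usable in this domain.
New-ADGroup -Name $local -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $local -Members $global

# P: grant the domain local group Modify on each folder. Giving the team a new
# folder later is just this loop for the new path; the user list is never touched.
$netbios = (Get-ADDomain).NetBIOSName
foreach ($folder in $folders) {
    $acl  = Get-Acl -Path $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$local",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# Check: the ACL names only the domain local group; the users arrive through nesting.
(Get-Acl -Path $folders[0]).Access | Where-Object { $_.IdentityReference -like "*\$local" }
Get-ADGroupMember -Identity $local -Recursive | Select-Object Name, objectClass
```

Run it once from an account that can create groups in the OU and change the folder ACLs. The final two lines are the check you want after any permission change: the ACE on the folder should show the DL group only, while Get-ADGroupMember -Recursive should list the individual users that reach the folder through the global group.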

Usage of group with Global Scope

Groups with global scope are usually used to manage user and computer accounts that require day-to-day maintenance. The membership of a global group is not replicated outside its own domain: the global catalog holds the group object, but not its member list. Accounts in a global group can therefore be added and removed frequently without generating replication traffic to the global catalog servers; the changes stay within the domain where the group exists. This is the main reason the accounts go into global groups rather than directly into universal groups.

Let’s take an example:-


In a network with two domains, A.com (India) and B.com (USA), if there is a group with global scope called GLFinance in the A.com (India) domain, there can also be a separate group called GLFinance in B.com (USA). A global group is defined within its own domain, so its name only has to be unique there, and each domain's GLFinance group contains only accounts from that domain.

It is strongly recommended that you use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects that are replicated to the global catalog, because a domain local group can only be evaluated in the domain where it was created.

Usage of group with Universal Scope

Groups with universal scope are usually used to consolidate groups that span different domains. To do this, add the accounts to global groups in each domain and nest those global groups within a universal group. Using this strategy, membership changes in the global groups do not change the membership of the universal group, so they do not cause the universal group to be replicated to the global catalog again.

Let’s take an example:-


In a network with two domains, A.com (India) and B.com (USA), and a group having global scope called GLFinance in each domain, create a group with universal scope called UFinance to have as its members the two GLFinance groups, A.com (India) and B.com (USA). The UFinance group can then be used anywhere in the enterprise. Any changes in the membership of the individual GLFinance groups will not cause replication of the UFinance group.
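The UFinance consolidation described above, as an added example rather than code from the original post. It assumes the ActiveDirectory module and a forest containing the two domains named in the text, a.com and b.com; the OU path is an assumption:

```powershell
# Added example: nest each domain's GLFinance global group in one universal group.
# Domain names follow the text above; the OU path is assumed.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=a,DC=com'

# A global group can only be populated in its own domain, so each GLFinance is
# looked up on a domain controller of the domain that owns it.
$glIndia = Get-ADGroup -Identity 'GLFinance' -Server 'a.com'
$glUsa   = Get-ADGroup -Identity 'GLFinance' -Server 'b.com'

# The universal group lives in a.com, but its membership is replicated to every
# global catalog in the forest. That is why it holds two groups rather than the
# individual accounts: day-to-day joins and leaves happen in the global groups
# and never change the universal group's member attribute.
New-ADGroup -Name 'UFinance' -GroupScope Universal -GroupCategory Security `
    -Path $ou -Server 'a.com'

# Write the member DNs directly; DNs from another domain in the same forest are valid members.
Set-ADGroup -Identity 'UFinance' -Server 'a.com' `
    -Add @{ member = $glIndia.DistinguishedName, $glUsa.DistinguishedName }

# Check the scopes of all three groups and the nesting; UFinance should list both GLFinance groups.
$glIndia, $glUsa | Select-Object Name, DistinguishedName, GroupScope
Get-ADGroup -Identity 'UFinance' -Server 'a.com' -Properties member |
    Select-Object Name, GroupScope, member
```

UFinance can now be granted permissions on resources in either domain, while new finance staff in India or the USA are simply added to the local GLFinance group.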

Tuesday 26 July 2011

How to change SID in Windows Server 2008 R2

Most tech guys work on VMware or other virtual platforms and install an OS once, then create multiple copies of it. Two things are involved in making such a copy:
1.      Cloning the virtual machine, which copies the machine SID along with everything else, so every clone starts out with the same SID as the original.
2.      Changing the SID of the cloned OS so that it does not conflict with the original or with the other clones.

On previous versions of Windows, such as Server 2003, we usually used the Sysinternals NewSID.exe to change the SID; that tool has since been retired and is not supported on newer releases. If you use NewSID.exe on Windows Server 2008 it still works, but if you use it on Windows Server 2008 R2 the OS is left unbootable and drops into recovery mode every time you restart.

In this blog post I will describe how to change the SID on Windows Server 2008 R2.
The supported method is to use sysprep with the Generalize option.

First, click on  Start->Run, type sysprep and press OK.


This will open the sysprep folder, which is located at C:\Windows\System32\sysprep. Open the sysprep application (sysprep.exe) from there.



This will open System Preparation Tool 3.14 window. As a System Cleanup Action select Enter System Out-of-Box Experience (OOBE).

Important: select Generalize if you want to change SID, it’s not selected by default.

As Shutdown Options select Reboot.




It will take some time for sysprep to finish.




After rebooting you will have to enter some data, like Country or region, Time and currency and Keyboard input.



Also, you will have to accept the EULA and set the Administrator password again. After booting, in Server Manager you will see that machine-specific settings have been reset: the computer gets a new name, the machine SID is new, and settings you configured earlier have to be redone, as on a freshly installed OS. If the original machine was joined to a domain, remove it from the domain before running sysprep, because the clone needs to be joined as a new computer account.



To confirm that the SID really changed, compare the machine SID before and after the sysprep run.
The Sysinternals PsGetSid utility is a very small tool for this: run psgetsid.exe with no arguments and it prints the computer's SID.
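The same check done without PsGetSid, as an added example that is not part of the original post. It records the machine SID to a file, runs sysprep with the same options as the GUI steps above (OOBE, Generalize, Reboot), and on the next run after the OOBE compares the old and new SIDs. It assumes Windows Server 2008 R2 with PowerShell 2.0 and an elevated session; the file location is an assumption:

```powershell
# Added example: record the machine SID, generalize, then verify it changed.
# Assumes an elevated PowerShell 2.0 session on Windows Server 2008 R2.

function Get-MachineSid {
    # Every local account SID is <machine SID>-<RID>. The built-in Administrator
    # account always has RID 500, even if it has been renamed, so its SID minus
    # the last component is the machine SID.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
    return $sid.AccountDomainSid.Value
}

$record = Join-Path $env:SystemDrive 'sid-before-sysprep.txt'   # assumed location

if (Test-Path $record) {
    # Second run, after the reboot and OOBE: compare old and new machine SIDs.
    $before = (Get-Content $record).Trim()
    $after  = Get-MachineSid
    if ($before -ne $after) {
        Write-Output "Machine SID changed: $before -> $after"
    } else {
        Write-Warning "Machine SID unchanged ($after). Was Generalize selected?"
    }
    Remove-Item $record
} else {
    # First run: save the current SID, then generalize and reboot into OOBE.
    # Same actions as the GUI: Enter System OOBE + Generalize + Reboot.
    Get-MachineSid | Set-Content $record
    & "$env:SystemRoot\System32\sysprep\sysprep.exe" /generalize /oobe /reboot
}
```

Run the script once before sysprep and once after you have completed the OOBE screens; the file on the system drive survives the generalize pass, so the second run has the old value to compare against. The warning branch is the case you care about: if Generalize was not selected the OOBE still runs but the SID stays the same.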

Monday 25 July 2011

DNS Query

DNS servers recognize two types of name resolution query:
  1.  Recursive query
  2.  Iterative query

We can define both in a simple way. In an iterative query the DNS server says "I'll tell you what I know": it returns the answer if it is authoritative for the name or has it cached, and otherwise returns a referral to name servers that are closer to the answer (for example the servers for the .com zone), leaving the client to ask them next. In a recursive query the DNS server says "I will research the answer and then let you know": it takes the single query from the client, performs the chain of iterative queries itself (root servers, then the TLD servers, then the authoritative servers), and returns either the final answer or a failure to the client.
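To make the difference concrete, here is an added example (not from the original post) that models both query types against a constructed in-memory zone tree of root -> com -> example.com. The server names, the zone data and the address 192.0.2.10 are all made up for the illustration:

```powershell
# Added example: toy iterative and recursive resolution over constructed zone data.
# Each "server" knows only its own zone: an answer if it is authoritative,
# otherwise a referral to the servers one label further down.
$servers = @{
    'root' = @{ delegations = @{ 'com.' = 'tld' } }
    'tld'  = @{ delegations = @{ 'example.com.' = 'auth' } }
    'auth' = @{ records     = @{ 'www.example.com.' = '192.0.2.10' } }
}

function Get-ServerResponse($serverName, $qname) {
    # Iterative behaviour: "I'll tell you what I know" and nothing more.
    $s = $servers[$serverName]
    if ($s.records -and $s.records.ContainsKey($qname)) {
        return @{ type = 'ANSWER'; data = $s.records[$qname] }
    }
    $best = $null
    if ($s.delegations) {
        foreach ($zone in $s.delegations.Keys) {
            # Refer to the most specific delegation that covers the query name.
            if ($qname -eq $zone -or $qname.EndsWith(".$zone")) {
                if (-not $best -or $zone.Length -gt $best.Length) { $best = $zone }
            }
        }
    }
    if ($best) { return @{ type = 'REFERRAL'; data = $s.delegations[$best] } }
    return @{ type = 'NXDOMAIN'; data = $null }
}

function Resolve-Iterative($qname) {
    # The client does the walking: start at the root and follow every referral.
    $server = 'root'
    $trace  = @()
    while ($true) {
        $r = Get-ServerResponse $server $qname
        $trace += "$server -> $($r.type)"
        switch ($r.type) {
            'ANSWER'   { return @{ address = $r.data; trace = $trace } }
            'REFERRAL' { $server = $r.data }
            default    { return @{ address = $null;   trace = $trace } }
        }
    }
}

function Resolve-Recursive($qname) {
    # The recursive server takes one query from the client, performs the whole
    # iterative walk itself, and hands back a single answer or failure.
    $inner = Resolve-Iterative $qname
    return @{
        address = $inner.address
        trace   = @("client -> recursive server: $qname",
                    "recursive server made $($inner.trace.Count) iterative queries",
                    "recursive server -> client: $(if ($inner.address) { $inner.address } else { 'NXDOMAIN' })")
    }
}

$i = Resolve-Iterative 'www.example.com.'
"Iterative client view:"; $i.trace; "Result: $($i.address)"
$r = Resolve-Recursive 'www.example.com.'
"Recursive client view:"; $r.trace
$n = Resolve-Recursive 'nope.example.com.'
"Recursive client view (no such name):"; $n.trace
```

The iterative trace shows three exchanges seen by the client (root referral, .com referral, authoritative answer); the recursive trace shows the client sending one query and receiving one reply, with the three-step walk hidden inside the recursive server.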