Tuesday, February 28, 2012

WD Lesson - 32

Understanding Groups

  • A group is a collection of user accounts. Groups simplify administration by allowing us to assign permissions and rights to a group of users at once.
  •  Users can be members of more than one group. Permissions control what users can do with a resource, such as a folder, file, or printer.
 

Group Types
  • Active Directory provides two types of groups:
  1. Security
  2. Distribution
These types determine how you use the group.
  • Both types of groups are stored in the database component of Active Directory, which allows us to use them anywhere in our network.

1. Security Groups
  • Windows Server 2003 uses only security groups, which we use to assign permissions to gain access to resources. A security group has all the capabilities of a distribution group.
  • Programs that are designed to search Active Directory can also use security groups for non-security purposes, such as retrieving user information for use in a Web application.

2. Distribution Groups
  • Applications use distribution groups as lists for non-security-related functions. So we should use distribution groups when the only function of the group is non-security-related, such as sending e-mail messages to a group of users at the same time.
  • We cannot use distribution groups to assign permissions. Only programs that are designed to work with Active Directory can use distribution groups.

Group Scopes
  • When we create a group, we must select a group type and a group scope. Group scopes allow us to use groups in different ways to assign permissions.
  • The scope of a group determines where in the network we can use the group to assign permissions.


The three group scopes are:
  • global
  • domain local
  • universal

as shown in the table below:

Group          Users Membership   Resources Access
Global         local              any
Domain local   any                local
Universal      any                any

Planning Global and Local Groups
Global and domain local groups are listed in the global catalog, but their members are not. The following strategy can be followed for planning global and local groups:
  1. Assign users with common job responsibilities to global groups.
  2. Create a domain local group for resources to be shared.
  3. Add the global groups that need access to the resources to the domain local group.
  4. Assign resource permissions to the domain local group.
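
The four steps above, written out as an added PowerShell example (not part of the original lesson). It assumes the ActiveDirectory module from RSAT is available; the domain, OU, group names, user accounts and folder path are hypothetical placeholders. The last two statements check that the domain local group holds only groups and list the explicit entries on the folder, so that grants made directly to users or global groups stand out.

```powershell
# Added example: every name, path and account below is a hypothetical placeholder.
Import-Module ActiveDirectory   # assumption: RSAT Active Directory module is installed

$ou      = 'OU=Groups,DC=corp,DC=example'   # hypothetical OU for the new groups
$users   = 'asmith', 'bjones'               # hypothetical users with the same job role
$folder  = 'D:\Shares\Sales'                # hypothetical shared resource
$netbios = 'CORP'                           # hypothetical NetBIOS domain name
$gg      = 'GG-Sales-Staff'                 # global group (who the users are)
$dl      = 'DL-SalesShare-Modify'           # domain local group (what they may access)

# Step 1: global security group for users with common job responsibilities.
New-ADGroup -Name $gg -SamAccountName $gg -GroupScope Global `
    -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $gg -Members $users

# Step 2: domain local security group for the resource to be shared.
New-ADGroup -Name $dl -SamAccountName $dl -GroupScope DomainLocal `
    -GroupCategory Security -Path $ou

# Step 3: add the global group (not the users) to the domain local group.
Add-ADGroupMember -Identity $dl -Members $gg

# Step 4: assign the resource permission to the domain local group only.
$ruleArgs = "$netbios\$dl", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check 1: the domain local group should contain groups, never individual users.
$direct = Get-ADGroupMember -Identity $dl | Where-Object { $_.objectClass -eq 'user' }
if ($direct) {
    Write-Warning "Users added directly to ${dl}: $($direct.SamAccountName -join ', ')"
}

# Check 2: list explicit (non-inherited) entries on the folder for review.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```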


Planning Universal Groups
Use universal groups to grant or deny access to resources that are located in more than one domain. We can use the following strategy for planning universal groups:
  • Add global groups, not users, to universal groups. The global groups are the members of the universal group. Keep the number of group members in universal groups as low as possible.
  • Change the membership of universal groups as infrequently as possible, by requiring all members of universal groups to be global groups and making individual membership changes in the global groups.

