Leveraging Domain Local, Global, and Universal Groups


The first step in developing an efficient and secure design for managing user permissions to resources is understanding groups in Windows Server 2003. The concept of groups is nothing new to system administrators. As will be emphasized in later sections, it is far easier and more efficient to assign permissions and rights to groups rather than individual users. This section will explore the various types of groups available with Windows Server 2003 Active Directory, how and when to use a particular type over another, and general best practices for designing your group structure.

Choosing the Appropriate Group Type

When a group is created in Active Directory, there are two decisions that need to be made. One decision concerns the scope of the group, which includes domain local, global, and universal. The other decision involves the group type: either security or distribution.

Security Groups

Security groups are the type of group administrators are most used to managing. Security groups are used to assign permissions to resources for a collection of users. Like user objects in Active Directory, each security group object is associated with a unique security identifier (SID). Active Directory uses this SID, not the group name, when it applies security to resources in the domain. Because of this unique SID, you cannot simply delete group A, rename group B to A, and expect the renamed group to inherit the security settings of the original group A: the renamed group still carries its own SID, and access control entries that referenced the old SID now point at a group that no longer exists.

Active Directory Permissions

You cannot assign Active Directory permissions using a distribution group. Distribution groups are usually only found in environments with Exchange 2000.


Distribution Groups

Distribution groups are group objects created so that group members can receive Simple Mail Transfer Protocol (SMTP) mail messages. Any application that can look for addresses in Active Directory (or perform LDAP lookups) can use this type of group object to send mail.

Mail-enabled Groups

Understanding the difference between security and distribution groups is a fairly familiar concept to most administrators, especially those working with Microsoft networks. With Exchange 2000, though, comes the concept of a mail-enabled group that is a combination of the security and distribution group concepts. A mail-enabled group is essentially a security group that is referenced by an e-mail address and can receive SMTP messages sent to it. This functionality is only possible in an Exchange 2000 (or higher) environment. An Exchange 2000 implementation is directly integrated with Active Directory, and as such actually extends the attributes of AD objects to include e-mail addresses.

This tight integration with Active Directory makes Exchange 2000 an attractive mail service option for companies already benefiting from Active Directory deployments. It also greatly simplifies group management: a system administrator can now create a single group that acts both as a security principal and as an e-mail address.

Once the functional level of a domain is Windows 2000 Native or higher, distribution and security groups are interchangeable. As part of a migration path from an NT environment to Windows Server 2003, legacy distribution groups can easily be converted to security groups, allowing for a simpler group structure. To convert a distribution group to a security group (or vice versa), follow these steps:

  1. Open Active Directory Users and Computers.

  2. In the console tree, click the group that will be converted. Right-click, and then select Properties.

  3. On the General tab, under Group Type, select Security, as shown in Figure 5.1. Click OK to complete the change.

    Figure 5.1. Changing a group type.


Windows 2000 Mixed Mode Functional Level

In a domain at the Windows 2000 mixed mode functional level, the alternate group type selection is grayed out. After the functional level has been raised, the Group Type selection on the group's properties page becomes available.
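Added here as an example (not the book's own steps): the same conversion done from PowerShell, reading the domain's ntMixedDomain attribute first so the script refuses in mixed mode just as the grayed-out dialog does. It assumes the ActiveDirectory PowerShell module is available (against Windows Server 2003 domain controllers that additionally requires the Active Directory Management Gateway Service) and uses a placeholder group name.

```powershell
# Added example, not from the book. Requires the ActiveDirectory PowerShell module;
# the group name at the bottom is a placeholder.
Import-Module ActiveDirectory

function Test-DomainNativeMode {
    # The domain object's ntMixedDomain attribute is 1 while the domain is in
    # Windows 2000 mixed mode and 0 once it has been raised to Windows 2000 native
    # or higher, which is the point at which the group type becomes changeable.
    $domainDN = (Get-ADDomain).DistinguishedName
    $domain   = Get-ADObject -Identity $domainDN -Properties ntMixedDomain
    return ($domain.ntMixedDomain -eq 0)
}

function Convert-GroupCategory {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][ValidateSet('Security','Distribution')][string]$Category
    )
    if (-not (Test-DomainNativeMode)) {
        throw "Domain is in Windows 2000 mixed mode; the group type cannot be changed yet."
    }
    $group = Get-ADGroup -Identity $Identity
    if ($group.GroupCategory -eq $Category) {
        Write-Warning "$Identity is already a $Category group; nothing to do."
        return $group
    }
    # Same change as the Group Type radio button on the General tab (Figure 5.1).
    # The group object, and therefore its SID, is kept; only the category changes.
    Set-ADGroup -Identity $Identity -GroupCategory $Category
    return Get-ADGroup -Identity $Identity
}

# Turn a legacy distribution list into a security group (placeholder name).
Convert-GroupCategory -Identity 'Legacy-Sales-DL' -Category Security
```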


Choosing the Appropriate Group Scope

There are four scopes to choose from when creating a group in Active Directory. Each scope serves a unique purpose, so it is important to understand the distinctions between them. The group scopes available are

  • Machine local groups

  • Domain local groups

  • Global groups

  • Universal groups

Machine Local Groups

Machine local groups are by and large the default groups built into the operating system. Local groups can be created on a local workstation or server, but for the most part, in networked environments, the only local groups are installed with the operating system. These groups can be used to apply permissions to resources, but only on the local machine. The most commonly used local groups in Windows operating systems are Administrators, Users, and Power Users. Backup Operators is also a commonly used group for granting permissions to back up local resources on a machine.

Machine Local Groups Are Not Present on Domain Controllers in Active Directory

When a member server is promoted to a domain controller, the original machine local groups and users are removed and replaced with domain groups and users. Any permissions set using local groups would have to be re-created with domain groups.


Using machine local groups to assign permissions to resources in a domain environment is not recommended, though they can be useful for assigning particular rights on individual workstations.

Domain Local Groups

Domain local groups are the next step up the ladder from machine local groups. Similar to local groups in Windows NT, domain local groups are "local" in the sense that they can be used to assign permissions only on resources within their own domain.

Although the domain local group can assign permissions on resources within its particular domain, it can contain members from anywhere in the Active Directory forest or even outside the forest if the external domains are trusted. Depending on the functional level of the domain, domain local groups can contain any of the following:

  • User accounts

  • Global groups

  • Universal groups (in AD Native mode)

  • Other domain local groups from the same domain (in AD Native mode)

Global Groups

Similar to global groups in Windows NT, Active Directory global groups can contain the following types of objects:

  • User accounts

  • Other global groups from the same domain (in AD Native mode)

When creating groups in Active Directory, global groups are the default. This group scope is useful for sorting users into easily identifiable groupings and can be used for granting permissions to resources in any domain in the forest.

BEST PRACTICE: Using Domain Local and Global Groups

As a best practice, use domain local groups to control access to resources and use global groups to organize users with similar roles or needs. When you follow this design plan, global groups are added as members of domain local groups, and the permissions on the resource are granted to the domain local group only. This gives those users access to the appropriate resources while limiting the effect of group membership changes on replication across the network environment.
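The nesting pattern from this best practice, driven from PowerShell, added here as an example (it is not code from the book). It assumes the ActiveDirectory PowerShell module is available; the OU, share path, group names and user names are placeholders.

```powershell
# Added example, not from the book. Requires the ActiveDirectory PowerShell module.
# OU, share path, group and user names below are placeholders.
Import-Module ActiveDirectory

$GroupsOU = 'OU=Groups,DC=example,DC=com'   # placeholder
$Share    = 'D:\Shares\Finance'              # placeholder

# 1. Global group: the role, i.e. who the users are. Global is the default scope.
$roleGroup = New-ADGroup -Name 'GG-Finance-Staff' -SamAccountName 'GG-Finance-Staff' `
    -GroupScope Global -GroupCategory Security -Path $GroupsOU -PassThru

# 2. Domain local group: the resource permission, i.e. what may be done on this share.
$aclGroup = New-ADGroup -Name 'DL-Finance-Modify' -SamAccountName 'DL-Finance-Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $GroupsOU -PassThru

# 3. Nest: the global group becomes a member of the domain local group. Users are
#    added only to the role group, so the ACL on the share never has to change and
#    a membership change replicates as a change to one small group object.
Add-ADGroupMember -Identity $aclGroup  -Members $roleGroup
Add-ADGroupMember -Identity $roleGroup -Members 'jdoe','asmith'   # placeholder users

# 4. Grant the permission to the domain local group only.
#    (OI)(CI) makes the entry inherit to files and subfolders; M is Modify.
$domainNetBIOS = (Get-ADDomain).NetBIOSName
icacls $Share /grant "${domainNetBIOS}\DL-Finance-Modify:(OI)(CI)M"

# Verify who effectively receives the permission by expanding the nesting.
Get-ADGroupMember -Identity $aclGroup -Recursive | Select-Object SamAccountName, objectClass
```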


Universal Groups

Introduced with Active Directory, and enhanced in Windows Server 2003, universal groups have the widest scope of all the group scopes. Universal groups can contain objects from any trusted domain, and can be used to apply permissions to any resource in the Active Directory forest.

Universal Security Groups

Universal security groups cannot be created unless the functional level of the domain is set to Windows 2000 Native.


When universal groups were introduced in Windows 2000, Microsoft made it possible to consolidate group membership across domain boundaries. Unfortunately, this functionality was limited by the fact that when the group membership of a universal group changed, the entire group membership would have to be replicated to every domain controller in the forest. System administrators would have to make prudent choices when creating and editing universal groups so as not to negatively affect replication traffic.

Windows Server 2003 enhances the functionality of universal groups in that replication of group membership is on a member-by-member basis rather than an entire group basis. This new functionality, called incremental universal group membership, drastically improves the replication impact on the network environment.

Although using universal groups is a feasible alternative to using global groups in Windows Server 2003 environments, it is still a best practice to reserve this group scope for situations where you need to group objects across domain boundaries.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325