Understanding Groups

By definition, groups in Microsoft Windows 2000 are Active Directory service or local computer objects that can contain users, contacts, computers, or other groups. In practice, though, a group is usually a collection of user accounts. The point of groups is to simplify administration by allowing the network administrator to assign rights and permissions by group rather than to individual users.

Windows 2000 allows two group types: security and distribution. Security groups are essentially the only groups used by Windows 2000 because they're the only groups through which permissions can be assigned. Each security group is also assigned a group scope, which defines how permissions are assigned to the group's members. Programs that can search Active Directory can use security groups for nonsecurity purposes, such as sending e-mail to a group of users. Distribution groups are not security enabled and can be used only with e-mail applications to send e-mail to sets of users.

Later in the chapter, you'll find sections on user rights and how they are defined and assigned to groups. Chapter 10 includes discussion of permissions and how they are assigned.

Assigning Group Scopes

When a group is created, it is assigned a group scope that defines how permissions will be assigned. The three possible group scopes—global, domain local, and universal—are defined in the following sections.

Global Scope

A group with a global scope is truly global in the sense that permissions can be granted for resources located in any domain. However, members can come only from the domain in which the group is created, and in that sense it is not global. Global groups are best used for directory objects that require frequent maintenance, such as user and computer accounts. Global groups can be members of universal and domain local groups in any domain, and they can have the following members:

  • Other global groups in the same domain
  • Individual accounts from the same domain

Domain Local Scope

A domain local group is the inverse of a global group in that members can come from any domain but the permissions can be only for resources in the domain in which the group is created. The members of a domain local group have a common need to access certain resources in a particular domain. Domain local groups can have one or more of the following members:

  • Other domain local groups in the same domain
  • Global groups from any domain
  • Universal groups from any domain
  • Individual accounts from any domain

The nesting rules (that is, the rules for placing groups within other groups) apply fully only in native mode—that is, when all of the domain controllers in the domain are Windows 2000 servers. In mixed-mode domains, security groups with global scope can contain only individual accounts, not other groups. Security groups with domain local scope can contain both global groups and accounts. For more on native vs. mixed mode, see Chapter 7.

Universal Scope

A universal security group can have members from any domain and can be assigned permissions to resources in any domain. Although the universal scope sounds like an ideal solution in a multiple-domain enterprise, it's available only in domains that are running in native mode. Universal groups can have the following members:

  • Other universal groups
  • Global groups
  • Individual accounts

Even in native mode, universal groups must be used with discretion because of the negative impact they can have on network performance, as described in the Real World sidebar, "How Groups Affect Network Performance."

Real World

How Groups Affect Network Performance

The importance of planning groups becomes even more apparent when you consider the negative effect that your group organization can have on network performance. When a user logs on to the network, the domain controller determines the user's group memberships and assigns a security token to the user. The token includes the security identifiers of all of the groups to which the user belongs, in addition to the user account ID. The more security groups the user belongs to, the longer it takes to assemble the token and the longer it takes the user to log on.

In addition, the security token, once assembled, is sent to every computer the user accesses. The target computer compares all of the security identifiers in the token against the permissions for all of the shared resources available at that computer. A large number of users added to a large number of shared resources (including individual folders) can take up a lot of bandwidth and processing time. One solution is to limit membership in security groups. Use distribution groups for categories of users that don't require specific permissions or rights.

Groups with universal scope will have a performance impact of their own because all such groups, along with their members, are listed in the Global Catalog. When there's a change to the membership in a group with universal scope, this fact must be relayed to every Global Catalog server in the domain tree, adding to the replication traffic on the network. Groups with global or domain local scope are also listed in the Global Catalog, but their individual members are not, so the solution is to limit the membership of universal groups primarily to global groups.
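The scope nesting rules above (including the mixed-mode restrictions) and the token-assembly walk from the sidebar, as an added Python model that is not part of the book; the domain and group names used with it are constructed for illustration.

```python
# Added example (not from the book): the Windows 2000 group-scope nesting rules
# described above, plus the transitive membership walk behind a logon token.
# Domain and group names used with this code are constructed.
from collections import namedtuple

# scope is one of: user, global, domain_local, universal
Principal = namedtuple("Principal", "name domain scope")

# Allowed member scopes per group scope: (member scope, same domain required)
NATIVE_RULES = {
    "global": {("global", True), ("user", True)},
    "domain_local": {("domain_local", True), ("global", False),
                     ("universal", False), ("user", False)},
    "universal": {("universal", False), ("global", False), ("user", False)},
}
# Mixed mode: global groups hold only accounts, domain local groups hold global
# groups and accounts, and universal groups are not available at all.
MIXED_RULES = {
    "global": {("user", True)},
    "domain_local": {("global", False), ("user", False)},
}

def can_contain(group, member, native_mode=True):
    """True if member may be added to group under the mode's nesting rules."""
    rules = NATIVE_RULES if native_mode else MIXED_RULES
    same_domain = group.domain == member.domain
    return any(kind == member.scope and (same_domain or not same_only)
               for kind, same_only in rules.get(group.scope, ()))

def add_member(membership, group, member, native_mode=True):
    """Record group -> member, refusing additions the scope rules forbid."""
    if not can_contain(group, member, native_mode):
        raise ValueError(f"{group.scope} group {group.name} cannot contain "
                         f"{member.scope} {member.name} from {member.domain}")
    membership.setdefault(group.name, set()).add(member.name)

def token_groups(user_name, membership):
    """Every group the user belongs to, directly or through nesting; each one
    adds a SID to the logon token, so more nesting means a larger token."""
    found, pending = set(), [user_name]
    while pending:
        name = pending.pop()
        for group, members in membership.items():
            if name in members and group not in found:
                found.add(group)
                pending.append(group)
    return found
```

Running a user through a global group nested in a universal group nested in another domain's domain local group yields three SIDs in the token, which is the cost the sidebar warns about.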



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
