Once you've planned your strategy and tested it using a variety of scenarios, you're ready to begin putting the structure into place.
Use Active Directory Users and Computers to create and delete groups. Groups should be created in the Users container or in an OU that you've created for the purpose of containing groups. To create a group, follow these steps:
Figure 9-1. Creating a new group.
When groups are no longer needed, be sure to delete them from the system promptly. Unnecessary groups are a security risk because it is all too easy to grant permissions unintentionally.
Each group, like each user, has a unique security identifier (SID). The SID is used to identify the group and the permissions assigned to the group. When the group is deleted, the SID is deleted and not used again. If you delete a group and decide later to re-create it, you will have to configure the users and permissions as if for a new group.
To delete a group, merely right-click its name in Active Directory Users and Computers and choose Delete from the shortcut menu. Deleting a group deletes only the group and the permissions associated with the group. It has no effect on the accounts of users who are members of the group.
Once you've created a group, you'll need to add members to it. As mentioned earlier in the chapter, groups can contain users, contacts, other groups, and computers. To add members to a group, follow these steps:
A contact is an account without security permissions and is typically used to represent external users for the purpose of e-mail. You can't log on to the network as a contact.
Figure 9-2. Adding an account to a group.
Over time, you might find that you need to change the scope of a particular group. For example, you might need to change a global group to a universal group so that users from another domain can be part of the group. However, the types of changes that can be made to a group scope are quite limited, and you might need to delete the group and create a new one to get the configuration you need.
To change a group scope, right-click the group name in Active Directory Users and Computers and choose Properties from the shortcut menu. Make the necessary changes in the General tab, and click OK when you're finished. The rules for changing a group scope are as follows:
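The same group lifecycle the chapter walks through in Active Directory Users and Computers (create in a groups OU, add members, change scope, note the SID, prune unused groups, delete), as an added example that is not from the book. It assumes the ActiveDirectory PowerShell module (a later addition, not available on Windows 2000), a domain named example.com, an existing OU named Groups, and placeholder accounts jsmith, WS01 and HelpDesk.

```powershell
# Added example, not the book's own procedure. Assumes the ActiveDirectory module,
# domain example.com, an OU "Groups" created to hold groups, and placeholder accounts.
Import-Module ActiveDirectory

$groupsOu = 'OU=Groups,DC=example,DC=com'   # assumed OU created for containing groups

# Create a global security group in the Groups OU (the chapter's "create a group" step).
New-ADGroup -Name 'Project Alpha' -SamAccountName 'ProjectAlpha' `
    -GroupScope Global -GroupCategory Security -Path $groupsOu

# Add members: users, computers and other groups are all valid members.
Add-ADGroupMember -Identity 'ProjectAlpha' -Members 'jsmith', 'WS01$', 'HelpDesk'

# Change the scope from global to universal so accounts from another domain can join.
Set-ADGroup -Identity 'ProjectAlpha' -GroupScope Universal

# Record the SID before deleting: it is never reused, so a re-created group with the
# same name is a new principal and its permissions must be configured again.
$sid = (Get-ADGroup -Identity 'ProjectAlpha').SID.Value
Write-Output "ProjectAlpha SID: $sid"

# Housekeeping the chapter recommends: list groups in the OU that have no members so
# they can be reviewed and deleted instead of lingering as places to misgrant permissions.
Get-ADGroup -Filter * -SearchBase $groupsOu |
    Where-Object { -not (Get-ADGroupMember -Identity $_) } |
    Select-Object Name, GroupScope, SID

# Delete the group once it is no longer needed; member user accounts are unaffected.
Remove-ADGroup -Identity 'ProjectAlpha' -Confirm:$false
```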
A local group is a collection of user accounts on a single computer. The user accounts must be local to the computer, and members of local groups can be assigned permissions for resources only on the computer where the local group was created.
Local groups can be created on any Windows 2000 computer except domain controllers. In general, you don't want to use local groups on a computer that's part of a domain or, at least, you want to do so sparingly. Local groups don't appear in Active Directory, so you must administer local groups separately on each individual computer. To create a local group, follow these steps:
Figure 9-3. Viewing local groups in the Computer Management MMC snap-in.