If you have a large number of users on your network, assigning different permissions (or rights) to these users can be a gargantuan task. Network operating systems allow you to place users into groups. A group is a logical administrative container that holds a collection of user accounts.
Placing users into groups makes it much easier for you to assign permissions to your users. For example, if you have a shared folder where 20 users need to be able to add and delete files in the folder, you could place all these users in a group and then assign the appropriate permissions to that group. If another subset of your users only needs the Read permission for files in that shared folder, you could create a second group and assign the appropriate permission level.
Groups really become security containers that allow you to provide permission levels by group membership. For example, if a new employee joins your company and needs a certain access level to a resource, all you have to do is make him a member of the appropriate group.
Most network operating systems make it very easy for you to create groups and then assign these groups different permission levels related to network resources. For example, in the Windows network environment where a server is running Windows 2000 Server or Windows Server 2003, the network administrator uses the Active Directory to create new groups; the new groups are created as objects in the Active Directory. Figure 20.7 shows the New Object - Group dialog box accessed via the Active Directory Users and Computers snap-in.
Figure 20.7. New groups can be added to the Windows Active Directory.
Once the new group has been created, users can be added to the group. Assigning different access levels to the group is handled in the same way permissions or rights are assigned to individual users (as discussed in the previous section).
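The same two-group arrangement for a shared folder can also be scripted. The following is an added example, not part of the original text: it assumes the ActiveDirectory PowerShell module (which is newer than the Windows 2000 Server and Windows Server 2003 tools described here), and the domain, OU, folder path, group names, and user names are all constructed placeholders.

```powershell
# Added example: one group per access level on a shared folder.
# Every name below is a constructed placeholder; substitute your own.
Import-Module ActiveDirectory

$domain = 'EXAMPLE'                       # assumed NetBIOS domain name
$ou     = 'OU=Groups,DC=example,DC=com'   # assumed OU that holds the groups
$folder = 'D:\Shares\Projects'            # assumed path of the shared folder

# The plan: which group gets which NTFS right, and who belongs to it.
$plan = @(
    @{ Name = 'Projects-Modify'; Rights = 'Modify'; Members = @('asmith', 'bjones') },
    @{ Name = 'Projects-Read';   Rights = 'Read';   Members = @('cdoe') }
)

# Apply the entries to this folder, its subfolders, and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path $folder

foreach ($entry in $plan) {
    # Create the security group only if it is not already in the directory.
    if (-not (Get-ADGroup -Filter "Name -eq '$($entry.Name)'")) {
        New-ADGroup -Name $entry.Name -SamAccountName $entry.Name `
            -GroupCategory Security -GroupScope Global -Path $ou
    }

    # Access comes from membership, so adding a user here is all a new hire needs.
    Add-ADGroupMember -Identity $entry.Name -Members $entry.Members

    # Grant the right to the group, never to the individual accounts.
    $identity = "$domain\$($entry.Name)"
    $rights   = [System.Security.AccessControl.FileSystemRights]$entry.Rights
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, $rights, $inherit, $propagate, $allow
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $folder -AclObject $acl

# Review: the explicit entries on the folder should name groups only.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

The review step at the end is worth repeating periodically: an explicit entry that names an individual user instead of a group is access that the group plan does not account for.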
Keeping track of the permissions you have assigned to a few groups rather than a ton of users makes a great deal of sense. As with all the other aspects of building a network infrastructure, you should probably sit down and plan out how you will use groups in relation to resource access before you start banging away at the particular server utility that allows you to create groups.