| < Day Day Up > |
|
The manner in which groups are used in an Active Directory forest depends on the functional level of each domain. At some functional levels, such as Windows 2000 Mixed and Windows Server 2003 Interim, universal groups are not supported. Similarly, the functionality of global groups varies depending on the functional level of the domain. At the Windows Server 2003 functional level, global groups can contain other global groups from the same domain. Whenever possible, permissions should be assigned to groups rather than to individual users. The recommended technique for assigning permissions in forests is to add users in domains to global groups, add those global groups to forest-wide universal groups, and then add universal groups to domain local groups in which permissions should be applied. This makes the management of groups simpler and also reduces global catalog server replication traffic.
| < Day Day Up > |
|