Groups: Notes



Domain Setting

If you make a user a member of a group in order to grant the user permissions on network resources but the user is currently logged on to a computer in the forest, the new permissions will not take effect until the user next logs on to the network.

You can change both the type and scope of a group after it has been created, which gives administrators a lot of flexibility.

Use simple and meaningful names for your groups to help other administrators locate them in Active Directory and to minimize the amount of time you spend documenting your arrangement. For example, if the parent domain is mtit.com, use Support for the global group used for customer support people in your domain. Child domains, such as ny.mtit.com and sf.mtit.com, could use Support NY and Support SF for their corresponding global groups in the New York and San Francisco branch offices.

Domain local, global, and universal groups are created by default within the Users folder of the Active Directory Users and Computers console, but they can also be created in any OU you choose or in a user-defined OU.

You must be a member of the Enterprise Admins group to modify the membership of universal groups.

Workgroup Setting

Do not create local groups on computers that belong to a domain since local groups can be used to secure resources located only on the computer on which you create them.

You can't create local groups on a WS2003 domain controller since a domain controller has no local security database.

Built-in Groups

Members of the Guests built-in group can't permanently modify the desktop settings on their WS2003 computer.

If additional services like Internet Information Services or Terminal Services are installed on a standalone server, additional built-in user accounts will be created as members of the Guests group.

You can't change the scope (domain local, global, or universal) or the type (security or distribution) of a built-in group. This provides an easy way to determine whether a given group is built-in or user-defined.

Limit membership in the Domain Admins global group for each domain. Members of this group have powerful privileges, including the ability to define domainwide security policies and the ability to take ownership of any object in the domain. A good strategy is to keep membership in this group small and to delegate limited administrative authority over different OUs in the domain to specific groups of trusted users.
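An added example, not from the book: one way to check the "keep Domain Admins small" advice above is to parse saved `net group "Domain Admins" /domain` output and compare it with an approved list. The sample output, the account names, the `max_members` threshold and the 25-character column layout are assumptions made for this illustration.

```python
COLUMN_WIDTH = 25  # assumed width of each member column in `net group` output

def _row(*names):
    # Build one constructed output row with fixed-width columns.
    return "".join(n.ljust(COLUMN_WIDTH) for n in names)

# Constructed sample of `net group "Domain Admins" /domain` output.
SAMPLE = "\n".join([
    "Group name     Domain Admins",
    "Comment        Designated administrators of the domain",
    "",
    "Members",
    "",
    "-" * 79,
    _row("Administrator", "jsmith", "svc backup"),
    _row("tmp_contractor"),
    "The command completed successfully.",
])

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        if set(line.strip()) == {"-"}:
            in_list = True
        elif in_list and line.startswith("The command completed"):
            break
        elif in_list:
            # Slice by column so names that contain spaces stay intact.
            for i in range(0, len(line), COLUMN_WIDTH):
                name = line[i:i + COLUMN_WIDTH].strip()
                if name:
                    members.append(name)
    return members

def audit(output, approved, max_members=3):
    """Compare actual membership with an approved list, case-insensitively."""
    members = parse_members(output)
    allowed = {a.lower() for a in approved}
    return {
        "members": members,
        "unexpected": [m for m in members if m.lower() not in allowed],
        "too_many": len(members) > max_members,
    }

if __name__ == "__main__":
    print(audit(SAMPLE, ["Administrator", "jsmith", "svc backup"]))
```

Run on a schedule against fresh output, a non-empty `unexpected` list or a true `too_many` flag is the signal to review who was added to the group and why.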

Use built-in groups wherever possible to simplify the task of granting users rights and permissions to use network resources, and add users only to those groups that give the users just enough rights and permissions to access the resources they need on the network.

In addition to user accounts and other groups, you can also make computer accounts and contacts into members of groups. Active Directory provides a great deal of flexibility in how groups can be used.

See Also

Domain, net group, net localgroup, Users



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch
