Planning a Group Strategy

Looking at your network and the various group types, and then factoring in your specific needs and what you want to accomplish, you might end up feeling as though you're working on a logic puzzle: Claire lives in a blue house, Luisa collects stamps, Sam drives a Toyota, and Ross eats cheese. Which one has red hair?

Nevertheless, as in so many other aspects of network administration, planning is the essential step. The domain mode determines the types of groups available to you. A mixed-mode domain can't support groups with universal scope. Thus, as long as you have Microsoft Windows NT backup domain controllers, you are limited to groups with global and domain local scopes. However, with some thought and the use of nesting, these two types of security groups can suffice for almost all purposes.

Determining Group Names

In planning your groups, you should determine a naming scheme that is appropriate for your organization. Two factors should be considered:

  • Group names should be instantly recognizable. If they are, administrators searching Active Directory don't have to guess at their meaning.
  • Comparable groups should have similar names. In other words, if you have a group for engineers in each domain, give all of the groups parallel names, such as NorAmer Engineers, SoAmer Engineers, and Asia Engineers.

Using Global and Domain Local Groups

You'll need to develop a strategy for using the different groups. For example, users with common job responsibilities belong in a global group. Thus, you'd add user accounts for all graphic artists to a global group called Graphic Artists. Other users with common needs would be assigned to other global groups. Then you must identify the resources to which users need access and create a domain local group for those resources. If, for example, you have several color printers and plotters that are used by specific departments, you could make a domain local group called Printers&Plotters.

Next you should decide which global groups need access to the resources you've identified. Continuing the example, you'd add the global group Graphic Artists to the domain local group Printers&Plotters, along with other global groups that need access to the printers and plotters. Permission to use the resources in Printers&Plotters would be assigned to the Printers&Plotters domain local group.

Keep in mind that global groups can complicate administration in multiple-domain situations. Global groups from different domains must have their permissions set individually. Also, assigning users to domain local groups and granting permissions to the group does not give members access to resources outside the domain.

Remember that the nesting rules apply only in native mode. In mixed-mode domains, security groups with global scope can contain only individual accounts, not other groups. Security groups with domain local scope can contain global groups and accounts.

Using Universal Groups

When you're able to use universal groups (that is, when your domain is running in native mode), keep the following guidelines in mind:

  • Avoid adding individual accounts to universal groups, to keep replication traffic down.
  • Add global groups from multiple domains to universal groups to give members access to resources in more than one domain.
  • Universal groups can be members of domain local groups and other universal groups, but they can't be members of global groups.
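The nesting rules and universal-group guidelines above can be checked against a planned design before any groups are created. The following Python sketch is an added example, not code from the book. The domain names, the account claire, and the universal group All Engineers are made up for illustration; native-mode entries the page does not spell out follow standard Windows 2000 behaviour.

```python
from typing import NamedTuple

class Principal(NamedTuple):
    name: str
    kind: str    # "account", "global", "domain_local" or "universal"
    domain: str

# Container scope -> member kinds it may hold, per domain mode. The mixed-mode
# rows and the universal rules are stated on this page; the other native-mode
# entries and the same-domain limits are standard Windows 2000 behaviour.
ALLOWED = {
    "mixed": {"global": {"account"}, "domain_local": {"account", "global"}},
    "native": {"global": {"account", "global"},
               "domain_local": {"account", "global", "universal", "domain_local"},
               "universal": {"account", "global", "universal"}},
}

def check_plan(mode, principals, memberships):
    """Check (container, member) name pairs; return (level, message) findings."""
    by_name = {p.name: p for p in principals}
    findings = [("error", f"{p.name}: universal scope needs native mode")
                for p in principals if p.kind == "universal" and mode == "mixed"]
    for container, member in memberships:
        c, m = by_name[container], by_name[member]
        if m.kind not in ALLOWED[mode].get(c.kind, set()):
            findings.append(("error", f"{m.name} ({m.kind}) not allowed in {c.kind} group {c.name}"))
        elif m.domain != c.domain and (c.kind == "global" or m.kind == "domain_local"):
            findings.append(("error", f"{m.name}: {c.name} takes this member from {c.domain} only"))
        elif c.kind == "universal" and m.kind == "account":
            findings.append(("warning", f"{m.name}: put accounts in a global group, not universal {c.name}"))
    return findings

# Constructed plan: group names are from the page; the domains, the account
# and the universal group "All Engineers" are made up for this example.
PRINCIPALS = [
    Principal("claire", "account", "noram"), Principal("Graphic Artists", "global", "noram"),
    Principal("NorAmer Engineers", "global", "noram"), Principal("Asia Engineers", "global", "asia"),
    Principal("Printers&Plotters", "domain_local", "noram"), Principal("All Engineers", "universal", "noram"),
]
MEMBERSHIPS = [
    ("Graphic Artists", "claire"), ("Printers&Plotters", "Graphic Artists"),
    ("All Engineers", "NorAmer Engineers"), ("All Engineers", "Asia Engineers"),
    ("Printers&Plotters", "All Engineers"),
    ("All Engineers", "claire"),             # discouraged: account in universal
    ("NorAmer Engineers", "All Engineers"),  # invalid: universal inside global
]

if __name__ == "__main__":
    for mode in ("mixed", "native"):
        for level, msg in check_plan(mode, PRINCIPALS, MEMBERSHIPS):
            print(f"[{mode}] {level}: {msg}")
```

Run in native mode, the plan yields one warning and one error; in mixed mode every membership that touches the universal group is rejected.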


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
EAN: 2147483647
Year: 2003
Pages: 320
