Understanding Groups


By definition, groups in Microsoft Windows 2000 are Active Directory directory service or local computer objects that can contain users, contacts, computers, or other groups. In general, though, a group is usually a collection of user accounts. The point of groups is to simplify administration by allowing the network administrator to assign rights and permissions by group rather than to individual users.

Windows 2000 allows two group types: security and distribution. Security groups are essentially the only groups used by Windows 2000 because they're the only groups through which permissions can be assigned. Each security group is also assigned a group scope, which defines how permissions are assigned to the group's members. Programs that can search Active Directory can use security groups for nonsecurity purposes, such as sending e-mail to a group of users. Distribution groups are not security enabled, and no permissions can be assigned to distribution groups.

Later in the chapter, you'll find sections on user rights and how they are defined and assigned to groups. Chapter 10 includes discussion on permissions and how they are assigned.

Assigning Group Scopes

When a group is created, it is assigned a group scope that defines how permissions will be assigned. The three possible group scopes—global, domain local, and universal—are defined in the following sections.

Global Scope

A group with a global scope is truly global in the sense that permissions can be granted for resources located in any domain. However, members can come only from the domain in which the group is created, and in that sense it is not global. Global groups are best used for directory objects that require frequent maintenance, such as user and computer accounts. Global groups can be members of universal and domain local groups in any domain, and they can have the following members:

  • Other global groups in the same domain
  • Individual accounts from the same domain

Domain Local Scope

A domain local group is the inverse of a global group in that members can come from any domain but the permissions can be only for resources in the domain in which the group is created. The members of a domain local group have a common need to access certain resources in a particular domain. Domain local groups can have one or more of the following members:

  • Other domain local groups in the same domain
  • Global groups from any domain
  • Universal groups from any domain
  • Individual accounts from any domain

NOTE
The nesting rules apply fully only in native mode—that is, when all of the controllers in the domain are Windows 2000 Servers. In mixed-mode domains, security groups with global scope can contain only individual accounts, not other groups. Security groups with domain local scope can contain both global groups and accounts. For more on native vs. mixed mode, see Chapter 7.

Universal Scope

A universal security group can have members from any domain and can be assigned permissions to resources in any domain. Although the universal scope sounds like an ideal solution in a multiple-domain enterprise, it's available only in domains that are running in native mode. Universal groups can have the following members:

  • Other universal groups
  • Global groups
  • Individual accounts

Even in native mode, universal groups must be used with discretion because of the negative impact they can have on network performance, as described in the Real World sidebar, "How Groups Affect Network Performance."

REAL WORLD  How Groups Affect Network Performance
The importance of planning groups becomes even more apparent when you consider the negative effect that your group organization can have on network performance. When a user logs on to the network, the domain controller determines the user's group memberships and assigns a security token to the user. The token includes the security IDs of all of the groups that the user belongs to, in addition to the user account ID. The more security groups the user belongs to, the longer it will take to assemble the token and the longer it will take the user to log on.

In addition, the security token, once assembled, is sent to every computer the user accesses. The target computer compares all of the security IDs in the token against the permissions for all of the shared resources available at that computer. A large number of users added to a large number of shared resources (including individual folders) can take up a lot of bandwidth and processing time. One solution is to limit membership in security groups. Use distribution groups for categories of users that don't require specific permissions or rights.

Groups with universal scope will have a performance impact of their own because all such groups, along with their members, are listed in the Global Catalog. When there's a change to the membership in a group with universal scope, this fact must be relayed to every Global Catalog server in the domain tree, adding to the replication traffic on the network. Groups with global or domain local scope are also listed in the Global Catalog, but their individual members are not, so the solution is to limit the membership of universal groups primarily to global groups.

Planning a Group Strategy

Looking at your network and the various group types, and then factoring in your specific needs and what you want to accomplish, you might end up feeling as though you're working on a logic puzzle: Mac lives in a blue house, Luisa collects stamps, Sam drives a Toyota, and Ross eats cheese. Which one has red hair?

Nevertheless, as in so many other aspects of network administration, planning is the essential step. The domain mode determines the types of groups available to you. A mixed-mode domain can't support groups with universal scope. Thus, as long as you have Microsoft Windows NT backup domain controllers, you are limited to groups with global and domain local scopes. However, with some thought and the use of nesting, these two types of security groups can suffice for almost all purposes.

Determining Group Names

In planning your groups, you should determine a naming scheme that is appropriate for your organization. Two factors should be considered:

  • Group names should be instantly recognizable. If they are, administrators searching Active Directory don't have to guess at their meaning.
  • Comparable groups should have similar names. In other words, if you have a group for engineers in each domain, give all of the groups parallel names, such as NorAmer Engineers, SoAmer Engineers, and Asia Engineers.

Using Global and Domain Local Groups

You'll need to develop a strategy for using the different groups. For example, users with common job responsibilities belong in a global group. Thus, you'd add user accounts for all graphic artists to a global group called Graphic Artists. Other users with common needs would be assigned to other global groups. Then you must identify resources to which users need access and create a domain local group for that resource. If, for example, you have several color printers and plotters that are used by specific departments, you could make a domain local group called Printers&Plotters.

Next you should decide which global groups need access to the resources you've identified. Continuing the example, you'd add the global group Graphic Artists to the domain local group Printers&Plotters, along with other global groups who need access to the printers and plotters. Permission to use the resources in Printers&Plotters would be assigned to the Printers&Plotters domain local group.

Keep in mind that global groups can complicate administration in multiple-domain situations. Global groups from different domains have to have their permissions set individually. Also, assigning users to domain local groups and granting permissions to the group will not give members access to resources outside the domain.

NOTE
Remember that the nesting rules apply only in native mode. In mixed-mode domains, security groups with global scope can contain only individual accounts, not other groups. Security groups with domain local scope can contain global groups and accounts.

Using Universal Groups

When you're able to use universal groups (that is, when your domain is running in native mode), keep the following guidelines in mind:

  • Avoid adding individual accounts to universal groups, to keep replication traffic down.
  • Add global groups from multiple domains to universal groups to give members access to resources in more than one domain.
  • Universal groups can be members of domain local groups and other universal groups, but they can't be members of global groups.

Implementing the Group Strategy

Once you've planned your strategy and tested it using a variety of scenarios, you're ready to begin putting the structure into place.

Creating Groups

Use Active Directory Users and Computers to create and delete groups. Groups should be created in the Users container or in an organizational unit (OU) that you've created for the purpose of containing groups. To create a group, follow these steps:

  1. Open Active Directory Users and Computers from the Administrative Tools menu.
  2. Expand the domain in which the group will be created.
  3. Right-click the Users container, point to New, and choose Group from the shortcut menu to open the dialog box shown in Figure 9-1.
  4. Fill in the required information:
    • The group name must be unique in the domain.
    • The group name as it will be seen by pre–Windows 2000 operating systems will be filled in automatically. (In native mode, this field will be Downlevel Name Of New Group but will still be filled in automatically based on the name you provide as the group name.)
    • For Group Scope, click Domain Local, Global, or Universal.
    • For Group Type, click Security or Distribution.

  5. Click OK when you're finished. The new group will appear in the Users container. You might have to wait a few minutes for the group to be replicated to the Global Catalog before adding members.


Figure 9-1. Creating a new group.

Deleting Groups

When groups are no longer needed, be sure to delete them from the system promptly. Unnecessary groups are a security risk because it is all too easy to grant permissions unintentionally.

Each group, like each user, has a unique security identifier (SID). The SID is used to identify the group and the permissions assigned to the group. When the group is deleted, the SID is deleted and not used again. If you delete a group and decide later to re-create it, you will have to configure the users and permissions as if for a new group.

To delete a group, merely right-click its name in Active Directory Users and Computers and choose Delete from the shortcut menu. Deleting a group deletes only the group and the permissions associated with the group. It has no effect on the accounts of users who are members of the group.

Adding Users to a Group

Once you've created a group, you'll need to add members to it. As was mentioned earlier in the chapter, groups can contain users, contacts, other groups, and computers. To add members to a group, follow these steps:

  1. Open Active Directory Users and Computers from the Administrative Tools menu.
  2. In the console tree, click the container that includes the group to which you will be adding members.
  3. Right-click the group and choose Properties from the shortcut menu.
  4. Click the Members tab, and then click the Add button to open the Select Users, Contacts, Or Computers dialog box (Figure 9-2).
  5. Highlight the accounts you want to add. (You can use the Shift and Ctrl keys to select multiple accounts.)
  6. Click the Add button. This returns you to the group's Properties window with the users added. Click OK.


Figure 9-2. Adding an account to a group.

NOTE
A contact is an account without security permissions and is typically used to represent external users for the purpose of e-mail. You can't log on to the network as a contact.

Changing the Group Scope

Over time, you might find that you need to change the scope of a particular group. For example, you might need to change a global group to a universal group so that users from another domain can be part of the group. However, the types of changes that can be made to a group scope are quite limited, and you may need to delete the group and create a new one to get the configuration you need.

To change a group scope, right-click the group name in Active Directory Users and Computers and choose Properties from the shortcut menu. Make the necessary changes on the General tab, and click OK when you're finished. The rules for changing a group scope are as follows:

  • In mixed mode, a security group cannot have universal scope.
  • A global group can be changed to a universal group if the global group is not already a member of another global group.
  • A domain local group can be changed to a universal group if the domain local group does not already contain another domain local group.
  • A universal group cannot be changed.
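The nesting rules from "Assigning Group Scopes" and the scope-change rules listed just above reduce to a handful of checks. The following Python is an added example, not code from the book: it models those rules so a proposed membership or conversion can be validated before it is made in Active Directory Users and Computers; the scope strings, the Account/Group classes and the domain names used with them are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    domain: str

@dataclass
class Group:
    name: str
    domain: str
    scope: str                      # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)

def can_add_member(group, member, native_mode=True):
    """Return (allowed, reason) for nesting `member` in `group`."""
    same_domain = member.domain == group.domain
    if group.scope == "universal" and not native_mode:
        return False, "universal security groups exist only in native mode"
    if isinstance(member, Account):
        if group.scope == "global" and not same_domain:
            return False, "global groups take accounts only from their own domain"
        return True, "account membership"
    if not native_mode:             # mixed mode: only global -> domain local nesting
        if group.scope == "domain_local" and member.scope == "global":
            return True, "mixed mode: global group in domain local group"
        return False, "mixed mode: only global groups nest, and only in domain local groups"
    allowed = {
        "global": member.scope == "global" and same_domain,
        "domain_local": member.scope in ("global", "universal")
                        or (member.scope == "domain_local" and same_domain),
        "universal": member.scope in ("global", "universal"),
    }[group.scope]
    return allowed, f"{member.scope} group in {group.scope} group"

def can_change_scope(group, new_scope, all_groups, native_mode=True):
    """Return (allowed, reason) for converting `group` to `new_scope`."""
    if group.scope == "universal":
        return False, "a universal group cannot be changed"
    if new_scope != "universal":
        return False, "the chapter describes conversion only to universal scope"
    if not native_mode:
        return False, "in mixed mode a security group cannot have universal scope"
    if group.scope == "global" and any(
            g.scope == "global" and group in g.members for g in all_groups):
        return False, "the global group is already a member of another global group"
    if group.scope == "domain_local" and any(
            isinstance(m, Group) and m.scope == "domain_local" for m in group.members):
        return False, "the domain local group already contains another domain local group"
    return True, f"{group.scope} -> universal"
```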

Creating Local Groups

A local group is a collection of user accounts on a single computer. The user accounts must be local to the computer, and members of local groups can be assigned permissions for resources only on the computer where the local group was created.

Local groups can be created on any Windows 2000 computer except domain controllers. In general, you don't want to use local groups on a computer that's part of a domain or, at least, you want to do so sparingly. Local groups don't appear in Active Directory, so you must administer local groups separately on each individual computer. To create a local group, follow these steps:

  1. Right-click the My Computer icon on the desktop and choose Manage from the shortcut menu.
  2. In the console tree, expand System Tools and then Local Users And Groups, as shown in Figure 9-3.
  3. Right-click the Groups folder and select New Group from the shortcut menu.
  4. In the New Group dialog box, enter the group name. You can include a description if you like.
  5. Click the Add button to add members to the group. (You can add members now or later.)
  6. Click Create when you're finished, and the new group is added to the list of groups in the details pane.


Figure 9-3. Creating a local group.


Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366