Lab 6-5 Creating a Group Object
What is a group? There are two kinds of groups:
- Security Groups—A group defined by a Security Identifier (SID) that can be listed in a Discretionary Access Control List (DACL). A DACL is a list of users, groups, etc. that can be assigned permissions to resources on a network. A security group is used to control access to resources.
- Distribution Groups—These groups are used solely for email distribution. They do not have a SID associated with them, and they cannot be listed in a DACL. They are used only in email applications such as Exchange Server.
Groups also have scopes. A scope is the logical boundary within which a group can be assigned permissions to a specific resource in the domain or forest. Security and distribution groups in AD are assigned one of three scopes: global, domain local, or universal.
- Global groups can be assigned to any resource within the forest. The limitation of a global group is that it can only contain members from the domain in which it resides. For example, if you have a domain named Sales, you cannot put Joe Blow from the domain named Chicken into the global group you create in the Sales domain. However, you can put anyone from the Sales domain into that group. That group can then be assigned access (permissions) to resources in any domain in the forest.
- Domain Local groups are created on a domain controller and can only be assigned access to resources within their own domain. So, for example, if you create a Domain Local group named Egg within the chicken.com domain, you can only assign permissions to that group for things within chicken.com. It can’t go outside of that domain. Unlike a global group, though, you can put users and groups from other domains into a domain local group. Think of it this way: domain local groups are used to assign permissions to resources within a domain to users and groups from that domain and from other domains in the forest.
- A universal group can be assigned permissions to any resource in any domain within a forest. It’s similar to a global group, but there are differences. First, a universal group can contain user objects from any domain in the forest (global groups can only have users from their own domain). Second, universal groups are only available when a domain is configured in Windows 2000 Native mode. That means if any of your domain controllers are Windows NT servers, you can’t use universal groups.
- There are also local groups, but those only work on standalone workstations to assign permissions locally, and they can only contain local members. You really don’t use them once you’re on a domain.
By default, when you install Windows Server 2003 your domain will be in Windows 2000 Mixed mode, allowing it to communicate with Windows 2000 servers, Windows Server 2003 servers, and Windows NT Primary Domain Controllers and Backup Domain Controllers. If you no longer have any NT in your network, changing from mixed mode to Windows 2000 Native mode will enable all of the security features of Windows 2000. Once your network is entirely Windows Server 2003 (no 2000, no NT), you can move to the Windows Server 2003 functional level to unlock all security features in Windows Server 2003. Why not just move up sooner? If you’re using an older server on your network and move to a mode that is not supported by that server, that server will be unable to communicate effectively on the network.
| Group Type | General Use | Windows 2000 Mixed Mode Membership Options | Windows 2000 Native Mode or Windows Server 2003 Membership Options |
|---|---|---|---|
| Local | Assign permissions to resources on a local workstation or standalone computer | User accounts from any domain, global groups from any domain | User accounts from any domain, global groups from any domain |
| Domain local | Assigned to resources within the local domain | User accounts from any domain, global groups from any domain | User accounts, global and universal groups from any domain; other domain local groups from the same domain |
| Global | Used to organize individual objects such as user accounts into administrative units | User accounts only from the domain in which the group is created | User accounts and other global groups from the same domain in which the group is created |
| Universal | Used to organize various objects into administrative units | N/A | User accounts, global and universal groups from any domain |
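As an added example (not part of the original lab), the membership table above and the scope rules from the text can be written as a small checker: given a proposed member, a target group, and the domain mode, it says whether AD would accept the nesting. The domains, group names and the principal named Joe are constructed for the demo; this models the rules, it does not talk to a directory.

```python
# Added example: a model of the membership rules in the table above, not Active
# Directory code. Domains, group names and principals below are constructed.
from dataclasses import dataclass

MIXED = "Windows 2000 Mixed"
NATIVE = "Windows 2000 Native / Windows Server 2003"


@dataclass(frozen=True)
class Principal:
    kind: str    # "user", "local", "domainlocal", "global" or "universal"
    domain: str  # domain in which the object was created


def scope_available(scope: str, mode: str) -> bool:
    """Universal groups need native mode; every other scope exists in both modes."""
    return not (scope == "universal" and mode == MIXED)


def can_be_member(member: Principal, group: Principal, mode: str) -> bool:
    """True if `member` may be placed in `group` under domain mode `mode`."""
    if not scope_available(group.kind, mode):
        return False
    same_domain = member.domain == group.domain
    if group.kind == "global":
        # Only objects from the group's own domain; nested globals need native mode.
        if member.kind == "user":
            return same_domain
        return member.kind == "global" and same_domain and mode == NATIVE
    if group.kind == "domainlocal":
        # Users and globals from any domain; universals and same-domain domain
        # locals only once the domain is in native mode.
        if member.kind in ("user", "global"):
            return True
        if mode == NATIVE:
            return member.kind == "universal" or (member.kind == "domainlocal" and same_domain)
        return False
    if group.kind == "universal":
        # Members from any domain, but never domain local or machine-local groups.
        return member.kind in ("user", "global", "universal")
    if group.kind == "local":
        return member.kind in ("user", "global")
    raise ValueError(f"unknown group scope: {group.kind}")


# Worked cases from the text: Joe Blow from Chicken cannot join a Sales global
# group, but anyone in the forest can join the domain local group Egg in chicken.com.
joe = Principal("user", "chicken.com")
sales_global = Principal("global", "sales")
egg = Principal("domainlocal", "chicken.com")

if __name__ == "__main__":
    print(can_be_member(joe, sales_global, NATIVE))  # False
    print(can_be_member(joe, egg, MIXED))            # True
```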