You need to understand several concepts about user groups in Windows 2000/.NET before you begin to create them. Groups are useful for two reasons. First, they simplify administration when many users must be treated alike with respect to rights and permissions. Second, because each group has a defined scope, groups are useful for security: the scope bounds the computers or domains in which a group, and therefore its members, can be granted access.
Choosing a Group Based on the Group's Scope
Every group has a scope, which defines two things: which domains the group can draw its members from, and the area of the domain or forest in which the group can be granted rights and permissions. By having several types of groups, each with its own kind of membership and scope, you can put together combinations that cover most administrative needs for managing users with similar requirements. The types of groups, and the scope implied by each, are as listed here:
- Domain local group—These groups can be granted permissions only on resources in the domain in which they are created (their members, however, may come from other domains). Use them to manage access to resources in the local domain.
- Global group—These groups are made up of users or groups from a single domain but are used to grant access for the members of the group in other trusted domains. Think of this as a way to "export" users to allow them access to resources in other domains.
- Universal group—This type of group can contain user accounts, global groups, and other universal groups from any domain in the Active Directory forest. This is similar to a global group but allows members of the group to be granted permissions to resources in domains throughout the entire forest.
As described previously, groups can be members of other groups just like users, and this is where things can become a little complicated. For example, a domain local scope group can have the following as members:
- Groups that have global scope—You place the global group into a local group and then manage the local group when granting rights and permissions.
- Groups that have universal scope—Again, you can place universal scope groups into a local group and then use the local group for management purposes.
- Groups with domain local scope—Other domain local scope groups can be placed in a domain local scope group.
- User accounts—You can put individual users into a group with domain local scope.
Note that the domain local group does not have to have just one of the preceding groups (or users) as its members. You can combine any of the preceding and place them into a single domain local scope group, and then use the group to manage the members of these other groups locally in your domain.
A domain local group is a very useful management tool. For example, if you have a particular resource that several users share, place the users in the group and grant the group the necessary access to the resource. The resource can be a folder or a file, or perhaps a printer. If the resource changes in the future (for example, you decide to use a new file server for a particular set of files), you have to change permissions only for the group to let the group members access the new resource. Otherwise, you'd have to modify the permissions for each individual user, which in a large environment can be an almost impossible task if your network changes frequently.
Unlike domain local groups, global groups can have as members only users or other groups from within a single domain. Yet global groups can be granted access to resources in other trusted domains. This enables you to package a group of users that need similar treatment in other domains when it comes to resource permissions.
Universal groups also can be used to grant permissions in multiple domains, throughout the forest of domain trees. Note that universal security groups are available only when the domain is running in native mode (Windows 2000 native mode or later), not in mixed mode; they are not restricted to multidomain forests, but they serve no purpose in a single-domain forest because domain local groups and global groups already provide the necessary functions there.
The membership of a universal group should not change on a frequent basis. This is because universal group membership is stored in the global catalog, and in Windows 2000 any change to a universal group's membership causes the entire member list to be replicated to every global catalog server in the forest. (The Windows Server 2003 forest functional level reduces this cost with linked-value replication, which replicates only the changed member, but the design advice still holds.) Because the global catalog holds this membership, a domain controller in a multidomain forest must also be able to reach a global catalog at logon to build the user's token. Use universal groups for grouping users and other groups whose membership is stable. Although global groups enable you to create groups of users and other groups that can be granted access in trusted domains, their membership must come from a single domain. To make managing a universal group easier, first place users into global groups in their own domains, and then place these global groups into a universal group. Thus, when the membership of a global group changes, there is no need to replicate the universal group membership to every other global catalog. Only the global group has changed. The universal group has as its member the global group, not the individual users who come and go from the global group.
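The following script is an added example, not code from the original page, and it implements the nesting pattern described above (accounts into a global group, global groups into a universal group, the universal group into a domain local group, permissions on the domain local group). It uses the ActiveDirectory PowerShell module, which postdates Windows 2000/.NET but exposes the same three group scopes; the domain name CORP / corp.example, the OU, the user names and the share path are all assumptions.

```powershell
# Added example (not from the original page): build the AGUDLP nesting with the
# ActiveDirectory module. Domain, OU, user names and share path are assumptions.
Import-Module ActiveDirectory

$GroupOU   = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds the groups
$SharePath = 'D:\Shares\Finance'               # assumed folder on the file server
$NetBios   = 'CORP'                            # assumed NetBIOS name of the domain

# 1. Accounts go into a Global group in their own domain. A global group can only
#    contain principals from its own domain; Add-ADGroupMember errors out otherwise.
$global = New-ADGroup -Name 'GG-Finance-Users' -GroupScope Global `
                      -GroupCategory Security -Path $GroupOU -PassThru
Add-ADGroupMember -Identity $global -Members 'alice', 'bob'   # assumed user accounts

# 2. (Multidomain forests only) Global groups from each domain nest into one
#    Universal group. Its member list is the global group, so day-to-day user churn
#    in GG-Finance-Users does not change what the global catalog has to replicate.
$universal = New-ADGroup -Name 'UG-Finance-AllDomains' -GroupScope Universal `
                         -GroupCategory Security -Path $GroupOU -PassThru
Add-ADGroupMember -Identity $universal -Members $global

# 3. A Domain Local group in the domain that owns the resource receives the permission.
$local = New-ADGroup -Name 'DL-Finance-Share-Modify' -GroupScope DomainLocal `
                     -GroupCategory Security -Path $GroupOU -PassThru
Add-ADGroupMember -Identity $local -Members $universal

# 4. Grant the permission once, on the domain local group. If the data later moves
#    to another server, only this single ACE has to be re-applied there.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$NetBios\$($local.SamAccountName)",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Check: confirm each group was created with the intended scope, and that the users
# resolve through the nesting to the group that actually carries the permission.
Get-ADGroup -Filter "Name -like '*Finance*'" | Select-Object Name, GroupScope
Get-ADGroupMember -Identity $local -Recursive | Select-Object SamAccountName, objectClass
```

The final `Get-ADGroupMember -Recursive` is the check worth keeping: it flattens the nesting and shows exactly which accounts will receive `Modify` on the share, which is what an auditor will ask for. If you are in a single-domain forest, skip step 2 and nest the global group directly into the domain local group; the universal group adds nothing there.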