
In Windows NT there were (and still are) two types of groups: local groups and global groups.  Windows 2000 expands the group types and gives you more control over users and over assigning permissions to resources.  With this expansion comes more complexity, especially since a Windows 2000 domain runs in one of two modes, Mixed Mode or Native Mode.  A Mixed Mode domain can still contain Windows NT BDCs; a Native Mode domain has only Windows 2000 domain controllers, and the switch from Mixed to Native Mode is one-way.  Which groups are available, and what scope they have, depends on which mode the domain is in.  Additionally, Windows 2000 stores objects and their properties in a directory service (Active Directory), so when using Windows 2000 groups you must consider how Active Directory affects group scope and usage, in particular what gets replicated to the global catalog.


Group Properties

Here are the key properties of Win2K groups that you should know in order to use them effectively:

- Members of a group automatically have the rights and permissions that have been granted to the group.
- User accounts can be members of more than one group.
- Groups can be members of other groups.
- Computer accounts can also be members of groups.


Group Types and Scope

[Image not preserved: the Add new group dialog, showing the Group scope and Group type choices; in a Mixed Mode domain the Universal scope is grayed out.]

Windows 2000 has two group types, Security and Distribution.  Security groups are used to assign permissions for access to network resources.  Distribution groups exist only to group users together for e-mail distribution lists.  A security group can also be used as a distribution list, but a distribution group cannot be used as a security group: distribution groups are not security-enabled, so they are never placed in a user's access token and cannot be granted permissions.  Proper planning of the group structure affects maintainability later, especially in an enterprise environment where multiple domains are involved.  Win2K groups (both security and distribution) are classified into one of three group scopes: Domain Local, Global and Universal.  Below you can see how these scopes are used.  Although machine Local groups are not one of the Win2K domain group scopes, they are included for your information.


Group Scope

Local Groups (or machine local groups) - Windows 2000 keeps machine local groups for backward compatibility with NT.  On a workstation or member server they live in the local SAM; on a domain controller the built-in local groups (Administrators, Account Operators, Server Operators and so on) live in the Builtin container of Active Directory and are therefore shared by every domain controller in the domain.
In a Mixed Mode domain they are the only kind of local group you can use on a workstation or member server.
Local groups can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains.
A local group has only machine-wide scope.  It can be used to grant resource permissions only on the machine on which it exists; the built-in local groups on a domain controller are the exception and are available on every domain controller in that domain.

Domain Local groups – hold global groups (and, where needed, users, computers and universal groups) and receive permissions on resources in their own domain.
In a Mixed Mode domain they exist only on domain controllers and behave like NT local groups there; they can be used on member servers and workstations only once the domain is in Native Mode.
They can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains.
They have domain-wide scope: a domain local group can be granted permissions on any Win2K machine in the domain in which it exists, but not beyond.  This is the scope to use as a resource group (the group that is placed on an ACL).

Domain Global groups – collect accounts from their own domain so that they can be granted access to resources in their own domain and in other trusting domains.
They exist in both Mixed Mode and Native Mode domains.
They can have members only from their own domain.  A global group can be made a member of machine local or domain local groups, or granted permissions, in any domain (including trusting domains in other forests and down-level domains).
Use global groups to collect users or computers that are in the same domain and share the same job, role or function (an account group).
In a Native Mode domain only, global groups can contain other global groups from the same domain.

Universal groups – grant access to resources in all trusted domains.
They exist only in Native Mode domains and can have members from any Win2K domain in the forest.  In a Mixed Mode domain the "Universal" choice in the Add new group dialog is grayed out for this reason.
Universal groups can be granted permissions in any domain, including domains in other forests with which a trust exists.  They help you represent and consolidate groups that span domains and perform common functions across the enterprise.  A useful guideline is to make widely used groups that seldom change universal.  Universal groups and their membership are listed in the global catalog, so every membership change must be replicated to every global catalog server in the forest; a universal group whose membership churns is a replication problem, which is why global groups rather than individual users belong in them.
Domain Local and Domain Global groups can be converted to Universal groups.  This can only be done in a Native Mode domain, and the conversion is refused when the group's current nesting would be illegal for a universal group: a Global group cannot be converted while it is a member of another Global group (a global group cannot contain a universal group), and a Domain Local group cannot be converted while it contains another Domain Local group (a universal group cannot contain domain local groups).

Notes:
Groups having global or domain local scope are also listed in the global catalog, but the individual members of the group are not.  Using these groups will reduce the size of the global catalog and replication traffic.
Microsoft advises against using Domain Local groups when filtering Group Policy objects.  See this KB article for more info:
http://support.microsoft.com/default.aspx?scid=kb;[LN];309172


Native Mode Domains

Domain Local
  Allowable members: users, computer accounts, global groups and universal groups from any domain; domain local groups from the same domain.
  Can be nested in: other domain local groups in the same domain.
  Replication: the group object is replicated to all DCs in the domain and (without its member list) to all GCs in the forest; the membership is replicated only to DCs within the domain.

Domain Global
  Allowable members: only users, computer accounts and global groups from the same domain.
  Can be nested in: other global groups in the same domain, domain local groups, or universal groups.
  Replication: the group object is replicated to all DCs in the domain and to all GCs in the forest; the membership is replicated only to DCs within the domain.

Universal
  Allowable members: universal groups, global groups, users and computer accounts from any domain in the forest.
  Can be nested in: domain local groups or other universal groups (never in global groups, which take members from one domain only).
  Replication: the group object and its full membership are replicated to all DCs in the domain and to all GC servers in the forest.


Mixed Mode Domains

Domain Local
  Allowable members: users, computer accounts and global groups from any domain.
  Nesting: cannot contain other domain local groups; usable only on domain controllers.
  Replication: same as Native Mode.

Domain Global
  Allowable members: only users and computer accounts from the same domain.
  Nesting: cannot contain other global groups; can still be placed in domain local and machine local groups.
  Replication: same as Native Mode.

Universal
  Not available.



Built-In Groups - There is another category of groups that you will see if you open Active Directory Users and Computers.  It is called Builtin.  The Built-in groups are groups that Windows 2000 creates for you.  They come with a predetermined set of user rights and, for some of them, default members, and they can be used to assign permissions to network resources.  You can find Built-in groups in the Builtin container (domain local scope, e.g. Administrators, Account Operators, Server Operators, Backup Operators) and in the Users container (e.g. Domain Admins, Domain Users).  Several of the Builtin groups hold rights on domain controllers that amount to nearly full administrative control (Account Operators can manage most accounts, Server Operators can control services, Backup Operators can read any file), so their membership deserves the same scrutiny as Domain Admins.



Using Groups

The official Microsoft-sanctioned method for using groups in a domain setting is known as the A-G-DL-P method:

(A) Take the user Account and place it in a
(G) Global group, then take the global group and place it into a
(DL) Domain Local group, after which you assign
(P) Permissions to the domain local group.

The point of the chain is that permissions are set once, on the domain local group that owns the resource, while day-to-day changes (people joining or leaving a role) happen in the global group; because a global group can be a member of a domain local group in any trusting domain, the same account group can be granted access to resources in other domains without being recreated there.

Of course, always following this method is not practical.  You have to use common sense and judgment when assigning permissions to groups.  The above is just an official Microsoft guideline.
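As an added example that is not part of the original page, the following Python models the Mixed Mode and Native Mode membership tables above, the rule for converting a group to universal scope, and the A-G-DL-P chain: it checks whether a proposed nesting is legal for the domain mode, whether a group may be converted to universal, and which groups an account ends up in once the chain is built.  The two domains (corp.example, sales.example), the account jsmith and the group names are constructed for the example; there is no real directory behind them.

```python
"""Rule model of Windows 2000 group scopes (added example, not code from the page).
Encodes the Mixed Mode and Native Mode membership tables, the conversion rule for
turning global and domain local groups into universal groups, and the transitive
membership that A-G-DL-P relies on. Domains, users and group names are constructed.
"""
from dataclasses import dataclass, field

MIXED, NATIVE = "mixed", "native"
USER, COMPUTER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = (
    "user", "computer", "domain_local", "global", "universal")


@dataclass
class Principal:
    name: str
    kind: str                                  # USER, COMPUTER or a group scope
    domain: str
    members: set = field(default_factory=set)  # member names (groups only)


def can_contain(container, member, mode):
    """(allowed, reason) for adding `member` to `container`; one forest assumed."""
    same_domain = container.domain == member.domain
    if container.kind == UNIVERSAL:
        if mode == MIXED:
            return False, "universal groups exist only in Native Mode domains"
        if member.kind == DOMAIN_LOCAL:
            return False, "universal groups cannot contain domain local groups"
        return True, "universal: users, computers, global and universal groups, any domain"
    if container.kind == GLOBAL:
        if not same_domain:
            return False, "global groups take members from their own domain only"
        if member.kind in (USER, COMPUTER):
            return True, "global: users and computers from the same domain"
        if member.kind == GLOBAL:
            return mode == NATIVE, "global-in-global nesting needs Native Mode"
        return False, "global groups cannot contain domain local or universal groups"
    if container.kind == DOMAIN_LOCAL:
        if member.kind in (USER, COMPUTER, GLOBAL):
            return True, "domain local: users, computers and global groups, any domain"
        if member.kind == UNIVERSAL:
            return mode == NATIVE, "universal members need Native Mode"
        return (mode == NATIVE and same_domain,
                "domain local nesting: Native Mode and same domain only")
    return False, "%s is not a group scope" % container.kind


def can_convert_to_universal(group, directory, mode):
    """Refused when the result would break nesting: a global group that is still a
    member of another global group, or a domain local group that still contains one."""
    if mode != NATIVE:
        return False, "scope conversion needs a Native Mode domain"
    if group.kind == GLOBAL:
        parents = [g.name for g in directory.values()
                   if g.kind == GLOBAL and group.name in g.members]
        return not parents, "member of global group(s): %s" % ", ".join(parents)
    if group.kind == DOMAIN_LOCAL:
        nested = [m for m in group.members if directory[m].kind == DOMAIN_LOCAL]
        return not nested, "contains domain local group(s): %s" % ", ".join(nested)
    return False, "only global and domain local groups can be converted"


def effective_groups(name, directory):
    """Every group `name` is in, directly or via nesting (the token's group list)."""
    found, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        for g in directory.values():
            if current in g.members and g.name not in found:
                found.add(g.name)
                frontier.append(g.name)
    return found


def build_example(mode=NATIVE):
    """A-G-DL-P across two constructed domains: account jsmith (corp.example) into the
    global group Corp-Accountants, which goes into the domain local group
    SALES-Ledger-Modify in sales.example; permissions are then set on that DL group."""
    d = {}
    for p in (Principal("jsmith", USER, "corp.example"),
              Principal("Corp-Accountants", GLOBAL, "corp.example"),
              Principal("SALES-Ledger-Modify", DOMAIN_LOCAL, "sales.example")):
        d[p.name] = p
    for container, member in (("Corp-Accountants", "jsmith"),
                              ("SALES-Ledger-Modify", "Corp-Accountants")):
        ok, why = can_contain(d[container], d[member], mode)
        if not ok:
            raise ValueError("%s -> %s: %s" % (member, container, why))
        d[container].members.add(member)
    return d


if __name__ == "__main__":
    directory = build_example()
    print("jsmith's groups:", sorted(effective_groups("jsmith", directory)))
    print(can_convert_to_universal(directory["Corp-Accountants"], directory, NATIVE))
```

Run directly, it resolves jsmith into both groups of the chain and reports that Corp-Accountants may become universal.  The check functions return a (bool, reason) pair so that a provisioning script can refuse an illegal nesting and log why, rather than discovering the problem when the directory rejects the change.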


Special Identities

There are also some special groups, referred to as special identities, because they are managed by the system and not by administrators.  They exist on every Windows 2000 computer, and the system adds them to a user's access token based on how that user connected, not on any group membership you configured.  They do not appear in Active Directory Users and Computers or in the Computer Management tool, but they can be selected when you edit permissions.  Here are the special identities:

Everyone: Represents all current network users, including guests and users from other domains.  Whenever a user logs on to the network, they are automatically added to the Everyone group.  On Windows 2000, Everyone also includes anonymous (null session) connections; later Windows versions removed Anonymous Logon from Everyone by default.

Network: Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where the resource is located). Whenever a user accesses a given resource over the network, they are automatically added to the Network group.

Interactive: Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the resource over the network). Whenever a user accesses a given resource on the computer to which they are currently logged on, they are automatically added to the Interactive group.

Anonymous Logon: The Anonymous Logon group refers to any user who is using Windows 2000 resources but did not go through the authentication process, for example a null session connection to a share or to IPC$.

Authenticated Users: The Authenticated Users group includes all users who have authenticated to the network with a valid user account, from this domain or from any trusted domain.  When assigning permissions, use Authenticated Users in place of Everyone to keep anonymous connections out of a resource.

Creator Owner: The Creator Owner group is a placeholder that stands for the user who owns the resource you are assigning permissions to; in an inheritable ACE it is replaced by the actual owner's SID when a new object is created.  For example, if the user Jack created a resource but the Administrator took ownership of it, then the owner, and therefore Creator Owner, is the Administrator.

Dialup: The Dialup group includes anyone who’s currently connected to the network through a dialup connection.

These groups can be assigned permissions to network resources, although caution should be used with some of them.  Members of these groups are not necessarily users who have been authenticated to your domain.  For instance, if you grant full permissions on a share to the Everyone group, users connecting from other trusted domains will have access to the share, and on Windows 2000 so will anonymous null-session connections.  If access is meant to be limited to staff of one domain, grant it to a domain local group instead.
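As an added example that is not part of the original page, the following Python shows which special identities end up in a session's token for the logon types described above, and evaluates two constructed share DACLs against an anonymous null session and an authenticated user from a trusted domain.  The sessions, the trustee names SALES\bob and CORP\jsmith, and the DACLs are constructed; the identity names are the real well-known ones.  The `win2k` flag models the Windows 2000 behaviour of including Everyone on anonymous tokens, which Windows XP and 2003 turned off by default.

```python
"""Added example (not from the page): the special identities Windows 2000 adds to a
session's token, and why an ACE for Everyone reaches further than one for
Authenticated Users. The sessions and the two share DACLs are constructed; the
identity names are the real well-known ones.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: Optional[str]       # "DOMAIN\\name", or None for a null session
    authenticated: bool
    logon: str                # "interactive" (console) or "network" (share access)
    dialup: bool = False


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset
    deny: bool = False


def token_identities(s, everyone_includes_anonymous=True):
    """Special identities the system places in the token for `s`.
    Windows 2000 includes Everyone on anonymous tokens; Windows XP/2003 stopped
    doing so by default, which the flag models."""
    ids = {"NETWORK" if s.logon == "network" else "INTERACTIVE"}
    if s.dialup:
        ids.add("DIALUP")
    if s.authenticated:
        ids |= {s.user, "Authenticated Users", "Everyone"}
    else:
        ids.add("ANONYMOUS LOGON")
        if everyone_includes_anonymous:
            ids.add("Everyone")
    return ids


def access_check(identities, dacl, requested):
    """Simplified check for a canonically ordered DACL: a deny ACE matching any
    requested right wins; otherwise every requested right must come from an allow
    ACE whose trustee is in the token."""
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.trustee in identities:
            (denied if ace.deny else allowed).update(ace.rights)
    return bool(requested) and not (requested & denied) and requested <= allowed


READ = frozenset({"Read"})
CHANGE = frozenset({"Read", "Write"})

# Constructed share DACLs: the Everyone grant the text warns about, and the
# Authenticated Users grant it recommends instead.
WEAK_DACL = (Ace("Everyone", CHANGE),)
HARDENED_DACL = (Ace("Authenticated Users", CHANGE),)

NULL_SESSION = Session(None, False, "network")        # anonymous (null session) over SMB
REMOTE_USER = Session("SALES\\bob", True, "network")  # authenticated user, trusted domain
CONSOLE_USER = Session("CORP\\jsmith", True, "interactive")


def share_access(session, dacl, requested=READ, win2k=True):
    """Does `session` get `requested` on a share carrying `dacl`, with Windows 2000
    (win2k=True) or Windows XP/2003 (win2k=False) handling of Everyone?"""
    return access_check(token_identities(session, win2k), dacl, requested)


if __name__ == "__main__":
    for label, dacl in (("Everyone", WEAK_DACL), ("Authenticated Users", HARDENED_DACL)):
        print("%-20s null session read: %s  remote user read: %s" % (
            label, share_access(NULL_SESSION, dacl), share_access(REMOTE_USER, dacl)))
```

The Everyone ACL lets the null session read the share on Windows 2000 semantics and still lets the trusted-domain user in; the Authenticated Users ACL shuts out the null session but, as the text notes, still admits every authenticated user from every trusted domain.  Only a domain local group on the ACL narrows access to the people you actually chose.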


Adding Groups/Users to Resource Permissions

Domain member workstations and member servers can add the following users/groups to the ACLs of their local resources:

In a Mixed Mode Domain:
  Domain user accounts
  Global groups
  Local groups
  Local user accounts

In a Native Mode Domain:
  Domain user accounts
  Domain local groups
  Global groups
  Universal groups
  Local groups
  Local user accounts


Domain Controllers can add the following users/groups to the ACLs of their local resources:

In a Mixed Mode Domain:
  Domain user accounts
  Global groups
  Built-in local groups
  Domain local groups

In a Native Mode Domain:
  Domain user accounts
  Global groups
  Universal groups
  Built-in local groups
  Domain local groups



b/johnson:02