In Windows NT there are two types of groups: Local Groups and Global Groups. Windows 2000 has expanded the group types, and now gives you more control over users and over assigning permissions to resources. Of course, with this expansion of groups comes more complexity, especially since Windows 2000 has two modes of domain: Mixed Mode and Native Mode. Mixed Mode domains are domains that still contain Windows NT BDCs. A Native Mode domain uses only Windows 2000 domain controllers. Which groups and group scopes are available depends on which type of domain you have, Mixed Mode or Native Mode. Additionally, Windows 2000 now uses a directory service (Active Directory) to store objects and their properties. When using Windows 2000 groups, you must consider Active Directory issues and how they affect group scope and usage.
Group Properties
Here are the key properties of Win2K groups that you should know in order to use them effectively:
Members of a group automatically have the rights and permissions that have been granted to the group.
User accounts can be members of more than one group.
Groups can be members of other groups.
Computer accounts can also be members of groups.
Group Types and Scope
Windows 2000 has two group types: Security and Distribution. Security groups are used to assign permissions for access to network resources. Distribution groups are used to group users together for e-mail distribution lists. A Security group can be used as a Distribution group, but a Distribution group cannot be used as a Security group.
Proper planning of the group structure affects maintainability in the future, especially in an enterprise environment where multiple domains are involved. Win2K groups (both security and distribution) are classified into one of three group scopes: Domain Local, Global and Universal. Below you can see how these groups are used. Although Local Groups are not considered part of the Win2K group scopes, they are included for your information.
Group Scope
Local Groups (or machine local groups) – local groups exist for backward compatibility with NT and are also called Builtin Local Groups. They are the only type of local group available in a Windows 2000 mixed-mode domain.
Local groups can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains.
A local group has only machine-wide scope: it can be used to grant resource permissions only on the machine on which it exists. However, the local groups on a domain controller are available on every domain controller in that domain.
Domain Local groups – assign access permissions to domain global groups for local domain resources.
Available only in native-mode (not mixed-mode) domains if you want to use them as anything other than machine local groups on DCs only.
Can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains.
They have domain-wide scope and can be used to grant resource permissions on any Win2K machine within the domain in which they exist, but not beyond. Used as a resource group.
Domain Global groups – provide access to resources in other trusted domains.
Exist in both mixed-mode and native-mode domains.
Can have members from within their own domain only. Can be made a member of machine local or domain local groups, or granted permissions in any domain (including trusting domains in other forests and down-level domains).
Use global groups to collect users or computers that are in the same domain and share the same job, role or function.
In a Native Mode domain only, Global groups can contain other Global groups.
Universal groups – grant access to resources in all trusted domains.
Only in native-mode domains. Can have members from any Win2K domain in the forest. If you scroll up and look at the Add new group image above, you can see that "Universal" is grayed out; that is because this domain is a Mixed-Mode domain.
Universal groups can be granted permissions in any domain, including domains in other forests with which a trust exists. These groups can help you represent and consolidate groups that span domains and perform common functions across the enterprise. A useful guideline is to designate widely used groups that seldom change as universal groups. Universal groups and their members are listed in the global catalog, and if changes are made, the entire group membership must be replicated to all global catalogs in the domain tree or forest.
Domain Local and Domain Global groups can be converted to Universal groups. This can only be done in a Native Mode domain, and only if the groups do not contain groups of the same scope. For example, a Global group that contains another Global group cannot be converted to a Universal group.
Notes:
Groups having global or domain local scope are also listed in the global catalog, but the individual members of the group are not. Using these groups will reduce the size of the global catalog and replication traffic.
Microsoft advises against using Domain Local groups when filtering Group Policy objects. See this KB article for more info: http://support.microsoft.com/default.aspx?scid=kb;[LN];309172
Native Mode Domains
Group Scope | Allowable Objects (Native Mode) | Replication
Domain Local | Computer accounts, users, global groups and universal groups from any domain; Domain Local groups from the same domain. Can be nested in other Domain Local groups in the same domain. | Group object and its membership are replicated only to DCs within the same domain; not included in GC (Global Catalog) replication to other domains.
Domain Global | Only users, computers and global groups from the same domain. Can be nested in other Global groups (in the same domain), Domain Local groups, or Universal groups. | Group object is replicated to all DCs in the same domain and to all GCs in the forest. Membership is replicated only to DCs within the domain.
Universal | Universal groups, global groups, users and computers from any domain in the forest. Can be nested in Global, Domain Local or Universal groups. | Group object and its membership are replicated to all GC servers in the forest.
Mixed Mode Domains
Group Scope | Allowable Objects (Mixed Mode) | Replication
Domain Local | Computer accounts, users and global groups from any domain. Cannot be nested. | Same as Native Mode
Domain Global | Only users and computers from the same domain. Cannot be nested. | Same as Native Mode
Universal | Not available. | Not available.
Built-In Groups – There is another category of groups that you will see if you open Active Directory Users and Computers: Builtin. The Built-in groups are groups that Windows 2000 creates for you. They have a predetermined set of user rights and group membership, and can be used to assign permissions to network resources. You can find Built-in groups in the Builtin folder and in the Users folder.
Using Groups
The official Microsoft-sanctioned method for using groups in a domain setting is known as the A-G-DL-P method:
(A) Take the user Account and place it in a
(G) Global group, then take the global group and place it into a
(DL) Domain Local group, after which you assign
(P) Permissions to the domain local group.
Of course, always following this method is not practical. You have to use common sense and judgment when assigning permissions to groups. The above is just the official Microsoft guideline.
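The nesting rules from the Native Mode and Mixed Mode tables above, together with the A-G-DL-P chain, as an added Python example (not code from the original article or from Microsoft); the principals, domain names and rights in it are constructed, and nothing queries a real directory:

```python
# Added example, not from the original article: the Windows 2000 group-scope
# nesting rules from the Native/Mixed Mode tables, plus A-G-DL-P resolution.
NESTING = {  # scope -> {member kind: member may come from "any" domain | "same" domain only}
    "native": {"domain_local": {"account": "any", "global": "any", "universal": "any",
                                "domain_local": "same"},
               "global": {"account": "same", "global": "same"},
               "universal": {"account": "any", "global": "any", "universal": "any"}},
    "mixed": {"domain_local": {"account": "any", "global": "any"},  # no universal groups,
              "global": {"account": "same"}},                        # no same-scope nesting
}  # "account" covers both user and computer accounts

class Principal:  # constructed stand-in for a directory object; no directory is queried
    def __init__(self, name, kind, domain):
        self.name, self.kind, self.domain, self.members = name, kind, domain, []

def nesting_violation(group, member, mode):
    """Why the scope rules forbid member inside group, or None when it is allowed."""
    rules = NESTING[mode].get(group.kind)
    if rules is None:
        return f"{group.kind} groups do not exist in {mode} mode"
    where = rules.get(member.kind)
    if where is None:
        return f"{mode} mode: a {group.kind} group cannot contain a {member.kind}"
    if where == "same" and member.domain != group.domain:
        return f"a {group.kind} group only takes {member.kind}s from its own domain"

def add_member(group, member, mode):  # enforce the scope rules on every nesting step
    problem = nesting_violation(group, member, mode)
    if problem:
        raise ValueError(problem)
    group.members.append(member)

def accounts_in(group, visited=frozenset()):
    """Accounts reachable through nested membership (cycle-safe transitive closure)."""
    visited = visited | {group}
    return set().union(*({m.name} if m.kind == "account" else accounts_in(m, visited)
                         for m in group.members if m not in visited))

def effective_permissions(acl, account):
    """Union of rights from every ACL entry whose group transitively holds account."""
    return set().union(*(rights for group, rights in acl if account.name in accounts_in(group)))

def agdlp(mode="native"):
    """A -> G -> DL -> P: account into global group, global into domain local, rights on DL."""
    jack = Principal("jack", "account", "corp")
    engineers = Principal("Engineers", "global", "corp")                # G: role group
    printer_rw = Principal("Printer-ReadWrite", "domain_local", "corp")  # DL: resource group
    add_member(engineers, jack, mode)
    add_member(printer_rw, engineers, mode)
    return effective_permissions([(printer_rw, {"read", "print", "manage"})], jack)  # P on DL
```

The same chain resolves in both modes because A-G-DL-P never nests a group inside one of the same scope; try adding a Global group to a Global group with mode "mixed" and nesting_violation reports why the table forbids it.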
Special Identities
There are also some special groups, referred to as identities, because they are managed by the system and not by administrators. They are also automatically installed on all Windows 2000 computers. However, they do not appear in Active Directory Users and Computers or in the Computer Management tool. Here are the special identities:
Everyone: Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, they are automatically added to the Everyone group.
Network: Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where the resource is located). Whenever a user accesses a given resource over the network, they are automatically added to the Network group.
Interactive: Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the resource over the network). Whenever a user accesses a given resource on the computer to which they are currently logged on, they are automatically added to the Interactive group.
Anonymous Logon: The Anonymous Logon group refers to any user who is using Windows 2000 resources but did not go through the authentication process.
Authenticated Users: The Authenticated Users group includes all users who are authenticated to the network by using a valid user account. When assigning permissions, you can use the Authenticated Users group in place of the Everyone group to prevent anonymous access to resources.
Creator Owner: The Creator Owner group refers to the user who created or took ownership of the resource to which you are assigning permissions. For example, if the user Jack created a resource but the Administrator took ownership of it, then the Creator Owner would be the Administrator.
Dialup: The Dialup group includes anyone who is currently connected to the network through a dialup connection.
These groups can be assigned permissions to network resources, although caution should be used when granting permissions to some of them. Members of these groups are not necessarily users who have been authenticated to the domain. For instance, if you assign full permissions on a share to the Everyone group, users connecting from other domains will have access to the share.
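An added Python example (not from the original article) of the check implied by the paragraph above: it parses a DACL written in SDDL, the string form Windows uses for security descriptors, flags allow entries that give Everyone or Anonymous Logon modification rights, and swaps Everyone for Authenticated Users as the article suggests; the sample descriptor is constructed, and the set of rights tokens treated as "modification" is an illustrative subset rather than a complete list:

```python
# Added example, not from the original article: audit a DACL in SDDL form for
# the case the article warns about: Everyone or Anonymous Logon given write rights.
import re

# Windows 2000 special identities as they appear in SDDL (two-letter alias or SID).
SPECIAL = {
    "WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous Logon",
    "NU": "Network", "IU": "Interactive", "CO": "Creator Owner",
    "S-1-5-1": "Dialup",  # Dialup has no two-letter alias, so it shows up as a SID
}
UNAUTHENTICATED = {"Everyone", "Anonymous Logon"}
# Rights tokens that permit modification (illustrative subset). In the rights field
# "WD" means WRITE_DAC; only in the account field does "WD" mean Everyone.
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "WD", "WO", "SD", "DC"}
HEX_BITS = {0x10000000: "GA", 0x40000000: "GW", 0x40000: "WD",  # rights given as a
            0x80000: "WO", 0x10000: "SD", 0x2: "FW"}             # hex access mask
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")

def parse_dacl(sddl):
    """ACEs of the D: section as (ace_type, set of rights tokens, account name)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for ace in ACE_RE.finditer(m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inherit_obj, sid = ace.groups()
        if rights.startswith("0x"):
            mask = int(rights, 16)
            tokens = {tok for bit, tok in HEX_BITS.items() if mask & bit}
        else:
            tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, tokens, SPECIAL.get(sid, sid)))
    return aces

def risky_aces(sddl):
    """Allow ACEs that give an unauthenticated identity a modification right."""
    return [(acct, sorted(toks & WRITE_RIGHTS)) for typ, toks, acct in parse_dacl(sddl)
            if typ == "A" and acct in UNAUTHENTICATED and toks & WRITE_RIGHTS]

def harden(sddl):
    """Swap Everyone for Authenticated Users in allow ACEs, as the article advises."""
    return re.sub(r"\((A;[^)]*;)WD\)", r"\1AU)", sddl)

# Constructed sample: Everyone has full control next to the usual admin entry.
SAMPLE = "O:BAG:BAD:PAI(A;;FA;;;WD)(A;;FR;;;AU)(A;OICI;FA;;;BA)(A;;FR;;;S-1-5-1)"

if __name__ == "__main__":
    print(risky_aces(SAMPLE))          # [('Everyone', ['FA'])]
    print(risky_aces(harden(SAMPLE)))  # []
```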
Adding Groups/Users to Resource Permissions
Domain Computers and Member Servers can add the following users/groups to the ACLs of their local resources:
In a Mixed Mode Domain: Domain Users, Global Groups, Local Groups, Local Users
In a Native Mode Domain: Domain Users, Domain Local Groups, Global Groups, Universal Groups, Local Groups, Local Users
Domain Controllers can add the following users/groups to the ACLs of their local resources:
In a Mixed Mode Domain: Domain Users, Global Groups, Built-In Local Groups, Domain Local Groups
In a Native Mode Domain: Domain Users, Global Groups, Universal Groups, Built-In Local Groups, Domain Local Groups