Description of Groups in Windows Server
A group is a collection of user and computer accounts, contacts, and other groups. Groups can be used to:
- Simplify administration by assigning permissions for a share to a group rather than to individual users. When permissions are assigned to a group, every member of that group receives the same access to the resource.
- Delegate administration by assigning user rights to a group once, using Group Policy, instead of to each account.
TYPES OF GROUPS
Windows Server 2008 includes two types of groups:
- Security groups. They are used to assign user rights and permissions; a security group has a SID that can appear in an ACL.
- Distribution groups. They are used only by email applications (for example, Exchange) to deliver mail to a set of recipients. They are not security-enabled, so they cannot be used to assign permissions or rights.
SCOPE OF THE GROUPS
The scope of a group determines:
- The domains from which you can add members to the group
- The domains in which you can use the group to grant permissions
- The domains in which the group can be nested in other groups
The three group scopes are:
- Domain local
Domain local groups are frequently used to assign permissions to resources. A domain local group has the following characteristics:
- Open membership
Members can be added from any domain
- Access to resources in one domain
A domain local group can be used to assign permissions only to resources located in the same domain where the domain local group was created.
- Global
Global groups are frequently used to organize users who share similar network access requirements. A global group has the following characteristics:
- Limited membership
Members can be added only from the domain in which the global group was created.
- Access to resources in any domain
A global group can be used to assign permissions to access resources that are located in any domain.
- Universal
Universal groups are used to assign permissions to related resources in several domains. A universal group has the following characteristics:
- Open membership
Members can be added from any domain
- Access resources from any domain
A universal group can be used to assign permissions to access resources that are located in any domain.
- Availability
Universal security groups exist only in Windows 2000 native mode and at the Windows Server 2003/2008 domain functional levels. They are not available in mixed mode (only universal distribution groups are).
Avoid changing the membership of a universal group frequently: the membership list is stored in the global catalog, so every change is replicated to each global catalog server in the forest.
BELONGING TO A GROUP
The scope of a group determines which members it can contain. Membership rules define which objects a group may contain; group members are user accounts, computer accounts and other groups. The membership rules are:
- Domain local
  - Mixed mode: user accounts, computer accounts and global groups from any domain.
  - Native mode: user accounts, computer accounts, global groups and universal groups from any domain, as well as domain local groups from the same domain.
- Global
  - Mixed mode: user accounts and computer accounts from the same domain.
  - Native mode: user accounts, computer accounts and global groups from the same domain.
- Universal
  - Mixed mode: not available (for security groups).
  - Native mode: user accounts, computer accounts, global groups and universal groups from any domain.
CHANGE THE SCOPE OF A GROUP
You can change the scope of a group only in domains running in native mode; changing the scope of a group is not allowed in a mixed mode domain. The scope is changed on the General tab of the group's Properties dialog box (or with Set-ADGroup -GroupScope). The allowed conversions are:
- From global to universal. Allowed only if the global group to be converted is not a member of another global group.
- From domain local to universal. Allowed only if the domain local group to be converted does not contain another domain local group as a member.
- From universal to global. Allowed only if the universal group to be converted does not contain another universal group as a member.
- From universal to domain local. No restrictions.
A global group cannot be converted directly into a domain local group, nor a domain local group into a global group; the conversion has to pass through universal scope.
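The following PowerShell function is an added example (not from the original article) that checks the conversion rules above before calling Set-ADGroup, so that a blocked conversion fails with a clear message instead of an AD error. It assumes the RSAT ActiveDirectory module, a domain at Windows 2000 native functional level or higher, and the group name 'Sales-Readers' is a placeholder.

```powershell
# Added example: verify the scope-conversion rules before changing a group's scope.
# Assumes the ActiveDirectory module (RSAT) and a native-mode domain.
Import-Module ActiveDirectory

function Test-GroupScopeChange {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$TargetScope,
        [switch]$Apply   # without -Apply only the check is reported
    )
    $group = Get-ADGroup -Identity $Identity -Properties MemberOf, Members
    $from  = $group.GroupScope.ToString()
    if ($from -eq $TargetScope) { return "$Identity is already $TargetScope" }

    # Scopes of the groups this group is nested in (parents) and of the groups it contains (children)
    $parentScopes = @($group.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).GroupScope.ToString() })
    $childScopes  = @($group.Members  | ForEach-Object {
        $obj = Get-ADObject -Identity $_
        if ($obj.ObjectClass -eq 'group') { (Get-ADGroup -Identity $_).GroupScope.ToString() }
    })

    $blocked = switch ("$from->$TargetScope") {
        'Global->Universal'      { $parentScopes -contains 'Global' }       # must not be a member of a global group
        'DomainLocal->Universal' { $childScopes  -contains 'DomainLocal' }  # must not contain a domain local group
        'Universal->Global'      { $childScopes  -contains 'Universal' }    # must not contain a universal group
        'Universal->DomainLocal' { $false }                                 # always allowed
        default                  { $true }   # Global<->DomainLocal has no direct conversion; go via Universal
    }

    if ($blocked) {
        throw ("Cannot convert {0} from {1} to {2}: conversion rule violated" -f $Identity, $from, $TargetScope)
    }
    if ($Apply) {
        Set-ADGroup -Identity $Identity -GroupScope $TargetScope
        return ("{0} converted from {1} to {2}" -f $Identity, $from, $TargetScope)
    }
    return ("{0} may be converted from {1} to {2}" -f $Identity, $from, $TargetScope)
}

# Placeholder group name; run without -Apply first to see whether the change is allowed.
Test-GroupScopeChange -Identity 'Sales-Readers' -TargetScope Universal
```

The check reads the nesting relations from AD rather than relying on the error returned by Set-ADGroup, which makes it usable as a pre-flight step in a migration script that converts many groups.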
NESTING OF GROUPS
Adding groups to other groups (nesting) reduces the number of times permissions need to be assigned. Windows Server 2008 allows unlimited levels of nesting in native mode, but it is advisable to keep nesting shallow, because tracing where a permission comes from becomes harder with every additional level. A single nesting level is the most effective: it reduces the number of permission assignments while keeping permissions easy to trace.
Effective nesting across groups in a multi-domain environment reduces cross-domain network traffic and simplifies management in a domain tree.
To use groups effectively you need to decide how groups will be used and which kinds of groups will be used. Microsoft recommends implementing one of the following methods.
Each element is designated with a symbol:
A - (Account) User account
L - (Local Group) Local group on a computer
G - (Global Group) Global group
DL - (Domain Local Group) Domain local group
U - (Universal Group) Universal group
P - Permissions
Method A, G, P
This method consists of putting the user accounts in a global group and then assigning the permissions to that global group.
It is simple when there is a single domain. It is used when the number of users is low and there are few permission restrictions. The absence of nesting and the use of a single group type simplify administration.
It is difficult to manage in a multi-domain architecture. It can also degrade performance, because when a user accesses a resource the server has to check the memberships of global groups from other domains at access time instead of relying on domain local groups of its own domain.
Method A, DL, P
This method consists of putting the user accounts in a domain local group and then assigning the permissions to that domain local group.
Although this method is not recommended, it is acceptable for a single-domain architecture with few users that will not evolve into a multi-domain forest. Administration is simple because of the single group type and the absence of nesting.
Its main limitation is that the architecture cannot grow: a domain local group cannot be granted permissions on resources outside its own domain.
Method A, G, DL, P
This method consists of putting user accounts in global groups, the global groups in a domain local group, and then assigning the permissions to that domain local group.
It fits every domain architecture (single or multiple). It reduces administration time, since permissions are managed exclusively on the domain local groups while users belong only to the global groups. It also works regardless of the functional mode of the domain.
Determining a user's effective permissions is harder for administrators, because the nesting chain has to be followed. Implementing this method requires careful planning and documentation. It is best suited to large structures that manage many users.
Method A, G, U, DL, P
This method consists of putting user accounts in global groups, the global groups in a universal group, the universal group in a domain local group, and then assigning permissions and privileges to that domain local group.
It fits every domain architecture (single or multiple). It reduces administration time, since permissions are managed exclusively on the domain local groups.
Determining a user's effective permissions is harder for administrators, and this type of administration is far from obvious to implement and maintain. Because it relies on universal groups, it is reserved for domains in Windows 2000 native mode or at the Windows Server 2003/2008 functional levels. Universal group membership is stored in the global catalog; therefore, whenever the membership of a universal group is modified, the change has to be replicated to every global catalog server in the forest.
Method A, G, L, P
This method consists of putting user accounts in a global group, the global group in a local group on a computer, and then assigning the permissions to that local group.
With this method, local groups are defined (or predefined) on each computer and permissions on that computer's resources are assigned to these groups. Its advantage is compatibility with Windows NT 4.0 member servers and workstations.
Permissions cannot be defined outside the local computer: each local group and its members are managed on every computer that shares resources. Group administration is therefore decentralized, since these groups are not stored in Active Directory. This method is preferable only when the number of users and resource servers is small.
Use of global groups and domain local groups
When planning to use global and domain local groups, consider the following:
- Identify users with common job responsibilities and add their user accounts to a global group.
- Identify the resources users need to access and create a domain local group for each resource.
- Identify all global groups that share the same resource access needs and make them members of the appropriate domain local group.
- Assign the necessary permissions to the domain local group.
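The script below is an added example (not from the original article) that carries the four planning steps above through for one shared folder using the A, G, DL, P method. It assumes the RSAT ActiveDirectory module, an account allowed to create groups and change the folder ACL, and placeholder names: the OU, the folder path, the group names and the user accounts alice, bob and carol are constructed for illustration.

```powershell
# Added example: build A -> G -> DL -> P for a Finance share.
# Assumes the ActiveDirectory module (RSAT); all names below are placeholders.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=corp,DC=example'   # assumed OU that will hold the groups
$share  = 'D:\Shares\Finance'              # assumed folder exposed as the share
$domain = (Get-ADDomain).NetBIOSName

function Ensure-ADGroup {
    # Create a security group of the requested scope if it does not already exist.
    param([string]$Name, [string]$Scope)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $ou
    }
}

# Step 1 (A -> G): one global group per job role, holding the user accounts.
$roles = @{
    'Role-Finance-Analysts' = @('alice', 'bob')   # constructed sample users
    'Role-Finance-Managers' = @('carol')
}
foreach ($role in $roles.Keys) {
    Ensure-ADGroup -Name $role -Scope Global
    Add-ADGroupMember -Identity $role -Members $roles[$role]
}

# Step 2 (DL): one domain local group per resource and permission level.
$dlRead   = 'ACL-Finance-Read'
$dlModify = 'ACL-Finance-Modify'
Ensure-ADGroup -Name $dlRead   -Scope DomainLocal
Ensure-ADGroup -Name $dlModify -Scope DomainLocal

# Step 3 (G -> DL): nest the role groups that need each level of access.
Add-ADGroupMember -Identity $dlRead   -Members 'Role-Finance-Analysts', 'Role-Finance-Managers'
Add-ADGroupMember -Identity $dlModify -Members 'Role-Finance-Managers'

# Step 4 (DL -> P): grant NTFS permissions only to the domain local groups.
$acl     = Get-Acl -Path $share
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$dlRead", 'ReadAndExecute', $inherit, 'None', 'Allow'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$dlModify", 'Modify', $inherit, 'None', 'Allow'))
Set-Acl -Path $share -AclObject $acl

# Answer "which users can modify Finance?" by resolving the nesting chain transitively
# (LDAP_MATCHING_RULE_IN_CHAIN) instead of walking it by hand.
$dlDn = (Get-ADGroup -Identity $dlModify).DistinguishedName
Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dlDn)" | Select-Object SamAccountName
```

Giving someone read access to Finance later means adding their role group to ACL-Finance-Read; the folder ACL never changes again, which is the point of keeping permissions on the domain local groups only.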
Use of universal groups
When planning to use universal groups, consider:
- Use universal groups to give users access to resources located in more than one domain.
- Use universal groups only when their membership is static. In a domain tree, universal groups can cause excessive network traffic between domain controllers whenever their membership changes, because the change may be replicated to a large number of global catalog servers.
- Add global groups from several domains to a universal group, and then assign the universal group permissions on the resource. This lets a universal group be used in the same way as a domain local group to assign permissions to resources. Unlike a domain local group, however, a universal group can be granted permissions on a resource located in a different domain from the one where the group was created.
Guidelines when implementing the group strategy
- Determine the required scope of the group from how you intend to use it. For example, use global groups to group user accounts, and nest global groups in domain local groups and universal groups.
- Avoid adding users directly to universal groups, since adding and removing users from universal groups increases replication traffic.
- Determine whether you have the permissions needed to create a group in the appropriate domain. By default, members of the Administrators group or the Account Operators group of a domain have the permissions needed to create groups.
- Choose an intuitive name for the group.
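As an added example (not from the original article), the audit function below checks an existing domain against the first two guidelines: it reports universal and domain local security groups that contain user accounts directly, which is where A, G, DL, P is usually broken in practice and where universal group replication traffic comes from. It assumes the RSAT ActiveDirectory module and the current domain as the search base; the built-in container is skipped because its groups (for example Administrators) legitimately contain accounts.

```powershell
# Added example: find security groups that hold user accounts directly where only
# nested global groups should appear. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GroupStrategyViolations {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # assumed: the current domain
    )
    foreach ($scope in 'Universal', 'DomainLocal') {
        $groups = Get-ADGroup -Filter "GroupScope -eq '$scope' -and GroupCategory -eq 'Security'" `
                              -SearchBase $SearchBase -Properties Members, whenChanged
        foreach ($g in $groups) {
            # Built-in groups (CN=Builtin) are allowed to contain accounts; skip them.
            if ($g.DistinguishedName -like '*,CN=Builtin,*') { continue }

            # Direct members that are user objects; nested groups are the expected shape.
            $directUsers = @($g.Members | ForEach-Object { Get-ADObject -Identity $_ } |
                             Where-Object { $_.ObjectClass -eq 'user' })
            if ($directUsers.Count -eq 0) { continue }

            $advice = if ($scope -eq 'Universal') {
                'Move the users into a global group and nest it here; direct changes replicate to every global catalog'
            } else {
                'Move the users into a global group and nest it in this domain local group (A, G, DL, P)'
            }
            [pscustomobject]@{
                Group          = $g.SamAccountName
                Scope          = $scope
                DirectUsers    = ($directUsers.Name -join ', ')
                LastChanged    = $g.whenChanged
                Recommendation = $advice
            }
        }
    }
}

# Run against the current domain and print one row per offending group.
Get-GroupStrategyViolations | Format-Table -AutoSize
```

Scheduling this as a periodic job, or running it before a forest-wide change to universal groups, gives an early warning that the membership of a universal group is no longer static.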