لطفا منتظر باشید ...
Publisher| GroupsNotes |
Domain Setting
If you make a user a
member
of a group in order to grant the user permissions on network
resources but the user is currently logged on to a computer in the
forest, the new permissions will not take effect until the user next
logs on to the network.You can change both the type and scope of a group after it has been
created, which gives administrators a lot of flexibility.Use simple and meaningful names for your groups to help other
administrators locate them in Active Directory and to minimize the
amount of time you spend documenting your arrangement. For example,
if the parent domain is mtit.com , use Support
for the global group used for customer support people in your domain.
Child domains, such as ny.mtit.com and
sf.mtit.com , could use Support NY and Support SF
for their corresponding global groups in the New York and San
Francisco branch offices.Domain local, global, and universal groups are created by default
within the Users folder of the Active Directory Users and Computers
console, but they can also be created in any OUt you choose or in a
user-defined OU.You must be a member of the Enterprise Admins group to modify the
membership of universal groups.
Workgroup Setting
Do not create local groups on
computers
that belong to a domain since local groups can be used to secure
resources located only on the computer on which you create them.You can't create local groups on a WS2003 domain
controller since a domain controller has no local security database.
Built-in Groups
Members of the Guests built-in
group
can't permanently modify the desktop settings on
their WS2003 computer.If additional services like Internet Information Services or Terminal
Services are installed on a standalone server, additional built-in
user accounts will be created as members of the Guests group.You can't change the scope (domain local, global, or
universal) or the type (security or distribution) of a built-in
group. This provides an easy way to determine whether a given group
is built-in or user-defined.Limit membership in the Domain Admins global group for each domain.
Members of this group have powerful privileges, including the ability
to define domainwide security policies and the ability to take
ownership of any object in the domain. A good strategy is to keep
membership in this group small and to delegate limited administrative
authority over different OUs in the domain to specific groups of
trusted users.Use built-in groups wherever possible to simplify the task of
granting users rights and permissions to use network resources, and
add users only to those groups that give the users just enough rights
and permissions to access the resources they need on the network.In addition to user accounts and other groups, you can also make
computer accounts and contacts into members of groups. Active
Directory provides a great deal of flexibility in how groups can be
used.
See Also
Domain , net group,
net localgroup,
Users
