Lesson 1: Introduction to Groups
In this lesson you will learn what groups are and how groups are used to simplify administration tasks. You will also learn the group types and the group scopes you can create in Windows 2000 and how these group types and scopes are used, along with the rules for group membership. Finally, you will learn the purpose of using local groups.
After this lesson, you will be able to
Explain the purpose of groups
Explain the purpose of security and distribution group types
Explain the purpose of domain local, global, and universal group scopes
Explain the purpose of local groups
Estimated lesson time: 15 minutes
Groups and Permissions
A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions and rights to each individual user account (see Figure 8.1).
Permissions control what users can do with a resource, such as a folder, file, or printer. When you assign permissions, you give users the capability to gain access to a resource and define the type of access that they have. For example, if several users need to read the same file, you would add their user accounts to a group. Then, you would give the group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a computer, backing up or restoring files, or logging on locally.
Figure 8.1 Groups simplify administration
NOTE
For detailed information about permissions, see Chapter 9, "Securing Network Resources." For detailed information about rights, see Chapter 13, "Administering a Security Configuration."
In addition to user accounts, you can add other groups, contacts, and computers to groups. You add groups to other groups to create a consolidated group and reduce the number of times that you need to assign permissions. You add computers to groups to simplify giving a system task on one computer access to a resource on another computer.
Group Types
Sometimes you create groups for security-related purposes, such as assigning permissions. Other times you use them for nonsecurity purposes, such as sending e-mail messages. To facilitate this, Windows 2000 includes two group types: security and distribution. The group type determines how you use the group. Both types of groups are stored in the database component of Active Directory, which allows you to use them anywhere in your network.
Security Groups
Windows 2000 uses only security groups, which you use to assign permissions to gain access to resources. Programs that are designed to search Active Directory can also use security groups for nonsecurity-related purposes, such as retrieving user information for use in a Web application. A security group also has all the capabilities of a distribution group. Because Windows 2000 uses only security groups, this chapter focuses on security groups.
Distribution Groups
Applications use distribution groups as lists for nonsecurity-related functions. Use distribution groups when the only function of the group is nonsecurity-related, such as sending e-mail messages to a group of users at the same time. You cannot use distribution groups to assign permissions.
NOTE
Only programs that are designed to work with Active Directory can use distribution groups. For example, future versions of Microsoft Exchange Server will be able to use distribution groups as distribution lists for sending e-mail messages.
Group Scopes
When you create a group, you must select a group type and a group scope. Group scopes allow you to use groups in different ways to assign permissions. The scope of a group determines where in the network you can use the group to assign permissions. The three group scopes are global, domain local, and universal, as shown in Figure 8.2.
Figure 8.2 Group scopes
Global Groups
Global security groups are most often used to organize users who share similar network access requirements. A global group has the following characteristics:
Limited membership. You can add members only from the domain in which you create the global group.
Access to resources in any domain. You can use a global group to assign permissions to gain access to resources that are located in any domain in the domain tree or forest.
Domain Local Groups
Domain local security groups are most often used to assign permissions to resources. A domain local group has the following characteristics:
Open membership. You can add members from any domain.
Access to resources in one domain. You can use a domain local group to assign permissions to gain access to resources that are located only in the same domain where you create the domain local group.
Universal Groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. A universal security group has the following characteristics:
Open membership. You can add members from any domain.
Access to resources in any domain. You can use a universal group to assign permissions to gain access to resources that are located in any domain.
Only available in native mode. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 is only available in native mode.
Group Nesting
Adding groups to other groups, or nesting, creates a consolidated group and can reduce network traffic between domains and simplify administration in a domain tree. For example, you could add the managers in each region to a group that represents the managers in that region. Then, you could add all of the regional manager groups to a worldwide managers group. When all managers need access to resources, you assign permissions only to the worldwide managers group.
Guidelines for group nesting include the following:
Minimize levels of nesting. Tracking permissions and troubleshooting becomes more complex with multiple levels of nesting. One level of nesting is the most effective to use.
Document group membership to keep track of permissions assignments. Providing documentation of group membership can eliminate the redundant assignment of user accounts to groups and reduce the likelihood of accidental group assignments.
To efficiently use nesting it is important to understand the membership rules of groups.
Rules for Group Membership
The group scope determines the membership of a group. Membership rules determine the members that a group can contain. Group members can be user accounts and other groups. To assign the correct members to groups and to use nesting, it is important to understand group membership rules.
Table 8.1 describes group membership rules, including what each group scope can contain in native and mixed mode.
Table 8.1 Group Scope Membership Rules
| Group Scope | In Native Mode, Scope Can Contain | In Mixed Mode, Scope Can Contain |
|---|---|---|
| Global | User accounts and global groups from the same domain | Users from the same domain |
| Domain local | User accounts, universal groups, and global groups from any domain; domain local groups from the same domain | User accounts and global groups from any domain |
| Universal | User accounts, other universal groups, and global groups from any domain | Not applicable; universal groups cannot be created in mixed mode |
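The membership rules in Table 8.1 and the nesting guideline above, as an added example that is not part of the lesson: a small Python model in which the group names and domains (east.example, west.example, and so on) are constructed, `can_contain` applies the table for native or mixed mode, and `effective_users` flattens nested membership and reports how many levels of nesting are in use.

```python
# Added example, not from the lesson: constructed groups modelling Table 8.1.
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    scope: str          # "user", "global", "domain local" or "universal"
    members: list = field(default_factory=list)

def can_contain(parent, member, native_mode=True):
    """True if Table 8.1 lets `parent` hold `member` in the given mode."""
    same_domain, scope = member.domain == parent.domain, member.scope
    if parent.scope == "global":        # limited membership: own domain only
        return same_domain and (scope == "user" or
                                (native_mode and scope == "global"))
    if parent.scope == "universal":     # does not exist in mixed mode
        return native_mode and scope in ("user", "global", "universal")
    if parent.scope == "domain local":  # open membership
        if scope == "universal":
            return native_mode
        return scope in ("user", "global") or (native_mode and same_domain)
    raise ValueError(f"unknown scope {parent.scope!r}")

def nest(parent, member, native_mode=True):
    """Add `member` to `parent`, rejecting what Table 8.1 forbids."""
    if not can_contain(parent, member, native_mode):
        raise ValueError(f"{parent.name} cannot contain {member.name}")
    parent.members.append(member)

def effective_users(group, seen=frozenset()):
    """Flatten nesting: return (set of user names, deepest nesting level)."""
    users, depth, seen = set(), 0, seen | {group.name}  # seen guards cycles
    for m in group.members:
        if m.scope == "user":
            users.add(m.name)
        elif m.name not in seen:
            sub, d = effective_users(m, seen)
            users, depth = users | sub, max(depth, d + 1)
    return users, depth

def worldwide_managers():
    """The lesson's regional/worldwide managers example, built in native mode."""
    world = Principal("world-managers", "east.example", "universal")
    for region in ("east", "west"):
        managers = Principal(region + "-managers", region + ".example", "global")
        nest(managers, Principal(region + "_mgr", region + ".example", "user"))
        nest(world, managers)
    share = Principal("report-readers", "west.example", "domain local")
    nest(share, world)                  # permissions are assigned to this group
    return share
```

Running `effective_users(worldwide_managers())` reports two levels of nesting, one more than the guideline recommends, which is the kind of finding the documentation step above is meant to surface.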
Local Groups
A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows 2000 creates local groups in the local security database.
CAUTION
Because Active Directory groups with a "domain local" scope are sometimes referred to as "local groups," it is important to distinguish between a local group and a group with a domain local scope.
Using Local Groups
The following are guidelines for using local groups:
You can use local groups only on the computer where you create the local groups. Local group permissions provide access to only the resources on the computer where you created the local group.
You can use local groups on computers running Windows 2000 Professional and member servers running Windows 2000 Server. Local groups cannot be created on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory.
Use local groups to limit the ability of local users and groups to gain access to network resources without creating domain groups, such as in an Internet Information Server environment.
Membership rules for local groups include the following:
Local groups can contain local user accounts from the computer where you create the local group.
Local groups cannot be members of any other group.
Lesson Summary
In this lesson you learned that a group is a collection of user accounts. Groups can also contain other groups. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than having to assign permissions to each individual user account.
You also learned that when you create a group, you must choose a group type and a group scope. Windows 2000 includes two group types, security groups and distribution groups, but uses only security groups. Applications designed to work with Active Directory can use distribution groups as lists for nonsecurity-related functions, such as e-mail. Windows 2000 includes three group scopes: global, domain local, and universal.
You learned that there are rules for group membership. These rules determine the members that a global security group, a domain local security group, and a universal security group can contain.
Finally, you learned how local groups are used to assign permissions to resources residing on the computer on which the local group is created.