Entering the Group Properties: Note the radio buttons for the group's scope and type; you can change both. There are some limitations, however. If the group's scope is Universal, you can immediately change it to either Global or Domain Local. If the scope is Domain Local or Global, however, you can at first only change it to Universal. In addition to changing the scope, you can also change the type; if you change from Security to Distribution, however, a dialog box will appear. Now that we have looked at the scopes in Active Directory Users and Computers, let's take a look at how they can be used, and especially how it is recommended that they be used.
Let's start by looking at the Universal group scope, in terms of when and how it can be used. To do this, you need to remember that an Active Directory domain can be in one of three functional modes: Mixed, Windows 2000 Native or Windows Server 2003 Native. It is important to keep in mind, as well, that the only difference between the modes is whether there are legacy domain controllers. The operating system running on computers in a domain that are not domain controllers is of no importance when determining whether a domain can operate in native mode. Universal scope security groups are only available when an Active Directory domain is in native mode, though Universal scope distribution groups are available in any mode. Universal groups are very flexible, because a Universal group can contain members from any domain in the forest, and can be used in any domain in the forest. There is an important thing to remember about Universal groups, however: information on the membership of a Universal group is stored on every domain controller in the forest, and any change to the direct membership of a Universal group will be replicated to every domain controller in the forest. I emphasize direct, because one recommended practice with regard to Universal groups is that their members are only Global groups, not individual user accounts. So, while a user or computer account can be a member of a Universal group, it should not be a direct member. Universal groups are most useful in a multi-domain forest, because it is there that you will most likely have business units in each domain that need common access to enterprise resources. In a single domain model, it is less likely that the need for Universal scope security groups will present itself, though distribution groups are another matter entirely.
You can use the Properties tab to find a user's direct group membership. As you can see in Figure 1.9, there are four tabs that you can access in the properties for a group. You can find the direct members of a group on the Members tab, and you can find the groups that a group or account is a direct member of on the Member Of tab. Note that these tabs show strictly direct membership, however: if a user is a member of a Global group that is a member of a Domain Local group, the Members and Member Of tabs still only show the direct membership.
Manage group membership: Before we dig into Global and Domain Local groups, let's review the recommended practice for granting resource access permissions. There are many ways to express the acronym we use (yes, yet another one of those acronyms!) to remember what goes where. Since this article is discussing Universal groups, I will use the longest of the bunch, AGGUDLP. This acronym stands for:
• Accounts are members of
• Global groups, which in native mode can be members of other
• Global groups, which in native mode can be members of
• Universal groups, which are in turn members of
• Domain Local groups, which are the group scope that is granted resource access
• Permissions.
Now, if you don't have nested Global groups or don't use Universal groups, you can trim out some of those letters, but only the second G and the U!
The workhorse of Active Directory groups is the Global group. Global groups are limited in that they can only contain members from the domain where they were created, but they can be used in any trusting domain, whether in the forest or not. If the domain is in native mode, Global groups can be members of other Global groups (but still only within the same domain!). User and computer accounts should only be direct members of Global groups. All of the direct and indirect members of a group inherit the permissions granted to that group. When naming Global groups, as with any group, you want to use a name that will still make sense six months or three years from now. Note, too, that while resource access permissions should only be granted to Domain Local groups, you can use Global groups for other purposes such as delegation of authority and GPO filtering.
Now we come to the Domain Local group, which I like to call the Permission group, since it is the group that we use for granting resource access permissions. Domain Local groups have essentially the opposite restriction of Global groups: they can have members from any trusted domain, but can only be used in the domain where they were created. When naming Domain Local groups, I recommend that you use a combination of the resource that the Domain Local group will be used for and the permission being granted. One significant advantage of using Domain Local groups over local groups that only exist on a non-domain controller is that you use the same interface, Active Directory Users and Computers, to manage them as you use for Global and Universal groups.
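The scope-change limits, the direct-versus-nested membership point about the Members tab, and the AGGUDLP nesting rules above can be checked mechanically. The following is an added example, not code from the article: it models a small constructed directory in memory (the group and domain names are invented) and audits it against the rules the article states.

```python
# Constructed sample directory (not from the article): name -> (domain, kind,
# scope, direct members); scope is "" for users and computers.
DIRECTORY = {
    "alice":       ("corp", "user",  "",            []),
    "bob":         ("corp", "user",  "",            []),
    "carol":       ("eu",   "user",  "",            []),
    "G-Sales":     ("corp", "group", "Global",      ["alice", "carol"]),
    "G-SalesMgrs": ("corp", "group", "Global",      ["G-Sales"]),
    "U-AllSales":  ("corp", "group", "Universal",   ["G-SalesMgrs", "bob"]),
    "DL-Sales-RW": ("corp", "group", "DomainLocal", ["U-AllSales"]),
}
# Constructed permission grants: resource -> group that holds the permission.
GRANTS = {r"\\fs1\sales": "DL-Sales-RW", r"\\fs1\reports": "G-Sales"}
# Scope changes the article allows: Universal to either other scope,
# Global or Domain Local only to Universal (in one step).
SCOPE_CHANGES = {"Universal": {"Global", "DomainLocal"},
                 "Global": {"Universal"}, "DomainLocal": {"Universal"}}

def can_change_scope(current, target):
    return target in SCOPE_CHANGES.get(current, set())

def effective_members(group, directory=DIRECTORY):
    """Direct plus nested members; the Members tab shows only the direct ones."""
    seen, stack = [], list(directory[group][3])
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        if directory[name][1] == "group":
            stack.extend(directory[name][3])
    return sorted(seen)

def audit_aggudlp(directory=DIRECTORY, grants=GRANTS):
    """Flag nesting and permission grants that deviate from AGGUDLP."""
    findings = []
    for g, (gdom, kind, gscope, members) in directory.items():
        for m in members:  # users and computers have no members
            mdom, mkind, mscope, _ = directory[m]
            if gscope == "Global" and (mdom != gdom or mscope not in ("", "Global")):
                findings.append(f"Global group {g} cannot contain {m} ({mscope or mkind}, domain {mdom})")
            if mkind != "group" and gscope != "Global":
                findings.append(f"{m} is a direct member of {gscope} group {g}")
            if mkind == "group" and gscope == "Universal" and mscope != "Global":
                findings.append(f"Universal group {g} nests non-Global group {m}")
    for resource, holder in grants.items():
        if directory[holder][2] != "DomainLocal":
            findings.append(f"{resource} is granted to {directory[holder][2]} group {holder}")
    return findings
```

Running `audit_aggudlp()` on the sample reports the cross-domain user in a Global group, the user nested directly in the Universal group, and the share permission granted to a Global group rather than a Domain Local one.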
Modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in: Modifying a group using the Active Directory Users and Computers console is a simple task. Click Start, select Administrative Tools, then Active Directory Users and Computers, choose the domain or OU that contains the group you wish to modify, and finally right-click the group and select Properties.
(Figure: An example of modifying group information.)
The General tab allows you to enter and select information for the group, such as the group name, description and e-mail address. It also allows you to select the group scope and type, as well as notes pertaining to the group. Click the Add button to add members to the group, then click Apply. A further screen lets you enter the name of the group's manager and their office information, and also lets you permit the manager of the group to update the group's membership list.
Jada Brock-Soldavini is the author of the book InsideScoop to Windows Server 2003 Certification Examination 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment. Jada works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to numerous other works pertaining to Microsoft Windows technologies. In her spare time she enjoys cooking, writing and reading anything that pertains to network and security technology. To buy my book, please visit www.totalrecallpress.com.