Local, Domain Local, Global, and Universal Groups

Unlike group types, which are fairly simple to understand, group scopes can be frustrating to those new to working with Windows Server 2003 and Active Directory. The scope of the group identifies the extent to which the group is applied throughout the domain tree or forest. There are four group scopes:

■ Local groups Local groups can contain user accounts from the local machine, user accounts from the domain the local machine is joined to, or user accounts from any trusted domains of the domain the machine is joined to. Only local groups can manage permissions for local resources (local to a single machine).

■ Domain local groups Domain local groups can include other groups and user/computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Domain local groups can be assigned permissions only in the domain in which the group is defined.

■ Global groups Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.

■ Universal groups Universal groups can include other groups and user/computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups. Universal groups are only available if your domain functional level is set to Windows 2000 native mode.

Domain and Forest Functionality

Domain and forest functionality is a new feature introduced in Windows Server 2003. By having differing levels of domain and forest functionality available within your Active Directory implementation, you have different features available to your network.

As an example, if all of your network's domain controllers are Windows Server 2003 and the domain functional level is set to Windows Server 2003, all domain features become available. You can make use of the new capability to rename a domain controller only if the domain functional level is set to Windows Server 2003. If your entire Active Directory forest is set at the Windows Server 2003 functional level, you also gain the new capability to rename entire domains—something that administrators have been requesting for many years. Three domain functional levels are available:

■ Windows 2000 mixed The default domain functional level; allows for Windows NT 4.0 backup domain controllers (BDCs), Windows 2000 Server domain controllers, and Windows Server 2003 domain controllers.

■ Windows 2000 native The minimum domain functional level at which universal groups become available, along with several other Active Directory features; allows for Windows 2000 Server and Windows Server 2003 domain controllers.

■ Windows Server 2003 The highest domain functional level, providing the most features and functionality; allows for only Windows Server 2003 domain controllers.

Be forewarned, however, once you have raised the domain functional level, domain controllers running earlier operating systems cannot be used in that domain. As an example, should you decide to raise domain functional level to Windows Server 2003, Windows 2000 Server domain controllers cannot be added to that domain.

Nesting Groups

You've seen how groups can have other groups as members. This concept is known as group nesting. Groups can be nested to help consolidate large numbers of user and computer accounts to reduce replication traffic. The type of nesting you can perform is determined by the domain functional level of the domain.

If the domain functional level is set to Windows 2000 native or Windows Server 2003, groups can have the following members:

■ Domain local groups Other domain local groups in the same domain, global groups from any domain, universal groups from any domain, user accounts from any domain, and computer accounts from any domain.

■ Global groups Other global groups in the same domain, user accounts in the same domain, and computer accounts in the same domain.

■ Universal groups Other universal groups from any domain, global groups from any domain, user accounts from any domain, and computer accounts from any domain.

If the domain functional level is set to Windows 2000 mixed, distribution groups can have the same membership as detailed for Windows 2000 native or Windows Server 2003 functional-level security groups.

If the domain functional level is set to Windows 2000 mixed, security groups can have the following members:

■ Domain local groups Other global groups from any domain, user accounts from any domain, and computer accounts from any domain.

■ Global groups User accounts in the same domain and computer accounts in the same domain.

Group nesting is pictured in Figure 4.33. As you can see, nesting makes it easier to reassign permissions. For example, if a user moves from a Tier 2 position in Desktop Support to the Windows server team, removing the user from one group and adding the user to a single other group automatically grants membership to the necessary groups. However, nesting groups too deeply can make it difficult to troubleshoot problems, because you have to work your way through the entire group hierarchy to find the problem.

Figure 4.33 Utilizing Group Nesting

[Figure: diagram of group nesting; the image is not reproduced here.]

Table 4.11 outlines the behavior and usage of the scopes of domain groups as the domain functional level changes.

Table 4.11 Group Scope Behavior versus Domain Functional Level

Group membership (Windows Server 2003 or Windows 2000 native)

■ Universal group Members can include user accounts, computer accounts, and other universal groups from any domain.

■ Global group Members can include user accounts, computer accounts, and other global groups from the same domain.

■ Domain local group Members can include user accounts, computer accounts, global groups, and universal groups from the same domain.

Group membership (Windows 2000 mixed)

■ Universal group Universal groups cannot be created.

■ Global group Members can include user and computer accounts from the same domain.

■ Domain local group Members can include user accounts, computer accounts, and global groups from any domain.

Group nesting (Windows Server 2003 or Windows 2000 native)

■ Universal group Can be added to other groups.

■ Global group Can be added to other groups.

■ Domain local group Can be added to other domain local groups.

Group permissions (Windows Server 2003 or Windows 2000 native)

■ Universal group Can be assigned permissions in any domain.

■ Global group Can be assigned permissions in any domain.

■ Domain local group Can be assigned permissions only in the same domain.

Group scope changes (Windows Server 2003 or Windows 2000 native)

■ Universal group Can be changed to global groups as long as no group members are other universal groups. Can be converted to domain local groups with no restrictions.

■ Global group Can be changed to universal groups as long as the group is not a member of any other global group.

■ Domain local group Can be changed to universal groups as long as no group members are other domain local groups.

Group scope changes (Windows 2000 mixed)

■ Universal group Not allowed.

■ Global group Not allowed.

■ Domain local group Not allowed.
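The nesting rules listed under Nesting Groups and the membership and scope-change rows of Table 4.11 can be encoded as a small checker, which is useful for reviewing an exported group hierarchy before a functional-level change or a scope conversion. The following is an added example, not code from the book; the Group and Principal classes, the scope and level names, and all domain and group names are constructed for illustration.

```python
from dataclasses import dataclass, field

NATIVE = "native"  # Windows 2000 native or Windows Server 2003 functional level
MIXED = "mixed"    # Windows 2000 mixed functional level


@dataclass
class Principal:  # a user or computer account
    name: str
    domain: str


@dataclass
class Group:
    name: str
    scope: str  # "domain_local", "global" or "universal"
    domain: str
    members: list = field(default_factory=list)  # Principal or Group objects


def can_be_member(container: Group, member, level: str) -> bool:
    """Nesting rules from the text: may `member` be added to `container`?"""
    if level == MIXED and container.scope == "universal":
        return False  # universal security groups do not exist in mixed mode
    same = member.domain == container.domain
    if isinstance(member, Principal):
        # global groups take accounts from their own domain only; the others from any domain
        return same if container.scope == "global" else True
    if level == MIXED:
        # mixed mode: only domain local groups may nest groups, and only global groups
        return container.scope == "domain_local" and member.scope == "global"
    if container.scope == "domain_local":
        return member.scope in ("global", "universal") or (member.scope == "domain_local" and same)
    if container.scope == "global":
        return member.scope == "global" and same
    return member.scope in ("global", "universal")  # universal container, any domain


def can_change_scope(group: Group, new_scope: str, level: str, all_groups: list) -> bool:
    """Scope conversions permitted by Table 4.11; none are allowed in mixed mode."""
    if level == MIXED or new_scope == group.scope:
        return False
    nested = {m.scope for m in group.members if isinstance(m, Group)}
    if group.scope == "universal":
        # to global only if no universal groups are nested; to domain local with no restrictions
        return new_scope == "domain_local" or (new_scope == "global" and "universal" not in nested)
    if group.scope == "global":
        # to universal only if this group is not itself a member of another global group
        in_global = any(g.scope == "global" and any(m is group for m in g.members) for g in all_groups)
        return new_scope == "universal" and not in_global
    # domain local: to universal only if it nests no other domain local groups
    return new_scope == "universal" and "domain_local" not in nested
```

Running the checker over every (group, member) pair of an exported hierarchy flags memberships that would become invalid, or conversions that would fail, before the change is made in Active Directory.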


Responses

  • nancy bennett
    Can you change the scope of a group from global to universal 2003?
    9 years ago
