In an Active Directory environment, there are two basic group characteristics: type and scope. The group type identifies the purpose of the group. There are two group types for Active Directory-based groups in Windows Server 2003:
Group scope refers to how the group can be used. Three group scopes can be specified for a group that resides within the Active Directory database:
Security and Distribution Groups
Two types of groups can be created in Windows Server 2003:
■ Distribution groups Distribution groups are used for distributing messages to group members. Distribution groups are used with e-mail applications, such as Microsoft Exchange. They allow a user to send e-mail to an address that is associated with the group and have it distributed to all members whose accounts are mailbox enabled. Distribution groups are not security enabled, and therefore cannot be used to assign permissions to Windows resources. The exam will not focus on distribution groups.
■ Security groups Security groups can also be used for the distribution of e-mail. Their main purpose, however, is to allow administrators to assign permissions and user rights to group members. Permissions can be assigned to Active Directory, file system, Registry, and printer objects. User rights include actions such as Backup files and directories and Restore files and directories, both of which are assigned to the Backup Operators group by default.
In Active Directory, security groups provide two major benefits:
■ They allow you to simplify and reduce administrative requirements by assigning permissions and rights for a resource to the group rather than to each individual user that requires access. All users that are members of the group will receive the configured permissions and rights. This is much more efficient than explicitly assigning permissions and rights to users on an individual basis. In addition, this provides you with the capability to move users in and out of groups as their job and task requirements dictate, while leaving the groups' permissions or rights unchanged.
■ Security groups allow you to quickly and efficiently delegate administrative responsibilities for performing specific tasks in Active Directory. As an example, if you have a group of six help desk workers that you want to allow to reset user passwords, you can place the six users in a group and delegate the ability to the group. Again, you are able to move users in and out of the group as their job and task requirements dictate, while leaving the group's rights unchanged. This makes it very easy to simply add in other users when they require the same rights.
Permissions determine which users, groups, or computers can access specified resources and what they can do (read, write, execute, etc.) to that resource. By assigning these permissions to a group, instead of individual users, you can ensure that all members of the group receive the required permissions, unless they conflict with permissions that are assigned to the user explicitly or through another group.
Rights are a separate concept. Although they can relate to resources, more often rights relate to actions a user can perform involving the operating system. The right to log on locally (at the server console) or across the network are good examples. The ability to reboot a computer is also a right that must be granted to a user.
Local, Domain Local, Global, and Universal Groups
Unlike group types, which are fairly simple to understand, group scopes can be confusing to those new to working with Windows Server 2003 and Active Directory. The scope of the group identifies the extent to which the group can be applied throughout the domain or forest. Even this is not as simple as it sounds. The objects that can be members of a group, as well as the groups available, vary depending on the functional level of the domain.
Test Day Tip
Domain and forest functionality is a new feature introduced in Windows Server 2003. By having different levels of domain and forest functionality available within your Active Directory implementation, you can make different features available to your network.
If all of your network's domain controllers are Windows Server 2003 and the domain functional level is set to Windows Server 2003, then all domain features (such as the ability to rename a domain controller) become available. If your entire Active Directory forest is also set at the Windows Server 2003 functional level, then you also gain additional functionality (such as the ability to rename entire domains). In a non-upgrade environment, there are three domain functional levels available:
■ Windows 2000 mixed This is the default domain functional level. Windows NT 4.0 BDCs, Windows 2000 domain controllers, and Windows Server 2003 domain controllers are permitted at this functional level.
■ Windows 2000 native This is the minimum domain functional level for using universal security groups. It also enables some additional group nesting capability. This level allows for Windows 2000 and Windows Server 2003 domain controllers.
■ Windows Server 2003 This is the highest domain functional level. It provides the most features, and allows only Windows Server 2003 domain controllers.
Once you have raised the domain functional level, domain controllers running earlier operating systems cannot be used in that domain. As an example, if you raise the domain functional level to Windows Server 2003, Windows 2000 domain controllers cannot be added to the domain.
According to Microsoft, domain local groups (DLGs) are used when assigning permissions or user rights. While we've loosely mentioned this in regard to all groups, it is this specific group scope that Microsoft wants you to use when modifying the access control list (ACL) of an object such as a file, or assigning a user right. Other groups will be added to a DLG to have their members receive the group's assigned permissions or rights.
In a Windows 2000 mixed functional level domain, domain local groups can consist of users, computers, and global groups from the domain the DLG exists in, and any trusted domain. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, a DLG can also contain other domain local groups from its local domain, as well as universal groups. Despite the fact that this group type can contain users and computers directly, it is important to remember that Microsoft recommends that you use it to contain other groups, which themselves contain users or computers. Specific scenarios regarding this usage are presented later in the chapter.
Microsoft specifies global groups (GGs) as the primary container for user and computer objects. Their models often call for grouping users according to role, function, responsibility, or department into global groups. For example, all members of the benefits team might be members of both an HR global group and a Benefits global group. Although a GG can be directly added to an ACL or assigned a user right, GGs are typically added to other groups, such as DLGs, in order to be granted access to resources.
In a Windows 2000 mixed functional level domain, a GG can contain users and computers from the same domain in which it exists. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, a GG can also contain other GGs from its local domain.
Unlike global and domain local groups, universal groups (UGs) are not stored at the domain partition level of Active Directory. They reside in the Global Catalog (GC). Because of this, adding or removing objects from a universal group triggers forest-wide replication. Microsoft recommends that other groups, and not individual user and computer accounts, be the primary members of a UG. Such members are much less likely to change.
For example, if you add a user to a UG, it triggers forest-wide replication. When you later remove that user, it again triggers forest-wide replication. However, if you add a user to a GG, which is a member of the UG, no forest-wide replication is triggered. GGs have their membership maintained at the domain level, so only domain level replication is triggered. Likewise, removing the user from the GG triggers domain level replication, not forest-wide replication.
Universal security groups do not exist in a Windows 2000 mixed functional level domain. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, universal security groups can contain domain users, computer accounts, and global groups from any trusted domain, as well as other universal groups. Table 3.2 provides a summary of the group membership that is allowed for each domain functional level.
Table 3.2 Group Scope Behavior versus Domain Functional Level

Domain Status: Windows Server 2003 or Windows 2000 native
  Universal Group: Members can include domain user accounts, computer accounts, and global groups from any trusted domain, as well as other universal groups.
  Global Group: Members can include user accounts, computer accounts, and other global groups from the domain in which the global group exists.
  Domain Local Group: Members can include user accounts, computer accounts, and global groups from the domain the DLG exists in or any trusted domain; universal groups; as well as other domain local groups from the domain in which the DLG exists.

Domain Status: Windows 2000 mixed
  Universal Group: Universal security groups cannot be created.
  Global Group: Members can include user and computer accounts from the domain in which the global group exists.
  Domain Local Group: Members can include user accounts, computer accounts, and global groups from the domain the DLG exists in or any trusted domain.
As if the concept of group scopes wasn't confusing enough, when a domain is operating at the Windows 2000 native or Windows Server 2003 functional levels, an administrator can change an existing group's scope. Universal groups can be converted to global or domain local groups, and global and domain local groups can be converted to universal groups. However, global groups cannot be converted directly to domain local groups (and vice versa).
The rules governing this are much easier than they first appear. Simply put, you cannot convert from one group type to another if the current membership of the group that is being converted is not compatible with the membership allowed for the target scope. For example, a universal security group cannot have a domain local group as a member. Therefore, if you are trying to convert a DLG into a UG, the DLG cannot have any other domain local groups as members. Table 3.3 outlines the possibilities and restrictions of changing the scope of a group.
Table 3.3 Changing the Scope of a Group

Domain Status: Windows Server 2003 or Windows 2000 native
  Universal Group: Can be changed to a global group as long as no group members are other universal groups, or user, computer, or global group accounts from any domain other than the one in which the global group will exist. Can be converted to a domain local group with no restrictions.
  Global Group: Can be changed to a universal group as long as the group is not a member of any other global group.
  Domain Local Group: Can be changed to a universal group as long as the group has no other domain local groups as members.
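The membership rules in Table 3.2 and the scope-change rules in Table 3.3 are easy to misapply when reviewing a proposed group design or a change request. The following Python is an added example, not code from the book: it encodes both tables as checks that return a verdict and a reason, and reports the replication scope of a membership change as the text describes (forest-wide for universal groups, domain-level otherwise). The Account and Group classes, the MIXED/NATIVE/WS2003 constants, and the trusted-domain list are assumptions of the example; a domain is treated as "trusted" when it is the group's own domain or is named in that list.

```python
from dataclasses import dataclass, field
from typing import Iterable, Tuple, Union

# Domain functional levels as named on the page.
MIXED, NATIVE, WS2003 = "Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003"
RAISED = {NATIVE, WS2003}  # levels at which extra nesting and scope changes are allowed


@dataclass(frozen=True)
class Account:
    """A user or computer account (assumed model). `kind` is "user" or "computer"."""
    name: str
    domain: str
    kind: str = "user"


@dataclass(eq=False)
class Group:
    """A security group (assumed model). `scope` is "global", "domain local" or "universal"."""
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)


Member = Union[Account, Group]


def replication_scope(group: Group) -> str:
    """Universal group membership lives in the Global Catalog, so changes replicate forest-wide."""
    return "forest-wide" if group.scope == "universal" else "domain"


def can_be_member(container: Group, member: Member, level: str,
                  trusted: Iterable[str] = ()) -> Tuple[bool, str]:
    """Table 3.2: may `member` be placed in `container` at domain functional level `level`?
    `trusted` lists domains the container's domain trusts. Returns (allowed, reason)."""
    raised = level in RAISED
    same_domain = member.domain == container.domain
    trusted_domain = same_domain or member.domain in set(trusted)
    mscope = None if isinstance(member, Account) else member.scope  # None for accounts
    what = f"{mscope or member.kind} '{member.name}' from '{member.domain}'"

    if container.scope == "universal":
        if not raised:
            return False, "universal security groups cannot be created at Windows 2000 mixed"
        if mscope in (None, "global") and trusted_domain:
            return True, "accounts and global groups from any trusted domain may be members"
        if mscope == "universal":
            return True, "universal groups may nest other universal groups"
    elif container.scope == "global":
        if mscope is None and same_domain:
            return True, "accounts from the group's own domain may be members"
        if raised and mscope == "global" and same_domain:
            return True, "at the raised level, global groups from the same domain may be nested"
    elif container.scope == "domain local":
        if mscope in (None, "global") and trusted_domain:
            return True, "accounts and global groups from the own or any trusted domain may be members"
        if raised and mscope == "universal":
            return True, "at the raised level, universal groups may be nested"
        if raised and mscope == "domain local" and same_domain:
            return True, "at the raised level, domain local groups from the same domain may be nested"
    else:
        raise ValueError(f"unknown scope {container.scope!r}")
    return False, f"a {container.scope} group cannot contain {what} at {level}"


def can_change_scope(group: Group, target: str, all_groups: Iterable[Group],
                     level: str) -> Tuple[bool, str]:
    """Table 3.3: may `group` be converted to scope `target`? `all_groups` is searched for
    global groups that `group` is nested in. Returns (allowed, reason)."""
    if level not in RAISED:
        return False, "scope can only be changed at Windows 2000 native or Windows Server 2003"
    pair = (group.scope, target)
    if pair == ("universal", "domain local"):
        return True, "a universal group becomes a domain local group with no restrictions"
    if pair == ("universal", "global"):
        for m in group.members:
            if isinstance(m, Group) and m.scope == "universal":
                return False, f"member '{m.name}' is a universal group"
            if m.domain != group.domain:
                return False, f"member '{m.name}' is from another domain ('{m.domain}')"
        return True, "no universal-group members and every member is from the group's own domain"
    if pair == ("global", "universal"):
        parents = [g.name for g in all_groups
                   if g.scope == "global" and any(m is group for m in g.members)]
        if parents:
            return False, f"group is a member of global group(s) {parents}"
        return True, "group is not nested in any other global group"
    if pair == ("domain local", "universal"):
        nested = [m.name for m in group.members if isinstance(m, Group) and m.scope == "domain local"]
        if nested:
            return False, f"group has domain local group(s) {nested} as members"
        return True, "group has no domain local groups as members"
    return False, f"no direct conversion from {group.scope} to {target}"
```

Running a change request through `can_be_member` before it is applied catches the two cases the text singles out: a global group being populated from another domain, and a universal group receiving direct user members, which `replication_scope` flags as a forest-wide replication event. `can_change_scope` refuses the global-to-domain-local shortcut outright and otherwise inspects the current membership (or, for a global group, the groups it is nested in) exactly as Table 3.3 requires.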
You've seen how groups can have other groups as members. This concept is known as group nesting. Groups can be nested to help reduce management overhead. The type of nesting you can perform is determined by the domain's functional level. If the domain functional level is set to Windows 2000 native or Windows Server 2003, the following groups have additional nesting capability:
■ Domain local groups These groups can have other domain local groups from the same domain as well as universal groups nested in their group membership.
■ Global groups These groups can have other global groups from the same domain nested in their membership.
■ Universal groups These groups can have global groups from any trusted domain and other universal groups nested in their membership.
The nesting occurs in addition to the basic security group memberships that are permitted at the Windows 2000 mixed functional level.
Group nesting is pictured in Figure 3.18. If a user moves from a tier 2 position in desktop support to the Windows server team, removing the user from one group and adding the user to another group automatically adjusts the permissions and rights the user is receiving from several groups. In the first example, the user is a member of the Tier2 global group, which is itself a member of the Desktop Support global group. This group is in turn nested in the IT global group. Thus, any permissions or rights granted to the IT, Desktop Support, and Tier2 groups will be given to the user.
When the user's account is moved, the user becomes a member of the Windows global group. The move will cause the user to lose all of the permissions and rights that were granted from the Tier2 and Desktop Support global groups. The Windows group is a member of the Software global group, which is nested in the Server Support global group. Finally, Server Support is a member of the IT global group. The user's new group membership will bring all of the permissions and rights granted to the IT, Server Support, Software, and Windows global groups.
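The Figure 3.18 walk-through is a transitive-membership computation: a user effectively belongs to every group that any of their groups is nested in. The Python below is an added example, not from the book, that builds the two nesting chains the text describes (Tier2 into Desktop Support into IT, and Windows into Software into Server Support into IT) and resolves what a user gains, loses and keeps when moved from Tier2 to Windows. The NESTED_IN and GRANTS tables are constructed for the example; the permission and right names in GRANTS are placeholders, not values from the page.

```python
from collections import deque
from typing import Dict, Iterable, Set

# Constructed nesting mirroring the Figure 3.18 description: each global group maps to
# the groups it is itself a member of (its parents). "IT" is the top of both chains.
NESTED_IN: Dict[str, Set[str]] = {
    "Tier2": {"Desktop Support"},
    "Desktop Support": {"IT"},
    "Windows": {"Software"},
    "Software": {"Server Support"},
    "Server Support": {"IT"},
    "IT": set(),
}

# Constructed placeholder permissions and rights granted to each group.
GRANTS: Dict[str, Set[str]] = {
    "IT": {"Log on locally: IT workstations"},
    "Desktop Support": {"Read: helpdesk-docs share"},
    "Tier2": {"Reset passwords: Staff OU"},
    "Server Support": {"Log on locally: member servers"},
    "Software": {"Modify: installers share"},
    "Windows": {"Backup files and directories"},
}


def effective_groups(direct: Iterable[str], nested_in: Dict[str, Set[str]]) -> Set[str]:
    """Expand direct memberships through the nesting chain: membership of a nested group
    makes the user a member of every group that group is nested in, however deep it goes."""
    seen: Set[str] = set()
    queue = deque(direct)
    while queue:
        g = queue.popleft()
        if g in seen:
            continue  # diamonds (both chains meeting at IT) and cycles are visited once
        seen.add(g)
        queue.extend(nested_in.get(g, ()))
    return seen


def effective_grants(direct: Iterable[str], nested_in: Dict[str, Set[str]],
                     grants: Dict[str, Set[str]]) -> Set[str]:
    """Union of everything granted to any group the user is effectively a member of."""
    return set().union(*(grants.get(g, set()) for g in effective_groups(direct, nested_in)))


def move_user(direct: Set[str], from_group: str, to_group: str) -> Set[str]:
    """Model the move in the text: remove the user from one group and add them to another."""
    return (direct - {from_group}) | {to_group}


def access_delta(before: Set[str], after: Set[str], nested_in: Dict[str, Set[str]],
                 grants: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """What the move takes away, adds, and leaves untouched."""
    old = effective_grants(before, nested_in, grants)
    new = effective_grants(after, nested_in, grants)
    return {"lost": old - new, "gained": new - old, "kept": old & new}


if __name__ == "__main__":
    before = {"Tier2"}
    after = move_user(before, "Tier2", "Windows")
    print("before:", sorted(effective_groups(before, NESTED_IN)))
    print("after: ", sorted(effective_groups(after, NESTED_IN)))
    for label, items in access_delta(before, after, NESTED_IN, GRANTS).items():
        print(label, sorted(items))
```

The breadth-first walk follows parent links rather than child links so that the user's direct memberships stay the only input; the `seen` set makes the two chains that both end at IT count IT once. Reviewing the `lost` and `gained` sets before applying a move is how a change reviewer confirms the user sheds the Tier2 and Desktop Support access and gains only what Windows, Software and Server Support carry, while the IT grants are kept throughout.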