Logo
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
World Cup news
 
 
Windows Server

Examining Windows Server 2008 R2 Active Directory Groups

3/5/2011 3:38:01 PM
An Active Directory group is made up of a collection of objects (users and computers and other groups used to simplify resource access and for emailing purposes). Groups can be used for granting administrative rights, granting access to network resources, or distributing email. There are many flavors of groups, and depending on which mode the domain is running in, certain group functionality might not be available.

Group Types

Windows Server 2008 R2 Active Directory supports two distinct types of groups: distribution and security. Both have their own particular uses and advantages if they are used properly and their characteristics are understood.

Distribution Groups

Distribution groups allow for the grouping of contacts, users, or groups primarily for emailing purposes. These types of groups cannot be used for granting or denying access to domain-based resources. Discretionary access control lists (DACLs), which are used to grant or deny access to resources or define user rights, are made up of access control entries (ACEs). Distribution groups are not security enabled and cannot be used within a DACL. In some cases, this might simplify security management when outside vendors need to be located in address books but will never need access to resources in the domain or forest.

Security Groups

Security groups are security enabled and can be used for assigning user rights and resource permissions or for applying computer and Active Directory-based group policies. Using a security group instead of individual users simplifies administration. Groups can be created for particular resources or tasks, and when changes are made to the list of users who require access, only the group membership must be modified to reflect the changes throughout each resource that uses this group.

To perform administrative tasks, security groups can be defined for different levels of responsibility. For example, a level 1 server administrator might have the right to reset user passwords and manage workstations, whereas a level 2 administrator might have those permissions plus the right to add or remove objects from a particular organizational unit or domain. The level of granularity granted is immense, so creating a functional security group structure can be one way to simplify administration across the enterprise. This is sometimes referred to as role-based access control or RBAC.

Security groups can also be used for emailing purposes, so they can serve a dual purpose.

Group Scopes in Active Directory

To complicate the group issue somewhat more, after the type of group is determined, the scope of the group must also be chosen. The scope, simply put, defines the boundaries of who can be a member of the group and where the group can be used. Because only security groups can be used to delegate control or grant resource access, security group types are implied .

Domain Local Groups

Domain local groups can be used to assign permissions to perform domain-based administrative tasks and to access resources hosted on domain controllers. These groups can contain members from any domain in the forest and can also contain other groups as members. Domain local groups can be assigned permissions only in the domain in which they are hosted.

Global Groups

Global groups are somewhat more functional than domain local groups. These groups can contain members only from the domain in which they are hosted, but they can be assigned permissions to resources or delegated control to perform administrative tasks or manage services across multiple domains when the proper domain trusts are in place.

Universal Groups

Universal groups can contain users, groups, contacts, or computers from any domain in the forest. This simplifies the need to have single-domain groups that have members in multiple forests. Universal group memberships in large, multidomain environments should be kept low or should not be changed frequently because group membership is replicated across domains and populated in the global catalog. As a best practice in these environments, create a universal group to span domains but have only a global group from each domain as a member. This practice reduces cross-domain replication.

Note

Universal security groups can be created only in domains running in Windows 2000 Native, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain functional level. If this level cannot be reached, use global groups from each domain when setting permissions on resources that need to be accessed from users in many domains.

Top Search -----------------
- Windows Server 2008 R2 : Work with RAID Volumes - Understand RAID Levels & Implement RAID
- Windows Server 2008 R2 Administration : Managing Printers with the Print Management Console
- Configuring Email Settings in Windows Small Business Server 2011
- Windows Server 2008 R2 : Configuring Folder Security, Access, and Replication - Implement Permissions
- Monitoring Exchange Server 2010 : Monitoring Mail Flow
- Windows Server 2008 R2 :Task Scheduler
- Windows Server 2008 R2 : File Server Resource Manager
- Windows Server 2008 R2 : Installing DFS
- Exchange Server 2010 : Managing Anti-Spam and Antivirus Countermeasures
- Windows Server 2008 R2 : Configuring Folder Security, Access, and Replication - Share Folders
Other -----------------
- Windows Server 2008 R2 Administration : Configuring Sites (part 2) - Establishing Site Links & Delegating Control at the Site Level
- Windows Server 2008 R2 Administration : Configuring Sites (part 1) - Creating a Site
- Windows Server 2008 R2 Administration : Examining Active Directory Site Administration
- Windows Server 2008 R2 Administration : Defining the Administrative Model
- Migrating to Windows Server 2008 R2 : Lab-Testing Existing Applications
- Migrating to Windows Server 2008 R2 : Verifying Compatibility with Vendors
- Migrating to Windows Server 2008 R2 : Researching Products and Applications
- Migrating to Windows Server 2008 R2 : Preparing for Compatibility Testing
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 5) - Migrating Other Domain Functionality
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 4) - Migrating Computer Accounts
 
 
Most view of day
- Nginx HTTP Server : Basic Nginx Configuration - Base module directives
- Working in the Background : PROVIDING POWER MANAGEMENT (part 2) - Detecting a Change in Monitor State
- Microsoft Exchange Server 2010 : Managing Connectivity with Hub Transport Servers - Send and Receive Connectors (part 2)
- Windows Phone 8 : Configuring Basic Device Settings - Screen Brightness (part 2) - Manually Adjusting the Screen Brightness
- SQL Server 2008 R2 : Overview of Resource Governor, Resource Governor Components
- What's new and improved in SharePoint 2013 : Creating badges, Using Visual Designer for workflows within SharePoint Designer
- SQL Server 2012 : Running SQL Server in A Virtual Environment - ARCHITECTING SUCCESSFUL VIRTUAL DATABASE SERVERS
Top 10
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 3) - Translating Text with the Mini Translator
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 2) - Translating a Word or Phrase with the Research Pane
- Microsoft OneNote 2010 : Using the Research and Translate Tools (part 1) - Setting Options for the Research Task Pane, Searching with the Research Task Pane
- Microsoft OneNote 2010 : Doing Research with Linked Notes (part 2) - Ending a Linked Notes Session, Viewing Linked Notes
- Microsoft OneNote 2010 : Doing Research with Linked Notes (part 1) - Beginning a Linked Notes Session
- Microsoft OneNote 2010 : Doing Research with Side Notes (part 3) - Moving Side Notes to Your Existing Notes
- Microsoft OneNote 2010 : Doing Research with Side Notes (part 2) - Reviewing Side Notes
- Microsoft OneNote 2010 : Doing Research with Side Notes (part 1) - Creating Side Notes
- Games and Windows 7 : Installing and Playing Third-Party Games
- Games and Windows 7 : Using the Games Explorer (part 4) - Managing Your Game Controllers and Other Game-Related Hardware
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Cars Review