Groups are one of the most important tools an Active Directory (AD) administrator has in his/her toolbox. Groups are objects that can include users, computers, and even other groups as members. Windows Server 200x (2000, 2003, 2008 – at the time of this writing includes support for two types of groups: Distribution and Security. Distribution groups were introduced with AD 2000.
They are used primarily for email distribution lists. Distribution groups cannot be used for securing resources (ACLs cannot be applied to them). However, Security groups can be mail-enabled. It is important to properly plan for the use of groups prior to implementing your Active Directory infrastructure to ensure that it can be managed and scaled well. Groups are classified as one of three group scopes: Domain Local, Global, and Universal.
Domain Local Groups
Domain Local Groups are defined in the local domain and can be used to secure resources ONLY in the local domain. They can contain members from the same domain, forest, and members from trusted domains.
Global Groups are defined in the local domain and can be used to secure resources in the local domain, any domain in the forest, and in any of the trusting domains. They can contain members ONLY from the same domain.
Universal Groups are used to primary grant access to resources in all trusted domains. They can also contain members from any domain in the forest.
To manage resources with the least administrative effort, it is important to follow one or more of these best practices:
A --> G <-- P
A --> G --> DL <-- P
A --> G --> U --> DL <-- P
A – Accounts
G – Global Groups
DL – Domain Local Groups
For example, the concept for
A --> G --> DL <-- P is as follows:
- Add users to global groups.
- Add global groups to domain local groups.
- Apply permissions to domain local groups.
In this example, say that Bob is a member of the Sales team. Bob is added to the “Sales Team” global group. The Sale Team needs access to a file share called Data. A domain local group called “Sales Data” is created and the global group called “Sales Team” is a member. The permission “READ” is applied to the “Sales Data” domain local group.
Now, Bob has retired and Sally is hired. Sally can be given the same access as Bob by simply adding her to the “Sales Team” global group. The more resources and groups that are defined, the more effective this concept becomes.