Implementing Windows 2000 Groups - Page 2
Domain Local Groups
Domain local groups function similarly to local groups, except that their use is more widespread. Domain local groups can be used to protect resources anywhere within the domain. A domain local group can contain users from any domain, but it's limited to regulating resources in the same domain in which the group exists.
Global groups function the opposite of domain local groups. Global groups can accept members only from the local domain. However, they can regulate resources located in any domain.
If you've got a big network, then you'll probably be using universal groups quite extensively. As you might have guessed, universal groups have very few restrictions. A universal group can contain members from any domain in the organization. It can also regulate resources that exist within any domain in the network. The only limitation to universal groups is that they exist only in the Active Directory's native mode. If you have any Windows NT domain controllers on your network, you can't use universal groups.
As I mentioned earlier, groups can contain other groups. This concept is known as group nesting. Group nesting is most effective on large networks but can be used on any size network.
To get an idea of why group nesting is such an effective technique, consider a company that's geographically spread out. Now, suppose that each of the branches needs its upper management to have access to certain files. The obvious solution is to create a management group and grant the group access to the necessary files. However, you can also create another manager group at the corporate headquarters and assign all the management groups created at the other offices as members of the group. Now, it's easy for the main office to make files available or to quickly send messages to all the managers in the entire organization.
This technique is effective because ultimately, the individual offices still maintain control of who is a member of the management group. If a new employee needs access, he or she can be assigned the access from a local level rather than having to wait for days or weeks for someone at the corporate headquarters to verify the information and assign the permissions. Likewise, if someone is fired at the local level, access can be revoked immediately.
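As an added example (not from the article), here is a small Python model of the three scope rules described above and of the branch-office nesting scenario: branch manager groups are global groups that accept only their own domain's users, and a domain local group at headquarters nests them and protects files in the headquarters domain only. All domain, group and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    domain: str

@dataclass
class Group:
    name: str
    domain: str
    scope: str  # "domain_local", "global" or "universal"
    members: list = field(default_factory=list)  # Users and nested Groups

    def add(self, member):
        # Global groups accept members only from the group's own domain.
        if self.scope == "global" and member.domain != self.domain:
            raise ValueError(f"{self.name} is global: cannot add {member.name} "
                             f"from {member.domain}")
        self.members.append(member)

    def remove(self, member):
        self.members.remove(member)

    def can_protect(self, resource_domain):
        # Domain local groups regulate resources only in their own domain;
        # global and universal groups can protect resources in any domain.
        return self.scope != "domain_local" or resource_domain == self.domain

    def effective_users(self, seen=None):
        """Flatten nested groups into the set of users who actually get access."""
        seen = set() if seen is None else seen
        users = set()
        for m in self.members:
            if isinstance(m, User):
                users.add(m)
            elif id(m) not in seen:  # guard against circular nesting
                seen.add(id(m))
                users |= m.effective_users(seen)
        return users

def build_scenario():
    """Constructed scenario: two branch manager groups nested into one HQ group."""
    east = Group("East-Managers", "east.example", "global")
    west = Group("West-Managers", "west.example", "global")
    east.add(User("alice", "east.example"))
    west.add(User("bob", "west.example"))
    hq = Group("All-Managers", "corp.example", "domain_local")
    hq.add(east)  # domain local: members (here, groups) from any domain
    hq.add(west)
    return hq, east, west
```

Adding or removing a user in a branch group changes the headquarters group's effective membership immediately, which is the local-control property the text describes.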
Conclusion
Now that you're familiar with the various types of Windows 2000 groups and their uses and limitations, it's time to get started with designing a group-based security infrastructure. In Part 2 of this series, I'll discuss group nesting in more detail, focusing on what types of groups can and can't be nested together. I'll also discuss some recommended practices you can use to implement effective group security. I'll conclude the series with a discussion of Windows 2000's built-in security groups and how to use them effectively.
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.