Planning Your Group Structure Implementation
Without a clear, organized plan, it's easy for the groups to blend together and overlap each other, resulting in chaos.
In Part 1 (Implementing Windows 2000 Groups), I introduced you to the four types of groups that are available in Windows 2000: local groups, domain local groups, global groups, and universal groups. In that article, I explained the purposes and appropriate uses for each type of group. In this article, I will continue the discussion by providing you with some methods for planning how to implement a group structure in your organization.
As you can imagine, it's important to have an organizational plan to follow before you begin implementing groups. Without a clear, organized plan, it's easy for the groups to blend together and overlap each other, resulting in chaos. The methods I'll be discussing in this article are just some ideas that work well. If you have an organizational method that works better for you, feel free to use it as long as it conforms to the purposes and limitations of the various types of groups.
In Part 1, I briefly touched on the concept of group nesting. As you may recall, group nesting is the practice of placing one group inside another. If used properly, group nesting can be a very effective technique for organizing your network. Not only does group nesting simplify network management, it can also reduce the amount of network traffic that flows between domains. Most of the techniques I'll be using depend greatly on group nesting. Although group nesting is designed to reduce network traffic and management burden, it can quickly get out of hand if applied recklessly. Here are a few tips for effective group nesting:
- Minimize the number of levels you're nesting together. It's easy to get carried away and nest 10 or 15 groups. However, doing so makes it difficult to track down problems that may occur. The more levels of nesting you use, the better your chances of having some undesired permissions (or denials) applied to users by accident. I recommend using no more than one or two levels of nesting unless absolutely necessary.
- When setting up nested groups, use the types of groups that are best suited to the job. As I explained in Part 1, each type of group has a targeted purpose. By using the appropriate types of groups, you'll be able to get away with nesting fewer levels. You'll see some examples later.
- Document everything. It's not so important to document the group memberships of individual users, because these memberships change on a daily basis. However, it's important to document the function of each group. Doing so will help you to spot potentially overlapping permissions. If you're working with large numbers of nested groups, drawing a diagram of what each group controls and which groups are linked is a very effective technique.
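The first and third tips can be checked mechanically. The following is an added example, not code from the original article: it walks a constructed group-membership export, reports every group nested more than two levels deep along with the chain responsible, and lists groups that have no documented function. The data layout, the function names, and the groups IT Staff, Contractors, and Interns are assumptions made for illustration.

```python
# Constructed sample export: each group's documented function and the groups
# nested directly inside it. IT Staff, Contractors and Interns are hypothetical.
GROUPS = {
    "Laser Printer":   {"function": "Print to the shared laser printer", "members": ["IT Staff"]},
    "C++":             {"function": "Use the C++ library", "members": ["Programmers"]},
    "IT Staff":        {"function": "", "members": ["Programmers", "Network Support"]},
    "Programmers":     {"function": "IT department programmers", "members": ["Contractors"]},
    "Network Support": {"function": "IT department network support", "members": []},
    "Contractors":     {"function": "Contract programmers", "members": ["Interns"]},
    "Interns":         {"function": "", "members": []},
}
MAX_LEVELS = 2  # the article's guideline: no more than one or two levels


def deepest_chain(name, groups, path=()):
    """Return the longest chain of nested groups starting at `name`."""
    if name in path:
        raise ValueError("circular nesting: " + " -> ".join(path + (name,)))
    best = [name]
    # A member that is missing from the export is treated as a leaf.
    for child in groups.get(name, {}).get("members", []):
        chain = [name] + deepest_chain(child, groups, path + (name,))
        if len(chain) > len(best):
            best = chain
    return best


def audit(groups, max_levels=MAX_LEVELS):
    """Report over-nested, undocumented and circularly nested groups."""
    report = {"too_deep": {}, "undocumented": [], "circular": []}
    for name in sorted(groups):
        if not groups[name]["function"].strip():
            report["undocumented"].append(name)
        try:
            chain = deepest_chain(name, groups)
        except ValueError as err:
            report["circular"].append(str(err))
            continue
        if len(chain) - 1 > max_levels:  # levels = links in the chain
            report["too_deep"][name] = chain
    return report


if __name__ == "__main__":
    result = audit(GROUPS)
    for name, chain in result["too_deep"].items():
        print(f"{name}: {len(chain) - 1} levels ({' > '.join(chain)})")
    print("No documented function:", ", ".join(result["undocumented"]))
    print("Circular:", result["circular"] or "none")
```

The reported chain is the path to follow when tracking down an unexpected permission or denial, since every group on it passes its rights down to the groups nested beneath it.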
Group Functions Reminder
It's important to understand the intended role of each group type. Here's a reminder of the purpose of each type of group:
Planning Global Groups and Domain Local Groups
Let's look at some techniques for implementing global groups and domain local groups. I recommend assigning users with similar jobs to global groups. For example, within the IT department, you might have a Programmers group and a Network Support group.
The next step is to create a domain local group for each shared resource or group of shared resources. For example, if you have a C++ library on the network, you might create a domain local group for it called C++. Likewise, if you have a shared printer, you might create a domain local group called Laser Printer.