Planning Your Group Structure Implementation

Without a clear, organized plan, it's easy for the groups to blend together and overlap each other, resulting in chaos.

By Brien M. Posey | Posted Nov 9, 2000
Page 1 of 2

In Part 1 (Implementing Windows 2000 Groups), I introduced you to the four types of groups that are available in Windows 2000: local groups, domain local groups, global groups, and universal groups. In that article, I explained the purposes and appropriate uses for each type of group. In this article, I will continue the discussion by providing you with some methods for planning how to implement a group structure in your organization.

As you can imagine, it's important to have an organizational plan to follow before you begin implementing groups. Without a clear, organized plan, it's easy for the groups to blend together and overlap each other, resulting in chaos. The methods I'll be discussing in this article are just some ideas that work well. If you have an organizational method that works better for you, feel free to use it as long as it conforms to the purposes and limitations of the various types of groups.

Group Nesting

In Part 1, I briefly touched on the concept of group nesting. As you may recall, group nesting is the practice of placing one group inside another. If used properly, group nesting can be a very effective technique for organizing your network. Not only does group nesting simplify network management, it can also reduce the amount of network traffic that flows between domains. Most of the techniques I'll be using depend greatly on group nesting. Although group nesting is designed to reduce network traffic and management burden, it can quickly get out of hand if applied recklessly--therefore, here are a few tips for effective group nesting:

  • Minimize the number of levels you're nesting together. It's easy to get carried away and nest 10 or 15 groups. However, doing so makes it difficult to track down problems that may occur. The more levels of nesting you use, the better your chances of having some undesired permissions (or denials) applied to users by accident. I recommend using no more than one or two levels of nesting unless absolutely necessary.

  • When setting up nested groups, use the types of groups that are best suited to the job. As I explained in Part 1, each type of group has a targeted purpose. By using the appropriate types of groups, you'll be able to get away with nesting fewer levels. You'll see some examples later.

  • Document everything. It's not so important to document the group memberships of individual users, because these memberships change on a daily basis. However, it's important to document the function of each group. Doing so will help you to spot potentially overlapping permissions. If you're working with large numbers of nested groups, drawing a diagram of what each group controls and which groups are linked is a very effective technique.

Group Functions Reminder

It's important to understand the intended role of each group type. Here's a reminder of the purpose of each type of group:

  • Global groups--In native mode, global groups can contain users and other global groups. These users and groups must belong to the same domain as the global group. In mixed mode, global groups can contain users from within the domain.

  • Domain local groups--In native mode, domain local groups can contain user accounts, universal groups, and global groups from any domain in the organization. They can also contain other domain local groups from the same domain the group resides in. In mixed mode, domain local groups can contain user accounts and global groups from any domain in the organization.

  • Universal groups--Universal groups can contain user accounts and other universal and global groups from any domain in the organization. Universal groups exist only in native mode.

Planning Global Groups and Domain Local Groups

Let's look at some techniques for implementing global groups and domain local groups. I recommend assigning users with similar jobs to global groups. For example, within the IT department, you might have a Programmers group and a Network Support group.

The next step is to create a domain local group for each shared resource or group of shared resources. For example, if you have a C++ library on the network, you might create a domain local group for it called C++. Likewise, if you have a shared printer, you might create a domain local group called Laser Printer.
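The plan described here, together with the membership rules in the Group Functions Reminder and the nesting-depth advice under Group Nesting, can be written down as data and checked before anyone creates a group. The Python script below is an added example, not code from this article or from Microsoft: it models principals and group scopes, rejects memberships the rules forbid for the chosen mode, counts the group-in-group levels under each group, and lists which users end up holding a permission granted to a resource group. The domain name, the user names, the Archive Share resource and the Level1 to Level4 groups are constructed for the example; placing the job-role global groups inside the per-resource domain local groups is the one level of nesting the rules permit and is assumed here as the intended next step.

```python
"""Windows 2000 group plan as data: job-role global groups nested into
per-resource domain local groups, checked against the membership rules for
native and mixed mode and against a nesting-depth limit.  Added example."""
from dataclasses import dataclass, field

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"


@dataclass
class Principal:
    name: str
    kind: str                                    # one of the four constants above
    domain: str
    members: set = field(default_factory=set)    # names of direct members


class GroupPlan:
    def __init__(self, mode="native"):
        self.mode = mode                         # "native" or "mixed"
        self.principals = {}

    def add(self, p):
        if p.kind == UNIVERSAL and self.mode != "native":   # universal groups need native mode
            raise ValueError("universal groups exist only in native mode")
        self.principals[p.name] = p
        return p

    def membership_problem(self, group, member):
        """Return None if member may be placed in group, else the rule it breaks."""
        same_domain = group.domain == member.domain
        native = self.mode == "native"
        if group.kind == GLOBAL:      # same-domain users; in native mode also same-domain global groups
            if member.kind == USER and same_domain:
                return None
            if member.kind == GLOBAL and same_domain and native:
                return None
            return "a global group holds only users (and, in native mode, global groups) from its own domain"
        if group.kind == DOMAIN_LOCAL:  # users/global groups from any domain; native mode adds
            if member.kind in (USER, GLOBAL):   # universal groups and same-domain domain local groups
                return None
            if native and (member.kind == UNIVERSAL or (member.kind == DOMAIN_LOCAL and same_domain)):
                return None
            return "a domain local group may not hold that member in this mode"
        if group.kind == UNIVERSAL:   # users, global and universal groups from any domain
            return None if member.kind in (USER, GLOBAL, UNIVERSAL) else "a universal group may not hold domain local groups"
        return "a user account has no members"

    def nest(self, group_name, member_name):
        group, member = self.principals[group_name], self.principals[member_name]
        problem = self.membership_problem(group, member)
        if problem:
            raise ValueError(f"cannot put {member.name} in {group.name}: {problem}")
        group.members.add(member.name)

    def nesting_levels(self, name, _path=()):
        """Group-in-group links on the deepest chain below name (0 for a group holding only users)."""
        if name in _path:
            raise ValueError(f"membership cycle through {name}")
        levels = 0
        for m in self.principals[name].members:
            if self.principals[m].kind != USER:
                levels = max(levels, 1 + self.nesting_levels(m, _path + (name,)))
        return levels

    def effective_users(self, name, _seen=None):
        """Every user who ends up with a permission granted to name."""
        _seen = set() if _seen is None else _seen
        p = self.principals[name]
        if p.kind == USER:
            return {name}
        users = set()
        for m in p.members - _seen:
            users |= self.effective_users(m, _seen | {name})
        return users

    def over_nested(self, max_levels=2):
        """Groups whose nesting exceeds the limit the article recommends, with their depth."""
        result = {}
        for n, p in self.principals.items():
            if p.kind != USER and self.nesting_levels(n) > max_levels:
                result[n] = self.nesting_levels(n)
        return result


def build_example_plan(mode="native"):
    """Programmers and Network Support as job-role global groups; C++ and Laser Printer as
    per-resource domain local groups.  Domain and user names are constructed."""
    plan, dom = GroupPlan(mode), "corp.example"
    for user in ("alice", "bob", "carol"):
        plan.add(Principal(user, USER, dom))
    for g in ("Programmers", "Network Support"):
        plan.add(Principal(g, GLOBAL, dom))
    for r in ("C++", "Laser Printer"):
        plan.add(Principal(r, DOMAIN_LOCAL, dom))
    plan.nest("Programmers", "alice"); plan.nest("Programmers", "bob"); plan.nest("Network Support", "carol")
    plan.nest("C++", "Programmers")                  # one level: role groups go into resource groups
    plan.nest("Laser Printer", "Programmers"); plan.nest("Laser Printer", "Network Support")
    return plan


def build_over_nested_plan():
    """Four chained global groups under one constructed resource group, so the audit fires."""
    plan, dom = GroupPlan("native"), "corp.example"
    plan.add(Principal("dave", USER, dom))
    names = ["Level1", "Level2", "Level3", "Level4"]
    for n in names:
        plan.add(Principal(n, GLOBAL, dom))
    plan.add(Principal("Archive Share", DOMAIN_LOCAL, dom))
    plan.nest("Level1", "dave")
    for outer, inner in zip(names[1:], names):      # Level2 holds Level1, Level3 holds Level2, ...
        plan.nest(outer, inner)
    plan.nest("Archive Share", "Level4")
    return plan


if __name__ == "__main__":
    plan = build_example_plan()
    for res in ("C++", "Laser Printer"):
        print(res, sorted(plan.effective_users(res)), "nesting levels:", plan.nesting_levels(res))
    print("over-nested:", build_over_nested_plan().over_nested())
```

Because `membership_problem` encodes the mode-specific rules, the same plan can be checked twice, once as a mixed-mode domain and once after the switch to native mode, and `over_nested` doubles as the documentation step the article asks for: it names every group whose chain has grown past the one or two levels recommended.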
