Group types and Scopes in Windows 2003.

A group is a container for user and computer objects. The objects stored in a group are known as group members. Working with groups instead of individual users simplifies network maintenance and administration. Assigning a security permission on a resource to a group ensures that all members of the group receive that permission.

Windows Server 2003 has two types of groups:

  1. Distribution group
  2. Security group

Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to a collection of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs).

Security groups are used to provide access to resources on a network. Security groups are also used to assign user rights in Active Directory and to assign permissions on shared resources on the network. Security groups are listed in DACLs that define permissions on resources and objects.

User rights are assigned to security groups to determine what members of a security group can do within the scope of a domain or forest. For example, a user who is a member of the Backup Operators group in Active Directory can back up and restore files and directories located on each domain controller in the domain. User rights can be assigned to a security group by using Group Policy.

Permissions on shared resources determine who can access the shared resource and the level of access, such as Modify, Full Control, etc.

Note: Security groups can also be used as an e-mail entity, like a distribution group. Sending an e-mail message to a group sends the message to all the members of the group.

Converting groups

A group can be converted from a distribution group to a security group and vice versa. In order to convert a group type, the domain functional level should be set to Windows 2000 native or higher.

Group Scope

A group scope defines how the permissions are assigned to the group members. A security group or a distribution group is characterized by a scope that determines the extent to which the group is applied within a domain or forest.

There are three types of group scopes:
  1. Universal
  2. Global
  3. Domain local

A universal group is used primarily to grant access to resources in all trusted domains. It can only be used as a security group. A universal group can include members from any domain in the forest. In the Windows 2000 native or Windows Server 2003 domain functional level, a universal group can be granted permissions in any domain including domains in other forests with which a trust exists.

A universal group helps consolidate groups that span domains and perform common functions across the enterprise. The membership of a universal group should not change frequently, as any changes to these group memberships cause the entire membership of the group to be replicated to every global catalog in the forest.

A global group is used to manage directory objects that require daily maintenance, such as user and computer accounts. A global group can be changed frequently without generating replication traffic to the global catalog because global groups are not replicated outside of their own domain. Members of global groups can include other groups and accounts only from the domain in which the group is defined and can be assigned permissions in any domain in the forest.

A domain local group is used to define and manage access to resources within a single domain. Domain local groups can have as members accounts, groups with global scope or universal scope, other groups with domain local scope, or any mixture of these. Members of domain local groups can be assigned permissions only within a domain.

Microsoft recommends using global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog.

Conversion of group scope

The following group scope conversions are allowed in domains with the domain functional level that is set to Windows 2000 native or Windows Server 2003:
  • Global to universal: This conversion is only allowed if the group that is to be changed is not a member of another global scope group.
  • Domain local to universal: This conversion is only allowed if the group that is to be changed does not have another domain local group as a member.
  • Universal to global: This conversion is only allowed if the group that is to be changed does not have another universal group as a member.
  • Universal to domain local: This conversion does not have restrictions.

However, changing a group scope is not allowed in domains with a domain functional level that is set to Windows 2000 mixed.
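
The conversion rules above expressed as a pre-check over exported group data, as an added example that is not part of the original article. The groupType flag values are the standard Active Directory ones; the group names, the dictionary layout and the function names are constructed for illustration.

```python
# Added example: pre-check a scope change against the conversion rules above.
# Flag values are those of the Active Directory groupType attribute.
GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000
SCOPES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}

def decode_group_type(group_type):
    """Return (scope, kind); LDAP reports groupType as a signed 32-bit integer."""
    value = group_type & 0xFFFFFFFF
    scope = next((n for flag, n in SCOPES.items() if value & flag), "unknown")
    kind = "security" if value & SECURITY_ENABLED else "distribution"
    return scope, kind

def can_convert_scope(name, target, groups, functional_level):
    """Return (allowed, reason) for changing group `name` to scope `target`."""
    if functional_level == "Windows 2000 mixed":
        return False, "scope changes are not allowed at Windows 2000 mixed"
    group = groups[name]
    current = decode_group_type(group["groupType"])[0]

    def scopes_of(names):
        # Names missing from `groups` are user or computer accounts: skip them.
        return {decode_group_type(groups[n]["groupType"])[0]
                for n in names if n in groups}

    # (current, target) -> (scope that blocks the change, where to look for it)
    rules = {
        ("global", "universal"): ("global", "memberOf"),
        ("domain local", "universal"): ("domain local", "member"),
        ("universal", "global"): ("universal", "member"),
        ("universal", "domain local"): (None, None),
    }
    if (current, target) not in rules:
        return False, f"{current} to {target} is not a listed conversion"
    blocker, attribute = rules[(current, target)]
    if blocker and blocker in scopes_of(group[attribute]):
        return False, f"{attribute} includes a {blocker} group"
    return True, "allowed"

# Constructed sample directory (hypothetical group names).
GROUPS = {
    "Sales-Users":  {"groupType": -2147483646, "member": ["alice"], "memberOf": ["All-Users"]},
    "All-Users":    {"groupType": -2147483646, "member": ["Sales-Users"], "memberOf": []},
    "File-Readers": {"groupType": -2147483644, "member": ["All-Users"], "memberOf": []},
    "Corp-Staff":   {"groupType": -2147483640, "member": ["All-Users"], "memberOf": []},
    "Newsletter":   {"groupType": 8, "member": ["Corp-Staff"], "memberOf": []},
}
```

Running the check before a scope change shows which nesting has to be removed first, and the decoded kind distinguishes groups that can appear in DACLs from distribution groups.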

By default, when a new group is created, it is configured as a security group with global scope regardless of the current domain functional level.


© 2008 uCertify.com. All rights reserved. All trademarks are the property of their respective owners.