Wednesday, January 6, 2010

Understanding Group Types and Scopes

Groups are containers that can contain user and computer objects within them as members. When security permissions are set for a group in the access control list (ACL) on a resource, all members of that group receive those permissions.


Windows Server 2003 has two group types: Security and distribution. Security groups are used to assign permissions for access to network resources. Distribution groups are used to combine users for e-mail distribution lists. Security groups can be used as a distribution group, but distribution groups cannot be used as security groups. Proper planning of group structure affects maintenance and scalability, especially in the enterprise environment, in which multiple domains are involved.

Group Scope

Group scope defines how permissions are assigned to the group members. Windows Server 2003 groups, both security and distribution groups, are classified into one of three group scopes: domain local, global, and universal.

Local Groups

Local groups (or machine local groups) are used primarily for backward compatibility with Windows NT 4. There are local users and groups on computers running Windows Server 2003 that are configured as member servers. Domain controllers do not use local groups.

* Local groups can include members from any domain within a forest, from trusted domains in other forests, and from trusted down-level domains.

* A local group has only machinewide scope; it can grant resource permissions only on the machine on which it exists.

Domain Local Groups

Domain local groups are used primarily to assign access permissions to global groups for local domain resources. Domain local groups:

* Exist in all mixed, interim and native functional level domains and forests.

* Are available domainwide only in Windows 2000 native or Windows Server 2003 domain functional level domains. Domain local groups function as a local group on the domain controllers while the domain is in mixed functional level.

* Can include members from any domain in the forest, from trusted domains in other forests, and from trusted down-level domains.

* Have domainwide scope in Windows 2000 native and Windows Server 2003 domain functional level domains, and can be used to grant resource permission on any Windows Server 2003 computer within, but not beyond, the domain in which the group exists.

Global Groups

Global groups are used primarily to provide categorized membership in domain local groups for individual security principals or for direct permission assignment (particularly in the case of a mixed or interim domain functional level domain). Often, global groups are used to collect users or computers in the same domain and share the same job, role, or function. Global groups:

* Exist in all mixed, interim, and native functional level domains and forests

* Can only include members from within their domain

* Can be made a member of machine local or domain local group

* Can be granted permission in any domain (including trusted domains in other forests and pre–Windows 2003 domains)

* Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional level only)

Universal Groups

Universal groups are used primarily to grant access to resources in all trusted domains, but universal groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain.

* Universal groups can include members from any domain in the forest.

* In Windows 2000 native or Windows Server 2003 domain functional level, universal groups can be granted permissions in any domain, including domains in other forests with which a trust exists.



Group Conversion

The scope of a group is determined at the time of its creation. However, in a Windows 2000 native or Windows Server 2003 domain functional level domain, domain local and global groups can be converted to universal groups if the groups are not members of other groups of the same scope. For example, a global group that is a member of another global group cannot be converted to a universal group. The use of Windows Server 2003 domain groups as security principals (group type: security) are below summarizes.

Group Scope and Allowed Objects

Windows 2000 native or Windows Server 2003 functional level domain

Domain Local: Computer accounts, users, global groups, and universal groups from any forest or trusted domain. Domain local groups from the same domain. Nested domain local groups in the same domain.

Global: Users, computers and global groups from same domain. Nested global (in same domain), domain local, or universal groups.

Universal: Universal groups, global groups, users and computers from any domain in the forest. Nested global, domain local, or universal groups.


Windows 2000 mixed or Windows Server 2003 interim functional level domain

Domain Local: Computer accounts, users, global groups from any domain. Cannot be nested.

Global: Only users and computers from same domain. Cannot be nested.

Universal: Not available.


Special Identities

There are also some special groups called special identities, that are managed by the operating system. Special identities cannot be created or deleted; nor can their membership be modified by administrators. Special identities do not appear in the Active Directory Users And Computers snap-in or in any other computer management tool, but can be assigned permissions in an ACL. Details of some of the special identities in Windows Server 2003 are given below.

Special Identities and Their Representation

Everyone: Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, that user is automatically added to the Everyone group.

Network: Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where the resource is located). Whenever a user accesses a given resource over the network, the user is automatically added to the Network group.

Interactive: Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the resource over the network). Whenever a user accesses a given resource on the computer to which they are logged on, the user is automatically added to the Interactive group.

Anonymous Logon: The Anonymous Logon group refers to any user who is using network resources, but did not go through the authentication process.

Authenticated Users: The Authenticated Users group includes all users who are authenticated into the network by using a valid user account. When assigning permissions, you can use the Authenticated Users group in place of the Everyone group to prevent anonymous access to resources.

Creator Owner: The Creator Owner group refers to the user who created or took ownership of the resource. For example, if a user created a resource, but the Administrator took ownership of it, then the Creator Owner would be the Administrator.

Dialup: The Dialup group includes anyone who is connected to the network through a dialup connection.

No comments:

Post a Comment