Groups on Windows Server

Description of groups in Windows Server

INTRODUCTION

A group is a collection of user and computer accounts, contacts, and other groups. Groups can be used to:

  • Simplify administration by assigning permissions for a share to a group rather than to individual users. When permissions are assigned to a group, equal access to the resource is granted to all members of that group.
  • Delegate administration by assigning user rights to a group only once using Group Policy.

TYPES OF GROUPS

Windows Server 2008 supports two types of groups:

  • Security

Security groups are security-enabled: they can be placed in access control lists and are included in a user's access token, so they are used to assign user rights and permissions.

  • Distribution

Distribution groups are used only by e-mail applications (for example, as distribution lists). They are not security-enabled, so they cannot be used to assign permissions or rights.

SCOPE OF THE GROUPS

The scope of a group determines:

  • The domains from which you can add members to the group
  • The domains in which you can use the group to grant permissions
  • The domains in which the group can be nested in other groups

The three group scopes are:

  • Domain local
  • Global
  • Universal

Domain local

Domain local groups are frequently used to assign permissions to resources. A domain local group has the following characteristics:

  • Open membership

Members can be added from any domain in the forest.

  • Access to resources in one domain

A domain local group can be used to assign permissions only to resources located in the same domain in which the domain local group was created.

Global

Global groups are frequently used to organize users who share similar network access requirements. A global group has the following characteristics:

  • Limited membership

Members can be added only from the domain in which the global group was created.

  • Access to resources in any domain

A global group can be used to assign permissions to access resources that are located in any domain.

Universal

Universal groups are used to assign permissions to related resources in several domains. A universal group has the following characteristics:

  • Open membership

Members can be added from any domain in the forest.

  • Access to resources in any domain

A universal group can be used to assign permissions to resources located in any domain in the forest.

Universal security groups are available only in domains at Windows 2000 native functional level or higher (including Windows Server 2003 and 2008).

  • Universal security groups are not available in mixed mode.

Avoid changing the membership of a universal group frequently: universal group membership is stored in the global catalog, so each change is replicated to every global catalog server in the forest. (At Windows Server 2003 forest functional level and above, linked-value replication sends only the changed member rather than the whole membership list, which reduces this cost but does not remove it.)

BELONGING TO A GROUP

The scope of the group determines the group's membership. Membership rules define which members a group can contain. Group members include user accounts and other groups. The group membership rules are:

Domain local

  • Mixed Mode - The scope can contain user accounts, computer accounts and global groups from any domain.
  • Native Mode - The scope can contain user accounts, computer accounts, global groups and universal groups from any domain, as well as local groups from the same domain

Global

  • Mixed Mode - The scope can contain user accounts and computer accounts from the same domain.
  • Native Mode - The scope can contain user accounts, computer accounts, and global groups from the same domain.

Universal

  • Mixed Mode - Not available.
  • Native Mode - The scope can contain user accounts and computer accounts from any domain, global groups and universal groups from any domain.

CHANGE THE SCOPE OF A GROUP

You can change the scope of a group only in domains at Windows 2000 native functional level or higher; changing the scope of a group is not allowed in a mixed-mode domain. The scope is changed on the General tab of the group's Properties dialog box in Active Directory Users and Computers.

From global to universal. This conversion is allowed only if the global group being converted is not a member of another global group.

(Figure: converting a group from global to universal)

From domain local to universal. This conversion is allowed only if the domain local group being converted does not have another domain local group as a member.

From universal to global. This conversion is allowed only if the universal group being converted does not have another universal group as a member.

From universal to domain local. There are no restrictions on this conversion.

A global group cannot be converted directly to a domain local group, nor a domain local group directly to a global group; convert the group to universal first, then to the target scope.
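As an added example (not part of the original article), the following PowerShell applies the conversion rules above before attempting the change with Set-ADGroup. It assumes the ActiveDirectory module from RSAT, a domain at Windows 2000 native functional level or higher, and a group named GG-Finance; the group name and the helper function name are assumptions.

```powershell
# Added example, not from the original article. Requires the RSAT
# ActiveDirectory module and a domain at native functional level or higher.
Import-Module ActiveDirectory

function Test-ADGroupScopeChange {
    # Hypothetical helper: reports whether converting $Identity to $TargetScope
    # is permitted, applying the membership rules described in the text.
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'Universal', 'DomainLocal')]
        [string] $TargetScope
    )
    $group = Get-ADGroup -Identity $Identity -Properties memberOf

    # Groups that this group directly contains
    $memberGroups = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName }

    # Groups that this group is directly a member of
    $parentGroups = @($group.memberOf) | ForEach-Object { Get-ADGroup -Identity $_ }

    $blocking = switch ("$($group.GroupScope)->$TargetScope") {
        'Global->Universal'      { $parentGroups | Where-Object GroupScope -eq 'Global' }
        'DomainLocal->Universal' { $memberGroups | Where-Object GroupScope -eq 'DomainLocal' }
        'Universal->Global'      { $memberGroups | Where-Object GroupScope -eq 'Universal' }
        'Universal->DomainLocal' { @() }   # no restriction
        default {
            # Global <-> DomainLocal is not a direct conversion: go via Universal
            throw "Direct conversion $($group.GroupScope) -> $TargetScope is not supported"
        }
    }

    [pscustomobject]@{
        Group    = $group.Name
        From     = $group.GroupScope.ToString()
        To       = $TargetScope
        Allowed  = -not $blocking
        Blocking = @($blocking | ForEach-Object Name)
    }
}

# Usage: check first, then change the scope (same effect as the General tab
# of the group's Properties dialog in Active Directory Users and Computers).
$check = Test-ADGroupScopeChange -Identity 'GG-Finance' -TargetScope Universal
if ($check.Allowed) {
    Set-ADGroup -Identity 'GG-Finance' -GroupScope Universal
} else {
    Write-Warning "Cannot convert $($check.Group): blocked by $($check.Blocking -join ', ')"
}
```

The domain controller enforces the same rules itself, so Set-ADGroup fails on a blocked conversion (or in a mixed-mode domain) regardless of the check; the check only makes the reason visible before anything is changed.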

NESTING OF GROUPS
Adding groups to other groups (nesting) reduces the number of times permissions must be assigned. Windows Server 2008 allows unlimited nesting levels in native mode, but it is advisable to keep nesting shallow, because tracking effective permissions becomes harder the deeper the nesting. A single nesting level is the most effective: it still reduces the number of permission assignments while keeping permissions easy to follow.
Well-designed nesting in a multi-domain environment also reduces cross-domain network traffic and simplifies management in a domain tree.

GROUP STRATEGY
To use groups effectively you need to determine how groups will be used and what types of groups will be used. Microsoft recommends implementing one of the following methods.
We will designate each element with a symbol:

A - (Account) User account
L - (Local Group) Local group on a computer
G - (Global Group) Global group
DL - (Domain Local Group) Domain local group
U - (Universal Group) Universal group
P - (Permissions) Permissions

Method A, G, P
This method is to include the user accounts in a global group and then assign the permissions to this global group.

Advantage
This method is simple when there is a single domain. It is used when the number of users is low and there are few permission restrictions. The absence of nesting and the use of a single group type simplify administration.

Disadvantages
This method is difficult to manage in a multi-domain architecture: every resource ACL must list the global groups directly, so a change in who needs access means editing ACLs on the resource servers instead of a single group membership, and global groups from other domains have to be added to each ACL individually.

Method A, DL, P
This method is to include the user accounts in a domain local group, and then assign the permissions to this domain local group.

Advantage
Although this method is not recommended, it is adequate for a single-domain architecture with few users that does not have to evolve into a multi-domain forest. Administration is simple because of the single group type and the absence of nesting.

Disadvantages
The main limitation of this method is that the architecture cannot evolve: the domain local group cannot be used to assign permissions outside its own domain.

Method A, G, DL, P
This method is to include user accounts in a global group, global groups in a domain local group, and then assign permissions to this domain local group.

Advantage
This method works with any domain architecture (single or multiple). It reduces administration time because permissions are managed only on the domain local groups while users belong only to global groups. It also works at any domain functional level, since it uses no universal groups.

Disadvantages
Determining a user's effective permissions is harder for administrators because of the extra level of indirection. Implementing this method requires a well-researched and well-documented design. It is intended for large structures that manage many users.

Method A, G, U, DL, P
This method involves including user accounts in a global group, global groups in a universal group, the universal group in a domain local group, and then assigning permissions and rights to that domain local group.

Advantage
This method adapts to all domain architectures (single or multiple). It should allow to reduce the administration times, since the permissions are exclusively managed in the domain local groups.

Disadvantages
Determining a user's effective permissions is harder for administrators, and this design is not at all obvious to implement and maintain. Because it relies on universal groups, it requires a domain functional level of Windows 2000 native or higher (Windows Server 2003 or 2008). Universal group membership is stored in the global catalog, so every change to a universal group's membership is replicated to every global catalog server in the forest.

Method A, G, L, P
This method is to include user accounts in a global group, global groups in a local group on the resource computer, and then assign permissions to this local group.

Advantage
With this method, local groups are defined (or predefined) on each computer, and permissions on that computer's resources are assigned to those groups. Its advantage is compatibility with Windows NT 4.0 member computers.

Disadvantages
With this method, permissions cannot be defined outside the local computer, so each local group and its members are managed separately on every computer that shares resources. Group administration is therefore decentralized, since these groups are not stored in Active Directory. The method is preferable only when the number of users and resource servers is small.

Use of global groups and domain local groups

When planning to use global and domain local groups, consider:

  • Identify users with common job responsibilities and add their user accounts to a global group.
  • Identify what resources users need to access and create a domain local group for each resource.
  • Identify all global groups that share the same resource access needs and make them members of the appropriate domain local group.
  • Assign the necessary permissions to the domain local group.
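The planning steps just listed and Method A, G, DL, P above are the same procedure; as an added example (not part of the original article), the following PowerShell carries it out end to end and then checks the resulting ACL. It assumes the ActiveDirectory module from RSAT, an OU named OU=Groups,DC=example,DC=com, the accounts alice and bob, the NetBIOS domain name EXAMPLE, and a folder D:\Shares\Finance on the server where it runs; all of these names, and the Test-AgdlpAcl helper, are assumptions.

```powershell
# Added example, not from the original article. Requires the RSAT
# ActiveDirectory module and rights to create groups and edit the folder ACL.
Import-Module ActiveDirectory

# All of these names are assumptions for the example.
$groupOu     = 'OU=Groups,DC=example,DC=com'
$roleGroup   = 'GG-Finance-Staff'          # G: who (a role)
$accessGroup = 'DL-Finance-Share-Modify'   # DL: which access, on which resource
$sharePath   = 'D:\Shares\Finance'         # P: the resource that carries the ACL
$netbios     = 'EXAMPLE'

# A -> G: accounts go into a global group that describes their role
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Description 'Finance department staff'
Add-ADGroupMember -Identity $roleGroup -Members 'alice', 'bob'   # assumed accounts

# G -> DL: the role group is nested in a resource-specific domain local group
New-ADGroup -Name $accessGroup -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description "Modify on $sharePath"
Add-ADGroupMember -Identity $accessGroup -Members $roleGroup

# DL -> P: the permission is granted to the domain local group only
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$netbios\$accessGroup", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

function Test-AgdlpAcl {
    # Hypothetical check: every explicit ACE on $Path that names a domain
    # principal (SID under S-1-5-21-) should resolve to a domain local group.
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -notlike 'S-1-5-21-*') { continue }   # BUILTIN, SYSTEM, etc.
        $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Properties groupType
        # groupType bit 0x4 marks a domain local group (0x2 global, 0x8 universal)
        $isDomainLocal = ($obj.objectClass -eq 'group') -and (($obj.groupType -band 0x4) -ne 0)
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            ObjectClass = $obj.objectClass
            Compliant   = $isDomainLocal
        }
    }
}

Test-AgdlpAcl -Path $sharePath | Format-Table -AutoSize
```

Any row with Compliant set to False is a user or global group granted access directly on the resource, which is exactly what this strategy is meant to avoid; fixing it means moving that principal into the domain local group and removing its ACE.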

Use of universal groups
When planning to use universal groups, consider:

Use universal groups for users to access resources located in more than one domain.

Use universal groups only when their membership is static. In a domain tree, universal groups can cause excessive network traffic between domain controllers whenever their membership changes, because each change is replicated to every global catalog server in the forest.

Add global groups from multiple domains to a universal group, and then assign permissions to access a resource to the universal group. This allows a universal group to be used in the same way as a domain local group to assign permissions to resources. However, unlike a domain local group, permissions can be assigned to a universal group to give users access to a resource that is located in a different domain than where the group was created.

Guidelines when implementing the group strategy

  • Determine the required scope of the group based on how you want to use it. For example, use global groups to group user accounts, and add global groups to domain local groups and universal groups.
  • Avoid adding users directly to universal groups, because adding and removing users from universal groups increases replication traffic.
  • Determine whether you have the permissions needed to create a group in the appropriate domain. By default, members of the Administrators group or the Account Operators group of a domain have the permissions required to create groups.

Determine the name of the group. Choose a name that is descriptive and intuitive.
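The nesting guidance above and the two guidelines just given (global groups in universal groups rather than users; shallow nesting) can be audited rather than trusted. As an added example (not part of the original article), the following PowerShell finds universal security groups that hold accounts directly and measures how deep domain local groups are nested. It assumes the ActiveDirectory module from RSAT and an OU named OU=Groups,DC=example,DC=com; the OU and the function names are assumptions.

```powershell
# Added example, not from the original article. Requires the RSAT
# ActiveDirectory module; the OU and function names are assumptions.
Import-Module ActiveDirectory

function Find-UniversalGroupsWithDirectAccounts {
    # Universal security groups that hold user or computer accounts directly,
    # contrary to the guideline (each change replicates to every global catalog).
    Get-ADGroup -Filter 'GroupScope -eq "Universal" -and GroupCategory -eq "Security"' |
        ForEach-Object {
            $direct = @(Get-ADGroupMember -Identity $_ |
                Where-Object { $_.objectClass -in @('user', 'computer') })
            if ($direct.Count -gt 0) {
                [pscustomobject]@{
                    Group          = $_.Name
                    DirectAccounts = $direct.Count
                    Examples       = ($direct.SamAccountName | Select-Object -First 3) -join ', '
                }
            }
        }
}

function Get-ADGroupNestingDepth {
    # Longest chain of groups nested below $Identity. The $Seen table stops
    # infinite recursion when groups are nested in a cycle (which AD permits).
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [hashtable] $Seen = @{}
    )
    $group = Get-ADGroup -Identity $Identity
    if ($Seen.ContainsKey($group.DistinguishedName)) { return 0 }
    $Seen[$group.DistinguishedName] = $true

    $children = @(Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'group' })
    if ($children.Count -eq 0) { return 0 }

    $deepest = 0
    foreach ($child in $children) {
        $d = 1 + (Get-ADGroupNestingDepth -Identity $child.DistinguishedName -Seen $Seen)
        if ($d -gt $deepest) { $deepest = $d }
    }
    return $deepest
}

# Report 1: universal groups that should hold global groups instead of accounts.
Find-UniversalGroupsWithDirectAccounts | Format-Table -AutoSize

# Report 2: domain local groups nested deeper than the single level of A, G, DL, P
# (depth 1 = the group contains groups; depth 2 = A, G, U, DL, P; anything more
# is listed for review).
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -SearchBase 'OU=Groups,DC=example,DC=com' |
    ForEach-Object {
        [pscustomobject]@{
            Group        = $_.Name
            NestingDepth = Get-ADGroupNestingDepth -Identity $_.DistinguishedName
        }
    } | Where-Object NestingDepth -gt 2 | Format-Table -AutoSize
```

Get-ADGroupMember expands only one level, which is why the depth walk is recursive; the cycle guard matters because Active Directory does not stop you from making two groups members of each other, and a naive walk would never terminate.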
