


  1. #1
    Join Date
    Nov 2007
    Location
    Arab world!
    Posts
    6,169
    Blog Entries
    4
    Rep Power
    10

    Security and distribution groups? Local, Global, Universal Groups?

    In Microsoft Active Directory, what are security and distribution groups?

    In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below:
    • Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
    • Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.

    -----------------------------------------------------------------------------------------------------------------

    Groups

    Distribution Groups -- Used for email. Useful for programs such as MS Exchange.

    Security Groups - Used to secure file/folders, printers, etc.

    Local - Stored on the local SAM ( Local Computers )
    Domain Local - Stored on Domain Controllers.
    Global Groups - Gives you a greater group scope.
    Universal - Gives you an even broader group scope.

    Windows 2000 Mixed can contain:

    Domain Local -- At the same time they can contain Accounts ( Any user/computer account ), and global groups. Access to the same domain.
    Global groups - They can contain Accounts ( user/computer accounts ). Access to Any domain
    Universal - N/A not applicable at this DFL. Access to any domain

    Windows 2000 Native or Windows 2003 DFL can contain:

    Domain Local - Accounts ( users/computers ), Domain local Groups ( same domain ) , global groups, and universal groups.

    Global Groups - Accounts ( users/computers from the same domain ), Global groups ( same domain )

    Universal Groups - Accounts ( users/computers ), Global Groups, and Universal Groups.


    Group Conversion

    Domain Local - You can convert it to Universal ( A Domain Local group must already contain a Domain Local group in order for the conversion to take place )
    Global Group - You can convert it to Universal ( A Global group must already contain a Global group in order for the conversion to take place )
    Universal Group - You can convert it to either Domain Local, or Global Group.

    Group Nesting

    Same Domain

    Start by adding Users to Global Groups. At the same time, global groups can be nested within Domain Local Groups and Universal groups.

    Global Groups can also be nested within Global Groups in the same domain.

    Cross-Domain Group nesting

    Global Groups can be nested within Domain Local groups, or within another Universal Group in the other domain.

    Global Groups cannot be nested across domains. You cannot take a Global Group from proprofs.local, and nest it within another global group in proprofs.com.

    You cannot take a user/computer account from one domain, and nest it within a global group in another domain.

    Global Groups can be used to grant access to files/folders ( NTFS Permissions) in the same domain, and in a different domain as well.

    Domain Local groups can accept anything, except for Domain Local groups from another domain. It accepts user accounts from the same domain, and a different domain as well. A global/universal group from the same domain/different domain can also be nested within a Domain Local group.

    Resources - Domain Local Groups can only access resources on the domain on which they reside. For example, a Domain Local group named HelpDesk on the proprofs.local domain can only access resources on that domain, and not on proprofs.com.

    Universal Groups - Accept user/computer accounts from the same domain, and a different domain as well. A global group can also be nested within a Universal Group ( from the same/different domain(s) )

    Note: You cannot take a Domain Local Group, and nest it within a Universal Group ( from the same/different domain(s) )

    A Universal Group can be nested within another Universal Group in the same domain, and in different domains as well. They can also be nested within Domain Local Groups in the same domain, and in different domains as well. Universal Groups can never be a member of Universal Groups.

    Resources - It can be used to access resources ( NTFS Permissions ) on the same domain, and in different domains as well.

    One benefit of Universal Groups is that they list their members on the Global Catalog. Whenever a change was made to a Universal Group, it updates the membership of all its members in the Global Catalog, causing a lot of unnecessary traffic between GCs ( Windows 2000 ).

    Windows 2003 solves the aforementioned problem by updating the membership of only the affected member. In other words, it does not replicate all the accounts in the Universal group, only the one you made changes to. ( Note: This new feature is only available if the Domain Functional Level ( DFL ) is on Windows 2003 )


    ================================================== ===


    Good Luck!



  6. #2
    Join Date
    Nov 2007
    Location
    Arab world!
    Posts
    6,169
    Blog Entries
    4
    Rep Power
    10


    In that article, I talked a lot about local groups, domain local groups, and global groups. You could easily manage your entire network using only these types of groups. Even so, there is one more type of group that Windows Server 2003 supports; universal groups.

    For those of you who found local groups, domain local groups, and global groups to be confusing or overly restrictive, then universal groups will initially seem like an answer to prayers. Universal groups are essentially groups that are not subject to the restrictions that apply to the other types of groups. For example, in the previous article, I mentioned that you can’t place a local group or a domain local group into another local group. You can however, put a universal group into a local group. The rules that apply to other types of groups simply don’t apply to universal groups.

    Of course, this raises the question of why you would ever use any of the other types of groups if they have limitations that universal groups can overcome.
    One of the reasons why there are so many different types of groups is because Windows Server is an evolutionary product. Universal groups were introduced in Windows 2000 Server, along with the Active Directory. Previous versions of Windows Server (namely Windows NT Server) supported the use of groups, but universal groups had not been invented yet when these versions were current. When Microsoft released Windows 2000 Server, they chose to continue to support other types of groups as a way of maintaining backward compatibility with Windows NT. Likewise, Windows Server 2003 also supports the use of legacy group types for backward compatibility reasons.

    The fact that universal groups didn’t exist in the days of Windows NT Server, means that Windows NT doesn’t support universal groups. This presents a bit of a problem if you happen to have any Windows NT servers in your forest.

    Windows 2000 Server was such a dramatic change from Windows NT Server that a number of the new features would only work on networks with no Windows NT Server domain controllers. To get around this problem, Microsoft created the concept of native mode. but the basic idea is that when Windows 2000 Server is initially installed, it is operating in something called mixed mode. Mixed mode is fully backward compatible with Windows NT, but many of Windows 2000’s features can’t be used until you get rid of the Windows NT domain controllers and switch to native mode. Although the terminology is a bit different, the same basic concept also applies to Windows Server 2003.

    Universal groups are one of those features that is only available if your domain controllers are operating in Windows 2000 Server Native Mode or higher. That’s one reason why you can’t use universal groups in every situation.

    Even if all of your servers are running Windows Server 2003, and your forest is fully native, it is still a bad idea in most cases to use universal groups exclusively.
    Earlier in this series, I introduced you to the concept of global catalog servers. As you may recall, global catalog servers are domain controllers that have been assigned the task of keeping track of every object in the forest. Typically, each Active Directory site contains its own copy of the global catalog, which means that any time a global catalog is updated, the updated information must be replicated to the other global catalog servers.

    When you create a universal group, both the group name and the group’s membership list are written to the global catalog. This means that as you create more and more universal groups, the global catalog becomes more bloated. As the global catalog becomes larger, the amount of time that it takes to replicate the global catalog from one global catalog server to another also increases. If left unchecked, this can lead to network performance problems.

    In case you are wondering, other types of groups don’t place nearly as much of a load on the global catalog. For example, global groups are listed in the global catalog, but their membership list isn’t. Therefore, Microsoft’s basic rule of thumb is that it is OK to create universal groups, but you should use them sparingly.

    Group Nesting

    One last group related concept that I want to discuss is that of nesting. The easiest way that I can think of to explain nesting is to compare it to Russian matryoshka dolls, like the ones shown in Figure A. These types of dolls are designed so that they can all be placed inside of one another. The smallest goes into the second smallest, the second smallest goes into the third smallest, and so on. This idea of placing an object inside of a similar object is called nesting.



    Figure A:
    Russian matryoshka dolls illustrate the concept of nesting.

    There are many different reasons for nesting groups. One of the most common reasons involves matching up resources with departments. For example, a company might start by creating a group for each department. They might create a Finance group, a Marketing group, an IT group, and so on. Next, they would place users into the group that corresponds to the department that the user works in.

    The next step in the process would be to create groups that correspond to the various resources that you need to grant access to. For example, if you knew that everyone in the finance department was going to need access to an accounting application, you could create a group that grants access to the application, and then place the finance group into that group. You don’t have to nest groups, but doing so sometimes allows you to keep things a little bit better organized, while saving a little bit of work in the process. For instance in the previous example, you didn’t have to manually place individual user accounts into the group for the accounting application. Instead, you just reused a group that already existed.

    Keep in mind that not every group can be nested into every other type of group. The table below shows which types of groups can be nested into other groups.



    Group Type   | Can Be Nested into Local | Can Be Nested into Domain Local | Can Be Nested into Global | Can Be Nested into Universal
    Local        | No                       | No                              | No                        | No
    Domain Local | Yes                      | Yes, if in the same domain      | No                        | No
    Global       | Yes                      | Yes                             | Yes, if in the same domain | Yes
    Universal    | Yes                      | Yes                             | No                        | Yes

    Table 1


    Caveats
    If Windows is operating in Windows 2000 mixed mode, the following limitations apply:

    • Universal groups cannot be created
    • Domain local groups can only contain global groups
    • Global groups cannot contain other groups
    Last edited by Mohamed Fouad; 15-04-2010 at 01:50 PM.
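
The nesting rules in Table 1 and the department-group-into-resource-group pattern described in the post above, as an added Python example that is not part of the original thread. The group and user names and the helpers `can_nest`, `audit` and `effective_users` are constructed for illustration; the two domains are the ones named in post #1.

```python
from collections import namedtuple

Group = namedtuple("Group", "name scope domain")

# Table 1 from the post: RULES[child scope][parent scope]
# "same" means the nesting is allowed only inside one domain.
RULES = {
    "local":        {"local": "no",  "domain_local": "no",   "global": "no",   "universal": "no"},
    "domain_local": {"local": "yes", "domain_local": "same", "global": "no",   "universal": "no"},
    "global":       {"local": "yes", "domain_local": "yes",  "global": "same", "universal": "yes"},
    "universal":    {"local": "yes", "domain_local": "yes",  "global": "no",   "universal": "yes"},
}

def can_nest(child, parent):
    """True if Table 1 allows `child` to be a member of `parent`."""
    rule = RULES[child.scope][parent.scope]
    return rule == "yes" or (rule == "same" and child.domain == parent.domain)

def audit(members, groups):
    """Return every (child, parent) group nesting that Table 1 does not allow."""
    return [(m, parent)
            for parent, ms in members.items()
            for m in ms
            if m in groups and not can_nest(groups[m], groups[parent])]

def effective_users(name, members, groups, _seen=None):
    """Users who reach `name` directly or through nested groups."""
    seen = set() if _seen is None else _seen
    if name in seen:            # guard against circular nesting
        return set()
    seen.add(name)
    users = set()
    for m in members.get(name, []):
        if m in groups:
            users |= effective_users(m, members, groups, seen)
        else:
            users.add(m)
    return users

# Constructed sample directory (not real data).
GROUPS = {g.name: g for g in [
    Group("Finance", "global", "proprofs.local"),
    Group("FinanceCom", "global", "proprofs.com"),
    Group("AccountingApp", "domain_local", "proprofs.local"),
]}
MEMBERS = {
    "Finance": ["alice", "bob", "FinanceCom"],   # cross-domain global-in-global
    "FinanceCom": ["carol"],
    "AccountingApp": ["Finance"],                # resource group holds only a group
}

if __name__ == "__main__":
    print("disallowed nestings:", audit(MEMBERS, GROUPS))
    print("effective access:", sorted(effective_users("AccountingApp", MEMBERS, GROUPS)))
```

The resource group lists a single direct member, yet three users hold access through it, which is why a permissions review has to expand nested membership rather than read the direct member list.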

  7. #3
    Join Date
    Jan 2008
    Location
    Egypt
    Posts
    3,946
    Blog Entries
    1
    Rep Power
    16
