Lesson 3: Managing Groups
Active Directory directory services provide support for different
types of groups, as well as offering options for the scope of a
group—that is, whether or not the group spans multiple domains or
is limited to a single domain.
Understanding Group Types
Active Directory directory services allow for flexibility by
providing two distinct types of groups: security groups and
distribution groups.
Security Groups
Windows 2000 uses only security groups, which you use to assign or
deny rights and permissions to groups of users and computers so that
they can gain access to resources. Programs that are designed to search Active Directory
directory services can also use security groups for nonsecurity-related purposes,
such as sending e-mail messages to a number of users at the same time. A
security group also has all the capabilities of a distribution group.
Since Windows 2000 uses only security groups, this chapter will focus
on security groups.
Distribution Groups
Applications, such as Microsoft Exchange, use distribution groups as
lists for nonsecurity-related functions. Distribution groups cannot be
used for security purposes; you cannot use distribution groups to
assign permissions. Use distribution groups when the only function of
the group is nonsecurity related, such as sending e-mail messages to a
group of users at the same time.
If you have no plans to use a particular group for security
purposes, you should create a distribution group rather than a security
group. During the logon process, Windows 2000 creates an access token
that contains the list of security groups to which the user belongs.
Using distribution groups rather than security groups improves logon performance by reducing the size of the access
token.
Understanding Group Scope
Security and distribution groups have a scope attribute. The scope
of a group determines who can be a member of the group and where you can use that
group in the network. Three group scopes are available: universal,
global, and domain local.
Universal Groups
Universal groups can contain user accounts, global groups, and other
universal groups from any Windows 2000 domain in the forest. The domain
must be operating in native mode to create security groups with
universal scope.
You can grant permissions to universal groups for all domains in the
forest, regardless of the location of the universal group.
Global Groups
Global groups, in a native mode domain, can contain user accounts
and global groups from the domain in which the group exists. In a mixed
mode domain, they can contain only user accounts from the domain in which the group
exists.
You can grant permissions to global groups for all domains in the
forest, regardless of the location of the global group. The membership
of a global group is limited to its domain, but the group can be assigned permissions
throughout the forest.
Domain Local Groups
Domain local groups, in a native mode domain, can contain user
accounts, global groups, and universal groups from any domain in the
forest, as well as domain local groups from the same domain. In a mixed
mode domain, they can contain user accounts and global groups from any
domain.
You can grant permissions to domain local groups only for objects
within the domain in which the domain local group exists. The membership of a
domain local group can be forestwide, but the group can only be
assigned permissions within its own domain.
Group Scope and Performance
A list of universal group memberships is maintained in the global
catalog. Global and domain local groups are listed in the global
catalog, but their membership is not. Each change to the membership of
a universal group is replicated to all global catalog servers. By
minimizing the use of universal groups, you will help reduce the size of the global catalog and thereby reduce the amount of
traffic on your network caused by replication of the global
catalog.
Consider limiting membership in universal groups to other groups, as
opposed to user accounts. This allows you to adjust the user accounts
that are members of the universal group by adjusting the membership of
the groups that are members of the universal group. Since this does not
directly affect the membership of the universal group, no replication
traffic is generated.
Limiting the use of universal groups can also help you to reduce the
size of access tokens when resources are in different domains. If you use
global and domain local groups, the access tokens contain the global and domain
local groups that are applicable to the domain in which the resource
exists. If you use universal groups, the access token contains a list
of all of the universal groups the user belongs to, even if those
universal groups are not used in that domain.
Limit the use of universal groups to groups that are widely used in
your enterprise and are relatively static as far as membership
changes.
Creating Groups
Creating groups eases administrative overhead by combining accounts
that require similar access to network resources into a single object to
which you can assign rights and permissions.
Planning Groups
The recommended strategy for using both global and domain local
groups is to put user accounts (A) into global groups (G) and then to
put global groups into domain local groups (DL) and assign resource
permissions (P) to the domain local groups. This strategy (AGDLP) provides for the most flexibility
and reduces the complexity of assigning access permissions to network
resources.
For example, suppose your network has several global groups that all
require the same access permissions to network resources in a
particular domain. If you put all of these global groups into a single
domain local group, you can then assign the appropriate permissions for
each resource to that single domain local group, and the user accounts
in the global groups would have the appropriate permissions. If the
permission requirements for the resources ever change, you can simply adjust the domain local group's membership. If, on the other
hand, you assigned permissions directly to the global groups, you would
need to manually adjust the individual permissions on all of the
network resources.
Creating a Group in Active Directory Directory Services
To create a group, open the Active Directory Users and Computers
tool, right-click the appropriate container or OU, point to New, and
then click Group. Figure 5.4 shows the New Object - Group dialog box, and Table 5.3
describes the options that you must provide in the New Object - Group
dialog box.
Figure 5.4 The New Object - Group dialog box
Table 5.3 New Object - Group Dialog Box Options
| Option | Description |
| --- | --- |
| Group Name | The name of the new group. The name must be unique within the container in which you create the group. |
| Group Name (Pre-Windows 2000) | The name by which the group is referred to from client computers running versions of Windows earlier than Windows 2000. This name must be unique within the domain. |
| Group Scope | The group scope. Choose Domain Local, Global, or Universal. |
| Group Type | The type of group. Choose Security or Distribution. |
After you create a group, you add members. Members of groups can
include user accounts, other groups, and computers.
NOTE
Add a computer to a group to give access to a
shared resource on that computer (for example, the remote backup
utility).
Adding Members to a Group
To add members to a group, use the Active Directory Users and
Computers tool. In the Active Directory Users And Computers window,
right-click the group to which you want to add a member, click
Properties, and then click the Members tab. On the Members tab, click
Add.
In the Look In list, select a domain from which to display user
accounts and groups, or select Entire Directory to view user accounts
and groups from anywhere in Active Directory directory services. From
this list, select the user account or group that you want to add, and then click Add. If you are
adding more than one user account or group, you can continue to select
the account or group and click Add. Once you have finished adding user
accounts or groups to selected groups, click OK.
NOTE
You can also add a user account or group to a
group by using the Member Of tab in the Properties dialog box for that
user account or group. Use this method to quickly add the same user or
group to multiple groups.
Modifying Groups
In addition to changing the membership of a group and the
permissions granted to that group, you can modify a group by changing
the type and scope. You can also delete groups when they are no longer
needed.
Changing Group Type
You can change a group's type from security to distribution or
from distribution to security at any time when the domain is in native
mode. You cannot change a group's type when the domain is in mixed
mode. You change the type of the group on the General tab of the
Properties dialog box for the group.
Changing Group Scope
As your network changes, you might need to change a group's
scope. For example, you might want to change an existing domain local group to a
universal group when you need to assign permissions to allow users to
gain access to resources in other domains. You change the scope of a group on the
General tab of the Properties dialog box for the group.
Here are some important points to remember about changing group
scope:
- You can only change the scope of a group when the domain is
in native mode; you cannot change group scope in mixed mode.
- You can change a global group to a universal group, but only
if the global group that you are converting is not a member of another
global group.
- You can change a domain local group to a universal group,
but only if the domain local group that you are converting does not contain another
domain local group.
- You cannot change a universal group to any other group scope
because all other groups have more restrictive membership and scope
than universal groups.
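As an added example (not code from the training kit), the native-mode membership rules from "Understanding Group Scope" and the scope-change rules listed above, modelled in Python so a planned AGDLP design can be checked before it is built in Active Directory. The objects in practice_scenario are constructed to match this lesson's practice exercises (domain.com, Managers, Inventory, Universal1); conversions the lesson does not describe are treated as unsupported by assumption.

```python
# Added example (not from the training kit): a model of the native-mode membership
# and scope-change rules this lesson describes, to sanity-check an AGDLP design.
from dataclasses import dataclass, field
USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain local", "universal"

@dataclass
class Principal:
    name: str
    kind: str                 # USER or one of the three group scopes
    domain: str
    members: list = field(default_factory=list)   # stays empty for users

def can_contain(group, member):
    """Native-mode membership rules from 'Understanding Group Scope'."""
    same_domain = group.domain == member.domain
    if group.kind == GLOBAL:      # users and global groups from its own domain only
        return member.kind in (USER, GLOBAL) and same_domain
    if group.kind == UNIVERSAL:   # users, global and universal groups from any domain
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    # domain local: anything from any domain, domain local groups only from its own
    return group.kind == DOMAIN_LOCAL and (member.kind != DOMAIN_LOCAL or same_domain)

def add_member(group, member):
    if not can_contain(group, member):
        raise ValueError(f"{group.kind} group {group.name} cannot contain {member.kind} {member.name}")
    group.members.append(member)

def can_change_scope(group, new_scope, all_groups, native_mode=True):
    """Scope-change rules from 'Changing Group Scope'; returns (allowed, reason)."""
    if not native_mode:
        return False, "group scope can only be changed in native mode"
    if group.kind == UNIVERSAL:
        return False, "a universal group cannot be changed to any other scope"
    if group.kind == GLOBAL and new_scope == UNIVERSAL:
        parents = [g.name for g in all_groups if g.kind == GLOBAL and group in g.members]
        return (False, f"{group.name} is a member of global group {parents[0]}") if parents else (True, "ok")
    if group.kind == DOMAIN_LOCAL and new_scope == UNIVERSAL:
        nested = [m.name for m in group.members if m.kind == DOMAIN_LOCAL]
        return (False, f"{group.name} contains domain local group {nested[0]}") if nested else (True, "ok")
    return False, "conversion not covered by this lesson (assumption: treated as unsupported here)"

def practice_scenario():
    """Rebuilds Exercises 1-3 with constructed objects and answers Exercise 3's two questions."""
    managers = Principal("Managers", GLOBAL, "domain.com")
    inventory = Principal("Inventory", DOMAIN_LOCAL, "domain.com")
    universal1 = Principal("Universal1", UNIVERSAL, "domain.com")
    for user in ("User One", "User Two"):
        add_member(managers, Principal(user, USER, "domain.com"))
    add_member(inventory, managers)   # AGDLP: global group nested in the domain local group
    return can_contain(universal1, managers), can_contain(universal1, inventory)
```

practice_scenario returns (True, False): the Managers global group can join Universal1, but the Inventory domain local group cannot, which is the result Exercise 3 asks you to explain.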
Deleting a Group
When you delete a group, you delete only the group and remove the
permissions and rights that are associated with it. Deleting a group
does not delete the user accounts that are members of the group.
Each group that you create has a unique, nonreusable identifier,
called the security identifier (SID). Windows 2000 uses the SID to
identify the group and the permissions that are assigned to it. When
you delete a group, Windows 2000 does not use the SID for that group again, even if you create a new
group with the same name. Therefore, you cannot restore access to
resources by recreating the group.
To delete a group, open the Active Directory Users and Computers
tool, right-click the group, and then click Delete.

Practice: Creating Groups
In this practice, you will create and add members to a global group,
a domain local group, and a universal group.
Exercise 1: Creating a Global Group and Adding Members
In this exercise, you will create a global group and add
members.
To create a global group in a domain
- Log on as Administrator.
- Open the Active Directory Users and Computers tool.
- In the console tree, expand domain.com.
- In the console tree, click Administration.
- Right-click Administration, point to New, and then click
Group.
The New Object - Group dialog box appears.
- Type Managers in the Group Name box.
- Verify that the Group Scope option is set to Global, and that
the Group Type option is set to Security, and then click OK.
Windows 2000 creates the group and displays it in the details
pane.
To add members to a global group
- Double-click Managers.
The Managers Properties dialog box displays the properties of the
group.
- To view the members of the group, click the Members tab.
This list is currently empty.
- To add a member to the group, click Add.
- In the Select Users, Contacts, Computers, Or Groups dialog box,
in the Look In box, verify that your domain is selected.
- In the list, click User One, and then click Add.
- In the list, click User Two, and then click Add.
- Click OK.
User One and User Two are now members of the Managers global
group.
- Click OK to close the Managers Properties dialog box.
Leave the Active Directory Users And Computers window open.
Exercise 2: Creating a Domain Local Group and Adding Members
In this exercise, you will create a domain local group and add
members. You will use the group to assign permissions to gain access to an inventory
database. Because you use the group to assign permissions, you will
make it a domain local group. You will then add members to the group.
To create a domain local group in a domain
- Right-click Administration, point to New, and then click
Group.
The New Object - Group dialog box appears.
- Type Inventory in the Group Name box.
- For the Group Scope option, click Domain Local, and for the
Group Type option, confirm that Security is selected.
- Click OK.
Windows 2000 creates the domain local group and displays it in the
details pane.
Leave the Active Directory Users And Computers window open.
To add members to a domain local group
- Right-click Inventory, and click Properties.
The Inventory Properties dialog box displays the properties of the
group.
- To add a member to the group, click the Members tab, and then
click Add.
- In the Select Users, Contacts, Computers, Or Groups dialog box,
in the Look In box, select Entire Directory.
The Select Users, Contacts, Computers, Or Groups dialog box displays
user accounts and groups from all domains and shows the location of
each user account or group as domain/Users. In your case there
is only one domain.
- Click the Name column heading.
The Select Users, Contacts, Computers, Or Groups dialog box displays
all entries in the list alphabetically by name.
- Click Managers.
- Click Add, and then click OK.
The Managers group is now a member of the Inventory domain local
group.
- Click OK to close the Inventory Properties dialog box.
Leave the Active Directory Users And Computers window open.
Exercise 3: Creating a Universal Group and Adding Members
In this exercise, you will create a universal group. You will then
test what members you can add to this group.
To create a universal group
- Right-click Administration, point to New, and then click
Group.
The New Object - Group dialog box appears.
- Type Universal1 in the Group Name box.
- For the Group Scope option, click Universal, and for the Group
Type option, ensure that Security is selected.
- Click OK.
Windows 2000 creates the universal group and displays it in the
details pane.
- Repeat steps 1-4 to create a universal group named
Universal2.
To add members to a universal group
- Right-click Universal1, and then click Properties.
The Universal1 Properties dialog box appears.
- Click the Members tab, and then click Add.
- In the Select Users, Contacts, Computers, Or Groups dialog box,
in the Look In box, select your domain.
- In the list, click Managers, and then click Add.
- Click OK.
- Click OK to close the Universal1 Properties dialog box.
Were you able to successfully add the Managers global group to the
universal group? Why or why not?
- Attempt to repeat steps 1 through 5 to add the Inventory domain
local group to the universal group.
Was the Inventory domain local group available for you to add to the
universal group? Why or why not?
- Close the Select Users, Contacts, Computers, Or Groups dialog box
and close the Universal1 Properties dialog box.
Exercise 4: Deleting a Group
In this exercise, you will delete a universal group.
To delete a universal group
- Right-click Universal2, and then click Delete.
- When prompted, click Yes to delete the group named
Universal2.
- Close the Active Directory Users And Computers window.
Lesson Summary
Active Directory directory services provide two types of groups:
security groups and distribution groups. You use security groups to
assign or deny rights and permissions to groups of users and computers so that they can gain
access to resources. A security group has all the capabilities of a distribution
group. Applications, such as Microsoft Exchange, use distribution groups as
lists for nonsecurity-related functions. You use distribution groups
when the only function of the group is nonsecurity related, such as
sending e-mail messages to a group of users at the same time.
Security and distribution groups have a scope attribute. The scope
of a group determines who can be a member of the group and where you can use that
group in the network. Three group scopes are available: universal,
global, and domain local.
After you plan your groups, you use the Active Directory Users And
Computers tool to create a group, add members to a group, change the
type or scope of a group, or delete a group. In Active Directory
directory services, you can also easily move objects within your domain structure and locate resources
throughout the network, regardless of the physical location of the
object.