1. Understanding Group Types and Scopes
Groups
are containers that can contain user and computer objects within them
as members. When security permissions are set for a group in the access
control list (ACL) on a resource, all members of that group receive
those permissions.
Windows Server 2003 has two group types: security and distribution. Security groups are used to assign permissions for access to network resources. Distribution groups
are used to combine users for e-mail distribution lists. Security
groups can be used as a distribution group, but distribution groups
cannot be used as security groups. Proper planning of group structure
affects maintenance and scalability, especially in the enterprise
environment, in which multiple domains are involved.
Tip
Although
settings for individual security principals—users and computers—can be
set by ACLs, those settings are the exception rather than the rule of
best administrative practices. If you find that you are setting an
inordinate number of exceptions in ACLs for a user within a group, the
user’s membership in that group should be reexamined. |
|
In Windows
Server 2003, four domain functional levels are available: Windows 2000
mixed (default), Windows 2000 native, Windows Server 2003 interim, and
Windows Server 2003.
Windows 2000 mixed For supporting Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers Windows 2000 native For supporting Windows 2000 and Windows Server 2003 domain controllers Windows Server 2003 interim For supporting Windows NT 4 and Windows Server 2003 domain controllers Windows Server 2003 For supporting Windows Server 2003 domain controllers
|
Group Scope
Group scope
defines how permissions are assigned to the group members. Windows
Server 2003 groups, both security and distribution groups, are
classified into one of three group scopes: domain local, global, and
universal.
Note
Although local groups are not considered part of the group scope of Windows Server 2003, they are included for completeness. |
Local Groups
Local groups
(or machine local groups) are used primarily for backward compatibility
with Windows NT 4. There are local users and groups on computers
running Windows Server 2003 that are configured as member servers.
Domain controllers do not use local groups.
Local groups
can include members from any domain within a forest, from trusted
domains in other forests, and from trusted down-level domains.
A local group has only machinewide scope; it can grant resource permissions only on the machine on which it exists.
Domain Local Groups
Domain local groups are used primarily to assign access permissions to global groups for local domain resources. Domain local groups:
Exist in all mixed, interim and native functional level domains and forests.
Are
available domainwide only in Windows 2000 native or Windows Server 2003
domain functional level domains. Domain local groups function as a
local group on the domain controllers while the domain is in mixed
functional level.
Can include members from any domain in the forest, from trusted domains in other forests, and from trusted down-level domains.
Have
domainwide scope in Windows 2000 native and Windows Server 2003 domain
functional level domains, and can be used to grant resource permission
on any Windows Server 2003 computer within, but not beyond, the domain
in which the group exists.
Global Groups
Global groups
are used primarily to provide categorized membership in domain local
groups for individual security principals or for direct permission
assignment (particularly in the case of a mixed or interim domain
functional level domain). Often, global groups are used to collect users
or computers in the same domain and share the same job, role, or
function. Global groups:
Exist in all mixed, interim, and native functional level domains and forests
Can only include members from within their domain
Can be made a member of machine local or domain local group
Can be granted permission in any domain (including trusted domains in other forests and pre–Windows 2003 domains)
Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional level only)
Universal Groups
Universal groups
are used primarily to grant access to resources in all trusted domains,
but universal groups can only be used as a security principal (security
group type) in a Windows 2000 native or Windows Server 2003 domain
functional level domain.
Universal groups can include members from any domain in the forest.
In
Windows 2000 native or Windows Server 2003 domain functional level,
universal groups can be granted permissions in any domain, including
domains in other forests with which a trust exists.
Tip
Universal
groups can help you represent and consolidate groups that span domains,
and perform common functions across the enterprise. A useful guideline
is to designate widely used groups that seldom change as universal
groups. |
Group Conversion
The scope of a group
is determined at the time of its creation. However, in a Windows 2000
native or Windows Server 2003 domain functional level domain, domain
local and global groups can be converted to universal groups if the
groups are not members of other groups of the same scope. For example, a
global group that is a member of another global group cannot be
converted to a universal group. Table 1 summarizes the use of Windows Server 2003 domain groups as security principals (group type: security).
Table 1. Group Scope and Allowed Objects
| Group Scope | Allowed Objects |
|---|
| Windows 2000 native or Windows Server 2003 functional level domain
|
| Domain Local | Computer accounts, users, global groups, and universal groups from any forest or trusted domain.
Domain local groups from the same domain.
Nested domain local groups in the same domain. |
| Global | Users, computers and global groups from same domain. Nested global (in same domain), domain local, or universal groups. |
| Universal | Universal
groups, global groups, users and computers from any domain in the
forest. Nested global, domain local, or universal groups. |
| Windows 2000 mixed or Windows Server 2003 interim functional level domain |
| Domain Local | Computer accounts, users, global groups from any domain. Cannot be nested. |
| Global | Only users and computers from same domain. Cannot be nested. |
| Universal | Not available. |
Special Identities
There are also some special groups called special identities,
that are managed by the operating system. Special identities cannot be
created or deleted; nor can their membership be modified by
administrators. Special identities do not appear in the Active Directory
Users And Computers snap-in or in any other computer management tool,
but can be assigned permissions in an ACL. Table 2 details some of the special identities in Windows Server 2003.
Table 2. Special Identities and Their Representation
| Identity | Representation |
|---|
| Everyone | Represents
all current network users, including guests and users from other
domains. Whenever a user logs on to the network, that user is
automatically added to the Everyone group. |
| Network | Represents
users currently accessing a given resource over the network (as opposed
to users who access a resource by logging on locally at the computer
where the resource is located). Whenever a user accesses a given
resource over the network, the user is automatically added to the
Network group. |
| Interactive | Represents
all users currently logged on to a particular computer and accessing a
given resource located on that computer (as opposed to users who access
the resource over the network). Whenever a user accesses a given
resource on the computer to which they are logged on, the user is
automatically added to the Interactive group. |
| Anonymous Logon | The Anonymous Logon group refers to any user who is using network resources, but did not go through the authentication process. |
| Authenticated Users | The
Authenticated Users group includes all users who are authenticated into
the network by using a valid user account. When assigning permissions,
you can use the Authenticated Users group in place of the Everyone group
to prevent anonymous access to resources. |
| Creator Owner | The
Creator Owner group refers to the user who created or took ownership of
the resource. For example, if a user created a resource, but the
Administrator took ownership of it, then the Creator Owner would be the
Administrator. |
| Dialup | The Dialup group includes anyone who is connected to the network through a dialup connection. |
Caution
These
groups can be assigned permissions to network resources, although
caution should be used when assigning some of these groups permissions.
Members of these groups are not necessarily users who have been
authenticated to the domain. For instance, if you assign full
permissions to a share for the Everyone group, users connecting from
other domains will have access to the share. |
2. Managing Group Accounts
The
Active Directory Users And Computers MMC is the primary tool you will
use to administer security principals—users, groups, and computers—in
the domain. In the creation of groups, you will configure the scope,
type, and membership for each. You will also use the Active Directory
Users And Computers MMC to modify membership of existing groups.
Creating a Security Group
The tool that you will
use most often in the creation of groups is the Active Directory Users
And Computers MMC, which can be found in the Administrative Tools
folder. From within the Active Directory Users And Computers MMC,
right-click the details pane of the container within which you want to
create the group, and choose New, Group. You then must select the type
and scope of group that you want to create.
The primary type of
group that you will likely create is a security group because this is
the type of group used to set permissions in an ACL. In a mixed or
interim domain functional level domain, you can only set a security
group for the domain local and global scopes. As Figure 1 illustrates, you cannot create a security group that has universal scope in mixed or interim domain functional level domains.
Domain
local, global, and universal groups can, however, be created as a
distribution type in a mixed or interim domain functional level domain.
In a Windows 2000 native and Windows Server 2003 domain functional level
domain, security groups can be created in any scope.
Modifying Group Membership
Adding or deleting members
from a group is also accomplished through Active Directory Users And
Computers. Right-click any group, and choose Properties. Figure 2 illustrates the Properties dialog box of a global security group called Sales.
Table 3 explains the member configuration tabs of the Properties dialog box.
Table 3. Membership Configuration
| Tab | Function |
|---|
| Members | Adding, removing, or listing the security principals that this container holds as members |
| Member Of | Adding, removing, or listing the containers that hold this container as a member |
Finding the Domain Groups to Which a User Belongs
Active Directory allows for flexible and creative group nesting, where
Global groups can nest into other global groups, universal groups, or domain local groups.
Universal groups can be members of other universal groups or domain local groups.
Domain local groups can belong to other domain local groups.
This flexibility
brings with it the potential for complexity, and without the right
tools, it would be difficult to know exactly which groups a user belongs
to, whether directly or indirectly. Fortunately, Windows Server 2003
adds the DSGET command, which solves the problem. From a command prompt,
type:
dsget user UserDN -memberof [-expand]
The -memberof switch
returns the value of the MemberOf attribute, showing the groups to which
the user directly belongs. By adding the -expand switch, those groups
are searched recursively, producing an exhaustive list of all groups to
which the user belongs in the domain.
