This is the main reason it is recommended to place users only into global groups and to assign permissions to resources using domain local groups that have global groups as members. After you have used this strategy and reused the same global groups over and over, saving administration time, the reasoning behind it will be validated.

With Exchange and Exchange effectively requiring universal groups as distribution lists, the universal group tends to be the de facto default group in an enterprise, in place of the global groups used in the past. Otherwise you would need to add groups from each domain whenever a resource or administrative task needs to grant or deny groups from each domain access to a resource in the forest; with a universal group you would then need to configure only a single entry to allow all the administrators access forest-wide for a particular resource or user right.

Universal security groups are preferred because they can have members from each domain, but if the group strategy necessitates their use, domain local and domain global groups could still handle most situations.

When it comes to creating groups, understanding the characteristics and limitations of each type and scope is only half the battle. Other points to consider are how the group will be used and who will need to be a member of it. A group is commonly used for three separate functions: delegating administrative rights, distributing email, and securing network resources such as file shares and printers. To help clarify group usage, the following examples show how the different groups can be used in different administrative scenarios.

User Administration in a Single Domain
If a group is needed to simplify the process of granting rights to reset user passwords in a single domain, either a domain local or a global security group would suffice.

Domain Functional Level and Groups
There are many different domain functional levels, with each level adding more functionality. The reason for all the different levels is to provide backward compatibility with domain controllers running on different platforms, which allows a phased migration of the domain controllers. The four domain functional levels are as follows:

Windows Native: This domain level allows only Windows , Windows Server , Windows Server , and Windows Server R2 domain controllers in the domain. Universal security groups can be leveraged, along with universal and global security group nesting.

The next level provides all the features of the Windows Native domain level, plus additional security and functionality features, such as domain rename, logon time stamp updates, and selective authentication.

The next level supports all the features of the Windows Server functional level plus additional features such as AES and AES encryption support for Kerberos, last interactive logon information to provide visibility into true logon activity by the user, fine-grained password policies that allow policies to be set on a per-group and per-user basis, and the use of DFSR for Active Directory replication.

The fourth level essentially inserts the type of logon method into the Kerberos token and allows applications to determine authorization or access based on the logon method. For example, an application could allow only logon type 2 (interactive) and not type 3 (network), to ensure that the user was actually at a workstation.

The most important note is that all of the domain functional levels supported by Windows Server R2 allow universal security groups.

Creating AD Groups
Now that you understand what kinds of groups you can create and what they can be used for, you are ready to create a group. To do so, follow these steps:

1. Launch Server Manager on a domain controller.
2. Expand the Active Directory Domain Services folder.
3. Expand the Active Directory Users and Computers snap-in.
4. Expand the domain folder (in this example, the companyabc domain).
5. Select a container (for example, the Users container). Right-click it and select New, Group.
6. Enter the group name and select the appropriate group type and scope, as shown in Figure 1.
7. Click OK to finish creating the group.

Figure 1. Creating a group.

After you create a group, you can add members to it. The domain level that the domain is running in determines whether this group can have other groups as members. To add members to an existing group, follow these steps:

1. Launch Server Manager on a domain controller.
2. Expand the Active Directory Domain Services folder.
3. Expand the Active Directory Users and Computers snap-in.
4. Expand the domain folder (in this example, the companyabc domain).
5. Select the Users container that was used in the previous section.
6. In the right pane, right-click the group that was created earlier, and select Properties.
7. Enter a description for the group on the General tab and then click the Members tab.
8. Click Add to add members to the group.
9. In the Select Users, Contacts, Computers, or Groups window, type in the name of each group member separated by a semicolon and click OK to add these users to the group.

After a group is created, it needs to be managed by an administrator, users, or a combination of both, depending on the dynamics of the group. To delegate control of a group to a particular user, follow these steps:

1. At the bottom of the page, click the Advanced button.
2. Click Add.
3. In the Select User, Computer, or Group window, type in the name of the account for which you want to grant permissions, and click OK.
4. When the Permissions Entry for Group window appears, select the Properties tab. Then click OK.

Figure 2. Granting permissions to modify group membership.
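As an added example that is not part of the book's text, the following Python script encodes two things described above: the scope-nesting rules that the domain functional level imposes (the page states only that the level determines whether a group can contain other groups; the rule table here is the standard Active Directory rule set for mixed and native levels, supplied by me) and the strategy of placing users only in global groups and assigning permissions through domain local groups. It lets a proposed membership export be checked before it is applied; every principal name and domain is constructed sample data.

```python
# Added example, not code from the book: check proposed memberships against the
# standard AD scope-nesting rules (mixed vs. native level) and the strategy above.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "domainlocal" or "universal"

# Member kinds each scope may contain: "same" = group's own domain only, "any" =
# any forest domain. Universal security groups exist only at native level.
NESTING = {
    "mixed": {"global": {"user": "same"},
              "domainlocal": {"user": "any", "global": "any"}},
    "native": {"global": {"user": "same", "global": "same"},
               "domainlocal": {"user": "any", "global": "any",
                               "universal": "any", "domainlocal": "same"},
               "universal": {"user": "any", "global": "any", "universal": "any"}},
}

def nesting_error(group, member, level) -> Optional[str]:
    """Reason AD would refuse to add member to group at this level, else None."""
    scopes = NESTING[level]
    if group.kind not in scopes:
        return f"{group.kind} security groups are not available at {level} level"
    rule = scopes[group.kind].get(member.kind)
    if rule is None:
        return f"a {group.kind} group cannot contain a {member.kind}"
    if rule == "same" and member.domain != group.domain:
        return f"{member.kind} members of a {group.kind} group must be from {group.domain}"
    return None

def strategy_warnings(group, member) -> list:
    """Memberships AD allows but that break the recommended group strategy."""
    if member.kind == "user" and group.kind != "global":
        return [f"{member.name} added directly to {group.kind} group {group.name}; "
                "put users in a global group and nest that group instead"]
    return []

def review(level, memberships) -> list:
    """Run both checks over (group, member) pairs and return all findings."""
    findings = []
    for group, member in memberships:
        err = nesting_error(group, member, level)
        if err:
            findings.append(f"ERROR {group.name}: {err}")
        findings.extend("WARN " + w for w in strategy_warnings(group, member))
    return findings
```

Call review("native", pairs) with the (group, member) pairs from a planned change; ERROR lines are memberships the directory will reject, WARN lines are ones it will accept but that bypass the global-group layer.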