
Page 1: The various types of security groups that Windows allows you to create

8/7/2019 The various types of security groups that Windows allows you to create

http://slidepdf.com/reader/full/the-various-types-of-security-groups-that-windows-allows-you-to-create 1/7

  The various types of security groups that Windows allows you to create.

In the previous article, I showed you how to create security groups in Windows Server 2003. When I walked you through the process though, you might have noticed that Windows allows you to create a few different types of groups, as shown in Figure A. As you might have guessed, each of these group types has a specific purpose. In this article, I will explain what each type of group is used for.

Figure A: Windows allows you to create a few different types of groups

If you look at the dialog box shown above, you will notice that the Group Scope area provides you with the option of creating a domain local, global, or universal group. There is also a fourth type of group that is not shown here; it is simply called a local group.

Local Groups

Local groups are groups that are specific to an individual computer. As you know by now, local computers can contain user accounts that are completely separate from the accounts that belong to the domain the computer is joined to. These are known as local user accounts, and they are only accessible from the computer on which they reside. Furthermore, local user accounts can only exist on workstations and on member servers. Domain controllers do not allow for the existence of local user accounts.


With this in mind, it should come as no surprise that local groups are simply groups that are specific to a particular member server or workstation. A local group is often used to manage local user accounts. For example, the local Administrators group allows you to designate which users are administrators over the local machine.

Although a local group can only be used to secure resources residing on the local machine, that doesn't mean the group's membership must be limited to local users. While a local group can, and usually does, contain local users, it can also contain domain users. Furthermore, local groups can also contain groups that reside at the domain level. For example, you could make a universal group a member of a local group, and the universal group's members will effectively become members of the local group. In fact, a local group can contain local users, domain users, domain local groups, global groups, and universal groups.

There are two caveats that you need to be aware of though. First, as you might have noticed, a local group cannot contain another local group. It would seem that you should be able to drop one group into another, but you can't. Someone at Microsoft once told me that the reason for this is to prevent a situation in which two local groups become members of each other.

The other caveat that you need to be aware of is that local groups can only contain domain users and domain-level groups if the machine containing the local group is a member of the domain. Otherwise, local groups can only contain local users.
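Because a local group can hold domain users and domain groups, the members you see in the local Administrators group are not necessarily the people who actually have administrative rights: a single nested domain group can bring in any number of accounts managed elsewhere. The following PowerShell script is an added example (not from the article) that audits a workstation's or member server's local groups and flags domain groups nested into them. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Windows Server 2016 and later) and an elevated prompt; the list of group names is a constructed default.

```powershell
# Added example (not from the article): audit local groups on a workstation or
# member server and report which members are local principals and which come
# from the domain. Requires Microsoft.PowerShell.LocalAccounts (Windows 10 /
# Windows Server 2016 and later). Run in an elevated PowerShell session.

function Get-LocalGroupAudit {
    param(
        # Groups to inspect; these defaults are a constructed list of the local
        # groups that grant the most rights on a machine.
        [string[]]$GroupName = @('Administrators', 'Remote Desktop Users', 'Backup Operators')
    )

    foreach ($group in $GroupName) {
        # Get-LocalGroupMember returns Name, ObjectClass (User or Group) and
        # PrincipalSource (Local, ActiveDirectory, AzureAD, MicrosoftAccount).
        # SilentlyContinue skips members whose SID can no longer be resolved.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Group             = $group
                Member            = $m.Name
                ObjectClass       = $m.ObjectClass
                PrincipalSource   = $m.PrincipalSource
                # A domain group inside a local group is the nesting the article
                # describes: every member of that domain group is effectively a
                # member of the local group, so it is flagged for review.
                NestedDomainGroup = ($m.ObjectClass -eq 'Group' -and
                                     $m.PrincipalSource -eq 'ActiveDirectory')
            }
        }
    }
}

# Usage: list every member, then only the domain groups nested into local groups.
$audit = Get-LocalGroupAudit
$audit | Format-Table -AutoSize
$audit | Where-Object NestedDomainGroup | Format-Table Group, Member -AutoSize
```

On a machine that is not joined to a domain, every row will show PrincipalSource Local, which is the second caveat above in practice. Where a nested domain group is reported, its effective members have to be resolved in Active Directory (for example with Get-ADGroupMember -Recursive), since the local group itself only records the group, not the accounts inside it.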

Domain Local Groups

Given what you've just learned about local groups, the idea of a domain local group probably sounds contradictory. The reason why domain local groups exist, though, is that domain controllers do not contain a local account database. This means that there are no such things as local users or local groups on a domain controller. Even so, domain controllers have local resources that need to be managed. This is where domain local groups come into play.

When you install Windows Server 2003 onto a computer, the machine typically begins life as either a standalone server or as a member server. In either case, local user accounts and local groups are created during the installation process. Now suppose that you wanted to convert the machine into a domain controller. When you run DCPROMO, the local groups and local user accounts are converted into domain local groups and domain user accounts.

It is important to keep in mind that all of the domain controllers within a domain share a common user account database. This means that if you add a user to a domain local group on one domain controller, the user will be a member of that domain local group on every domain controller in the entire domain.


The most important thing to keep in mind about domain local groups is that there are two different types. As I mentioned, when DCPROMO is run, the local groups are converted to domain local groups. Any domain local groups that are created by running DCPROMO are placed into the Builtin folder in the Active Directory Users and Computers console, as shown in Figure B.

Figure B: Domain local groups created by DCPROMO reside in the Builtin container 

The reason why this is important to know is that there are some restrictions imposed on these particular domain local groups. These groups cannot be moved or deleted. Likewise, you cannot make these groups members of other domain local groups.

These restrictions do not apply to domain local groups that you create though. Domain local groups that you create typically begin life in the Users container. From there, you are free to move or delete them to your heart's content.

I have to be perfectly frank and tell you though that in all the years I have been working with Windows Server, I have yet to find a good argument for creating domain local groups. In fact, domain local groups are basically identical to global groups, except that they are restricted to an individual domain.

Global Groups


Global groups are by far the most commonly used type of group. In most cases, a global group simply acts as a collection of Active Directory user accounts. The interesting thing about global groups is that they can be placed inside of each other. You can make one global group a member of another global group, so long as both global groups exist within the same domain.

Keep in mind that global groups can only contain Active Directory objects. You cannot place a local user account or a local group into a global group. You can, however, add a global group to a local group. In fact, doing so is the most common way of granting domain users permissions to resources stored on a local computer. For example, suppose that you wanted to give the managers in your company administrative rights to their workstations (not that I recommend doing that, this is just an example). To do so, you could create a global group called Managers, and place each manager's domain user account into it. You could then add the Managers group to the workstation's local Administrators group, thus making the managers administrators on those workstations.
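The Managers procedure above, carried out with PowerShell, as an added example that is not part of the article: the global group is created and populated in Active Directory, then nested into the workstation's local Administrators group, and the result is verified. It assumes the ActiveDirectory module (RSAT) on the admin workstation, PowerShell remoting to the target, and the Microsoft.PowerShell.LocalAccounts module on the target; the group name Managers comes from the article, while the user names and computer name are placeholders.

```powershell
# Added example (not from the article): nest a global group into a workstation's
# local Administrators group, as in the article's Managers scenario. User and
# computer names are placeholders. Requires the ActiveDirectory module (RSAT),
# PowerShell remoting to the workstation, and Microsoft.PowerShell.LocalAccounts
# on the workstation (Windows 10 / Windows Server 2016 and later).

Import-Module ActiveDirectory

$domain      = (Get-ADDomain).NetBIOSName
$groupName   = 'Managers'            # global group name from the article
$managers    = @('alice', 'bob')     # placeholder sAMAccountNames
$workstation = 'WS-MANAGER01'        # placeholder computer name

# 1. Create the global security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path (Get-ADDomain).UsersContainer `
        -Description 'Managers (nested into workstation local groups)'
}

# 2. Put the managers' domain user accounts into the global group.
Add-ADGroupMember -Identity $groupName -Members $managers

# 3. On the workstation, nest the global group into the local Administrators
#    group. A global group may be a member of a local group; a local group can
#    never be a member of a global group.
Invoke-Command -ComputerName $workstation -ArgumentList "$domain\$groupName" -ScriptBlock {
    param($member)
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $member
    }
    # 4. Verify: the local group holds the domain group, not the individual users.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}
```

The practical consequence is that local administrator rights on the workstation are now controlled by the membership of a domain group: anyone later added to Managers in Active Directory becomes an administrator there without any change on the workstation itself, so the global group's membership is what needs to be reviewed.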

Conclusion

In this article, I've explained that Windows supports the use of four different types of security groups. So far, I have explained the differences between local, domain local, and global groups. In the next part of this article series, I will continue the discussion by discussing universal groups. I will then go on to discuss the concept of group nesting.

Universal Groups

In that article, I talked a lot about local groups, domain local groups, and global groups. You could easily manage your entire network using only these types of groups. Even so, there is one more type of group that Windows Server 2003 supports: universal groups.

For those of you who found local groups, domain local groups, and global groups to be confusing or overly restrictive, universal groups will initially seem like an answer to prayers. Universal groups are essentially groups that are not subject to the restrictions that apply to the other types of groups. For example, in the previous article, I mentioned that you can't place a local group or a domain local group into another local group. You can, however, put a universal group into a local group. The rules that apply to other types of groups simply don't apply to universal groups.

Of course, this raises the question of why you would ever use any of the other types of groups if they have limitations that universal groups can overcome.

One of the reasons why there are so many different types of groups is that Windows Server is an evolutionary product. Universal groups were introduced in Windows 2000 Server, along with Active Directory. Previous versions of Windows Server (namely Windows NT Server) supported the use of groups, but universal groups had not been invented yet when these versions were current. When Microsoft released Windows 2000 Server, they chose to continue to support the other types of groups as a way of maintaining backward compatibility with Windows NT. Likewise, Windows Server 2003 also supports the use of legacy group types for backward compatibility reasons.

The fact that universal groups didn't exist in the days of Windows NT Server means that Windows NT doesn't support universal groups. This presents a bit of a problem if you happen to have any Windows NT servers in your forest.

Windows 2000 Server was such a dramatic change from Windows NT Server that a number of the new features would only work on networks with no Windows NT Server domain controllers. To get around this problem, Microsoft created the concept of native mode. I will talk a lot more about native mode in Part 17, but the basic idea is that when Windows 2000 Server is initially installed, it is operating in something called mixed mode. Mixed mode is fully backward compatible with Windows NT, but many of Windows 2000's features can't be used until you get rid of the Windows NT domain controllers and switch to native mode. Although the terminology is a bit different, the same basic concept also applies to Windows Server 2003.

Universal groups are one of those features that are only available if your domain controllers are operating in Windows 2000 Server native mode or higher. That's one reason why you can't use universal groups in every situation.

Even if all of your servers are running Windows Server 2003 and your forest is fully native, it is still a bad idea in most cases to use universal groups exclusively.

Earlier in this series, I introduced you to the concept of global catalog servers. As you may recall, global catalog servers are domain controllers that have been assigned the task of keeping track of every object in the forest. Typically, each Active Directory site contains its own copy of the global catalog, which means that any time the global catalog is updated, the updated information must be replicated to the other global catalog servers.

When you create a universal group, both the group name and the group's membership list are written to the global catalog. This means that as you create more and more universal groups, the global catalog becomes more bloated. As the global catalog becomes larger, the amount of time that it takes to replicate the global catalog from one global catalog server to another also increases. If left unchecked, this can lead to network performance problems.

In case you are wondering, other types of groups don't place nearly as much of a load on the global catalog. For example, global groups are listed in the global catalog, but their membership list isn't. Therefore, Microsoft's basic rule of thumb is that it is OK to create universal groups, but you should use them sparingly.
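Since it is the membership lists of universal groups, not the groups themselves, that get replicated to every global catalog server, the number worth watching is the total of those lists. The following script is an added example (not from the article) that reports the domain's mode and sizes every universal group's direct membership; it assumes the ActiveDirectory module and read access to the domain. The mixed/native distinction is read from the domain object's ntMixedDomain attribute, which is separate from the functional level reported as DomainMode.

```powershell
# Added example (not from the article): report whether the domain is still in
# mixed mode and how much global-catalog membership data universal groups carry.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.

Import-Module ActiveDirectory

function Get-UniversalGroupReport {
    $domain = Get-ADDomain

    # Mixed vs. native mode is stored in the ntMixedDomain attribute of the
    # domain object (1 = mixed). DomainMode is the functional level, which is
    # a separate setting.
    $domainObject = Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain
    $mixedMode    = ($domainObject.ntMixedDomain -eq 1)

    # Every universal group with its direct member list. Only universal groups
    # have their membership replicated to all global catalog servers, so the
    # size of these lists is what drives the replication cost described above.
    $groups = @(Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties Members)

    $rows = foreach ($g in $groups) {
        [pscustomobject]@{
            Group         = $g.Name
            Category      = $g.GroupCategory
            DirectMembers = @($g.Members).Count
        }
    }

    [pscustomobject]@{
        Domain             = $domain.DNSRoot
        DomainMode         = $domain.DomainMode
        MixedMode          = $mixedMode
        UniversalGroups    = $groups.Count
        TotalMemberEntries = [int]($rows | Measure-Object DirectMembers -Sum).Sum
        # The groups whose membership contributes most to global catalog size.
        LargestGroups      = $rows | Sort-Object DirectMembers -Descending | Select-Object -First 10
    }
}

$report = Get-UniversalGroupReport
$report | Select-Object Domain, DomainMode, MixedMode, UniversalGroups, TotalMemberEntries | Format-List
$report.LargestGroups | Format-Table -AutoSize
```

A universal group whose members are individual user accounts is the case the rule of thumb warns about; nesting a global group inside it keeps the universal group's replicated member list to a single entry, because, as the article notes, a global group's own membership is not stored in the global catalog.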

Group Nesting


One last group-related concept that I want to discuss is that of nesting. The easiest way that I can think of to explain nesting is to compare it to Russian matryoshka dolls, like the ones shown in Figure A. These types of dolls are designed so that they can all be placed inside of one another. The smallest goes into the second smallest, the second smallest goes into the third smallest, and so on. This idea of placing an object inside of a similar object is called nesting.

Figure A: Russian matryoshka dolls illustrate the concept of nesting.

There are many different reasons for nesting groups. One of the most common reasons involves matching up resources with departments. For example, a company might start by creating a group for each department. They might create a Finance group, a Marketing group, an IT group, and so on. Next, they would place users into the group that corresponds to the department that each user works in.

The next step in the process would be to create groups that correspond to the various resources that you need to grant access to. For example, if you knew that everyone in the finance department was going to need access to an accounting application, you could create a group that grants access to the application, and then place the Finance group into that group. You don't have to nest groups, but doing so sometimes allows you to keep things a little bit better organized, while saving a little bit of work in the process. For instance, in the previous example, you didn't have to manually place individual user accounts into the group for the accounting application. Instead, you just reused a group that already existed.

Keep in mind that not every group can be nested into every other type of group. The table below shows which types of groups can be nested into other groups.

Group Type    | Can Be Nested into Local | Can Be Nested into Domain Local | Can Be Nested into Global   | Can Be Nested into Universal
Local         | No                       | No                              | No                          | No
Domain Local  | Yes                      | Yes, if in the same domain      | No                          | No
Global        | Yes                      | Yes                             | Yes, if in the same domain  | Yes
Universal     | Yes                      | Yes                             | No                          | Yes

Table 1

Caveats

If Windows is operating in Windows 2000 mixed mode, the following limitations apply:

• Universal groups cannot be created

• Domain local groups can only contain global groups

• Global groups cannot contain other groups
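Table 1 and the mixed-mode caveats together form a small rule set, and encoding them as a check that runs before a nesting operation makes a refused (or silently wrong) Add-ADGroupMember call easier to diagnose. The PowerShell below is an added example, not from the article: Test-GroupNesting is a pure function over the two scopes, the same-domain flag and mixed mode, followed by a loop that reproduces Table 1 and a guarded wrapper around Add-ADGroupMember. The wrapper assumes the ActiveDirectory module; the group names Finance and AccountingApp-Users are placeholders taken from the article's department/resource scenario.

```powershell
# Added example (not from the article): Table 1 and the mixed-mode caveats as a
# pre-check for nesting one group into another. The Add-GroupToGroupChecked
# wrapper needs the ActiveDirectory module; group names used below are placeholders.

function Test-GroupNesting {
    param(
        [Parameter(Mandatory)][ValidateSet('Local', 'DomainLocal', 'Global', 'Universal')]
        [string]$MemberScope,     # scope of the group being nested
        [Parameter(Mandatory)][ValidateSet('Local', 'DomainLocal', 'Global', 'Universal')]
        [string]$TargetScope,     # scope of the group it is nested into
        [bool]$SameDomain = $true,
        [switch]$MixedMode        # domain still in Windows 2000 mixed mode
    )

    # Table 1: member scopes each target scope accepts (native mode).
    $allowed = @{
        Local       = @('DomainLocal', 'Global', 'Universal')   # never another local group
        DomainLocal = @('DomainLocal', 'Global', 'Universal')
        Global      = @('Global')
        Universal   = @('Global', 'Universal')
    }
    # Combinations that are only permitted within one domain.
    $sameDomainOnly = @{ DomainLocal = @('DomainLocal'); Global = @('Global') }

    if ($allowed[$TargetScope] -notcontains $MemberScope) {
        return [pscustomobject]@{ Allowed = $false; Reason = "A $MemberScope group cannot be nested into a $TargetScope group" }
    }
    if ($sameDomainOnly[$TargetScope] -contains $MemberScope -and -not $SameDomain) {
        return [pscustomobject]@{ Allowed = $false; Reason = "$MemberScope into $TargetScope is only allowed within the same domain" }
    }
    if ($MixedMode) {
        # Caveats: no universal groups, domain local groups accept only global
        # groups, and global groups accept no groups at all.
        if ($TargetScope -eq 'Universal' -or $MemberScope -eq 'Universal') {
            return [pscustomobject]@{ Allowed = $false; Reason = 'Universal groups cannot be created in mixed mode' }
        }
        if ($TargetScope -eq 'DomainLocal' -and $MemberScope -ne 'Global') {
            return [pscustomobject]@{ Allowed = $false; Reason = 'In mixed mode domain local groups can only contain global groups' }
        }
        if ($TargetScope -eq 'Global') {
            return [pscustomobject]@{ Allowed = $false; Reason = 'In mixed mode global groups cannot contain other groups' }
        }
    }
    [pscustomobject]@{ Allowed = $true; Reason = 'Permitted by Table 1' }
}

# Reproduce Table 1 (native mode, same domain) from the function.
foreach ($member in 'Local', 'DomainLocal', 'Global', 'Universal') {
    foreach ($target in 'Local', 'DomainLocal', 'Global', 'Universal') {
        $r = Test-GroupNesting -MemberScope $member -TargetScope $target
        '{0,-12} into {1,-12}: {2}' -f $member, $target, $(if ($r.Allowed) { 'Yes' } else { 'No' })
    }
}

# Guard a real nesting operation: look up both groups, derive each group's domain
# from its distinguished name, and only call Add-ADGroupMember if the check passes.
function Add-GroupToGroupChecked {
    param([string]$MemberGroup, [string]$TargetGroup, [switch]$MixedMode)
    $member   = Get-ADGroup -Identity $MemberGroup
    $target   = Get-ADGroup -Identity $TargetGroup
    $domainOf = { param($dn) $dn -replace '^.*?,(DC=.*)$', '$1' }
    $check = Test-GroupNesting -MemberScope "$($member.GroupScope)" -TargetScope "$($target.GroupScope)" `
        -SameDomain ((& $domainOf $member.DistinguishedName) -eq (& $domainOf $target.DistinguishedName)) `
        -MixedMode:$MixedMode
    if ($check.Allowed) {
        Add-ADGroupMember -Identity $target -Members $member
    } else {
        Write-Warning "Refusing to nest $($MemberGroup) into $($TargetGroup): $($check.Reason)"
    }
    $check
}

# Usage with the article's scenario (placeholder group names):
# Add-GroupToGroupChecked -MemberGroup 'Finance' -TargetGroup 'AccountingApp-Users'
```

Get-ADGroup only returns DomainLocal, Global or Universal as a GroupScope, so the Local row of Table 1 is reachable through Test-GroupNesting directly rather than through the wrapper. The flip side of nesting is that effective membership becomes indirect: when reviewing who can reach the accounting application, resolve the resource group with Get-ADGroupMember -Recursive rather than reading its direct members.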

Conclusion

In this article, I have explained that it is sometimes advantageous to nest one group within another group. I then went on to discuss the situations in which it is possible to do this.