8/7/2019 The various types of security groups that Windows allows you to create
http://slidepdf.com/reader/full/the-various-types-of-security-groups-that-windows-allows-you-to-create 1/7
The various types of security groups that Windows allows you to create.
In the previous article, I showed you how to create security groups in Windows Server 2003. When I walked you through the process, you might have noticed that Windows allows you to create a few different types of groups, as shown in Figure A. As you might have guessed, each of these group types has a specific purpose. In this article, I will explain what each type of group is used for.
Figure A: Windows allows you to create a few different types of groups
If you look at the dialog box shown above, you will notice that the Group Scope area provides you with the option of creating a domain local, global, or universal group. There is also a fourth type of group that is not shown here: the local group, which exists only in the account database of an individual computer.
Local Groups
Local groups are groups that are specific to an individual computer. As you know by now, a computer can contain user accounts that are completely separate from the accounts belonging to the domain that the computer is joined to. These are known as local user accounts, and they are only usable on the computer on which they reside. Furthermore, local user accounts can only exist on workstations and on member servers. Domain controllers do not allow local user accounts to exist.
With this in mind, it should come as no surprise that local groups are simply groups that are specific to a particular member server or workstation. A local group is often used to manage local user accounts. For example, the local Administrators group allows you to designate which users are administrators on the local machine.
Although a local group can only be used to secure resources residing on the local machine, that doesn't mean the group's membership must be limited to local users. While a local group can, and usually does, contain local users, it can also contain domain users. Furthermore, local groups can also contain groups that reside at the domain level. For example, you could make a universal group a member of a local group, and the universal group's members effectively become members of the local group. In fact, a local group can contain local users, domain users, domain local groups (from the computer's own domain), global groups, and universal groups.
There are two caveats that you need to be aware of though. First, as you might have noticed, a local group cannot contain another local group. It would seem that you should be able to drop one group into another, but you can't. Someone at Microsoft once told me that the reason for this is to prevent a situation in which two local groups become members of each other.
The other caveat that you need to be aware of is that local groups can only contain domain users and domain-level groups if the machine containing the local group is a member of the domain. Otherwise, local groups can only contain local users.
Domain Local Groups
Given what you've just learned about local groups, the idea of a domain local group probably sounds contradictory. The reason why domain local groups exist, though, is that domain controllers do not use a local account database. This means that there are no such things as local users or local groups on a domain controller. Even so, domain controllers have local resources that need to be managed. This is where domain local groups come into play.
When you install Windows Server 2003 onto a computer, the machine typically begins life as either a standalone server or as a member server. In either case, local user accounts and local groups are created during the installation process. Now suppose that you wanted to convert the machine into a domain controller. When you run DCPROMO, the server's local account database stops being used: the built-in local groups become domain local groups in the domain's Builtin container, and, when you are creating a new domain, the local Administrator account becomes the domain's Administrator account. Other local user accounts are not carried over into the domain.
It is important to keep in mind that all of the domain controllers within a domain share a common user account database. This means that if you add a user to a domain local group on one domain controller, the user will be a member of that domain local group on every domain controller in the entire domain once replication has completed.
The most important thing to keep in mind about domain local groups is that there are two different types. As I mentioned, when DCPROMO is run, the local groups are converted to domain local groups. Any domain local groups that are created by running DCPROMO are placed into the Builtin container in the Active Directory Users and Computers console, as shown in Figure B.
Figure B: Domain local groups created by DCPROMO reside in the Builtin container
The reason why this is important to know is that there are some restrictions imposed on these particular domain local groups. These groups cannot be moved or deleted. Likewise, you cannot make these groups members of other groups, other domain local groups included.
These restrictions do not apply to domain local groups that you create, though. Domain local groups that you create typically begin life in the Users container (or in whichever organizational unit you choose). From there, you are free to move or delete them to your heart's content.
I have to be perfectly frank and tell you though that in all the years I have been working with Windows Server, I have yet to find a good argument for creating domain local groups. Strictly speaking, the difference between the two scopes is where each can be used, not what it looks like: a global group can only contain accounts from its own domain but can be granted permissions anywhere in the forest, whereas a domain local group can contain accounts and global groups from any domain in the forest but can only be granted permissions on resources in its own domain. That difference is the basis of Microsoft's recommended nesting pattern: put accounts into global groups, put global groups into domain local groups, and assign permissions to the domain local groups.
Global Groups
Global groups are by far the most commonly used type of group. In most cases, a global group simply acts as a collection of Active Directory user accounts. The interesting thing about global groups is that they can be placed inside of each other. You can make one global group a member of another global group, so long as both global groups exist within the same domain (and, as the caveats at the end of this article note, the domain is not running in Windows 2000 mixed mode).
Keep in mind that global groups can only contain Active Directory objects, and only ones from their own domain. You cannot place a local user account or a local group into a global group. You can, however, add a global group to a local group. In fact, doing so is the most common way of granting domain users permissions to resources stored on a local computer. For example, suppose that you wanted to give the managers in your company administrative rights to their workstations (not that I recommend doing that; this is just an example). To do so, you could create a global group called Managers, and place each manager's domain user account into it. You could then add the Managers group to the workstation's local Administrators group, thus making the managers administrators on those workstations.
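The Managers example above, as an added example that is not part of the original article: the global group is created in the domain, nested into a workstation's local Administrators group, and the result is then audited so you can see exactly which domain groups hand out local admin rights. It also illustrates the local-group rules from the Local Groups section (domain principals can be nested into a local group, but only on a domain-joined machine). It assumes an admin workstation with the RSAT ActiveDirectory module and a target running Windows 10 / Server 2016 or later with WinRM enabled (the LocalAccounts cmdlets do not exist on Windows Server 2003, where net localgroup does the same job); the domain CONTOSO, the OU path, the workstation WKS01 and the user names are placeholders.

```powershell
# Added example, not the article's own code. Assumed environment: RSAT ActiveDirectory
# module, a domain CONTOSO / contoso.com with OU=Groups, a workstation WKS01 running
# Windows 10 / Server 2016 or later (for Add-/Get-LocalGroupMember), and placeholder
# user names. Adjust every name to your environment.
Import-Module ActiveDirectory

# --- Step 1: in the domain, collect the manager accounts in a GLOBAL group ----------
# A global group can only hold accounts from its own domain, which is exactly
# what we want for a departmental role group.
$managers = 'alice', 'bob'                        # sAMAccountNames, placeholders
New-ADGroup -Name 'Managers' -SamAccountName 'Managers' `
            -GroupScope Global -GroupCategory Security `
            -Path 'OU=Groups,DC=contoso,DC=com' `
            -Description 'Department managers (role group, same-domain members only)'
Add-ADGroupMember -Identity 'Managers' -Members $managers

# --- Step 2: on the workstation, nest the global group into the LOCAL Administrators group
# This works only because WKS01 is domain-joined; a standalone machine cannot
# resolve CONTOSO\Managers and the call fails.
Invoke-Command -ComputerName 'WKS01' -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\Managers'
}

# --- Step 3: audit what is actually nested in local Administrators -------------------
# Every domain *group* nested here is transitive exposure: whoever can get into that
# group, now or later, becomes a local admin. That is the row a reviewer wants flagged.
function Get-LocalAdminExposure {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Member       = $_.Name             # e.g. CONTOSO\Managers, WKS01\Administrator
                Class        = $_.ObjectClass      # User or Group
                Source       = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount, ...
                ReviewNeeded = ($_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory')
            }
        }
    }
}

Get-LocalAdminExposure -ComputerName 'WKS01' | Format-Table -AutoSize
```

On Windows Server 2003 the equivalent of step 2 is `net localgroup Administrators CONTOSO\Managers /add`, and `net localgroup Administrators` lists the membership. One practical caveat for the audit: Get-LocalGroupMember fails with an error about comparing two elements when the local group still contains the orphaned SID of a deleted account, so remove such entries before relying on the report.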
Conclusion
In this article, I've explained that Windows supports the use of four different types of security groups. So far, I have explained the differences between local, domain local, and global groups. In the next part of this article series, I will continue the discussion by covering universal groups. I will then go on to discuss the concept of group nesting.
In the previous article, I talked a lot about local groups, domain local groups, and global groups. You could easily manage your entire network using only these types of groups. Even so, there is one more type of group that Windows Server 2003 supports: universal groups.
For those of you who found local groups, domain local groups, and global groups to be confusing or overly restrictive, universal groups will initially seem like an answer to prayers. Universal groups are essentially groups that are not subject to most of the restrictions that apply to the other types of groups. For example, in the previous article, I mentioned that you can't place a local group into another local group, and that a global group can only hold accounts from its own domain. A universal group, on the other hand, can contain accounts, global groups, and other universal groups from any domain in the forest, and it can itself be put into a local group, a domain local group, or another universal group. Most of the rules that apply to other types of groups simply don't apply to universal groups.
Of course, this raises the question of why you would ever use any of the other types of groups if they have limitations that universal groups can overcome.
One of the reasons why there are so many different types of groups is because Windows Server is an evolutionary product. Universal groups were introduced in Windows 2000 Server, along with Active Directory. Previous versions of Windows Server (namely Windows NT Server) supported the use of groups, but universal groups had not been invented yet when these versions were current. When Microsoft released Windows 2000
Server, they chose to continue to support other types of groups as a way of maintaining
backward compatibility with Windows NT. Likewise, Windows Server 2003 also
supports the use of legacy group types for backward compatibility reasons.
The fact that universal groups didn't exist in the days of Windows NT Server means that Windows NT doesn't support universal groups. This presents a bit of a problem if you happen to have any Windows NT servers in your forest.
Windows 2000 Server was such a dramatic change from Windows NT Server that a number of the new features would only work on networks with no Windows NT Server domain controllers. To get around this problem, Microsoft created the concept of native mode. I will talk a lot more about native mode in Part 17, but the basic idea is that when Windows 2000 Server is initially installed, it is operating in something called mixed mode. Mixed mode is fully backward compatible with Windows NT, but many of Windows 2000's features can't be used until you get rid of the Windows NT domain controllers and switch to native mode. Although the terminology is a bit different, the same basic concept also applies to Windows Server 2003.
Universal security groups are one of those features that is only available if your domain is operating in Windows 2000 native mode or higher. (Mixed mode does allow universal distribution groups, but those are not security-enabled and cannot be used to assign permissions.) That's one reason why you can't use universal groups in every situation.
Even if all of your servers are running Windows Server 2003, and your forest is fully
native, it is still a bad idea in most cases to use universal groups exclusively.
Earlier in this series, I introduced you to the concept of global catalog servers. As you may recall, global catalog servers are domain controllers that have been assigned the task of keeping track of every object in the forest. Typically, each Active Directory site has at least one global catalog server, which means that any time the global catalog is updated, the updated information must be replicated to every other global catalog server.
When you create a universal group, both the group name and the group's membership list are written to the global catalog. This means that as you create more and more universal groups, the global catalog becomes more bloated. As the global catalog becomes larger, the amount of time that it takes to replicate the global catalog from one global catalog server to another also increases. If left unchecked, this can lead to network performance problems.
In case you are wondering, other types of groups don't place nearly as much of a load on the global catalog. Global and domain local groups are listed in the global catalog, but their membership lists aren't; only a universal group's member attribute is replicated to every global catalog server. Therefore, Microsoft's basic rule of thumb is that it is OK to create universal groups, but you should use them sparingly.
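A way to see both points for yourself, as an added example that is not from the article: the script reads the domain's ntMixedDomain attribute (the flag that distinguishes mixed mode from native mode, so it tells you whether universal security groups can be created at all), then queries one domain controller on the normal LDAP port and on the global catalog port (3268) and compares what each returns for a group's membership, and finally lists every universal group with its member count so you can judge how much the global catalog is carrying. It assumes the RSAT ActiveDirectory module, a domain controller DC01.contoso.com that is also a global catalog, and existing groups named Managers (global) and AllManagers (universal); all of these names are placeholders.

```powershell
# Added example, not the article's own code. Assumed environment: RSAT ActiveDirectory
# module, DC01.contoso.com acting as both domain controller and global catalog, and
# placeholder groups 'Managers' (global scope) and 'AllManagers' (universal scope).
Import-Module ActiveDirectory

$dc = 'DC01.contoso.com'          # default port 389: the full domain partition
$gc = 'DC01.contoso.com:3268'     # port 3268: the global catalog (partial replica of the forest)

# 1. Mixed or native mode? ntMixedDomain = 1 means Windows 2000 mixed mode, in which
#    universal *security* groups cannot be created (distribution groups still can).
function Test-NativeMode {
    $domainDn = (Get-ADDomain -Server $dc).DistinguishedName
    $mixed    = (Get-ADObject -Identity $domainDn -Properties ntMixedDomain -Server $dc).ntMixedDomain
    return ($mixed -ne 1)
}
if (-not (Test-NativeMode)) {
    Write-Warning 'Domain is in Windows 2000 mixed mode: universal security groups cannot be created.'
}

# 2. What does each replica know about a group's members?
#    The GC holds the 'member' attribute only for universal groups, so for a global
#    or domain local group the GC answer is empty while the DC answer is not.
function Compare-GCMembership {
    param([Parameter(Mandatory)][string]$GroupName)

    $onDc = Get-ADGroup -Identity $GroupName -Properties Members -Server $dc
    $onGc = Get-ADObject -LDAPFilter "(&(objectClass=group)(sAMAccountName=$GroupName))" `
                         -Properties member -Server $gc
    [pscustomobject]@{
        Group                = $GroupName
        Scope                = $onDc.GroupScope
        MembersOnDC          = @($onDc.Members).Count
        MembersInGC          = @($onGc.member).Count        # 0 unless the scope is Universal
        MembershipReplicated = (@($onGc.member).Count -gt 0)
    }
}

'Managers', 'AllManagers' |
    ForEach-Object { Compare-GCMembership -GroupName $_ } |
    Format-Table -AutoSize

# 3. How much universal-group membership is the GC carrying? "Use them sparingly"
#    is only actionable once you can see the largest offenders.
Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties Members -Server $dc |
    Select-Object Name, @{ n = 'MemberCount'; e = { @($_.Members).Count } } |
    Sort-Object MemberCount -Descending |
    Format-Table -AutoSize
```

If the comparison shows a non-zero MembersInGC for a global group, you are most likely talking to a domain controller in that group's own domain over port 389 rather than the GC port; the `-Server host:3268` form is what selects the global catalog partition.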
Group Nesting
One last group-related concept that I want to discuss is that of nesting. The easiest way that I can think of to explain nesting is to compare it to Russian matryoshka dolls, like the ones shown in Figure A. These types of dolls are designed so that they can all be placed inside of one another. The smallest goes into the second smallest, the second smallest goes into the third smallest, and so on. This idea of placing an object inside of a similar object is called nesting.
Figure A: Russian matryoshka dolls illustrate the concept of nesting.
There are many different reasons for nesting groups. One of the most common reasons involves matching up resources with departments. For example, a company might start by creating a group for each department. They might create a Finance group, a Marketing group, an IT group, and so on. Next, they would place users into the group that corresponds to the department that the user works in.
The next step in the process would be to create groups that correspond to the various resources that you need to grant access to. For example, if you knew that everyone in the finance department was going to need access to an accounting application, you could create a group that grants access to the application, and then place the finance group into that group. You don't have to nest groups, but doing so sometimes allows you to keep things a little bit better organized, while saving a little bit of work in the process. For instance, in the previous example, you didn't have to manually place individual user
accounts into the group for the accounting application. Instead, you just reused a group
that already existed.
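The department-and-resource layout just described, combined with the account / global / domain local division from the Domain Local Groups section, as an added example that is not the article's own code: the department is a global group, the resource gets its own domain local group, the department group is nested into the resource group, and the NTFS permission is granted to the resource group alone. It assumes the RSAT ActiveDirectory module, a domain contoso.com with an OU named Groups, an existing global group Finance that already holds the department's users, and an accounting share at \\FS01\Accounting whose NTFS ACL the script manages; all of these names are placeholders.

```powershell
# Added example, not the article's own code. Assumed environment: RSAT ActiveDirectory
# module, domain CONTOSO / contoso.com with OU=Groups, an existing global group 'Finance'
# holding the department's users, and a share \\FS01\Accounting. All names are placeholders.
Import-Module ActiveDirectory

$resourcePath  = '\\FS01\Accounting'
$resourceGroup = 'ACL_Accounting_Modify'   # domain local: the group that actually holds the permission

# A -> G : accounts are already in the global group 'Finance' (assumed to exist).
# G -> DL: nest the department group into a resource group created here.
# DL -> P: grant the permission to the resource group, never to users directly.
New-ADGroup -Name $resourceGroup -SamAccountName $resourceGroup `
            -GroupScope DomainLocal -GroupCategory Security `
            -Path 'OU=Groups,DC=contoso,DC=com' `
            -Description "Modify on $resourcePath (resource group)"

# A domain local group may hold global groups from any domain in the forest, so a
# Finance group from a second domain could be added alongside this one later.
Add-ADGroupMember -Identity $resourceGroup -Members 'Finance'

# Grant Modify on the folder tree to the resource group only.
$acl  = Get-Acl -Path $resourcePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CONTOSO\$resourceGroup",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $resourcePath -AclObject $acl

# Verification 1: who ends up with Modify? Walk the nesting the way a logon token
# would, resource group -> nested global group -> leaf accounts.
function Get-EffectiveMembers {
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |     # -Recursive returns leaf accounts only
        Select-Object @{ n = 'Account'; e = { $_.SamAccountName } }, ObjectClass
}
Get-EffectiveMembers -Group $resourceGroup | Format-Table -AutoSize

# Verification 2: no explicit (non-inherited) ACE should name an individual user.
# Anything that is not a group here is a permission that will outlive the user's role.
function Get-DirectUserGrants {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object {
            $name = ($_.IdentityReference.Value -split '\\')[-1]
            $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -ErrorAction SilentlyContinue
            $obj -and $obj.ObjectClass -eq 'user'
        } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
Get-DirectUserGrants -Path $resourcePath
```

The payoff of the pattern is in the second check: when someone leaves Finance you remove them from the global group, the resource group and the ACL never change, and Get-DirectUserGrants stays empty. Granting the permission to the global group directly would also work inside one domain, but the resource group is what lets a second domain's Finance group be added later without touching the ACL.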
Keep in mind that not every group can be nested into every other type of group. The table below shows which types of groups can be nested into other groups.
Group type      Can be nested into    Can be nested into          Can be nested into        Can be nested into
                Local                 Domain Local                Global                    Universal
Local           No                    No                          No                        No
Domain Local    Yes (same domain)     Yes, if in the same domain  No                        No
Global          Yes                   Yes                         Yes, if in the same domain  Yes
Universal       Yes                   Yes                         No                        Yes
Table 1
Caveats
If the domain is operating in Windows 2000 mixed mode, the following limitations apply:
• Universal security groups cannot be created (universal distribution groups can)
• Domain local groups can contain user accounts and global groups, but not other domain local groups
• Global groups can contain only user accounts, not other groups
Conclusion
In this article, I have explained that it is sometimes advantageous to nest one group within another group. I then went on to discuss in which situations it is possible to do this.