a group. Second, it determines which users can be added to the group. Group scope is an
important concept in network environments because it ultimately defines which resources
users are able to access.
The three types of group scope are as follows:
Domain Local The scope of domain local groups extends as far as the local domain.
When you're using the Active Directory Users and Computers tool, domain local accounts
apply to the computer for which you are viewing information. Domain local groups are
used to assign permissions to local resources, such as files and printers. They can contain
other domain local groups, global groups, universal groups, and user accounts.
Global The scope of global groups is limited to a single domain. Global groups may
contain any of the users who are a part of the Active Directory domain in which the
global groups reside or other global groups. Global groups are often used for managing
domain security permissions based on job functions. For example, if you need to specify
permissions for the Engineering department, you could create one or more global groups
(such as EngineeringManagers and EngineeringDevelopers). You could then assign security
permissions to each group.
Universal Universal groups can contain accounts or other universal groups from any
domains within an Active Directory forest. Therefore, system administrators use them to
manage security across domains. When you are managing multiple domains, it often helps
to group global groups within universal groups. For instance, if you have an Engineering
global group in the research.stellacon.com domain and an Engineering global group
in the asia.stellacon.com domain, you can create a universal AllEngineers group that
contains both of the global groups. Now whenever you must assign security permissions to
all engineers within the organization, you need only assign permissions to the AllEngineers
universal group.
For domain controllers to process authentication between domains, information about the
membership of universal groups is stored in the global catalog (GC). Keep this in mind if
you ever plan to place users directly into universal groups and bypass global groups because
all of the users will be enumerated in the GC, which will impact size and performance.
Fortunately, universal group credentials are cached on domain controllers that universal
group members use to log on. This process is called universal group membership caching.
The domain controller obtains the cached data whenever universal group members log
on, and then it is retained on the domain controller for eight hours by default. This is
especially useful for smaller locations, such as branch offices, that run less expensive domain
controllers. Most domain controllers at these locations cannot store a copy of the entire GC,
and frequent calls to the nearest GC would require an inordinate amount of network traffic.
When you create a new group using the Active Directory Users and Computers tool, you
must specify the scope of the group. Figure 7.1 shows the New Object - Group dialog box
and the available options for the group scope.
Changing group scope, however, can be helpful when your security administration or
business needs change. You can change group scope easily using the Active Directory Users
and Computers tool. To do so, access the properties of the group. As shown in Figure 7.2,
you can make a group scope change by clicking one of the options.
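As an added example (not the book's own material), the AllEngineers design described above, built with the ActiveDirectory PowerShell module instead of the GUI; it also audits universal groups for direct user members (the global catalog caveat) and previews the scope change from Figure 7.2. The forest root domain stellacon.com, the OU paths and the EngShare-Modify group name are assumptions.

```powershell
# Added example: group scope and nesting with the ActiveDirectory module.
# Assumed: forest root stellacon.com, child domains research/asia, OU=Groups in each.
Import-Module ActiveDirectory

# Global groups, one per domain; each may only hold users (or globals) from its own domain.
New-ADGroup -Name 'Engineering' -GroupScope Global -GroupCategory Security `
    -Server 'research.stellacon.com' -Path 'OU=Groups,DC=research,DC=stellacon,DC=com'
New-ADGroup -Name 'Engineering' -GroupScope Global -GroupCategory Security `
    -Server 'asia.stellacon.com' -Path 'OU=Groups,DC=asia,DC=stellacon,DC=com'

# Universal group in the forest root that nests both global groups from different domains.
New-ADGroup -Name 'AllEngineers' -GroupScope Universal -GroupCategory Security `
    -Server 'stellacon.com' -Path 'OU=Groups,DC=stellacon,DC=com'
$globals = @(
    Get-ADGroup -Identity 'Engineering' -Server 'research.stellacon.com'
    Get-ADGroup -Identity 'Engineering' -Server 'asia.stellacon.com'
)
Add-ADGroupMember -Identity 'AllEngineers' -Server 'stellacon.com' -Members $globals

# Permissions on a resource go to a domain local group that nests the universal group,
# so the ACL on the share stays fixed while membership changes upstream.
New-ADGroup -Name 'EngShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Server 'research.stellacon.com' -Path 'OU=Groups,DC=research,DC=stellacon,DC=com'
Add-ADGroupMember -Identity 'EngShare-Modify' -Server 'research.stellacon.com' `
    -Members (Get-ADGroup -Identity 'AllEngineers' -Server 'stellacon.com')

# Audit: users placed directly in universal groups bypass global groups and are all
# enumerated in the global catalog. Members are resolved through the GC port (3268)
# because a universal group may hold objects from any domain in the forest.
Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Server 'stellacon.com' -Properties member |
    ForEach-Object {
        $group = $_
        $users = $group.member | ForEach-Object {
            Get-ADObject -Identity $_ -Server 'stellacon.com:3268'
        } | Where-Object { $_.ObjectClass -eq 'user' }
        if ($users) { '{0}: {1} direct user member(s)' -f $group.Name, @($users).Count }
    }

# Scope change (the Figure 7.2 step). It succeeds only when current membership fits the
# target scope, e.g. Global -> Universal is refused while the group is itself a member of
# another global group. -WhatIf previews the change without applying it.
Set-ADGroup -Identity 'Engineering' -Server 'research.stellacon.com' -GroupScope Universal -WhatIf
```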