When an administrator creates a group in Active Directory Users and Computers, aside from assigning a name, there are two additional settings, discussed in the following sections: group type and group scope.

Group Types

There are two group types: security groups and distribution groups. A distribution group is used to group users together mainly for sending e-mails to several people at once with an Active Directory-integrated e-mail application, such as Microsoft Exchange. Distribution groups aren't security principals and, therefore, can't be used to assign rights and permissions to their members. A distribution group can have the following objects as members: user accounts, contacts, other distribution groups, security groups, and computers.

Because you can mix user accounts and contacts, you can build useful distribution lists that include people outside your organization. You can also nest groups, which makes organizing users and contacts more flexible. However, because distribution groups aren't used for security and are useful only with certain applications, their use in Active Directory is more limited than security groups.

Security groups are the main Active Directory object administrators use to manage network resource access and grant rights to users. Most discussions about groups focus on security groups rather than distribution groups, and in general, when the term “group” is used without a qualifier, a security group should be assumed. Security groups can contain the same types of objects as distribution groups. However, if a security group has a contact as a member and the security group is granted permission to a resource, the permission doesn't extend to the contact because a contact isn't a security principal. Security groups can also be used as distribution groups by applications such as Microsoft Exchange, so re-creating security groups as distribution groups isn't necessary for e-mail purposes.

Converting Group Type

You can change the group type from security to distribution and vice versa. However, only a security group can be added to a resource's DACL. If a security group is an entry in the DACL for a shared folder, for example, and the security group is converted to a distribution group, the group remains in the DACL but has no effect on access to the resource for any of its members.

The need to convert group type isn't all that common, but when it's necessary, usually a distribution group is converted to a security group. This conversion might be necessary when, for example, a group of users is assigned to collaborate on a project. Initially, distribution groups composed of team members might be created for the purpose of e-mail communication, but later, it's determined that the project requires considerable network resources to which team members need access. The distribution group could be converted to a security group for the purpose of assigning rights and permissions, and the security group could still be used as an e-mail distribution list.
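The point above has a practical consequence: a DACL entry that names a distribution group is silent today, but becomes live the moment someone converts that group back to a security group. The following PowerShell function is an added example, not from the textbook, that reads a folder's DACL, resolves each trustee to its Active Directory group object, and reports the group's type and scope so that such dormant entries can be spotted before a conversion. It assumes the ActiveDirectory module (RSAT) is installed and that you supply your own folder path; the path in the usage line is a placeholder.

```powershell
# Added example (not the textbook's own code): audit which ACEs on a folder's
# DACL refer to AD groups, and flag those whose group is currently of the
# Distribution category. Those entries remain in the DACL but grant nothing;
# converting the group to a Security group would make them take effect.
# Assumes the ActiveDirectory module is available.

Import-Module ActiveDirectory

function Get-DaclGroupReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path    # folder whose DACL to inspect (you supply this)
    )

    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # IdentityReference is an NTAccount such as 'DOMAIN\GroupName'
        $name = $ace.IdentityReference.Value
        if ($name -notmatch '\\') { continue }      # skip well-known SIDs with no domain part
        $sam = $name.Split('\')[-1]

        try {
            # Only group objects resolve here; users and computers fall to the catch block
            $group = Get-ADGroup -Identity $sam -ErrorAction Stop
        } catch {
            continue
        }

        # A Security group's ACE is effective; a Distribution group's ACE is dormant
        $effective = if ($group.GroupCategory -eq 'Security') { 'yes' } else { 'NO (distribution group)' }

        [pscustomobject]@{
            Trustee   = $name
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Category  = $group.GroupCategory
            Scope     = $group.GroupScope      # DomainLocal, Global, or Universal
            Effective = $effective
        }
    }
}

# Usage (placeholder path; replace with a real shared folder):
Get-DaclGroupReport -Path 'D:\Shares\ProjectX' | Format-Table -AutoSize
```

Rows marked NO under Effective are the entries to review before converting a group's type: either remove the stale ACE or confirm that the access it would grant after conversion is intended. The Scope column carries the group scope discussed in the next section, so the same report shows whether a trustee is a domain local, global, or universal group.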
Group Scope

The group scope determines the reach of a group's application in a domain or a forest: which security principals in a forest can be group members and to which forest resources a group can be assigned rights or permissions. Three group scope options are possible in a Windows Server 2008 forest: domain local, global, and universal. A fourth scope called local applies only to groups created in the SAM database of a member computer or stand-alone computer. Local groups aren't part of Active Directory.

The functionality of groups depends on the domain functional level. In Chapter 3, when you installed Active Directory, you had the option to choose the forest and domain functional level. When a DC in the domain runs Windows Server 2008, you can choose from three domain functional levels: Windows 2000 native, Windows Server 2003, and Windows Server 2008. Windows Server 2003 and Windows 2000 Server support another domain functional level called Windows 2000 mixed, which allows Windows NT DCs to participate in the domain. This functional level isn't supported in Windows Server 2008, however. The following discussion about group scopes applies to domains running at the Windows 2000 native functional level or higher.

Table 5-1 summarizes for each group scope possible group members, which groups the scope can be a member of, and to which resources permissions or rights can be assigned.