Information Technology Reference
In-Depth Information
universal groups. For that reason, a remote office with many users should have at least one
domain controller configured as a global catalog server to reduce WAN traffic during user logons.
An alternative to having a global catalog server at each site is enabling caching of universal
group membership information on a remote office's domain controller. With caching enabled, a
domain controller queries a global catalog server to determine universal group membership, and
then keeps a local copy of that information to use for future logons.
Universal group membership changes require replication to all global catalog servers. In
a forest operating at the Windows 2000 functional level, replicating universal groups can
create considerable network traffic because the entire group membership is copied. Windows
Server 2003 and later forest functional levels include a feature called linked value replication,
which allows replicating only group membership changes instead of the entire membership
list. Having said that, there's still a benefit to keeping group membership lists short by nest-
ing groups.
Universal groups didn't exist in Windows NT domains. The domain func-
tional level must be at least Windows 2000 native to support universal
groups.
Local Groups
A
local group
is created in the local SAM database on a member server or
workstation or a stand-alone computer. Because groups and users created on a stand-alone com-
puter can't interact with Active Directory, this discussion focuses on local groups created on
computers that are members of an Active Directory domain.
Local groups can be found on any Windows computer that isn't a domain controller, and
you manage them with the Local Users and Groups snap-in in the Computer Management
MMC. Using local groups to manage resources on a member computer is generally discour-
aged because it decentralizes resource management. Assigning permissions and rights on
member computers to domain local groups is better. However, when a Windows computer
becomes a domain member, Windows changes the membership of two local groups auto-
matically:
•
Administrators
—The Domain Admins global group is made a member of this local group,
so any Domain Admins group member has administrative access to every member com-
puter in the domain.
•
Users
—The Domain Users global group is made a member of this local group, giving
Domain Users group members a set of default rights and permissions appropriate for a
regular user on every member computer in the domain.
Local groups can have the following account types as members:
• Local user accounts created on the same computer
• Domain user accounts from any domain in the forest or trusted domains in another forest
• Domain local groups from the same domain (except domain local groups in the Builtin folder)
• Global or universal groups from any domain in the forest or trusted domains in another forest
Local groups can be assigned permissions only to resources on the local computer. The most
common use of local groups, besides the Administrators and Users local groups, is in a work-
group environment on non-domain computers. However, when a member computer's user
requires considerable autonomy for managing local computer resources, you can grant the user
enough rights on the local computer for this autonomy.
Nesting groups is exactly what it sounds like: making one group a member of another group. In
a Windows NT domain, the only group nesting allowed is to make a global group a member of
a domain local group. However, in Windows 2000 and later, there are few restrictions on group
nesting, as long as you follow the group scope's membership rules. Group nesting is often used
Search WWH ::
Custom Search