to group users who have similar roles but work in different departments. For example, you can create a global group for supervisors in each department and place users in each department with a supervisory role in this group. Next, create a SuperAll global group and place the departmental supervisor groups in this group (see Figure 5-18). In this way, all departmental supervisors can easily be assigned the rights and permissions their role specifies. Furthermore, in a multidomain environment, a similar group configuration can be developed for each domain. The SuperAll global groups from each domain can then be added to a universal supervisors group for assigning permissions and rights throughout the forest. This example follows the AGGUDLP rule described earlier.
Figure 5-18 Nesting global groups (the departmental groups SuperMktg-G, SuperEng-G, and SuperOps-G are members of SuperAll-G)
Although there are few restrictions on group nesting in a Windows 2000 native or higher domain functional level, the complexity of tracking and troubleshooting permissions increases as the number of levels of nested groups increases. Like OUs, groups can be nested an unlimited number of levels, but that doesn't mean you should. In most circumstances, one level of nesting groups of the same type should suffice, as in Figure 5-18. An additional level, such as aggregating nested global groups into a universal group, should work for most designs. The last step is to put your group of groups, whether global or universal, into a domain local group for resource access.
Converting Group Scope
When you create a group, the default setting is a security group with global scope. However, just
as you can convert group type from security to distribution and vice versa, you can convert the
group scope, with some restrictions, as explained in the following list:
• Universal to domain local, provided it's not a member of another universal group
• Universal to global, provided no universal group is a member
• Global to universal, provided it's not a member of another global group
• Domain local to universal, provided no domain local group is a member
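The following is an added example (not from the book) that builds the Figure 5-18 nesting with the ActiveDirectory PowerShell module, finishes the AGGUDLP chain with a universal and a domain local group, and then exercises one of the scope-conversion rules above. It assumes the module is installed, that you run it as a domain administrator, and that an OU named TestOU exists at the root of the domain; the group names SuperAll-U and ReportsRead-DL are invented for the example.

```powershell
# Added example: AGGUDLP nesting from Figure 5-18 plus a scope-conversion check.
# Assumes the ActiveDirectory module, domain admin rights, and an OU named TestOU.
Import-Module ActiveDirectory

$ou = "OU=TestOU," + (Get-ADDomain).DistinguishedName

# A -> G: one global group per department for the supervisory role.
foreach ($dept in "Mktg", "Eng", "Ops") {
    New-ADGroup -Name "Super$dept-G" -GroupScope Global -GroupCategory Security -Path $ou
}

# G -> G (one level of nesting): SuperAll-G holds the departmental global groups.
New-ADGroup -Name "SuperAll-G" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "SuperAll-G" -Members "SuperMktg-G", "SuperEng-G", "SuperOps-G"

# G -> U: a universal group aggregates SuperAll-G (one such group per domain in a forest).
New-ADGroup -Name "SuperAll-U" -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "SuperAll-U" -Members "SuperAll-G"

# U -> DL -> P: the domain local group is the one actually granted resource permissions.
New-ADGroup -Name "ReportsRead-DL" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "ReportsRead-DL" -Members "SuperAll-U"

# Scope conversion rule: global -> universal is allowed only if the group is not a
# member of another global group. SuperMktg-G is a member of SuperAll-G, so AD refuses.
try {
    Set-ADGroup -Identity "SuperMktg-G" -GroupScope Universal -ErrorAction Stop
} catch {
    Write-Warning "Global -> Universal refused for SuperMktg-G: $($_.Exception.Message)"
}

# Remove the nesting membership first; the same conversion then succeeds.
Remove-ADGroupMember -Identity "SuperAll-G" -Members "SuperMktg-G" -Confirm:$false
Set-ADGroup -Identity "SuperMktg-G" -GroupScope Universal

# Verify the resulting scopes so the change is visible in the console.
Get-ADGroup -Filter 'Name -like "Super*" -or Name -like "*-DL"' -SearchBase $ou |
    Select-Object Name, GroupScope, GroupCategory | Format-Table -AutoSize
```

Run Get-ADGroupMember -Identity "ReportsRead-DL" -Recursive afterwards to see that the departmental supervisors reach the resource group only through the nested chain.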
Activity 5-9: Creating Groups with Different Scopes
Time Required: 20 minutes
Objective: Create groups with different scopes.
Description: You want to experiment to see how nesting groups and converting group scope work.
1. If necessary, log on to your server as Administrator and open Active Directory Users and Computers.
2. Click TestOU, and create the following security groups with the indicated scope: Group1-G (global), Group2-G (global), Group1-DL (domain local), Group2-DL (domain local), Group1-U (universal), Group2-U (universal).