3. In the right pane of Active Directory Users and Computers, click Group1-G, and open its Properties dialog box. Click the General tab, if necessary. In the Group scope section, notice that the Domain local option is disabled because converting a global group directly to domain local isn't allowed.
4. Click the Members tab, and then click Add. Type Group2-G, click Check Names, and then click OK.
5. Click Add. Type Group1-DL and click Check Names. The Name Not Found message box is displayed because domain local groups can't be members of global groups. Click Cancel.
6. Click Advanced, and then click Find Now. Active Directory displays only objects that can validly be made a member of this group, so no domain local or universal groups are listed. Click Cancel twice, and then click OK.
7. Click Group2-G, and open its Properties dialog box. In the Group scope section, click the Universal option button, and then click OK. You should get an error message stating that a global group can't have a universal group as a member. Because Group2-G is a member of Group1-G, converting it to universal would violate that rule. Click OK, and then click Cancel.
8. Click Group1-DL, and open its Properties dialog box. In the Group scope section, the Global option is disabled because you can't convert a domain local group directly to a global group.
9. Click the Members tab, and then click Add. Type Group1-G and click Check Names. Adding a global group as a member of a domain local group follows the AGDLP best practice. Click OK twice.
10. Click Group1-U, and open its Properties dialog box. Add Group2-U as a member, and then click OK. Click Group2-U, and open its Properties dialog box. In the Group scope section, click Domain local, and then click OK. You get an error message, which reinforces the rule that a universal group can be converted to a domain local group only if it isn't already a member of another universal group: the conversion would leave a domain local group nested in a universal group, which isn't permitted. Click OK, and then click Cancel.
11. Click Group1-U, and open its Properties dialog box. Try to add Group1-DL as a member. Nesting domain local groups in universal groups isn't permitted. Add Group1-G as a member. Success!
12. Leave Active Directory Users and Computers open for the next activity.
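The same scope-conversion and nesting rules can be exercised from the ActiveDirectory PowerShell module, which is also how you would verify them against a domain controller in a script rather than by hand. The following is an added example, not part of the book's activity; the OU path is an assumption and must be changed to match your lab, and the group names reuse those of the activity. Each operation is wrapped so that a rejection is reported rather than aborting the script.

```powershell
# Added example (not from the book): replays steps 3-11 with the
# ActiveDirectory module instead of the ADUC GUI.
# The OU below is an assumption; point it at your own lab OU.
Import-Module ActiveDirectory

$ou = 'OU=TestOU1,DC=corp,DC=example,DC=com'   # assumed lab OU

# Run one AD operation and report whether the DC allowed or rejected it.
function Invoke-AdTest {
    param([string]$Description, [scriptblock]$Action)
    try {
        & $Action
        "ALLOWED : $Description"
    } catch {
        "REJECTED: $Description -> $($_.Exception.Message)"
    }
}

# Create the groups used in the activity (skipped if they already exist).
foreach ($g in @(
    @{ Name = 'Group1-G';  Scope = 'Global' },
    @{ Name = 'Group2-G';  Scope = 'Global' },
    @{ Name = 'Group1-DL'; Scope = 'DomainLocal' },
    @{ Name = 'Group1-U';  Scope = 'Universal' },
    @{ Name = 'Group2-U';  Scope = 'Universal' })) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'" -SearchBase $ou)) {
        New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $ou
    }
}

# Step 3: global -> domain local is never allowed directly.
Invoke-AdTest 'convert Group1-G from global to domain local' {
    Set-ADGroup -Identity 'Group1-G' -GroupScope DomainLocal -ErrorAction Stop }

# Step 4: a global group may contain global groups from its own domain.
Invoke-AdTest 'nest Group2-G (global) in Group1-G (global)' {
    Add-ADGroupMember -Identity 'Group1-G' -Members 'Group2-G' -ErrorAction Stop }

# Step 5: a domain local group cannot be a member of a global group.
Invoke-AdTest 'nest Group1-DL (domain local) in Group1-G (global)' {
    Add-ADGroupMember -Identity 'Group1-G' -Members 'Group1-DL' -ErrorAction Stop }

# Step 7: Group2-G is nested in a global group, so it cannot become universal.
Invoke-AdTest 'convert Group2-G to universal while nested in Group1-G' {
    Set-ADGroup -Identity 'Group2-G' -GroupScope Universal -ErrorAction Stop }

# Step 8: domain local -> global is never allowed directly.
Invoke-AdTest 'convert Group1-DL from domain local to global' {
    Set-ADGroup -Identity 'Group1-DL' -GroupScope Global -ErrorAction Stop }

# Step 9: global nested in domain local is the AGDLP pattern and is allowed.
Invoke-AdTest 'nest Group1-G (global) in Group1-DL (domain local)' {
    Add-ADGroupMember -Identity 'Group1-DL' -Members 'Group1-G' -ErrorAction Stop }

# Step 10: universal in universal is allowed; the nested universal group then
# cannot become domain local, because a domain local group cannot be a member
# of a universal group.
Invoke-AdTest 'nest Group2-U (universal) in Group1-U (universal)' {
    Add-ADGroupMember -Identity 'Group1-U' -Members 'Group2-U' -ErrorAction Stop }
Invoke-AdTest 'convert Group2-U to domain local while nested in Group1-U' {
    Set-ADGroup -Identity 'Group2-U' -GroupScope DomainLocal -ErrorAction Stop }

# Step 11: domain local cannot nest in universal; global can.
Invoke-AdTest 'nest Group1-DL (domain local) in Group1-U (universal)' {
    Add-ADGroupMember -Identity 'Group1-U' -Members 'Group1-DL' -ErrorAction Stop }
Invoke-AdTest 'nest Group1-G (global) in Group1-U (universal)' {
    Add-ADGroupMember -Identity 'Group1-U' -Members 'Group1-G' -ErrorAction Stop }

# Confirm the resulting scopes and direct members of each test group.
Get-ADGroup -Filter 'Name -like "Group*"' -SearchBase $ou -Properties Members |
    Select-Object Name, GroupScope,
        @{ n = 'Members'; e = { ($_.Members | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

Run it in a lab only: the script creates groups and changes memberships. The lines that report REJECTED are the ones the GUI surfaced as a disabled option, a Name Not Found box, or an error dialog; the DC enforces the same rules regardless of which tool submits the change, which is why a script that manages group nesting should always check the result rather than assume success.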
When an Active Directory domain is created, some default groups are created automatically to establish a framework for assigning users rights and permissions to perform common tasks and access default resources. Windows assigns default groups a variety of rights and permissions so that users can carry out certain tasks simply by being added to the appropriate group. For example, the default Backup Operators group is assigned the right to back up all files and directories on all computers in the Domain Controllers OU. To give users this capability, simply add them as members of the Backup Operators group.
There are three categories of default groups in a Windows domain: groups in the Builtin folder, groups in the Users folder, and special identity groups that don't appear in Active Directory Users and Computers and can't be managed there. A fourth category, the default local groups in the SAM database on member computers, corresponds roughly to groups in the Builtin folder.
Default Groups in the Builtin Folder
All default groups in the Builtin folder are
domain local groups used for assigning rights and permissions in the local domain. Neither the
group scope nor type can be converted. Each group in this folder has a brief description that can
be seen in Active Directory Users and Computers. Table 5-2 lists fuller descriptions for the most
prominent of these groups.
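Because the Builtin groups carry rights on every domain controller, their membership is worth reviewing as part of any domain audit. The following is an added example, not from the book, that inventories the Builtin container from PowerShell: it confirms that every group there reports the DomainLocal scope, shows that the scope of a Builtin group can't be changed, and lists the effective members of the operator groups. The group names are the standard Builtin ones; the domain name is read from the domain you are joined to.

```powershell
# Added example (not from the book): audit the Builtin container with the
# ActiveDirectory module. Requires a domain-joined host with RSAT installed.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName     # e.g. DC=corp,DC=example,DC=com
$builtinDn = "CN=Builtin,$domainDn"

# Every group in Builtin is a domain local group; list them with the short
# description that ADUC also shows.
$builtin = Get-ADGroup -Filter * -SearchBase $builtinDn -Properties Description
$builtin | Sort-Object Name |
    Format-Table Name, GroupScope, GroupCategory, Description -AutoSize

# Anything that is not DomainLocal did not come with the domain and was
# placed in the container later; flag it for review.
$unexpected = $builtin | Where-Object { $_.GroupScope -ne 'DomainLocal' }
if ($unexpected) {
    Write-Warning "Non-domain-local objects in Builtin: $($unexpected.Name -join ', ')"
}

# The scope of a Builtin group is fixed, so the DC rejects this conversion.
try {
    Set-ADGroup -Identity 'Backup Operators' -GroupScope Universal -ErrorAction Stop
    Write-Warning 'Conversion succeeded, which should not happen for a Builtin group'
} catch {
    "Expected rejection: $($_.Exception.Message)"
}

# Effective (recursive) membership of the Builtin groups that grant
# operator-level rights on domain controllers. Backup Operators, for example,
# can read every file on a DC for backup purposes, which includes the
# directory database, so its membership should be as small as possible.
foreach ($name in 'Administrators', 'Account Operators', 'Server Operators',
                  'Backup Operators', 'Print Operators') {
    $members = Get-ADGroupMember -Identity $name -Recursive |
        Select-Object -ExpandProperty SamAccountName
    '{0,-18} {1}' -f $name, $(if ($members) { $members -join ', ' } else { '(empty)' })
}
```

The try/catch around Set-ADGroup is there to demonstrate the rule; it makes no change. The membership listing is the part to keep in a recurring audit, since an account added to Backup Operators or Server Operators gets its rights on every domain controller without ever appearing in Domain Admins.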