Group Strategy
Overview
Creating Groups
Managing Group Membership
Strategies for Using Groups
Using Default Groups
Lesson: Creating Groups
Domain controllers supported | Group scopes supported
Windows NT Server 4.0, Windows 2000, Windows Server 2003 | Global, domain local
Windows 2000, Windows Server 2003 | Global, domain local, universal
Windows Server 2003 | Global, domain local, universal
Windows NT Server 4.0, Windows Server 2003 | Global, domain local
What Are Global Groups?
Scope: Visible in all domains in the forest and all trusting domains
In the domain:
Account Operators group
Domain Admins group
Enterprise Admins group
Or users with appropriate delegated authority
On the local computer:
Power Users group
Administrators group on the local computer
Or users with appropriate delegated authority
Practice: Creating Groups
[Figure: Group strategies. User accounts (A), global groups (G), universal groups (U), domain local groups (DL), local groups (L), permissions (P). Strategies shown: A G P, A G DL P, A G U DL P, A G L P.]
Class Discussion: Using Groups in a Single-Domain or
Multiple-Domain Environment
Examples 1 and 2

Example 1
Northwind Traders has a single domain that is located in Paris, France. Northwind Traders managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
Contoso, Ltd., has a single domain that is located in Paris, France. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database?
Place all of the managers in a global group
Create a domain local group for Inventory database access
Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database

Example 2
Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration?
Make sure that your network is running in native functional level.
Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable.
Place the Accounting Division global group into the domain local group so that users can access the accounting data.
Create a domain local group called Accounting Data.
Grant this group appropriate permission for the accounting data resources file.

Example 3
Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain.
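Added example (not part of the original course material): a small Python model of the A G DL P layout from Example 2 that resolves which accounts reach a resource through nested groups and lists permission entries that depart from the pattern. The account names, permission names, functional level names and the nesting of the two department groups under Accounting Division are assumptions.

```python
from dataclasses import dataclass, field

# Scopes per domain functional level (standard level names, not printed on this page).
SCOPES = {
    "Windows 2000 mixed": {"global", "domain_local"},
    "Windows 2000 native": {"global", "domain_local", "universal"},
    "Windows Server 2003 interim": {"global", "domain_local"},
    "Windows Server 2003": {"global", "domain_local", "universal"},
}

@dataclass
class Group:
    name: str
    scope: str                                    # "global", "universal" or "domain_local"
    members: list = field(default_factory=list)   # user names (str) or Groups

def effective_users(group, seen=None):
    """All user accounts reachable through nesting; tolerates cycles."""
    seen = set() if seen is None else seen
    if group.name in seen:
        return set()
    seen.add(group.name)
    users = set()
    for m in group.members:
        users |= effective_users(m, seen) if isinstance(m, Group) else {m}
    return users

def audit(acl, level):
    """List entries in acl [(trustee, permission)] that depart from A G DL P."""
    findings = []
    for trustee, perm in acl:
        if not isinstance(trustee, Group):
            findings.append(f"{perm} granted directly to account {trustee}")
        elif trustee.scope not in SCOPES[level]:
            findings.append(f"{trustee.name}: {trustee.scope} scope unavailable at {level}")
        elif trustee.scope != "domain_local":
            findings.append(f"{perm} granted to {trustee.scope} group {trustee.name}")
    return findings

# Constructed data modelled on Example 2; account names, permissions and the
# nesting of the two department groups under Accounting Division are assumptions.
payable = Group("Accounts Payable", "global", ["alice"])
receivable = Group("Accounts Receivable", "global", ["bob"])
division = Group("Accounting Division", "global", [payable, receivable, "carol"])
accounting_data = Group("Accounting Data", "domain_local", [division])
acl = [(accounting_data, "Modify"), ("dave", "Read"), (payable, "Read")]

if __name__ == "__main__":
    print(sorted(effective_users(accounting_data)), audit(acl, "Windows 2000 native"))
```

Only the entry for the Accounting Data domain local group follows the pattern; the other two grants would have to be tracked and revoked per account or per global group.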
Practice: Nesting Groups and Creating Universal
Groups
Manager Group
Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group
As a security best practice, members of default groups should use Run as
System Groups