Windows Groups and Scopes
Hi friends,
Today I will share with you some knowledge of Windows groups and scopes. I have seen that many people do not have a clear idea about groups and scopes, so let's go through the details.
Group:-
A group is a container that holds user and computer objects. The user and computer objects stored in a group are known as its group members. Assigning a security permission on a resource to a group ensures that all members of the group receive that permission.
Types of Groups:
- Distribution group
- Security group
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to a collection of users. Distribution groups are not security-enabled, which means that they cannot be listed in an access control list (ACL).
Security groups are used to provide access to resources on a network. Security groups are also used to assign user rights in Active Directory and to assign permissions on shared resources on the network. Security groups are listed in ACLs.
Group Scopes:-
Security groups and distribution groups are further differentiated by a scope, which identifies the extent to which the group can be applied in the domain tree or forest.
There are three group scopes:
1. Domain Local
2. Global Group
3. Universal Group
1. Domain Local:-
Members of domain local groups can include other groups and accounts from any domain, and the group can be assigned permissions only within its own domain.
- Users can be from any domain.
- Can have permissions only in the domain in which it is created.
2. Global Group:-
Members of global groups can include other groups and accounts only from the domain in which the group is defined, and the group can be assigned permissions in any domain in the forest.
- Users can be only from the domain in which the global group is created.
- Can have permissions in any domain.
3. Universal Group:-
Members of universal groups can include other groups and accounts from any domain in the domain tree or forest, and the group can be assigned permissions in any domain in the domain tree or forest.
- Users can be from any domain.
- Can have permissions in any domain.
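An added example (not part of the original post) that shows the category and scope attributes from the administrator's side: it inventories every group in the domain by GroupCategory and GroupScope, then reviews a folder's ACL and flags entries that are not security groups (a distribution group in an ACE grants nothing, and a direct user ACE bypasses the group model). It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host; the folder path is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module; $FolderPath is a placeholder.
Import-Module ActiveDirectory

# 1. How many groups exist per (GroupCategory, GroupScope) pair.
$groups = Get-ADGroup -Filter * -Properties GroupCategory, GroupScope
$groups |
    Group-Object -Property GroupCategory, GroupScope |
    Select-Object @{ n = 'Category/Scope'; e = { $_.Name } }, Count |
    Sort-Object 'Category/Scope' |
    Format-Table -AutoSize

# 2. Review a folder's ACL: print each ACE with the group's scope, and
#    warn about identities that are not security groups.
$FolderPath = 'D:\Shares\FolderA'          # placeholder
$NetBios    = (Get-ADDomain).NetBIOSName

foreach ($ace in (Get-Acl -Path $FolderPath).Access) {
    $id = $ace.IdentityReference.Value     # e.g. CONTOSO\GLFinance
    if ($id -notlike "$NetBios\*") {
        # BUILTIN, NT AUTHORITY and local principals: review separately
        continue
    }
    $sam = $id.Split('\')[1]
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -Properties GroupCategory
    if ($null -eq $grp) {
        Write-Warning "$id is not a group (direct user ACE?): $($ace.FileSystemRights)"
    }
    elseif ($grp.GroupCategory -ne 'Security') {
        Write-Warning "$id is a $($grp.GroupCategory) group: it is not security-enabled, so this ACE is ineffective"
    }
    else {
        '{0,-30} {1,-12} {2}' -f $id, $grp.GroupScope, $ace.FileSystemRights
    }
}
```

Running this periodically against shared folders is a cheap way to catch the two mistakes the post warns about: permissions given to individual accounts instead of groups, and distribution groups that someone expected to carry permissions.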
Usage of group with Domain Local Scope
Groups with domain local scope help you define and manage access to resources within a single domain.
Let's take an example:-
Suppose you need to give ten users access to a particular folder A. You could add all ten user accounts to the folder's permissions list. If, however, you later want to give the five users access to another folder B, you would again have to specify all five accounts in the permissions list for folder B.
If you have a good idea about groups, you can simplify this administrative task by creating a group with domain local scope and assigning it permission to access folder A. Put the ten user accounts in a group with global scope and add that group to the group with domain local scope. When you want to give the ten users access to folder B, assign the group with domain local scope permission to access folder B. All members of the group with global scope automatically get access to folder B.
Now you may ask why we used a global group in the above scenario.
The answer is that it is a best practice, and the recommended approach, to use the A-G-DL-P model when assigning permissions:
A -> G -> DL -> P, where A = user accounts, G = global groups, DL = domain local groups, P = permissions.
What this model means is that you put user accounts into global groups, put the global groups into domain local groups, and then assign permissions to the domain local group. It is recommended that you assign permissions on the domain local group; this will be helpful in future. You can assign permissions directly to any group, but the recommended model is A-G-DL-P.
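The A-G-DL-P chain for the folder scenario above, as an added example that is not code from the original post. It assumes the ActiveDirectory module, rights to create groups in the OU shown and to change the folders' ACLs; the OU path, user names, group names and folder paths are placeholders.

```powershell
# Added example, not from the original post. OU, users, group names and
# folder paths are placeholders.
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=a,DC=com'                 # placeholder
$Users   = 1..10 | ForEach-Object { "user$_" }     # the ten accounts (placeholders)
$FolderA = 'D:\Shares\FolderA'                     # placeholder
$FolderB = 'D:\Shares\FolderB'                     # placeholder

# A -> G : accounts go into a global group (describes who the people are)
New-ADGroup -Name 'GLFinance' -SamAccountName 'GLFinance' `
    -GroupScope Global -GroupCategory Security -Path $GroupOU `
    -Description 'Finance staff (role group)'
Add-ADGroupMember -Identity 'GLFinance' -Members $Users

# G -> DL : the global group goes into a domain local group (describes a resource right)
New-ADGroup -Name 'DL_Finance_Modify' -SamAccountName 'DL_Finance_Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
    -Description 'Modify on the Finance folders'
Add-ADGroupMember -Identity 'DL_Finance_Modify' -Members 'GLFinance'

# DL -> P : the ACE is written for the domain local group only
function Grant-FolderModify {
    param([string]$Path, [string]$Account)   # $Account as DOMAIN\name
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
$dl = "$((Get-ADDomain).NetBIOSName)\DL_Finance_Modify"
Grant-FolderModify -Path $FolderA -Account $dl

# Later, folder B: one more ACE for the same domain local group; no
# user account is touched.
Grant-FolderModify -Path $FolderB -Account $dl

# Verify the chain: the ten users appear as effective members of the DL group.
Get-ADGroupMember -Identity 'DL_Finance_Modify' -Recursive |
    Select-Object SamAccountName, objectClass
```

Adding or removing a person is now a single Add-ADGroupMember or Remove-ADGroupMember on GLFinance; the folder ACLs never change again, which keeps the ACLs small and makes a permission review a question of group membership rather than of hundreds of ACEs.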
Usage of group with Global Scope
Groups with global scope are usually used to manage user and computer accounts that require daily maintenance. Because groups with global scope are not replicated outside their own domain, accounts in a group with global scope can be changed frequently without generating replication traffic to the global catalog. The changes made to such a group remain within the domain where it exists, so you avoid extra traffic to the global catalog server.
Let's take an example:-
In a network with two domains, A.com (India) and B.com (USA), if there is a group with global scope called GLFinance in the A.com (India) domain, there will also be a group called GLFinance in B.com (USA).
It is strongly recommended that you use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects that are replicated to the global catalog.
Usage of group with Universal Scope
Groups with universal scope are usually used to consolidate groups that span different domains. To do this, add the accounts to groups with global scope and nest these groups within groups having universal scope. Using this strategy, membership changes in the groups having global scope do not affect the groups with universal scope.
Let's take an example:-
In a network with two domains, A.com (India) and B.com (USA), each with a group having global scope called GLFinance, create a group with universal scope called UFinance whose members are the two GLFinance groups, from A.com (India) and B.com (USA). The UFinance group can then be used anywhere in the enterprise. Any change in the membership of the individual GLFinance groups will not cause replication of the UFinance group.
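The UFinance scenario above as an added example, not code from the original post: it nests the two GLFinance global groups into a universal group and then queries the global catalog port to show which group's membership the GC actually carries. It assumes the ActiveDirectory module, a two-domain forest whose domain controllers are named as in the placeholders below (the A.com one also hosting a global catalog), and rights to create groups in the OU shown.

```powershell
# Added example, not from the original post. Server names and OU are
# placeholders; GLFinance is assumed to exist in both domains.
Import-Module ActiveDirectory

$DcA = 'dc01.a.com'      # placeholder: DC in A.com that is also a GC
$DcB = 'dc01.b.com'      # placeholder: DC in B.com
$OU  = 'OU=Groups,DC=a,DC=com'

# The universal group lives in A.com. Members from B.com are fetched from
# a B.com DC first so that Add-ADGroupMember gets the right object.
New-ADGroup -Name 'UFinance' -SamAccountName 'UFinance' -Path $OU `
    -GroupScope Universal -GroupCategory Security -Server $DcA
$glA = Get-ADGroup -Identity 'GLFinance' -Server $DcA
$glB = Get-ADGroup -Identity 'GLFinance' -Server $DcB
Add-ADGroupMember -Identity 'UFinance' -Members $glA, $glB -Server $DcA

# Ask the global catalog (port 3268) rather than the domain partition.
# A universal group's member attribute is replicated to the GC; a global
# group's member attribute is not, so the second query returns no
# members even though GLFinance has members in its own domain.
$gc = "${DcA}:3268"
'UFinance members as seen in the GC:'
(Get-ADGroup -Identity 'UFinance' -Server $gc -Properties member).member
'GLFinance (A.com) members as seen in the GC:'
(Get-ADGroup -Identity $glA.DistinguishedName -Server $gc -Properties member).member

# Same global group, asked of its own domain partition: members are listed.
'GLFinance (A.com) members from the A.com domain partition:'
(Get-ADGroup -Identity $glA.DistinguishedName -Server $DcA -Properties member).member
```

This is the practical reason for the nesting the post recommends: people join and leave GLFinance often, and those edits stay inside A.com or B.com; UFinance changes only when a whole group is added or removed, so the forest-wide replication that universal group membership causes happens rarely.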