Friday, September 21, 2012

Windows Groups and Scopes

Hi Friends

Today I will share with you some knowledge of Windows groups and scopes. I have seen that many people do not have a clear idea of how groups and scopes work, even though they decide who can reach what on the network.

So let's go through the details.

Group:- A group is a container that holds user, computer and other group objects. The objects stored in a group are known as its members. Assigning a security permission to a group on a resource ensures that every member of the group receives that permission, so finding out who can reach a resource always means looking at group membership, not only at the permission list itself.

Types of Groups:

  1. Distribution group
  2. Security group

Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to a collection of users. Distribution groups are not security-enabled, which means that they cannot be listed in an access control list (ACL) and are not placed in a user's access token at logon.

Security groups are used to provide access to resources on a network. Security groups are also used to assign user rights in Active Directory and to assign permissions on shared resources on the network. Security groups are listed in ACLs. A security group can also be mail-enabled, so one security group can serve both purposes in an Exchange environment. Keep in mind that a group's type can be changed after it is created (in a domain running at Windows 2000 native functional level or higher): converting a distribution group into a security group turns a harmless mailing list into something that can be granted access, so such changes are worth auditing.
Group Scopes:-

Every group, whether security or distribution, also has a scope. The scope identifies the extent to which the group applies in the domain tree or forest: where its members can come from, and where it can be granted permissions.

There are three group scopes: 

         1. Domain Local
         2. Global Group
         3. Universal Group

1. Domain Local:- Members of a domain local group can include accounts from any domain in the forest, global groups from any domain, universal groups from any domain and other domain local groups from its own domain. The group itself can be assigned permissions only on resources within the domain in which it is created.

·     Users can be from any domain.
·     Can have permissions only in the domain in which it is created.

2. Global Group:- Members of a global group can include only accounts and other global groups from the domain in which the group is defined. The group itself can be assigned permissions in any domain in the forest (and in any domain that trusts that domain).

·     Users can be only from the domain in which the global group is created.
·     Can have permissions in any domain.

3. Universal Group:- Members of a universal group can include accounts, global groups and other universal groups from any domain in the domain tree or forest (but not domain local groups), and the group can be assigned permissions in any domain in the domain tree or forest. Unlike the other two scopes, the membership of a universal group is stored in the global catalog.

·     Users can be from any domain.
·     Can have permissions in any domain.
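
Both the type and the scope of a group are stored in a single attribute, groupType, as bit flags. Here is an added example (written for this post, not code taken from Microsoft or from any tool) that decodes that attribute into the type and scope described above. The flag values are the documented ADS_GROUP_TYPE_* constants; the sample values are constructed, so the script runs without a domain connection.

```powershell
# Added example for this post, not code from the original: decode the raw
# "groupType" attribute that Active Directory stores on every group into the
# type (security or distribution) and the scope (domain local, global or
# universal). The bit values are the documented ADS_GROUP_TYPE_* flags.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int64]$GroupType)

    # Flag bits of the groupType attribute
    $GLOBAL       = 0x2L
    $DOMAIN_LOCAL = 0x4L
    $UNIVERSAL    = 0x8L
    $SECURITY     = 0x80000000L   # high bit set = security-enabled

    # LDAP hands the attribute back as a signed 32-bit value (e.g. -2147483646),
    # so mask it to the unsigned 32-bit range before testing bits.
    $value = $GroupType -band 0xFFFFFFFFL

    $scope = if (($value -band $GLOBAL) -ne 0) { 'Global' }
             elseif (($value -band $DOMAIN_LOCAL) -ne 0) { 'DomainLocal' }
             elseif (($value -band $UNIVERSAL) -ne 0) { 'Universal' }
             else { 'Unknown' }

    $category = if (($value -band $SECURITY) -ne 0) { 'Security' } else { 'Distribution' }

    [pscustomobject]@{
        GroupType   = $GroupType
        Category    = $category
        Scope       = $scope
        # Only security groups can appear in an ACL or in an access token
        UsableInAcl = ($category -eq 'Security')
    }
}

# Constructed sample values, exactly as LDAP would return them:
#   -2147483646 -> Security, Global
#   -2147483644 -> Security, DomainLocal
#   -2147483640 -> Security, Universal
#             8 -> Distribution, Universal
@(-2147483646, -2147483644, -2147483640, 8) | ForEach-Object { ConvertFrom-GroupType $_ }

# Against a live domain the same decoder applies to Get-ADGroup output:
#   Get-ADGroup -Filter * -Properties groupType |
#       ForEach-Object { ConvertFrom-GroupType $_.groupType }
```

The decoder is handy when you read groups straight out of LDAP, from a directory export, or from security event logs, where you only see the numeric value and want to know at a glance whether a group can carry permissions.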

Usage of group with Domain Local Scope

Groups with domain local scope help you define and manage access to resources within a single domain.

Let’s take an example:-

You need to give ten users access to a particular folder A. You could add all ten user accounts to the folder's permissions list. If, however, you later want to give the same ten users access to another folder B, you would again have to add all ten accounts to the permissions list of folder B, and every joiner or leaver would have to be fixed up in both places.

If you have a good idea of how groups work, you can simplify this administrative task by creating a group with domain local scope and assigning it permission to access folder A. Put the ten user accounts in a group with global scope and add that group to the group with domain local scope. When you want to give the ten users access to folder B, assign the group with domain local scope permission to access folder B; all members of the group with global scope automatically get access to folder B. Removing a user from the global group removes their access to both folders in one step.


Now you may have a question in your mind: why did we use a global group in the above scenario?

The answer is that it is a best practice, and Microsoft's recommendation, to use the A-G-DL-P model when assigning permissions:

                  A -> G -> DL -> P    A = Accounts, G = Global groups, DL = Domain local groups, P = Permissions.

What this model means is that you put user accounts into global groups, put the global groups into domain local groups, and then assign permissions to the domain local group. You can assign permissions directly to any group, but the recommended model is A-G-DL-P, and it pays off later: the global group describes who a person is (a role), the domain local group describes what may be done to a resource, and because a domain local group can contain global groups from any domain in the forest, a resource can be opened to users of another domain simply by nesting that domain's global group, without touching the ACL. The same nesting is why an access review must follow the chain all the way down to the accounts, not stop at the group named in the ACL.
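
Here is the folder A / folder B scenario carried out as A-G-DL-P with the ActiveDirectory PowerShell module (RSAT). This is an added example written for this post, not code from the original article or from Microsoft. The domain a.com with NetBIOS name A, the OU "OU=Groups,DC=a,DC=com", the users user1 to user10 and the folder paths are all assumptions for illustration; run it as a domain administrator on the server that holds the folders.

```powershell
# Added example, not code from the original post: A-G-DL-P for two folders.
# Assumed: domain a.com (NetBIOS "A"), OU "OU=Groups,DC=a,DC=com",
# users user1..user10, and folders under D:\Shares.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=a,DC=com'
$users   = 1..10 | ForEach-Object { "user$_" }            # sAMAccountNames (assumed)
$folders = @{ 'FolderA' = 'D:\Shares\FolderA'; 'FolderB' = 'D:\Shares\FolderB' }

# A -> G : the accounts go into one global security group that describes the role
New-ADGroup -Name 'GL_Finance' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GL_Finance' -Members $users

foreach ($name in $folders.Keys) {
    $path = $folders[$name]

    # G -> DL : one domain local group per resource and permission level
    $dl = "DL_${name}_Modify"
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity $dl -Members 'GL_Finance'

    # DL -> P : only the domain local group is written into the folder ACL
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "A\$dl", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Leaver: dropping the account from the global group revokes both folders at once
Remove-ADGroupMember -Identity 'GL_Finance' -Members 'user3' -Confirm:$false

# Check 1: who effectively gets access? Nesting is transitive, so audit the
# domain local group recursively, not just its direct members.
Get-ADGroupMember -Identity 'DL_FolderB_Modify' -Recursive |
    Select-Object name, objectClass

# Check 2: the explicit ACEs on the folder should name only the domain local
# group; any raw user account here means someone bypassed the model.
(Get-Acl -Path $folders['FolderB']).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The two checks at the end are the ones worth running regularly: the recursive membership listing shows the real set of people behind an ACL entry, and the explicit-ACE listing catches permissions that were granted straight to accounts outside the model.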

Usage of group with Global Scope

Groups with global scope are usually used to manage user and computer accounts that require daily maintenance. Because the membership of a global group is not replicated outside its own domain, accounts in a global group can be changed frequently without generating replication traffic to the global catalog; the changes stay within the domain where the group exists. This keeps the load on the global catalog servers down.

Let’s take an example:-


In a network with two domains, A.com (India) and B.com (USA), each domain can have its own group with global scope called GLFinance, managed by that domain's administrators and containing only that domain's accounts. Adding or removing a user in A.com's GLFinance changes nothing in B.com and sends nothing to the global catalog.

It is strongly recommended that you use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects that are replicated to the global catalog. The reason is that a domain local group is added to a user's access token only when the user is authenticated by a domain controller of that group's own domain, so an ACL that names a domain local group will not be evaluated as intended when the object is read through a global catalog server in another domain.

Usage of group with Universal Scope

Groups with universal scope are usually used to consolidate groups that live in different domains. To do this, add the accounts to groups with global scope and nest these groups within groups having universal scope. With this strategy, membership changes in the global groups do not alter the membership of the universal group, and therefore do not trigger replication of the universal group's membership to every global catalog server in the forest. This mattered most when a single membership change replicated the whole member list; from the Windows Server 2003 forest functional level onward, linked-value replication sends only the changed member, but nesting global groups into universal groups remains the recommended design. Note also that security-enabled universal groups cannot be created while a domain is in Windows 2000 mixed mode.

Let’s take an example:-


In a network with two domains, A.com (India) and B.com (USA), each with a group of global scope called GLFinance, create a group with universal scope called UFinance that has the two GLFinance groups (A.com's and B.com's) as its members. The UFinance group can then be used anywhere in the enterprise, for instance nested into a domain local group in either domain. Any change in the membership of an individual GLFinance group does not cause replication of the UFinance group, because UFinance's own member list (the two global groups) is unchanged. This is the multi-domain form of the model above, often written A-G-U-DL-P: accounts into global groups, global groups into a universal group, the universal group into each resource domain's domain local group, and permissions on the domain local group.
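
The UFinance example, and the replication claim behind it, as an added example written for this post (not code from the original article or from Microsoft). It assumes the two domains a.com and b.com in one forest, a global catalog server gc.a.com in a.com, an OU named Groups in each domain, and a GLFinance global group already present in both; the checks at the end query the global catalog on port 3268 to show which memberships it actually holds.

```powershell
# Added example, not code from the original post: consolidate two per-domain
# global groups into one universal group and verify what the global catalog sees.
# Assumed: domains a.com and b.com, GC server gc.a.com, OU "Groups" in each domain.
Import-Module ActiveDirectory

$glA = Get-ADGroup -Identity 'GLFinance' -Server 'a.com'
$glB = Get-ADGroup -Identity 'GLFinance' -Server 'b.com'

# The universal group lives in a.com; its members are the two global groups,
# never individual users, so day-to-day joiners and leavers never touch it.
New-ADGroup -Name 'UFinance' -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=a,DC=com' -Server 'a.com'

# Add the members by distinguished name: this avoids the cross-domain object
# lookup that Add-ADGroupMember would otherwise have to perform for b.com's group.
Set-ADGroup -Identity 'UFinance' -Server 'a.com' `
    -Add @{ member = @($glA.DistinguishedName, $glB.DistinguishedName) }

# Check 1: the global catalog (port 3268) holds the member list of a universal
# group, so any domain in the forest can resolve UFinance completely.
(Get-ADGroup -Identity 'CN=UFinance,OU=Groups,DC=a,DC=com' `
    -Properties member -Server 'gc.a.com:3268').member

# Check 2: the same GC does NOT hold the member list of b.com's global group
# (its members are only on b.com's domain controllers). The first count is 0,
# the second is the real number of members; this is why changing GLFinance
# membership never generates replication traffic to every GC in the forest.
$dn = $glB.DistinguishedName
@((Get-ADGroup -Identity $dn -Properties member -Server 'gc.a.com:3268').member).Count
@((Get-ADGroup -Identity $dn -Properties member -Server 'b.com').member).Count
```

Check 1 is also the reason universal groups are the right place for cross-domain roles: a resource domain's domain local group can contain UFinance and resolve its members through any global catalog, whereas a global group from another domain is opaque outside its home domain.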