Understanding Groups on the Windows Server Platform

This article deals with the concept of groups in Active Directory. Active Directory was first introduced by Microsoft in its server operating systems with Windows 2000 Server as a method of providing better organization for the users, groups, computers and other objects in a domain.

If you are new to the wonderful world of Information Technology, or at least to the Windows Server platform, groups as discussed in this article may be a foreign concept to you. Even if you have worked with Windows Server products in the past, you still may not know everything you think you know about groups; many things have changed over the past few years.

I started on Windows NT 4 server a few years ago and to me, a group was simply a logical grouping of users. Sure, that’s a simple way of looking at them. But in order to use groups to their fullest capacity, we need to understand the different types of groups, their scopes, and the options that are available to us. Read On!

Why Are Groups Needed?

Let’s say that you are a teacher. Which is easier: to refer to each of your pupils individually, or simply to refer to them as your class? You would say "Attention class," not "Johnny, Bobby, Sue, Jane… listen up!"; naming everyone would take too much time. Groups provide you with the ability to logically lump certain Active Directory objects, mainly users and computers, together to make things easier on the administration side.

Group Types

Have you ever heard the saying "there are 10 types of people in the world: those that understand binary and those that can’t"? Well, the same goes for groups; there are only two types: Distribution and Security.

Most of the time, you will create a Security group. In fact, this is the default group type when you create a group using the Active Directory Users and Computers interface. In order to set permissions based on a group, the group type must be Security. If you are coming into this article with a bit of NT4 experience, Security Groups were the only type available in those days.

Distribution groups are used primarily by email applications. An email sent to a group is delivered to each of the group’s members. This is also possible with a Security group, depending on the email application you are using.

Since Security Groups are the most commonly used type of group, we are going to focus only on Security Groups from here on in. Distribution groups may be covered in a later article.

Domain Functional Level (DFL)

What is Domain Functional Level and what does it have to do with groups? The Domain Functional Level is a new concept for Windows Server 2003. It is essentially a setting configured in Active Directory Users and Computers that is used to discern which Active Directory features will be available in your domain.

As ideal as it would be, very few organizations use the newest hardware and operating systems. Because of the possibility of having Domain Controllers running NT4, Windows 2000 and Windows Server 2003 operating systems in the same domain, compatibility is an issue. To ensure backwards compatibility, the DFL is used to disable the ability to use features that are not built into Active Directory on all of the server operating systems in your domain.

There are four Domain Functional Levels. Listed below are the four levels as well as which operating systems may reside in a domain sporting that DFL.

DFL                            NT4 Compatible   Windows 2000   Windows Server 2003
-----------------------------  ---------------  -------------  -------------------
Windows 2000 Mixed (Default)   Yes              Yes            Yes
Windows 2000 Native            -                Yes            Yes
Windows 2003 Interim           Yes              -              Yes
Windows Server 2003            -                -              Yes

Table 1: Domain Functional Level Types

Think of the first DFL listed, Windows 2000 Mixed, as the most compatible. The Windows Server 2003 level is only available when the entire domain or forest is running Windows Server 2003 domain controllers, making it the least compatible.

A server cannot be set up as a Domain Controller if it does not meet the operating system requirements of the Domain Functional Level. Once the DFL is raised, it can’t be lowered. Plan wisely! Also note that the Domain Functional Level is only concerned with the operating systems installed on Domain Controllers; member servers don’t influence the DFL.

Knowing what effect the Domain Functional Level has on your domain is important when talking about groups, because some of the features related to groups are enabled or disabled depending on the DFL. Some of the group-related features that the different DFLs support are listed in Table 2.

Domain Feature     Windows 2000 Mixed                                   Windows 2000 Native           Windows Server 2003
-----------------  ---------------------------------------------------  ----------------------------  ----------------------------
Universal Groups   Enabled for Distribution, disabled for Security      Enabled for both group types  Enabled for both group types
Group Nesting      Enabled for Distribution, disabled for Security (1)  Enabled                       Enabled
Group Conversion   Disabled                                             Enabled (2)                   Enabled (2)

Table 2: Group-related features enabled by different DFLs

(1) Domain Local Groups may have Global Groups as members.
(2) Groups can be converted between Distribution and Security types freely.

Domain Functional Levels, as well as Forest Functional Levels, are a large topic and will not be discussed in their entirety here. This may be the focus of a future article.

Group Scopes

The scope of a group defines the extent to which a group’s attributes apply in a domain. In other words, a Local group only applies on the local machine, but Global groups are recognized throughout the domain. The four Group Scopes are explained below.

Local Groups

Local Groups, also known as Machine Local Groups, are configured by default on all Windows 2000, XP and Server 2003 computers. A Local Group, as the name implies, is only functional machine-wide; permissions assigned to the group are only valid on the local machine.

By default, groups such as Administrators, Power Users, Backup Operators and Guests can be found on local machines in the Computer Management console. When a server is promoted to the role of a Domain Controller, its local groups are disabled. The remainder of this article will focus on the remaining group scopes.

Global Groups

Global groups are usually created to gather users or computers with a similar job function. You might want to put all of your users from the Sales department, for example, into a Sales Global Group. While you may only add computers or users from your own domain to a Global Group, permissions can be assigned to a Global Group for resources in any domain in your forest or in trusted domains outside your forest.

Domain Local Groups

Domain Local Groups are usually created based on the resources they will be applied to. To understand how Domain Local Groups are used, let’s look at this example:

You have a Global Group named ‘Marketing’ containing all of the user accounts for your company’s marketing team. Members of the marketing group require access to a special color laser printer to print out promotional material and also to access the material created by your Graphic Design department. In order to do this, you can simply nest the Global Marketing Group inside the Domain Local Groups ‘Color Printer’ and ‘Promo Material’ that were created for each resource.

When a new employee is added to the marketing department, you simply add the user to the Marketing Global Group and they are automatically given permissions to the promotional material folder and the color laser printer. This process is known as group nesting, which we will talk about shortly. If your Graphic Design department requires access to the color printer, you can add them to the Domain Local Group ‘Color Printer’ and they will receive the permissions granted on that printer to the ‘Color Printer’ group.


Figure 1: Nesting Global Groups inside Domain Local Groups

Universal Groups

Universal Groups can grant access to resources in any trusted domain in which the Domain Functional Level is set to Windows 2000 Native or Windows Server 2003. This is because Universal Groups are not supported by Domain Controllers running Windows NT4.

The best practice is to avoid adding users to a Universal Group. This may seem strange, but it all comes down to a concept called ‘Replication’. This is where Domain Controllers exchange Active Directory information between themselves. If you have a background with routers, this can be compared to ‘Convergence’. If a user is added to a Universal Group, all of its information must be sent to each Domain Controller. This can use unnecessary amounts of bandwidth during the replication process. You should add your users to a Global Group and then nest that group within a Universal Group. Then only information about the nested group must be replicated, saving bandwidth and reducing replication time. We’ll talk about group nesting next, so don’t worry if you are unfamiliar with the topic.

Group Nesting & Conversion

We may not realize it, but we are always ‘nesting groups’ in our everyday lives. Group nesting is a lot like categorizing. We start out with the broadest description and work our way down to the most specific. For example, you may live in a city. Nested within that city is a neighborhood. Within that neighborhood are streets, and within a street are blocks. As you can see, nesting is not a difficult concept. The difficulty comes when thinking about all of the rules that apply when nesting groups.

Rather than remembering which groups can be nested within others, it is easier to remember which groups can’t be nested.

Whether the reason is the restructuring of your domain or even just a mistake made at the time the group was created, you are able to convert existing groups to different group scopes. Some conditions do apply, however.

The following chart should help to explain what nesting and conversion capabilities are available for each group scope. Each row is the scope of the group being nested; the three nesting columns show whether a group of that scope may be nested inside a group of the column’s scope, and the last column shows which scope conversions are allowed.

                   Can be nested in a...
Group scope        Domain Local    Global    Universal    Conversion
-----------------  --------------  --------  -----------  -----------------------------------------
Domain Local       Same domain     No        No           No to Global; Yes to Universal
Global             Same domain     Yes       Yes          Yes to Universal (1); No to Domain Local
Universal          Yes             No        Yes          Yes to Domain Local; No to Global (2)

Table 3: A quick snapshot of Group Nesting and Conversion

(1) Only if the Global Group is not itself nested within another Global Group, because Universal Groups cannot be nested inside Global Groups.
(2) Not possible only when the Universal Group contains nested Universal Groups, because Universal Groups cannot be nested inside Global Groups.
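To make the nesting and conversion rules in Table 3 concrete, here is an added Python model (example code written for this article, not part of the original and not Microsoft's implementation): nest() refuses any nesting the table forbids, can_convert() applies the two footnotes, and marketing_example() replays the Marketing / Color Printer scenario from the Domain Local Groups section. It goes one step beyond the table by also enforcing the same-domain rule for Global-in-Global nesting; the domain name corp.example is a constructed placeholder.

```python
from dataclasses import dataclass, field
# Constructed model of the Table 3 rules under a Windows 2000 Native or Windows Server
# 2003 DFL (security-group nesting enabled). Illustrative only, not Microsoft's code.
DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "Domain Local", "Global", "Universal"
# member scope -> container scopes it may be nested in (the nesting columns of Table 3)
CAN_BE_NESTED_IN = {
    DOMAIN_LOCAL: {DOMAIN_LOCAL},                     # and only from the same domain
    GLOBAL:       {DOMAIN_LOCAL, GLOBAL, UNIVERSAL},
    UNIVERSAL:    {DOMAIN_LOCAL, UNIVERSAL},          # never inside a Global group
}
@dataclass
class Group:
    name: str
    scope: str
    domain: str
    members: list = field(default_factory=list)   # groups nested inside this one
    parents: list = field(default_factory=list)   # groups this one is nested in

def nest(child, parent):
    """Nest child inside parent, enforcing the scope and same-domain rules."""
    if parent.scope not in CAN_BE_NESTED_IN[child.scope]:
        raise ValueError(f"{child.scope} group cannot be nested in a {parent.scope} group")
    # Domain Local in Domain Local, and Global in Global, must come from the same domain
    if child.scope == parent.scope != UNIVERSAL and child.domain != parent.domain:
        raise ValueError(f"{child.scope} groups only nest {child.scope} groups of their own domain")
    parent.members.append(child)
    child.parents.append(parent)

def can_convert(group, target):
    """Return (allowed, reason) for changing the group's scope, per Table 3 and its footnotes."""
    if (group.scope, target) == (GLOBAL, UNIVERSAL):
        if any(p.scope == GLOBAL for p in group.parents):       # footnote 1
            return False, "nested in another Global group"
    elif (group.scope, target) == (UNIVERSAL, GLOBAL):
        if any(m.scope == UNIVERSAL for m in group.members):    # footnote 2
            return False, "contains nested Universal groups"
    elif group.scope != target and {group.scope, target} != {DOMAIN_LOCAL, UNIVERSAL}:
        return False, f"{group.scope} to {target} is never allowed"  # Domain Local <-> Global
    return True, "ok"

def marketing_example():
    """The article's scenario: the Marketing Global group nested in two resource groups."""
    marketing = Group("Marketing", GLOBAL, "corp.example")       # constructed domain name
    printer = Group("Color Printer", DOMAIN_LOCAL, "corp.example")
    promo = Group("Promo Material", DOMAIN_LOCAL, "corp.example")
    nest(marketing, printer)
    nest(marketing, promo)
    return {"resources": sorted(p.name for p in marketing.parents),
            "to_universal": can_convert(marketing, UNIVERSAL),
            "to_domain_local": can_convert(marketing, DOMAIN_LOCAL)}
```

Adding a new marketing user means one change to the Global group, and nest() raising ValueError on a forbidden combination is the same answer Active Directory Users and Computers would give.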
