
Hour 9. Creating Active Directory Groups, Organizational Units, and Sites

What You’ll Learn in This Hour:

This hour examines two Active Directory objects: groups and Organizational Units. It also discusses the use of Active Directory sites and issues related to Active Directory replication and the Global Catalog.

Understanding Active Directory Groups

The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as users, computers, and groups. A group is a collection of Active Directory objects (which can include nested groups—more about these later in the hour). The primary purpose of a group is to enable you to collect users and define permissions based on group membership. This is a much easier strategy for controlling the access levels that users have to domain resources than the alternative of assigning permissions on a per-user basis.

A number of default Active Directory groups are available for the administrator to use. You can create new groups by using the Active Directory Users and Computers snap-in. Before we look at the default Active Directory groups provided, we should expand our definition of Windows Server 2008 groups. There are actually two different group types: security and distribution.

A security group is a group that defines permissions related to resources and objects in the domain. Members of a security group (such as users) are assigned a security token when they log on to the domain, which provides them with the necessary permissions to files, printers, and other resources.

The second type of Windows Server 2008 group is the distribution group. A distribution group is really nothing more than a list of users, such as a grouping of contacts to which you would send an email. Distribution groups cannot be used to assign permissions to the users in the group. Microsoft Exchange Server is an example of a platform that uses distribution groups.

Security groups are discussed in this hour, and they are used throughout the book as permissions related to the various Windows Server 2008 services are assigned. Before you look at using or creating groups, however, you need to understand how security groups operate at the different levels of the Active Directory hierarchy (especially when you are working with enterprise networks that contain a number of domains).

Windows Server 2008 Group Scopes

A security group always has a particular scope. The group scope refers to the level at which the group operates within the Microsoft network (and within the Active Directory Domain Services hierarchy). It also determines the types of objects that can be members of the group. Remember that you are potentially working with a network that consists not only of a single domain, but that could also span a domain tree or even a forest. The three group scopes are universal, global, and domain local.

Whether you actually use all these different types of groups depends on the size of your network. If your network consists of only one domain, you would typically use global groups to organize your users into security subsets, with each group assigned a particular level of permissions to resources within the domain.

Universal groups usually come into play only if your network is of greater scope, meaning that your Windows Server 2008 network is big enough to embrace multiple domains. For example, your company might be made up of several divisions, with each division being its own domain.

Domain local groups are most often used to assign users permissions to specific resources within a domain (where the group has been created). The fact that other group scopes can be nested (discussed in the next section) within domain local groups means that you can use the domain local group to specify the permissions for domain resources and then add users to groups from the domain tree (or forest) as required.

Nesting Groups and Group Membership

You can actually create a group hierarchy by nesting groups inside other groups. Nesting simply means placing a group inside another group. For example, you can add a global group (which provides a way to organize a group of users in a particular domain) to a domain local group. The global group provides the list of users, and the domain local group actually provides the permission level that will be assigned to members of the domain local group; in this case, that includes the global group you’ve nested.
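The following script, added here as an example and not taken from the book, carries out the pattern described above and in the domain local group discussion: a global security group holds the users, it is nested in a domain local security group, and only the domain local group is placed on the resource's ACL. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT, not with the original 2008 release); the domain example.com, the Sales OU, the group names, and the share path are placeholders.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module is
# installed and the session runs with rights to create groups in the OU.
Import-Module ActiveDirectory

$ou     = "OU=Sales,DC=example,DC=com"   # placeholder OU
$folder = "D:\Shares\Sales"              # placeholder resource on a file server

# 1. Global security group: organizes the users of this domain.
New-ADGroup -Name "Sales Users" -SamAccountName "SalesUsers" `
    -GroupScope Global -GroupCategory Security -Path $ou

# 2. Domain local security group: carries the permission on the resource.
New-ADGroup -Name "SalesShare-Modify" -SamAccountName "SalesShare-Modify" `
    -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 3. Nest the global group inside the domain local group.
Add-ADGroupMember -Identity "SalesShare-Modify" -Members "SalesUsers"

# 4. Grant the permission once, to the domain local group only. Users are
#    never added to the ACL directly; membership changes happen in AD.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "EXAMPLE\SalesShare-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Checks: resolve the effective membership through the nesting, and confirm
# the group on the ACL is a security group. A distribution group placed on
# an ACL grants nothing, because its members receive no token for it.
Get-ADGroupMember -Identity "SalesShare-Modify" -Recursive |
    Select-Object Name, objectClass
Get-ADGroup -Identity "SalesShare-Modify" |
    Select-Object Name, GroupScope, GroupCategory
```

The final two commands are the review step: run them after any membership change to see who actually reaches the share, and to catch a group that was created as Distribution by mistake.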

The nesting of groups is controlled by the group membership rules for each group scope. In the Windows 2000 functional level (or the 2003 and 2008 functional level), the group scopes allow the following memberships:
