Windows Groups and Scopes
Hi friends,
Today I will share with you some knowledge of Windows groups and scopes. I have seen that many people don't have a clear idea about groups and scopes, so let's go through the details.
Group:- A group is a container that holds user and computer objects. The user and computer objects stored in the group are known as group members. Assigning a security permission to a group on a resource ensures that all members of the group receive that permission.
Types of Groups:
- Distribution group
- Security group
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to a collection of users. Distribution groups are not security-enabled, which means they cannot be listed in access control lists (ACLs).
Security groups are used to provide access to resources on a network. Security groups are also used to assign user rights in Active Directory and to assign permissions on shared resources on the network. Security groups can be listed in ACLs.
Group Scopes:-
Security groups and distribution groups are further differentiated by a scope, which identifies the extent to which the group can be applied in the domain tree or forest.
There are three group scopes:
1. Domain Local
2. Global Group
3. Universal Group
1. Domain Local:- Members of domain local groups can include other groups and accounts from any domain, and the group can be assigned permissions only within the domain in which it is created.
- Users can be from any domain.
- Can have permissions only in the domain in which it is created.
2. Global Group:- Members of global groups can include other groups and accounts only from the domain in which the group is defined, and the group can be assigned permissions in any domain in the forest.
- Users can be only from the domain in which we create the global group.
- Can have permissions in any domain.
3. Universal Group:- Members of universal groups can include other groups and accounts from any domain in the domain tree or forest, and the group can be assigned permissions in any domain in the domain tree or forest.
- Users can be from any domain.
- Can have permissions in any domain.
Usage of group with Domain Local Scope
Groups with domain local scope help you define and manage access to resources within a single domain.
Let's take an example:-
Suppose you need to give ten users access to a particular folder A. You could add all ten user accounts to the folder's permissions list. If, however, you later want to give five of those users access to another folder B, you would again have to specify all five accounts in the permissions list for folder B.
If you have a good idea about groups, you can simplify this administrative task by creating a group with domain local scope and assigning it permission to access folder A. Put the ten user accounts in a group with global scope and add this group to the group with domain local scope. When you later want to give the ten users access to folder B, assign the group with domain local scope permission to access folder B. All members of the group with global scope automatically get access to folder B.
Now you may all have a question in your mind: why did we use a global group in the above scenario?
The answer is that it is a best practice, and recommended, to use the A-G-DL-P model when assigning permissions.
A -> G -> DL -> P: A = user accounts, G = global groups, DL = domain local groups, P = permissions.
What this model means is that you put user accounts into global groups, then put the global groups into domain local groups, and then assign permissions to that domain local group. It is recommended that you assign permissions to the domain local group; this will be helpful in the future. You can assign permissions directly to any group, but the recommended model is A-G-DL-P.
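The A-G-DL-P chain for folder A, written out as an added PowerShell example (this is not code from the original post). It assumes the RSAT ActiveDirectory module is installed, that the domain A.com has the NetBIOS name A, that group objects live in an OU named OU=Groups,DC=a,DC=com, that the folder is at D:\Shares\FolderA, and that user01 to user10 are constructed sample account names; none of those values come from the post.

```powershell
# Added example, not code from the original post. It builds the A-G-DL-P chain for
# folder A in the domain a.com from the article's scenario.
# Assumptions (not from the post): the ActiveDirectory module (RSAT) is installed, the
# domain's NetBIOS name is A, groups live in OU=Groups,DC=a,DC=com, the folder is
# D:\Shares\FolderA, and user01..user10 are constructed sample sAMAccountNames.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=a,DC=com'   # assumed OU for group objects
$folderA = 'D:\Shares\FolderA'       # assumed resource path
$users   = 1..10 | ForEach-Object { 'user{0:D2}' -f $_ }   # constructed: user01..user10

# A -> G: the ten accounts go into a global group. A global group may contain only
# accounts from its own domain (a.com), which is exactly what the post describes.
New-ADGroup -Name 'GLFinance' -SamAccountName 'GLFinance' `
            -GroupScope Global -GroupCategory Security -Path $groupOU `
            -Description 'Finance users of a.com (global scope)'
Add-ADGroupMember -Identity 'GLFinance' -Members $users

# G -> DL: one domain local group per resource and permission level; it may contain
# groups from any domain but can be granted permissions only inside a.com.
New-ADGroup -Name 'DL_FolderA_Modify' -SamAccountName 'DL_FolderA_Modify' `
            -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
            -Description 'Modify rights on FolderA (domain local scope)'
Add-ADGroupMember -Identity 'DL_FolderA_Modify' -Members 'GLFinance'

# DL -> P: the NTFS permission is granted to the domain local group only, never to
# individual accounts. The inheritance flags apply the ACE to subfolders and files.
$acl  = Get-Acl -Path $folderA
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList 'A\DL_FolderA_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folderA -AclObject $acl

# Checks worth running after the change:
# 1. the effective (nested) membership of the DL group resolves to the ten users ...
Get-ADGroupMember -Identity 'DL_FolderA_Modify' -Recursive |
    Select-Object SamAccountName, objectClass
# 2. ... and the folder ACL carries one ACE for the DL group and no per-user ACEs.
(Get-Acl -Path $folderA).Access |
    Where-Object { $_.IdentityReference -like 'A\*' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# Giving the same users folder B later is one more DL group, one more ACE and one
# Add-ADGroupMember of GLFinance; no user account is touched.
```

The two checks at the end are the part to keep in a change procedure: the recursive member list proves the nesting resolves to the intended people, and the ACL listing shows whether anyone has bypassed the model by granting rights directly to a user or to the global group.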
Usage of group with Global Scope
Groups with global scope are usually used to manage user and computer accounts that require daily maintenance. Because groups with global scope are not replicated outside their own domain, accounts in a group with global scope can be changed frequently without generating replication traffic to the global catalog. The changes made to such a group remain within the domain where it exists, which reduces traffic to the global catalog server.
Let's take an example:-
In a network with two domains, A.com (India) and B.com (USA), if there is a group with global scope called GLFinance in the A.com (India) domain, there will also need to be a separate group called GLFinance in B.com (USA), because a global group can contain accounts only from its own domain.
It is strongly recommended that you use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog.
Usage of group with Universal Scope
Groups with universal scope are usually used to consolidate groups that exist in different domains. To do this, add the accounts to groups with global scope and nest these groups within groups with universal scope. Using this strategy, membership changes in the groups with global scope do not affect the groups with universal scope.
Let's take an example:-
In a network with two domains, A.com (India) and B.com (USA), and a group with global scope called GLFinance in each domain, create a group with universal scope called UFinance that has as its members the two GLFinance groups from A.com (India) and B.com (USA). The UFinance group can then be used anywhere in the enterprise. Any changes in the membership of the individual GLFinance groups will not cause replication of the UFinance group.
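The UFinance consolidation above, as an added PowerShell example (not code from the original post). It assumes A.com and B.com are two domains of one forest with DNS names a.com and b.com, that UFinance is created in a.com under an OU named OU=Groups,DC=a,DC=com, and that the caller has the ActiveDirectory module and rights in both domains; these are assumptions, not details from the post.

```powershell
# Added example, not code from the original post. It consolidates the two per-domain
# GLFinance global groups from the article into one universal group, UFinance.
# Assumptions (not from the post): both domains are in one forest, a.com is the
# domain that hosts UFinance, groups live in OU=Groups,DC=a,DC=com, and the
# ActiveDirectory module (RSAT) is available with rights in both domains.
Import-Module ActiveDirectory

# Each global group must be read from a domain controller of its own domain:
# -Server points the query at that domain instead of the caller's logon domain.
$glIndia = Get-ADGroup -Identity 'GLFinance' -Server 'a.com'
$glUsa   = Get-ADGroup -Identity 'GLFinance' -Server 'b.com'

# Universal group: members may come from any domain in the forest, and its member
# list is replicated to the global catalog, so keep it to a few nested groups.
New-ADGroup -Name 'UFinance' -SamAccountName 'UFinance' `
            -GroupScope Universal -GroupCategory Security `
            -Path 'OU=Groups,DC=a,DC=com' -Server 'a.com' `
            -Description 'Finance staff of both domains (universal scope)'

# Nest the global groups, not the individual users. Adding or removing a user in a
# GLFinance group later changes only that domain's group object; UFinance is
# untouched, so nothing new is replicated to the global catalog.
Add-ADGroupMember -Identity 'UFinance' -Server 'a.com' -Members $glIndia, $glUsa

# Check: UFinance's direct members are exactly the two group objects, one per domain.
Get-ADGroupMember -Identity 'UFinance' -Server 'a.com' |
    Select-Object Name, objectClass, distinguishedName

# Check: scope and category of every group involved, read from the domain that owns it.
foreach ($pair in @(@('GLFinance', 'a.com'), @('GLFinance', 'b.com'), @('UFinance', 'a.com'))) {
    Get-ADGroup -Identity $pair[0] -Server $pair[1] |
        Select-Object Name, GroupScope, GroupCategory, @{ n = 'Domain'; e = { $pair[1] } }
}
```

The second check is the one to repeat periodically: if someone later changes the scope of a GLFinance group or adds individual users directly to UFinance, every such change starts generating global catalog replication, which is exactly what this design is meant to avoid.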