

Microsoft Active Directory - groups explanation - exam 70-294

I’m doing training for this exam, and groups have always been kinda messed up for me, and I guess not just for me, but for many of you. So here it goes. I am writing this on the fly, and making it as simple as I can.

Windows groups can be really fuzzy. At least for me they are, so, in order to understand them, I will explain things as I understand them, and I will try to make it as simple as I can.

Active Directory groups have 2 characteristics: type and scope.

Group types:  Distribution / Security
Group scopes: Domain Local / Global / Universal

So far all seems ok. The hard part comes when you have to design the AD structure: you have to follow a logic and understand clearly which group can contain which, how you can use them, and in which network infrastructure.

So first of all, a brief explanation of group types:

Distribution groups - used to distribute mail to members. CANNOT be used to assign permissions for resources.
Security groups - used to distribute mail AND to assign permissions.

Domain functional level - if you have older Windows server versions on the network, you will have to set up the matching level of functionality:

Windows 2000 mixed - NT 4.0/5.0 + Win2000 DC + Win2003 DC (no universal security groups)
Win2000 native - Win2000 DC + Win2003 DC (minimum level for universal security groups + group nesting)
Win2003 - all features enabled.

Domain local groups = DLG
Global groups       = GG
Universal groups    = UG

DLG - used when assigning permissions or user rights. Other groups can be added to DL groups.

Win2000 mixed - a DLG can contain: users/computers/GG from the domain of the DLG and from any trusted domain.
Win2000 native/Win2003 - DLG = Win2000 mixed + other DLG + UG

Microsoft recommends using DLGs only to contain other groups.

GG - container for users/computers.

Win2000 mixed - a GG can contain: users/computers from the same domain as the GG.
Win2000 native/Win2003 - GG = Win2000 mixed + other GG

UG - stored in the Global Catalog (membership changes trigger forest-wide replication).

Microsoft recommends using UGs only to contain other groups.

UG (security) - does not exist in Win2000 mixed.
Win2000 native/Win2003 - UG (security) can contain: users/computers/GG from any trusted domain, and other UG.
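To make the nesting rules above easier to check, here is a small model of them as an added example (my own code, not from the original post or from Microsoft). It assumes that "other DLG" and "other GG" mean groups from the same domain, and it takes the set of trusted domains as a constructed input, since the post only says "any trusted domain".

```python
from dataclasses import dataclass

# Functional levels and scopes, named as in the post above.
MIXED, NATIVE = "Win2000 mixed", "Win2000 native/Win2003"
DLG, GG, UG, USER = "DLG", "GG", "UG", "user/computer"


@dataclass(frozen=True)
class Obj:
    kind: str    # USER, DLG, GG or UG
    domain: str  # domain the object lives in


def can_contain(level, group, member, trusted=frozenset()):
    """Return (allowed, reason) for making `member` a member of `group`.

    `trusted` is the set of domains trusted by group.domain (constructed
    input; the post only says 'any trusted domain')."""
    same = member.domain == group.domain
    reachable = same or member.domain in trusted
    if group.kind == DLG:
        if member.kind in (USER, GG) and reachable:
            return True, "DLG: users/computers/GG from own or trusted domain"
        if level == NATIVE and member.kind == DLG and same:
            return True, "native/2003: DLG may nest a DLG (same domain assumed)"
        if level == NATIVE and member.kind == UG:
            return True, "native/2003: DLG may nest a UG"
    elif group.kind == GG:
        if member.kind == USER and same:
            return True, "GG: users/computers from the GG's own domain"
        if level == NATIVE and member.kind == GG and same:
            return True, "native/2003: GG may nest a GG (same domain assumed)"
    elif group.kind == UG:
        if level == MIXED:
            return False, "universal security groups do not exist in mixed mode"
        if (member.kind in (USER, GG) and reachable) or member.kind == UG:
            return True, "native/2003: UG: users/computers/GG from trusted domain, or UG"
    return False, f"{member.kind} from {member.domain} not allowed in {group.kind} at {level}"


def only_nests_groups(group, members):
    """Microsoft's recommendation from the post: DLG and UG should hold only
    other groups. Returns the direct user/computer members that break it."""
    if group.kind not in (DLG, UG):
        return []
    return [m for m in members if m.kind == USER]
```

Running `can_contain` over a planned membership list before raising the functional level shows which nestings only become legal in native/2003 mode, and `only_nests_groups` flags DLGs and UGs that hold users directly instead of a GG.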

Posted in Microsoft windows training.
