Microsoft Active Directory – groups explanation – exam 70-294

I’m doing training for this exam, and groups have always been kinda messed up for me, and I guess not just for me but for many of you. So here it goes. I am writing this on the fly and making it as simple as I can.

Windows groups can be really fuzzy. At least for me they are, so, in order to understand them, I will explain things as I understand them, and I will try to make it as simple as I can.

Active Directory groups have two characteristics: type and scope.

Group types: Distribution / Security
Group scopes: Domain Local / Global / Universal

So far all seems OK; the hard part comes when you have to design the AD structure. You need a logic and a clear understanding of which group can contain which, how you can use them, and in which network infrastructure.

So first of all, a brief explanation of group types:

Distribution groups – used to distribute mail to members. CANNOT be used to assign permissions to resources.
Security groups – distribute mail + assign permissions.

Domain functionality – if you have older Windows Server versions on the network, you will have to set up a functional level:

Windows 2000 mixed – NT 4.0/5.0 + Win2000 DC + Win2003 DC (no security groups)
Windows 2000 native – Win2000 DC + Win2003 (minimum level for security groups + group nesting)
Windows 2003 – all features enabled.

Domain local groups = DLG
Global groups = GG
Universal groups = UG

DLG – used when assigning permissions or user rights. Other groups can be added to DL groups.

Win2000 mixed – a DLG can contain: users/computers/GG from the domain of the DLG and from any trusted domain.
Win2000 native/Win2003 – DLG = Win2000 mixed + other DLG + UG

Microsoft recommends using a DLG only for containing other groups.

GG – container for users/computers.

Win2000 mixed – a GG can contain: users/computers from the same domain as the GG.
Win2000 native/Win2003 – GG = Win2000 mixed + other GG

UG – stored in the Global Catalog (modifications trigger forest-wide replication).

Microsoft recommends using a UG only for containing other groups.

UG (security) – does not exist in Win2000 mixed.
Win2000 native/Win2003 – UG (security) can contain users/computers/GG from any trusted domain, plus other UG.
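To make the DLG/GG/UG nesting rules above checkable, here is an added example (my own code, not from Microsoft or the exam material) that encodes them per functional level and walks an account → GG → DLG chain to find the first illegal nesting. The domain names and group names are constructed, every domain is assumed to be in one forest (so trusted), and the same-domain restriction on a nested DLG or GG is my assumption, since the post only says "other DLG" / "other GG".

```python
from dataclasses import dataclass

MIXED = "Win2000 mixed"
NATIVE = "Win2000 native/Win2003"

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str     # "user", "computer", "DLG", "GG" or "UG"
    domain: str   # all domains are assumed to be in one forest, hence trusted

def can_contain(container, member, level):
    """True if `container` may hold `member` at functional level `level`."""
    same_domain = container.domain == member.domain
    if container.kind == "DLG":
        if member.kind in ("user", "computer", "GG"):
            return True                # own domain or any trusted domain, even in mixed mode
        if level == NATIVE and member.kind == "DLG":
            return same_domain         # assumption: a nested DLG comes from the DLG's own domain
        return level == NATIVE and member.kind == "UG"
    if container.kind == "GG":
        if member.kind in ("user", "computer"):
            return same_domain         # a GG only takes accounts from its own domain
        if level == NATIVE and member.kind == "GG":
            return same_domain         # assumption: a nested GG comes from the same domain
        return False
    if container.kind == "UG":
        if level == MIXED:
            return False               # universal security groups do not exist in mixed mode
        return member.kind in ("user", "computer", "GG", "UG")
    return False                       # a user or computer cannot contain members

def first_violation(chain, level):
    """Walk a nesting chain outer -> inner; return the first bad (outer, inner) pair or None."""
    for outer, inner in zip(chain, chain[1:]):
        if not can_contain(outer, inner, level):
            return (outer.name, inner.name)
    return None

# Constructed sample forest: two domains, corp.example and sales.example
SHARE_READERS = Principal("Share-Readers", "DLG", "corp.example")   # gets the NTFS permission
SALES_STAFF = Principal("Sales-Staff", "GG", "sales.example")       # holds the accounts
ALICE = Principal("alice", "user", "sales.example")
BOB = Principal("bob", "user", "corp.example")
ALL_STAFF = Principal("All-Staff", "UG", "corp.example")

if __name__ == "__main__":
    # account -> global group -> domain local group -> permission
    print(first_violation([SHARE_READERS, SALES_STAFF, ALICE], NATIVE))   # None
    print(first_violation([SHARE_READERS, SALES_STAFF, BOB], NATIVE))     # ('Sales-Staff', 'bob')
    print(first_violation([ALL_STAFF, SALES_STAFF, ALICE], MIXED))        # ('All-Staff', 'Sales-Staff')
```

The second chain fails because bob is in corp.example but the GG lives in sales.example; the third fails because a universal security group is not available in mixed mode.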