I’m doing training for this exam, and groups have always been kinda messed up for me, and I guess not just for me but for many of you too. So here it goes. I am writing this on the fly and making it as simple as I can.
Windows groups can be really fuzzy. At least for me they are, so in order to understand them I will explain them as I understand them, and I will try to make it as simple as I can.
Active Directory has 2 group characteristics: type and scope.
Types of groups: Distribution / Security
Group scopes: Domain Local / Global / Universal
So far all seems ok. The hard part comes when you have to design the AD structure: you have to follow a clear logic and understand which group can contain which, how you can use each of them, and in which network infrastructure.
So first of all, brief explanation of group types:
Distribution groups – used to distribute mails to members. CANNOT be used to assign permissions for resources.
Security groups – distribute mails + assign permissions.
Domain functional level – if you have older Windows Server versions on the network, you will have to set up a functional level:
Windows 2000 mixed – NT 4.0/5.0 + Win2000 DC + Win2003 DC (no security groups)
Win 2000 native – Win2000 DC + Win2003 (minimum level for security groups + group nesting)
Win 2003 – All features enabled.
Domain local groups = DLG
Global groups = GG
Universal groups = UG
DLG – used when assigning permissions or user rights. Other groups can be added to DLGs.
Win2000 mixed – DLG consist of: users/computers/GG from the domain of the DLG, and any trusted domain.
Win2000 native/Win2003 – DLG = Win2000 mixed + Other DLG + UG
Microsoft recommends DLG = usage only for containing other groups.
GG – container for users/computers.
Win2000 mixed – GG consist of: users/computers from the same domain of the GG.
Win2000 native/Win2003 – GG = Win2000 mixed + Other GG
UG – stored in the Global Catalog (modifications trigger forest-wide replication).
Microsoft recommends UG = usage only for containing other groups.
UG (security) – do not exist in Win2000 mixed.
Win2000 native/Win2003 – UG (Security) – can contain users/computers/GG from any trusted domain/UG
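Since the nesting rules above are easy to get wrong when you draw a group design on paper, here is a small checker that encodes them. This is an added example written for these notes, not a Microsoft tool; the group names, domain name and the AGDLP chain inside it are constructed, and one rule goes beyond the notes (DLG-in-DLG nesting is treated as same-domain only, marked as an assumption in the code). It lets you write down a planned set of groups and see which memberships or ACL assignments the functional level would reject.

```python
"""Checker for the AD group nesting rules summarised in the notes above.
Added example (not Microsoft's code). Rules follow the notes; the one
assumption beyond them is marked in a comment."""
from dataclasses import dataclass, field

MIXED = "Windows 2000 mixed"
NATIVE = "Windows 2000 native / Windows 2003"


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                    # "user", "computer" or "group"
    scope: str = ""              # for groups: "DLG", "GG" or "UG"
    category: str = "security"   # for groups: "security" or "distribution"
    members: list = field(default_factory=list)


def can_contain(container, member, level):
    """Return (ok, reason) for adding `member` to `container` at `level`."""
    same_domain = container.domain == member.domain
    scope = container.scope

    # Universal security groups do not exist at all in Windows 2000 mixed.
    if scope == "UG" and container.category == "security" and level == MIXED:
        return False, "universal security groups do not exist in Windows 2000 mixed"

    if member.kind != "group":
        if scope == "GG" and not same_domain:
            return False, "a GG may hold only users/computers from its own domain"
        return True, ""  # DLG and UG accept users/computers from any trusted domain

    ms = member.scope
    if scope == "DLG":
        if ms == "GG":
            return True, ""
        if level == MIXED:
            return False, "in mixed mode a DLG may nest only GGs"
        if ms == "DLG" and not same_domain:
            # Assumption beyond the notes: DLG-in-DLG nesting is same-domain only.
            return False, "a DLG may nest only DLGs from its own domain"
        return True, ""  # other DLG (same domain) or any UG
    if scope == "GG":
        if level == MIXED:
            return False, "in mixed mode a GG cannot nest groups"
        if ms == "GG" and same_domain:
            return True, ""
        return False, "a GG may nest only GGs from its own domain"
    if scope == "UG":
        if ms in ("GG", "UG"):
            return True, ""
        return False, "a UG may nest only GGs and UGs (never DLGs)"
    return False, f"unknown scope {scope!r}"


def can_assign_permissions(group):
    """Only security groups can be used in an ACL; distribution groups cannot."""
    return group.kind == "group" and group.category == "security"


def validate_design(groups, level, acl_groups=()):
    """Walk every group's member list and collect rule violations as strings."""
    problems = []
    for g in groups:
        for m in g.members:
            ok, why = can_contain(g, m, level)
            if not ok:
                problems.append(f"{g.name} -> {m.name}: {why}")
    for g in acl_groups:
        if not can_assign_permissions(g):
            problems.append(f"{g.name}: distribution groups cannot be used for permissions")
    return problems


def agdlp_example(level):
    """Constructed AGDLP design: user -> GG -> DLG -> permissions on a share."""
    alice = Principal("alice", "corp.example", "user")
    sales = Principal("Sales", "corp.example", "group", "GG", members=[alice])
    share_rw = Principal("FS01_Sales_RW", "corp.example", "group", "DLG", members=[sales])
    return validate_design([sales, share_rw], level, acl_groups=[share_rw])


if __name__ == "__main__":
    print("AGDLP in native mode:", agdlp_example(NATIVE) or "OK")
    print("AGDLP in mixed mode:", agdlp_example(MIXED) or "OK")
```

Running it shows why the classic AGDLP chain is the safe default: users in a global group, the global group in a domain local group, and the permission on the domain local group passes in both functional levels, while a GG nested in a GG or a universal security group fails in mixed mode, and a distribution group is flagged the moment you try to put it on an ACL.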