Networking computers is done to serve one purpose; to share resources. As you probably already know, resources can be anything from printers to files to internet access, and more.
In order to be able to govern the use of resources by your users you will need a way to assign permissions to these resources. Windows 2000 does this through the use of users and groups (as do all network operating systems). Groups do not *have* to be used, as permissions could be made on resources for individuals (rather than groups), however the administrative overhead of such a design is extremely high.
Let me use an example to clarify. Suppose that you have a user in a particular department in your company that transfers to another department. If you were not using groups to share out your resources, you would have to go and check all of the departmental resources that this user had access to prior to the transfer and remove those permisssions.
Now, suppose that you had been using groups to share out network resources. All that you would have to do at this point is to remove that user from the group or groups that have access to said resources and you would be accomplishing the same thing. This (usually) has a much lower administrative overhead than assigning user access on each resource.
In order to effectively administer a Windows 2000 network, you will need to have a firm grasp on what groups are, what can be done with groups, and the differences between the types of groups.
With regard to Windows 2000, there are two main types of groups. The first would be groups that are objects in Active Directory. These groups affect network resources in a Windows 2000 environment. The second type of group is the local group. This group affects local resources (resources on a single machine) in much the same way that Active Directory affects network resources.
In other words, a user can belong to the local administrator’s group on a machine and would have full access to everything on that machine. This same user, however, would not necessarily have administrative rights in Active Directory. In fact, this user’s account may not even exist anywhere but locally.
On the other hand, users can belong to as many groups as you like, both local and Active Directory integrated. For the remainder of today’s discussion, any references to groups will mean Active Directory groups, not local groups.
Users are not the only objects that can belong to a group. Machines, other groups and contacts can all belong to groups.
I would like to point out an area of confusion here. Nesting of groups (i.e. making one group a member of another group) is only fully possible in a Windows 2000 domain that is running in Native Mode. Native Mode is the term used to refer to a domain that does not have any domain controllers that are not Windows 2000 domain controllers.
In Active Directory, there are two types of groups. There are security groups and distribution groups. With regards to assigning permissions, security groups are the only one of these two types of groups to which you can assign permissions.
Distribution groups can contain computers as their only objects and can be used primarily for software distribution (go figure!). Distribution groups can also be used for sending emails, etc… to individuals that make up a distribution group, as well. Regardless, my point here is that distribution groups are not used to assign permissions to network resources.
When you create a security group, you will have to define that groups scope. There are three group scopes to choose from- global, domain local, and universal.
Global scope, with regard to a security group, refers to the ability to assign permissions on network resources accross domains. This can be misleading in that members of a global group have to be members of the domain in which the global group is created, however permissions can be assigned to resources outside of the domain that the global group was created in. What this effectively allows you to do is to control network resources globally for users that are members of the same domain. Only global groups from the same domain and user accounts from the same domain can belong to a global group.
Domain local groups can be thought of as the inverse of global groups. Domain local groups are used to share resources in a single domain with users from anywhere in the enterprise. Domain local groups can be comprised of other domain local groups in the same domain, global groups from any domain, universal groups from any domain, and/or individual user accounts from any domain.
Universal groups, which can only exist in Windows 2000 Native Mode networks, are security groups that act as a combination of global groups and domain local groups. In other words, universal groups can have members from any domain and can assign permissions to resources in any domain. Be very careful using universal groups. Although they may be the easiest solution to implement, universal groups have a very high network overhead that can bog a network down very quickly.
That about covers the types of groups available with Windows 2000. In our next issue, we will take a look at planning a group strategy.
Jay Fougere is the IT manager for the Murdok network. He also writes occasional articles. If you have any IT questions, please direct them to Jay@https://murdok.org.
