A collection of user accounts. Groups simplify the task of network administration by allowing administrators to group similar user accounts together in order to grant them the same rights and permissions.
The scope of a group is the portion of the network where the group can be granted rights and permissions. For example, a group whose scope is global can be granted permissions to resources in its own domain and to resources in trusting domains. On the other hand, a group whose scope is local can be granted permissions to resources only on the machine where it was created.
On Microsoft Windows NT–based networks, groups are created using User Manager for Domains. Windows NT groups have two levels of scope:
The situation in Windows 2000 is a little different. First, you create Windows 2000 groups using Active Directory Users and Computers. Groups are stored as group objects within Active Directory. Also, there are two types of groups in Windows 2000–based networks:
These two types of groups are stored in Active Directory. There are three levels of scope for security groups in Windows 2000–based networks:
Users can belong to multiple groups at the same time. A group does not actually contain its member user accounts; it is merely a list of user accounts. Nesting of groups (adding groups to other groups) is allowed, with certain restrictions. For example, in Windows NT a local group can contain global groups (but not other local groups) as members, while a global group can contain only users as members, not other global or local groups.
Graphic G-7. Nesting of groups in Windows NT and in Windows 2000.
With Windows 2000, the nesting of groups is more complicated, as shown in the diagram. Furthermore, you can nest groups inside groups to any level, although nesting to one level is the recommended practice for effective administration.
Note that on Windows 2000–based networks, universal groups are available only when your domain controllers are running in native mode, not when they are running in mixed mode. Also, repeated nesting of groups is allowed only in native mode.
On member servers and computers running Windows 2000 Professional, you can also create a fourth type of group called a local group, one that exists only within the local security database of the machine on which it is created. Local groups in Windows 2000 are similar to local groups in Windows NT. They can contain user accounts that are local to the machine, and user accounts and global groups from their own domain. A local group can be granted permissions only to resources on the machine where it was created. You use Local Users and Groups, a snap-in for Microsoft Management Console (MMC), to create local groups on a machine.
On high-speed Windows 2000 networks, using only universal groups simplifies network administration. But if you have slower wide area network (WAN) links within your enterprise, using global and domain local groups can reduce the size of the global catalog at each site and significantly reduce the WAN traffic required to keep the global catalog current. Using global and domain local groups further reduces WAN traffic by reducing the size of users’ security tokens.
If your Windows 2000 network has only a single domain, use global groups and domain local groups for granting permissions to network resources. Create global groups according to function, add users to the global groups, create domain local groups according to groups of common resources, assign permissions to the domain local groups, and finally, place the global groups in the appropriate domain local groups. If you have a domain tree, use global and universal groups instead in a similar administrative approach.
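The single-domain procedure just described, carried out as an added example (not part of the original entry) with the ActiveDirectory PowerShell module instead of the Active Directory Users and Computers snap-in; the EXAMPLE domain, the OU path, the share path and every user and group name are constructed placeholders.

```powershell
# Added example: global groups by function, domain local groups by resource,
# permissions only on the domain local groups, then one level of nesting.
# Domain EXAMPLE, the OU, the share path and all names are placeholders.
Import-Module ActiveDirectory

$groupOU   = "OU=Groups,DC=example,DC=com"
$sharePath = "D:\Shares\Finance"

# 1. Global groups according to function (security type, global scope).
New-ADGroup -Name "Finance-Staff"    -GroupScope Global -GroupCategory Security -Path $groupOU
New-ADGroup -Name "Finance-Auditors" -GroupScope Global -GroupCategory Security -Path $groupOU

# 2. Users go into the global groups (placeholder sAMAccountNames).
Add-ADGroupMember -Identity "Finance-Staff"    -Members "alice", "bob"
Add-ADGroupMember -Identity "Finance-Auditors" -Members "carol"

# 3. Domain local groups according to the resource and the level of access it needs.
New-ADGroup -Name "FinanceShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
New-ADGroup -Name "FinanceShare-Read"   -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# 4. Permissions are assigned only to the domain local groups, never to users
#    or to the global groups directly, so the ACL stays small and stable.
$acl     = Get-Acl -Path $sharePath
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$none    = [System.Security.AccessControl.PropagationFlags]::None
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "EXAMPLE\FinanceShare-Modify", "Modify", $inherit, $none, "Allow")))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "EXAMPLE\FinanceShare-Read", "ReadAndExecute", $inherit, $none, "Allow")))
Set-Acl -Path $sharePath -AclObject $acl

# 5. Finally, place the global groups in the appropriate domain local groups
#    (a single level of nesting, as the entry recommends).
Add-ADGroupMember -Identity "FinanceShare-Modify" -Members "Finance-Staff"
Add-ADGroupMember -Identity "FinanceShare-Read"   -Members "Finance-Auditors"

# Check: expand each domain local group to see which accounts it really grants access to.
Get-ADGroupMember -Identity "FinanceShare-Modify" -Recursive | Select-Object Name, objectClass
Get-ADGroupMember -Identity "FinanceShare-Read"   -Recursive | Select-Object Name, objectClass
```

Run the final two lines periodically as a review step: any user who appears in a domain local group's recursive membership without belonging to the matching functional global group indicates a nesting or membership change that bypasses the intended structure.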
In Windows 2000, you can change the scope of a group if desired. For example,