group

Group (in computer networking) is a collection of user accounts that allows administrators to group similar user accounts together in order to grant them the same rights and permissions.

What is Group (in computer networking)?

A collection of user accounts. Groups simplify the task of network administration by allowing administrators to group similar user accounts together in order to grant them the same rights and permissions.

The scope of a group is the portion of the network where the group can be granted rights and permissions. For example, a group whose scope is global can be granted permissions to resources in its own domain and to resources in trusting domains. On the other hand, a group whose scope is local can be granted permissions to resources only on the machine where it was created.

On Microsoft Windows NT–based networks, groups are created using User Manager for Domains. Windows NT groups have two levels of scope:

  • Global groups:
    A global group can be granted permissions to resources in its own domain and to resources in trusting domains. A global group can contain user accounts only from its own domain. Global groups are created on Windows NT domain controllers and exist in the domain directory database.

     

  • Local groups:
    A local group created with Windows NT Workstation can be granted permissions only to resources on the machine where it was created. A local group created with Windows NT Server (on a domain controller) can be granted permissions only to resources on the domain controllers of its own domain. A local group can contain user accounts and global groups both from its own domain and from trusted domains. Network administrators of enterprise-level Windows NT networks can use a resource-access strategy called AGLP (Accounts are organized by placing them in Global groups, which are then placed in Local groups that have appropriate Permissions and rights assigned to them) to plan and implement local groups in their network.

     

The situation in Windows 2000 is a little different. First, you create Windows 2000 groups using Active Directory Users and Computers. Groups are stored as group objects within Active Directory. Also, there are two types of groups in Windows 2000–based networks:

  • Security groups:
    Can contain members and can be granted permissions in order to control user access to network resources. Windows 2000 security groups are similar in function to the Windows NT groups just described. However, in Windows 2000, these groups have three different levels of scope, rather than two. Also, security groups in Windows 2000 can contain users, other groups, and even computers.

     

  • Distribution groups:
    Used for nonsecurity functions such as grouping users together to send e-mail. Unlike security groups, these groups cannot be used to control user access to network resources.

     

These two types of groups are stored in Active Directory. There are three levels of scope for security groups in Windows 2000–based networks:

  • Universal groups:
    Can contain members from any domain and can be granted permissions to resources in any domain in the current domain forest. Universal groups can contain user accounts, global groups, and universal groups from any domain in the current forest. Note that you can create universal groups only when the domain is in native mode, and not in mixed mode.

     

  • Global groups:
    Can contain members only from their own domain, but can be granted permissions to resources in any trusting domain. When the domain is in native mode, global groups can contain user accounts and global groups from the same domain. When the domain is in mixed mode, these groups can contain only user accounts.

     

  • Domain local groups:
    Can contain members from any domain, but can be granted permissions only to resources in their own domain. However, unlike the local groups of Windows NT, a domain local group can be granted permissions to resources on all servers (both the domain controllers and member servers) in its domain. When the domain is in mixed mode, domain local groups can contain user accounts and global groups from any domain in the forest. When the domain is in native mode, they can also contain domain local groups from their own domain and universal groups from any domain in the forest.

     

NOTE

Users can belong to multiple groups at the same time. A group does not actually contain its member user accounts; it is merely a list of user accounts. Nesting of groups (adding groups to other groups) is allowed, with certain restrictions. For example, in Windows NT a local group can contain global groups (but not other local groups) as members, while a global group can contain only users as members, not other global or local groups.

Graphic G-7. Nesting of groups in Windows NT and in Windows 2000.

With Windows 2000, the nesting of groups is more complicated, as shown in the diagram. Furthermore, you can nest groups inside groups to any level, although nesting to one level is the recommended practice for effective administration.

Note that on Windows 2000–based networks, universal groups are available only when your domain controllers are running in native mode, not when they are running in mixed mode. Also, repeated nesting of groups is allowed only in native mode.

On member servers and computers running Windows 2000 Professional, you can also create a fourth type of group called a local group, one that exists only within the local security database of the machine on which it is created. Local groups in Windows 2000 are similar to local groups in Windows NT. They can contain user accounts that are local to the machine, and user accounts and global groups from their own domain. A local group can be granted permissions only to resources on the machine where it was created. You use Local Users and Groups, a snap-in for Microsoft Management Console (MMC), to create local groups on a machine.

TIP

On high-speed Windows 2000 networks, using only universal groups simplifies network administration. But if you have slower WAN links within your enterprise, using global and domain local groups can reduce the size of the global catalog at each site and significantly reduce the wide area network (WAN) traffic required to keep the global catalog current. Using global and domain local groups further reduces WAN traffic by reducing the size of users’ security tokens.

If your Windows 2000 network has only a single domain, use global groups and domain local groups for granting permissions to network resources. Create global groups according to function, add users to the global groups, create domain local groups according to groups of common resources, assign permissions to the domain local groups, and finally, place the global groups in the appropriate domain local groups. If you have a domain tree, use global and universal groups instead in a similar administrative approach.

In Windows 2000, you can change the scope of a group if desired. For example,

  • Global groups that are not members of other global groups can be converted to universal groups.
  • Domain local groups that do not contain other domain local groups can be converted to universal groups. Do this if you want to enable users in other domains to access resources that have been made accessible to the domain local group under consideration.