Managing Groups

Active Directory groups are objects that may hold users, contacts, computers, or other groups. When you want to manage users, computers, and other resources, such as files, directories, printers, network shares, and e-mail distribution lists, using groups can decrease administration time and improve network performance.

Understanding Groups

Types of groups and group scope are essential topics in planning and managing an efficient network. Planning an environment that uses Active Directory and groups is critical—failing to plan or taking shortcuts could negatively affect network traffic and create more administrative work in the long run. There are two types of groups and three group scopes.

Group management has been enhanced with two new features for universal groups. Before Windows Server 2003, all changes to universal groups would be replicated to all global catalog servers across the enterprise. Thus, if you used universal groups on your network, and you had slow network connectivity between global catalog servers, careful implementation of universal groups was crucial to preventing slow network throughput. To alleviate this possible bottleneck in network traffic, Microsoft has enhanced universal groups with caching of universal group membership and global catalog replication.

Caching universal groups may be useful in a Windows Server 2003 domain when the functional level is set to Windows 2000 Native functional level. You configure caching of a universal group when Active Directory sites are widely scattered geographically or connected by slow network and you want to minimize network traffic and increase logon efficiency and authentication. For instance, suppose you have a small remote office that has a slow wide area network (WAN) connection to the main office. Instead of the users having to connect to a domain controller in the main office, a domain controller can be configured in the remote office to cache the universal groups. This way you do not have to have the global catalog on the remote domain controller. When someone logs on in the remote office, the process uses cached logon credentials on the remote domain controller. By default, this cached data is refreshed every eight hours.

To improve dependability and performance, Microsoft has made some primary changes in replication and synchronization of Active Directory data. Within groups, all group membership data is no longer replicated between global catalog sites when group members are added, deleted, or changed. Rather, only the changed group member data is replicated. This helps reduce network traffic and also lowers the amount of required processing.

Types of Groups

There are two types of groups used in Windows Server 2003: security groups and distribution groups.

  • Security groups are used to control access to resources. This is the kind of group you will probably use most often, and it may already be familiar. Security groups are listed in Discretionary Access Control Lists (DACLs). DACLs are part of an object's descriptor and are used to define permissions on objects and resources.

  • Distribution groups are used for unsecured e-mail lists. Distribution lists do not use the functionality of the DACL permissions that security groups do. Distribution groups are not security-enabled but can be used by e-mail servers such as Microsoft Exchange Server.

Understanding the Scopes of Groups

Windows Server 2003 uses three types of groups: domain local, global, and universal. Each of these groups has a different scope that determines the types of objects that can be included as members of a group and the permissions and rights those objects can be granted. In practice, you will almost always use security groups, because they include distribution group functionality and are the only types of groups that have DACLs.

Domain Local Groups. Consider using domain local groups first when you are giving groups or users access to local domain resources. For instance, if you have a domain named northwind.com and you want users or groups in that local domain to access a shared folder in the northwind.com local domain, you could create a domain local group called SalesPersons, insert in the SalesPersons group the users and global groups you want to give access to the shared folder, and then assign the SalesPersons group permissions on the resource.

Access policies for domain local groups are not stored in Active Directory. This means that they do not get replicated to the global catalog and thus queries performed on the global catalog will not return results from domain local groups. This is because domain local groups cannot be determined across domains. Domain local groups are analogous to local groups in Windows NT when used in Windows 2000 Mixed functional level.

Global Groups. Use global groups to give users or groups access to resources according to how they have been organized. For instance, users from the Marketing or Development departments could be put in separate global groups in order to simplify administration of their need to access resources like printers and network shares.

Global groups behave differently depending on the functional level of your domain. In Windows 2000 Mixed functional level, global groups can only be put into the security descriptors of objects that are in the same domain. In Windows 2000 Native functional level, global groups can be nested in order to grant access to any domain in the forest.

Universal Groups. Universal groups have very few fundamental restrictions. Universal groups are available only in Windows 2000 Native functional level or higher. Universal groups can be a tempting shortcut for administrators to use, because they can be used across domains in the forest. Memberships in universal groups can be drawn from any domain, and permissions can be set within any domain. However, using universal groups as your main method of grouping users, groups, and computers has a significant caveat.

Universal groups are stored in the global catalog, and whenever changes are made to a universal group, it must be replicated to other domain controllers configured as global catalog servers. For networks with slow network links, judicious use of universal groups to prevent network bottlenecks or slowed performance during authentication and global catalog changes is essential to reduce administrative and ownership costs.

Which Group Scope Should You Use? There is a strategy in choosing when to use a group scope and which group scope to use. A common strategy is to organize user accounts into logical groups based on the permissions they need to access specific resources. In a business model, this often can be determined according to the department the user belongs to. For instance, the Development department of a software business may put all their developers in a Dev group, and then assign permissions to a network share to the Dev group. On the other hand, in a Windows Server 2003 environment it becomes more complex than this, because there are different scopes for groups. Furthermore, groups may contain not only users, but also computers and even other groups, and can be nested to any scale.

Some important constraints on group scope in Windows Server 2003 include the following:

  • Universal groups are available only in Windows 2000 Native functional level or higher.

  • Universal groups are stored in the global catalog and replicated across the network. However, Windows Server 2003 has new features that allow caching of the global catalog and replication of only the changes in it.

  • When the domain functional level is in Windows 2000 Mixed functional level, global groups can be included in an object's security data structure only if that object is in the same domain as the global group. In Windows 2000 Native functional level or higher, global groups can be nested in order to grant access to any domain in the forest.

  • Domain local groups cannot be processed in other domains.

Group scope functionality and limitations include member inclusion and permissions. Table 37-4 lists how the three scopes function.

Table 37-4. How Group Scope Functions Using Windows Server 2003 Domain Functional Levels

  Group          Member Inclusion                                        Permissions
  Universal      You can include users, computer accounts, global        Within any domain, universal groups can be added to
                 groups, and universal groups from any domain.           other groups and granted permissions.
  Global         You can put any user or computer account, or other      Global groups can be added to other global groups in
                 global groups from the same domain, in a global group.  any domain in the forest and assigned permissions.
  Domain local   Same as universal groups, but you can also include      Domain local groups can be added only to other domain
                 domain local groups from the same domain.               local groups in the same domain and assigned permissions.

In Native mode, Windows Server 2003 groups have nesting limitations that are dependent on the group scope. Limitations for nesting are listed in Table 37-5.

Table 37-5. Group Scope Nesting in Windows 2000 Native Functional Levels

  Group Type     Can Nest in Universal?   Can Nest in Global?             Can Nest in Domain Local?
  Universal      No                       Yes                             Yes
  Global         Yes                      Yes (only in the same domain)   Yes
  Domain local   No                       No                              No

Why Use Domain Local Groups? Domain local groups are used when you want to give users, computers, or specific groups access to resources in a single local domain. In a domain local group, you can include other domain local groups with domain local scope, global groups, or universal groups. You can also include single accounts in the domain local group. However, including single user accounts can increase the amount of administration for you instead of reducing it, so unless management has specifically requested a special permission, this may not be the best route.

A common scenario for using domain local groups is to provide access to printers for members of a department (such as the Developers department).

In this scenario, you would use Active Directory Users And Computers:

  1. Create a domain local group by right-clicking an OU, and then selecting New, Group.

  2. Assign permissions to use the printer by adding the new domain local group to the printer: open Control Panel, Printers and Faxes, right-click the printer and select Properties, select the Security tab, and then add the domain local group.

  3. Create a global group.

  4. Add the user accounts from the Development department to the global group.

  5. Add the global group to the domain local group you created at the beginning.

This way, if you ever add a new printer, all you have to do is add access to it in the domain local group, and the Developers automatically get access because their global group is part of the domain local group.

If a new domain is added, all you have to do to give the people in the new domain access to the printer is add the new global groups from the new domain to the domain local group.

Why Use Global Groups? An important aspect of global groups is that they are not replicated outside their own domain. They are not part of the global catalog replication. Thus, you should use global group membership for objects that need frequent maintenance or modification. These changes will not be replicated across your network and thus will not slow network traffic over slow links. Therefore, a main reason to use global groups is to organize users with similar needs within a domain to give them access to resources. For instance, suppose you have two domains, one in the United States, the other in India. In each domain you have developers. Because your business model requires that neither group of developers needs access to the other's source code, you could create two global groups, USADev and IndiaDev, and give the global groups permissions to different source code shares.

Why Use Universal Groups? Using universal groups extends this idea so that users in groups from different domains can access the same resources without incurring the global catalog replication traffic that frequent universal group membership changes would cause. By creating a universal group and adding global groups to it, you can give users from different domains in the forest access to the same resource. For instance, in the above scenario, a third group could be created for the developers, called UniDev. This would be a universal group to which you would add both global groups, USADev and IndiaDev, and assign permissions to perhaps even a second network share of source code that both groups of users must access. This is a good strategy, because if you add new user accounts to the global groups, the changes are not replicated to the global catalog and little if any impact on network traffic is incurred. However, be careful about changing memberships of universal groups, because those changes are replicated across all links to other domain controllers configured as global catalog servers.
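The printer procedure above and the USADev/IndiaDev/UniDev scenario, scripted together as an added example that is not code from the book. It assumes the ActiveDirectory PowerShell module (shipped with RSAT and Windows Server 2008 R2 or later, not with Windows Server 2003), the northwind.com domain from the text, an assumed child domain india.northwind.com, and constructed OU paths and user names.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module,
# the root domain northwind.com (from the text), an assumed child domain
# india.northwind.com, and constructed OU paths and user accounts.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=northwind,DC=com'            # assumed OU
$indiaOu = 'OU=Groups,DC=india,DC=northwind,DC=com'   # assumed OU
$indiaDc = 'india.northwind.com'                      # assumed child domain

# --- Printer procedure: domain local group on the resource, global group for the people ---
# Step 1: domain local group that will carry the Print permission
New-ADGroup -Name 'Printer-Dev-Print' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description 'Granted Print on the Development printers'
# Step 2 (adding Printer-Dev-Print to the printer's ACL) is done on the printer's Security tab.
# Step 3: global group for the department
New-ADGroup -Name 'Developers' -GroupScope Global -GroupCategory Security -Path $ou
# Step 4: department users (constructed sample accounts)
Add-ADGroupMember -Identity 'Developers' -Members 'alice', 'bob'
# Step 5: nest the global group in the domain local group
Add-ADGroupMember -Identity 'Printer-Dev-Print' -Members 'Developers'

# --- USADev / IndiaDev / UniDev: per-domain global groups inside one universal group ---
$usaDev   = New-ADGroup -Name 'USADev' -GroupScope Global -GroupCategory Security -Path $ou -PassThru
$indiaDev = New-ADGroup -Name 'IndiaDev' -GroupScope Global -GroupCategory Security `
    -Path $indiaOu -Server $indiaDc -PassThru
# Universal scope requires Windows 2000 Native functional level or higher
$uniDev   = New-ADGroup -Name 'UniDev' -GroupScope Universal -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $uniDev -Members $usaDev, $indiaDev

# Day-to-day churn goes into the global groups, which are not replicated to the
# global catalog; UniDev's own member list stays stable.
Add-ADGroupMember -Identity $usaDev -Members 'carol'

# Check: the flattened membership is what a resource ACL actually sees
Get-ADGroupMember -Identity 'Printer-Dev-Print' -Recursive | Select-Object Name, objectClass
Get-ADGroupMember -Identity $uniDev -Recursive | Select-Object Name, objectClass

# Check: confirm scope and type before assigning permissions
Get-ADGroup -Filter 'Name -like "*Dev*"' | Select-Object Name, GroupScope, GroupCategory
```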

Creating a Group

You may create groups in the Users container or in a new OU that you have created in the domain. To create a group, start Active Directory Users And Computers. Right-click the Users container or the OU in which you want to place the group, point to New, and then select Group. This displays the New Object–Group dialog box shown in Figure 37-17. Type a group name, and then select Group Scope and Group Type. Afterward, click OK to create the group.

Figure 37-17. Creating a group

In Windows 2000 Native and Windows Server 2003 domain functional levels, you have three group scopes and two group types you can select from (Universal scope is not available in Mixed mode). This allows you to create six different combinations of groups. You must be a member of the Account Operators, Domain Admins, or Enterprise Admins group to create new groups.

Note

The built-in accounts for Active Directory in Windows Server 2003 are located in two places. The built-in domain local groups such as Administrators, Account Operators, and Backup Operators, are located in the Builtin container. Built-in global groups such as Domain Admins and Enterprise Admins are located in the Users container.

Adding Members to Groups

The easiest way to add users to a group is to right-click the user in the details pane of Active Directory Users And Computers, and then select Add To A Group. The Select Group dialog box appears and you can select the group of which the user is to become a member. You can also get to the same dialog box by right-clicking on the user name, selecting Properties, and then choosing the Member Of tab and clicking Add.

Tip

To add multiple users to a group, select more than one user, using Shift+click or Ctrl+click, and follow the same steps.

If you want to add both users and groups as members of a group, you can do this by performing the following steps:

  1. Double-click the group entry in Active Directory Users And Computers. This opens the group's Properties dialog box.

  2. On the Members tab, click Add to add accounts to the group.

  3. Use the Select Users, Contacts, Computers, Or Groups dialog box to choose users, computers, and groups that should be members of the currently selected group. Click OK.

  4. Repeat steps 2 and 3 as necessary to add additional users, computers, and groups as members.

  5. Click OK.

Deleting a Group

Deleting a group is as simple as right-clicking the group name within Active Directory Users And Computers, and then selecting Delete. You should be very careful when deleting groups because, though it does not delete the user accounts contained by the group, the permissions you may have assigned to the group are lost and cannot be recovered by merely recreating the group with the same name.

Caution

The permissions on groups are internally characterized within Active Directory by unique SIDs that are allocated when the group is created. If you delete a group and then recreate it, it will have a new SID and thus new permissions.
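An added example (not from the book) that makes the SID point above visible and then checks a share for the orphaned entries a deleted group leaves behind. It assumes the ActiveDirectory module, a constructed group name, OU path and share path.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module, a
# constructed test group 'Developers' in a constructed OU, and a constructed
# share path D:\Shares\Dev.
Import-Module ActiveDirectory

# Record the group's SID, delete it, recreate it under the same name, compare
$before = (Get-ADGroup -Identity 'Developers').SID.Value
Remove-ADGroup -Identity 'Developers' -Confirm:$false
New-ADGroup -Name 'Developers' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=northwind,DC=com'
$after = (Get-ADGroup -Identity 'Developers').SID.Value
"Old SID: $before"
"New SID: $after"   # differs; any ACE granted earlier still names the old SID

# Return the ACEs on a folder whose SID no longer resolves to an account.
# Get-Acl shows such an entry as a raw S-1-5-21-... value instead of DOMAIN\Name.
function Find-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Works whether the reference is already resolved (NTAccount) or a bare SID
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        try {
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $sid.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

# Scan the share and its first-level folders for entries that no longer map to a group
Get-ChildItem -Path 'D:\Shares\Dev' -Directory | ForEach-Object { Find-OrphanedAce -Path $_.FullName }
Find-OrphanedAce -Path 'D:\Shares\Dev'
```

Orphaned entries reported here are the permissions the Caution refers to; they must be re-granted to the new group, since the recreated group's SID never matches them.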

Modifying Groups

There are a number of modifications, property changes, and management procedures you may want to apply to groups. You can change the scope, the members and other groups contained in the group, move a group, delegate management of a group, and send mail to a group.

Find a Group

When you have a substantial number of groups, you can use the Find function to locate the one you need to manage. Just right-click the domain or OU, and then select Find. In the Find Users, Contacts, And Groups dialog box, you can specify what type of object to find, change the starting point, or structure a search query from the available tabs. Once the query has run, many administrative or management functions can be performed on the objects returned in the results window.

Managing the Properties of Groups

When you double-click a group name in Active Directory Users And Computers, the Group Properties dialog box appears. You can configure the following six areas or functions:

  • General. You change the description or group e-mail address here. In addition, you may be able to change the type of group or the scope of the group. When in Windows Server 2003 domain functional level, there are limitations on changing group scope, as shown in Table 37-6.

    Table 37-6. Group Scope Conversions in Windows Server 2003 Domain Functional Level

    Scope of Group   Can be Converted to Universal   Can be Converted to Global   Can be Converted to Domain Local
    Universal        NA                              Yes                          Yes
    Global           Yes                             NA                           No
    Domain local     Yes                             No                           NA

  • Members. You can list, add, and remove group members.

  • Member Of. Lists the groups the current group is a member of. These can be domain local groups or universal groups from the local domain, or universal groups from other domains in the current domain tree or forest.

  • Managed By. Add, clear, or modify the user account you want to make responsible for managing this group.

  • Object. View the canonical name of the group object. This tab is visible only in Advanced view. To access Advanced view, select Advanced Features from the View menu in Active Directory Users And Computers.

  • Security. Used to configure advanced permissions for users and groups that can access the group object in Active Directory. This tab is visible only in Advanced view.

Modifying Other Group Settings

You can modify other group settings using Active Directory Users And Computers. You can perform the following tasks:

  • Move a Group. To move a group, right-click it, and then select Move. The Move dialog box appears, allowing you to select the container to which you want to move the group. Alternatively, you can drag the group icon into a new container. You can also select multiple groups to move by holding Ctrl while clicking each group, or by holding Shift and selecting the first and last group.

  • Rename a Group. Right-click the group name, and then select Rename. Type the new group name, and then press Enter. Multiple group selection is disabled for this function.

  • Send Mail to a Group. Right-click the group name, and then select Send Mail. An error will occur if no e-mail address has been configured on the General tab of Group Properties. Otherwise, the default mail client will be used to open a new mail message addressed to the group, which you can complete and send.

Note

Moving or renaming groups can alter the Effective Permissions of users and groups in unpredictable ways. With this in mind, you may want to check the Effective Permissions for member users and groups to ensure that the permissions are as expected.
