http://www.askthemct.com/2008/01/20/groups-groups-and-more-groups/


Domain Local Groups, Global Groups, Universal Groups, Accounts and Permissions, oh my; so you installed Active Directory, and now you want to know what all the fuss is about. By now you’ve heard time and time again that it’s a “best practice” to put your users in groups and apply permissions to those groups, or was it the groups those groups were nested in? I know what you’re thinking, and yes, it can be confusing at times, so let’s make it simple. I’m going to tell you a few key factors that will both help you pass a certification exam and teach you the fundamentals of group nesting for your Active Directory environment. We’ll start with the rules.
Rule 1: To use Universal Groups Active Directory’s Functional Domain model must be at least Windows 2000 Native.
Rule 2: If rule number one is true then you also gain the ability to self-nest. (Global Groups in Global Groups, Domain Local Groups in Domain Local Groups, etc.)
Rule 3: AGULP will set you free. (But we’ll get to that in just a minute)
First things first; we need to understand the differences between the three group scopes and the two group types. You can have either a Distribution or a Security group type, both of which can be used for email distribution, but only the Security group type carries a unique Security Identifier (SID), which basically means permissions for resources can be applied to it, just like any computer or user account. That’s all the mystery there is to group types, and as for the three scopes, it isn’t much more difficult. To understand these groups we also need to understand their members and their usage. This can be done quite simply with quick definitions of who goes where and where a group can be used.
I’ll begin by first spelling it out, then explaining in shorthand what I mean. Domain Local Groups can be used only in the Domain they exist in, but can receive their members from anywhere in the Active Directory Trusted Locations. (AD Trusted Locations would typically only be the Domains within your single AD Forest, unless you have multiple forests.) Global Groups are the complete opposite of Domain Local Groups, as they receive their members only from the Domain they exist in and can be used anywhere in the AD Trusted Locations, whereas Universal Groups are the best of both worlds in that they can receive their members from any Trusted Domain and be used in any Trusted Domain. I use the term members instead of users because technically a Group’s membership can contain Users, Computers or other Security Groups. That’s the secret to groups; now, to demystify it a little more, let me show you quickly what I just said and then we will discuss AGULP and its basis for helping you understand group nesting.

  • Domain Local Groups: (DL)
    • Members From Anywhere
    • Used in Local Domain

  • Global Groups: (GG)
    • Members From Local Domain
    • Used Anywhere

  • Universal Groups: (UG)
    • Members From Anywhere
    • Used Anywhere


Now that we seem to have a firm grasp on what goes in groups and where groups can be used, let’s talk about the best practices for using groups to give users permissions to access the resources in your environment. We will use an example of sharing access to a Network Based Printer shared through the Active Directory Infrastructure. Typically it is a “best practice” to collect the users who need common resources into Security Global Groups in each Domain. For example, if you had a Sales Department, logic would dictate that they need many of the same drive shares, SharePoint access, databases, printers, etc., so we create a Security Global Group called “GG Sales Users” for the members of our Sales Team. (It’s a good practice to name your groups with their scope for easy identification, along with what they’re for or who/what they contain; in this case GG stands for Global Group and Sales Users tells me who it contains.) You would continue this practice for each department or function of your business.
So in our example we purchased a brand new HP LaserJet 4700n Series Network Based Printer for our Sales Team and possibly other Departments as well. We need to give the Sales Team access to this Printer. Now, for this particular article I’m not going into Printer Permissions and Sharing, so we will only focus on the groups we will create and add to this Printer for the “Print Permission.” I’ve already established that we have, in our sample environment, a Global Group for the Sales Team, and while I could simply give that group access to this HP Printer, I will not, because I want to make certain that in the future, when I wish to add more Departments to the list of approved users of the device, it will be easy to do so. In this case I’ll stick to my “Best Practices” and create a Domain Local Group called “DL HP 4700n Print.” Notice that I used the term Print and not Printer, because in this case I plan to use the Domain Local Group to apply the Print Permission only, not the Manage Documents or Manage Printers Permissions, so the group specifies its purpose precisely.
Once I’ve created that Domain Local Group and applied the Print Permission to it for the HP LaserJet 4700n Printer, all I need to do is nest (add a group as a member) the Global Group GG Sales Users. In this example, if I later needed to add the Marketing Department users to the approved users who can print to this device, I would only need to nest the GG Marketing Users group.
The nesting methodology AGULP isn’t necessarily new and is often referred to as AGUDLP, but I find it easier to remember AGULP for instructional purposes in my classes. So what is AGULP and how will it help me understand group nesting? The term AGULP is a simple way to help you remember how all of this really works.
AGULP is Accounts, Global Groups, Universal Groups, Domain Local Groups and Permissions, and the arrows in the AGULP diagram are there to help explain group nesting. As you go down the list, groups nest, but it only goes one way. Accounts can be members of Global Groups, Universal Groups or Domain Local Groups; Global Groups can nest inside Universal Groups or Domain Local Groups because both fall below them on the AGULP diagram. Domain Local Groups cannot be nested inside a Universal Group or a Global Group because that would be going the wrong way, and the reason why is actually quite simple.
If you go back and read the definitions of each Group Scope you will see, for example, that the members of a Domain Local Group can come from anywhere, but the members of a Global Group can only come from its local Domain, so nesting a Domain Local Group in a Global Group would simply not be possible.
If we always assign permissions to our resources through Domain Local Groups and, by that same methodology, assign membership of our Global Groups by function or department, the management of access to the resources we administer will become more efficient and hopefully give us all far fewer headaches.
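The printer walkthrough and the AGULP nesting rules above, modelled as a small checker. This is an added example, not code from the article or from askthemct.com; the domain name, account names and the extra rule that a Domain Local Group may only nest Domain Local Groups from its own domain are assumptions (the last one is standard AD behaviour the article does not spell out).

```python
# Added example (not from the original article): a model of the group-scope
# and AGULP nesting rules. Domain and account names are constructed.
from dataclasses import dataclass, field

# Where each scope may draw members from, and where the group may be used.
MEMBERS_FROM = {"DL": "anywhere", "GG": "local", "UG": "anywhere"}
USED_IN = {"DL": "local", "GG": "anywhere", "UG": "anywhere"}
# AGULP order: a principal may only be nested into a group at the same or a
# later position (Rule 2 allows same-scope self-nesting).
AGULP = ["Account", "GG", "UG", "DL"]


@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "Account"          # "Account", "GG", "UG" or "DL"
    members: list = field(default_factory=list)


def can_add_member(group: Principal, member: Principal) -> bool:
    """Scope rules from the article, assuming all domains are in one forest."""
    if AGULP.index(member.scope) > AGULP.index(group.scope):
        return False                # wrong direction, e.g. a DL inside a GG
    if MEMBERS_FROM[group.scope] == "local" and member.domain != group.domain:
        return False                # GG members must come from the GG's own domain
    if group.scope == "DL" and member.scope == "DL" and member.domain != group.domain:
        return False                # assumption: DL-in-DL nesting is same-domain only
    return True


def add_member(group: Principal, member: Principal) -> None:
    if not can_add_member(group, member):
        raise ValueError(f"cannot nest {member.scope} {member.name} in {group.scope} {group.name}")
    group.members.append(member)


def can_grant(group: Principal, resource_domain: str) -> bool:
    """A DL group can only carry permissions on resources in its own domain."""
    return USED_IN[group.scope] == "anywhere" or group.domain == resource_domain


def effective_accounts(group: Principal) -> set:
    """Expand nested membership to the accounts that inherit the permission."""
    out = set()
    for m in group.members:
        out |= {m.name} if m.scope == "Account" else effective_accounts(m)
    return out


def printer_example() -> set:
    corp = "corp.example"           # constructed domain name
    gg_sales = Principal("GG Sales Users", corp, "GG")
    gg_mkt = Principal("GG Marketing Users", corp, "GG")
    dl_print = Principal("DL HP 4700n Print", corp, "DL")  # holds the Print permission
    add_member(gg_sales, Principal("alice", corp))
    add_member(gg_mkt, Principal("bob", corp))
    add_member(dl_print, gg_sales)  # Sales gets Print via the DL group
    add_member(dl_print, gg_mkt)    # later: Marketing added by nesting one more GG
    return effective_accounts(dl_print)
```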