University of Colorado at Boulder    
UCB Windows 2000 Resource Center
Groups and Group Usage in the UCB AD

This document reviews the types of groups available in Active Directory and their suggested use at UCB. Group options are affected by the "mode" of an Active Directory; the UCB AD is in "native mode", and the following information reflects this status.

AD Group Types and Nesting

The two major classes of groups in Active Directory are security groups and distribution groups. Distribution groups are generally used only for group e-mail with products like MS Exchange. Security groups can also act as distribution groups.
There are three scopes of security groups in an Active Directory. The chart below (from msdn.microsoft.com/library/en-us/netdir/ad/scope_of_groups.asp) outlines the major differences, including which groups can be nested within others:

Scope: Universal
  Members: From any Windows NT/Windows 2000 domain in the forest: Universal Groups, Global Groups and users (including contacts) from any domain in the forest.
  Grant Permissions: On any domain in the forest.
  Member of Other Groups: Can be a member of the following groups in the forest: Local Groups and Universal Groups.

Scope: Global
  Members: Only from the domain containing the group: Global Groups, Universal Groups, and users (including contacts) from the domain containing the group.
  Grant Permissions: On any domain in the forest.
  Member of Other Groups: Can be a member of any group in the forest: Global Groups, Local Groups, and Universal Groups.

Scope: Domain Local
  Members: From any domain in the forest: Global Groups, Universal Groups, and users (including contacts) from any domain in the forest; Domain Local groups from the domain containing the group.
  Grant Permissions: Only on the domain containing the group.
  Member of Other Groups: Can only be a member of Local Groups in the domain containing the group.

Group Usage

Since most departments will only need to deal with users and resources in a single domain, any of the group types will fulfill most needs. One point to pay attention to is the rules for nesting groups within other groups. Nesting can be a very useful feature, and the rules vary greatly with group type. Using only a single group type ensures that all of your groups will be able to nest within each other.

Departments with child domains will have to pay particular attention to group types in order to join users from the parent domain. Domain Local groups are the first choice for such a role, but Universal groups can be used if the group will also be used to grant access to resources in the parent domain.

Because of the additional burden they place on replication, ITS recommends against using Universal groups unless necessary.

Groups created by ITS (like the OU administrator groups) will be Global groups to allow the greatest flexibility in joining them to your own groups.
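The nesting rules in the scope chart are easy to misremember, so the following added example (not ITS code, and not part of the original page) encodes the chart's Members column as a lookup and wraps it in two functions: Test-GroupNesting answers "may a group of scope X be added to a group of scope Y?" for the same-domain and cross-domain cases, and Test-ADGroupNesting applies that check to two existing groups read with the ActiveDirectory PowerShell module (an assumption; that module did not exist in the Windows 2000 era). The Global row is encoded as Global groups and accounts from the same domain only, which is what Active Directory actually accepts; the chart's mention of Universal groups as members of a Global group is not encoded. The group names in the usage lines are placeholders.

```powershell
# Added example, not from the UCB ITS page. Scope names match the values of
# Get-ADGroup's GroupScope property (DomainLocal, Global, Universal); 'User'
# stands for user and contact objects.

# Allowed member scopes per containing-group scope, derived from the chart's
# Members column, split by whether the member lives in the same domain as the
# containing group (the forest is assumed to be in native mode, as at UCB).
$NestingRules = @{
    'Universal'   = @{ SameDomain  = @('Universal', 'Global', 'User')
                       CrossDomain = @('Universal', 'Global', 'User') }
    'Global'      = @{ SameDomain  = @('Global', 'User')          # same domain only
                       CrossDomain = @() }
    'DomainLocal' = @{ SameDomain  = @('DomainLocal', 'Global', 'Universal', 'User')
                       CrossDomain = @('Global', 'Universal', 'User') }   # no Domain Local from elsewhere
}

function Test-GroupNesting {
    # Returns $true when a member of scope $MemberScope may be added to a
    # group of scope $TargetScope, given whether both are in the same domain.
    param(
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal', 'User')][string]$MemberScope,
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')][string]$TargetScope,
        [Parameter(Mandatory)][bool]$SameDomain
    )
    $allowed = if ($SameDomain) { $NestingRules[$TargetScope].SameDomain }
               else             { $NestingRules[$TargetScope].CrossDomain }
    return ($allowed -contains $MemberScope)
}

function Get-DomainDn {
    # The domain a directory object belongs to is the DC= tail of its DN.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    if ($DistinguishedName -match '(DC=.*)$') { return $Matches[1] }
    throw "No DC= component in '$DistinguishedName'"
}

function Test-ADGroupNesting {
    # Looks up two existing groups and reports whether the first may be nested
    # in the second. Requires the ActiveDirectory module (assumption).
    param(
        [Parameter(Mandatory)][string]$MemberGroup,
        [Parameter(Mandatory)][string]$TargetGroup
    )
    $m = Get-ADGroup -Identity $MemberGroup
    $t = Get-ADGroup -Identity $TargetGroup
    $same = (Get-DomainDn $m.DistinguishedName) -eq (Get-DomainDn $t.DistinguishedName)
    $ok = Test-GroupNesting -MemberScope ([string]$m.GroupScope) `
                            -TargetScope ([string]$t.GroupScope) `
                            -SameDomain  $same
    [pscustomobject]@{
        Member      = $m.Name
        MemberScope = $m.GroupScope
        Target      = $t.Name
        TargetScope = $t.GroupScope
        SameDomain  = $same
        Allowed     = $ok
    }
}

# Pure rule checks (no directory access):
Test-GroupNesting -MemberScope Global -TargetScope Global      -SameDomain $false   # False: why child-domain users cannot join a parent Global group
Test-GroupNesting -MemberScope Global -TargetScope DomainLocal -SameDomain $false   # True: the chart's first choice for cross-domain access
Test-GroupNesting -MemberScope DomainLocal -TargetScope DomainLocal -SameDomain $false   # False: Domain Local nests only within its own domain

# Against the directory (placeholder group names):
Test-ADGroupNesting -MemberGroup 'ITS Networking group users' -TargetGroup 'ITS Fileserver Readers'
```

The two $false results above are the cases the Group Usage text warns about: a child-domain Global group cannot be placed in a parent-domain Global group, so a Domain Local group (or, if the resource is in the parent domain, a Universal group) has to carry the cross-domain membership.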

Using Pre-defined Active Directory Groups

There are several pre-defined groups in an Active Directory that one could use to grant access to resources. Some of these groups are similar to default local groups on a Windows 2000/XP computer and others are specific to Active Directory. Note that the groups similar to standard local groups have broader implications in an Active Directory. Below is a brief description of some of those groups with the group type given in parentheses after the group name:

Users (Domain Local): Includes the 'Domain Users,' 'Authenticated Users' and 'Interactive' groups described below.

Domain Users (Global): Contains all user objects within the domain. This group is automatically joined to the local 'Users' group on any computer joined to an Active Directory.

Domain Administrators (Global): The membership of this group in the root domain is restricted to a small number of ITS employees who manage the UCB AD. This group is automatically joined to the local 'Administrators' group on any computer joined to an Active Directory.

Authenticated Users (special): A special group containing all users authenticated to the domain or a trusted domain, including all child domains.

Everyone (special): This group contains all users in the Active Directory, including anonymous access. Since the guest account is disabled in the UCB AD, this group is very similar to the 'Users' group described above.

Interactive (special): This group contains the user account for whatever user is currently logged into the local console.

Group Naming

Because group names must be unique within a domain, ITS requests that departments prefix their group names with the department's name or abbreviation. For example, a group containing users in the ITS networking group might be called "ITS Networking group users." This prevents conflicts from popular name choices like "Business Office."

To simplify group name prefixes, ITS also recommends using the name of the department's organizational unit as the group name prefix.
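As an added example (not ITS code, and not part of the original page), the audit below checks a department's groups against the two recommendations made on this page: it flags Universal groups, which ITS recommends against because of their replication cost, and it flags group names that do not start with the department OU's name, the prefix ITS recommends. It assumes the ActiveDirectory PowerShell module and a delegated account that can read the OU; the OU distinguished name in the usage line is a placeholder.

```powershell
# Added example, not from the UCB ITS page. Requires the ActiveDirectory
# module (assumption); run with an account that can read the department OU.

function Get-DepartmentGroupReport {
    # Lists every group under the department OU with the issues found against
    # the ITS group usage and naming recommendations.
    param(
        [Parameter(Mandatory)][string]$DepartmentOU   # DN of the department OU (placeholder in the usage below)
    )

    # ITS recommends the OU name itself as the group-name prefix, e.g. "ITS ...".
    $ou     = Get-ADOrganizationalUnit -Identity $DepartmentOU
    $prefix = "$($ou.Name) "

    Get-ADGroup -Filter * -SearchBase $DepartmentOU -SearchScope Subtree |
        ForEach-Object {
            $issues = @()

            # Universal groups are replicated forest-wide through the global catalog.
            if ($_.GroupScope -eq 'Universal') {
                $issues += 'Universal scope: extra replication load; use Global or Domain Local unless cross-domain access to parent-domain resources is required'
            }

            # Group names are domain-unique, so unprefixed names collide across departments.
            if (-not $_.Name.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $issues += "Name does not start with the OU prefix '$prefix'"
            }

            [pscustomobject]@{
                Name     = $_.Name
                Scope    = $_.GroupScope
                Category = $_.GroupCategory
                Issues   = ($issues -join '; ')
            }
        }
}

# Usage (placeholder OU DN); groups with an empty Issues column pass both checks.
Get-DepartmentGroupReport -DepartmentOU 'OU=ITS,DC=example,DC=edu' |
    Sort-Object Issues -Descending |
    Format-Table -AutoSize
```

The prefix check is case-insensitive and requires the space after the OU name, so "ITS Networking group users" passes while "ITSNetworking" and "Business Office" are reported; departments that prefix with an abbreviation other than the OU name should adjust $prefix accordingly.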

More information on groups

Active Directory Users, Computers, and Groups

Learn Active Directory in 15 Minutes a Week: Active Directory Groups

Getting Help

help@colorado.edu


Last reviewed: October 30, 2006

© 2000
The Regents of the University of Colorado