Group Scope and Group Type
Groups created in a domain have both a group scope and a group type. You can access this in Active Directory Users and Computers by right-clicking a container and selecting New → Group.
The three group scopes are global, domain local, and universal:
Global
Global groups are commonly used to organize users (such as all the users in the Sales department with a group named G_Sales). Global groups can also contain other global groups.
Domain local Domain local groups are sometimes used in administrative models in larger domains. A domain local group commonly identifi es assigned permissions to specifi c resources. As an example, the DL_Print_ClrLaserPrinter group could be used to identify a group that is assigned print permission for a color laser printer. A domain local group typically contains one or more global groups and can also contain universal groups.
Universal Universal groups are used in multiple-domain environments. They can contain global groups from any domain and can be added to domain local groups in any domain.
Note A commonly used naming convention is to begin the group name with the group scope G_Sales is easily identified as a global group used to organize the users in the Sales group Similarly, it's common to include the permissions and resources in the domain local group DL_Print_ClrLaser- Printer identifies it as a domain local group used to grant print permission for a color laser printer.
The two group types are distribution and security:
Distribution A distribution group is used for email only. It cannot be assigned permissions.
Security A security group can be assigned permissions or used as a distribution group.
In larger domains where both global and domain local groups are used, a common strategy known as A G DL P is used. Figure below shows an example of A G DL P.
When A G DL P is used, accounts (A) are added to global groups (G). Global groups are added to domain local (DL) groups, and permissions (P) are assigned to domain local groups.
The direction of the arrows in the figure also helps to identify what can be added to a group. The arrow goes down from the accounts, indicating they can be added to global groups or domain local groups. The arrow also goes down from the global group, indicating it can be added to a domain local group.
However, a global group can't be added to a user (which admittedly sounds silly), and a local group can't be added to a global group; both of these examples go against the arrow. The arrow goes up from permissions. Permissions can be assigned to accounts or any type of group, but it's a good practice to assign permissions to groups whenever possible. When you begin assigning permissions directly to users, administration becomes more difficult.
The benefits of using domain local groups are realized only in larger domains where administrators want to manage permissions for some resources more closely. Most organizations use a simpler model of AGP where accounts (A) are placed into global (G) groups and permissions (P) are assigned to the global groups.
In this tutorial:
- Managing Windows 7 in a Domain
- The Domain
- What is Wrong with Workgroups
- The Domain Concept
- Active Directory
- Domain Security
- Joining a Domain
- Windows 7 Offline Domain Join
- Browsing the Domain
- Searching the Domain
- Custom Searches
- Assigning Permissions to Domain Members
- The Double-Thick Security Trick
- Creating a Test Bed
- Creating a Domain
- Installing Windows Server 2008 on vPC
- Configuring a Windows Server 2008 Server
- Promoting a Server to a Domain Controller
- Joining Windows 7 to a Domain
- Authentication vs Authorization
- Authentication
- Authorization
- Built-in Groups
- Organizing Users with Groups
- Group Scope and Group Type
- Creating Users and Groups in a Domain
- Using HomeGroup with a Domain-Based Computer
- Identifying and Resolving Logon Issues
- Hardware vs. Network
- Using Cached Credentials
- Password Expiration
- Determining Logon Context
- Logon Hours Compliance
- Restricting Computer Access
- Time Synchronization
- Understanding User Profiles
- Standard Profiles
- Roaming Profiles
- Implementing Roaming Profiles
- Mandatory Profiles
- Super-Mandatory User Profiles
- Modifying the Default User Profile
- Configuring Settings with Scripts
- Anti-Malware Software
- Microsoft Windows 7 Defender
- Third-Party Anti-malware Software