Managing Groups
Active Directory groups are objects that may hold users, contacts, computers, or other groups. When you want to manage users, computers, and other resources, such as files, directories, printers, network shares, and e-mail distribution lists, using groups can decrease administration time and improve network performance.
Understanding Groups
Types of groups and group scope are essential topics in planning and managing an efficient network. Planning an environment that uses Active Directory and groups is critical-failing to plan or taking shortcuts could negatively affect network traffic and create more administrative work in the long run. There are two types of groups and three group scopes.
Group management was enhanced for Windows Server 2003 and Windows Server 2008. Before Windows Server 2003, all changes to universal groups would be replicated to all global catalog servers across the enterprise. Thus, if you used universal groups on your network, and you had slow network connectivity between global catalog servers, careful implementation of universal groups was crucial to preventing slow network throughput. To alleviate this possible bottleneck in network traffic, Microsoft has enhanced universal groups with caching of universal group membership and global catalog replication.
Caching universal groups is useful to enhance performance during log on. You configure caching of a universal group when Active Directory sites are widely scattered geographically or connected by a slow network and you want to minimize network traffic and increase logon effi ciency and authentication. For instance, suppose you have a small remote office that has a slow wide area network (WAN) connection to the main office. Instead of the users having to connect to a domain controller in the main office, a domain controller can be configured in the remote office to cache the universal groups. This way you do not have to have the global catalog on the remote domain controller. When someone logs on in the remote office, the process uses cached logon credentials on the remote domain controller. By default, this cached data is refreshed every eight hours.
To improve dependability and performance, Microsoft has made some primary changes in replication and synchronization of Active Directory data. Within groups, all group membership data is no longer replicated between global catalog sites when group members are added, deleted, or changed. Rather, only the changed group member data is replicated. This helps reduce network traffic and also lowers the amount of required processing.
Before Windows Server 2008, all values associated with a multi-valued attribute were replicated. With a domain operating in Windows Server 2008 domain functional level, only the changed attribute is replicated.
Types of Groups
There are two types of groups used in Windows Server 2008: security groups and distribution groups.
- Security groups are used to control access to resources. This is the kind of group you will probably use most often, and it may already be familiar. Security groups are listed in discretionary access control lists (DACLs). DACLs are part of an object's descriptor and are used to define permissions on objects and resources.
- Distribution groups are used for unsecured e-mail lists. Distribution lists do not use the functionality of the DACL permissions that security groups do. Distribution groups are not security-enabled but can be used by e-mail servers such as Microsoft Exchange Server.
In this tutorial:
- Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Configuring User Account Policies
- Enforcing Password Policy
- Configuring Account Lockout Policy
- Creating Password Settings Objects and Applying Secondary Settings
- Understanding User Account Capabilities, Privileges, and Rights
- Assigning User Rights
- Creating and Configuring Domain User Accounts
- Configuring Account Options
- Configuring Profile Options
- Troubleshooting User Accounts
- Implementing and Creating Preconfigured Profiles
- Configuring Local User Profiles
- Implementing Mandatory User Profiles
- Managing User Data
- Using Offline Files
- Configuring Offline Files on Clients
- Maintaining User Accounts
- Moving User Accounts
- Resetting a User's Domain Password
- Creating a User Account Password Backup
- Managing Groups
- Understanding the Scopes of Groups
- Creating a Group
- Creating group accounts at the command line
- Modifying Groups
- Managing Computer Accounts
- Moving a Computer Account
- Configuring Properties of Computer Accounts
- Troubleshooting Computer Accounts