Welcome to the next free video for the free
Active Directory course. This video looks at the different types of groups that are
available in Active Directory. The choice of which group you use will determine the
availability of that group to other domains and how the group will be replicated throughout
your environment. In this video I will first look at the different
types of groups that are available. Your choice of which group you use will determine what
you will be able to achieve using the group at the domain and forest level. Next I will
look at the difference between distribution and security groups. After this I will look
at how to convert between groups. Converting between groups does allow you to fix some
mistakes if you use the wrong group. Finally I will look at how to create and use these
groups on my Windows Server 2008 R2 Domain Controller. There are 3 different types of groups in Active
Directory. There are also local groups which exist only on the one computer. This takes
the types of groups that Windows supports to 4. The main difference between each group
is which of the other groups can be members of that group. The availability or scope of
each group determines where this group can be used: at the local level, domain level,
forest level or with externally trusted domains. The four types of groups are local, domain local, global and universal. This may seem like a lot of groups, but when you start working in large multi-domain environments, choosing the right group can give you a lot of advantages.
Let’s start by looking at local groups. A local group is a group that is created on
the local computer. Since the group is stored in the local computer’s security database,
its availability or scope is limited to that computer. Even though the scope of the group
is limited to the local computer it is not limited as to what groups can be put into
a local group. To start with, I will look at how groups work at the domain level. Later
in the video I will look at how these groups work when put in a multi domain environment.
At the domain level, a local group can have users, computers, domain local groups, global
groups, and universal groups added as members. Since the local group scope is limited to
the local computer it was created on, it has limited use when attempting to manage a domain
environment. For this reason, usually another group is put into
a local group or another group is applied directly to the resource that you are managing.
The next group is the domain local group. This group supports all the same membership
as the local group, that is users, computers, other domain local groups, global groups and
universal groups. Given that domain local groups’ membership can be administered at
the domain level these groups are often applied to the local resource rather than using a
local group. As you will see in a moment, domain local
groups can not be used outside the domain that they have been created in. In a multiple
domain environment this offers some additional security to the administrator by design. By
creating a domain local group in your domain you can be assured that the group is not being
used outside your domain. The next group is the global group. Out of all the groups, the global group has the most restrictive membership. Only users, computers and other global groups can be put into a global group. The advantage of a global group is that, unlike a domain local group, it can be used in any domain in the forest. In the last video I touched a little bit on
role based access control using groups. In a later video I will go into a lot more detail
about group strategy. If role based control is being used, usually a global group will
be created and the users that require access will be placed in this group. This global
group will be placed into a domain local group that is given access to the resource. The last group that I want to look at is the
universal group. The universal group is a special kind of group because it is stored
within the global catalog server. Like the global group it is available to any domain
in the forest. Even though information is stored about the
universal group in the global catalog server, the group itself is still associated with
the domain it was created in. To illustrate this, consider two universal groups called Sales created in the domains ITFree and HighCost. To access these groups you could
use the syntax ITFree\Sales for the universal group located in ITFree. To use the group
in the HighCost domain, the syntax HighCost\Sales could be used. Thus the universal group is
still tied to the domain but the membership details of this group are stored in the global
catalog server. What this means is that if a computer attempts
to use a universal group it needs access to a global catalog server. Since the information
about the universal group is stored in the global catalog server, a Domain Controller
that is not a global catalog server does not have this information. This Domain Controller
can of course contact a global catalog to get this information but if a global catalog
server is not available the membership of the universal group can’t be determined.
For this reason global catalog server placement becomes important if you start using universal
groups. Before using a universal group you should also consider that, since group membership is held on the global catalog server, changes to the group will be replicated with global catalog replication. If your universal group membership changes a lot, this means more replication between global catalog servers in the forest. Lastly, if a user is a member of a universal group they will require a global catalog server to log in. If a global catalog server is not available on the network they will not be able to log in.
If you do decide to use universal groups, the group can contain users, computers, global
groups and other universal groups. So far I have only looked at the groups at
a domain level. Let’s now look at what can be added to these groups when the member comes
from another domain in the same forest. Local groups support everything except domain
local groups. Domain local groups can’t be used outside the domain that they were
created in and thus can’t be added to a group in another domain.
Membership for domain local groups once again is the same as local groups. Domain local
groups from another domain can’t be added due to their use being limited to the domain
that they were created in. Of course, if a domain local group was created in the same
domain it could be added. Global groups by design will not allow membership
for groups outside the domain they are in. For this reason you can not add anything to
a global group when the member comes from a different domain.
The membership for a universal group does not change when the member comes from a different
domain from where the universal group was created. Users, computers, Global and Universal
groups can still be added. The last point to consider is what happens to membership when you have a trust with a domain outside the forest. For this example, a trusted domain is any domain located outside the forest, regardless of the kind of trust it is connected with.
Once again local and domain local groups support the same membership requirements. They can both hold users, computers and global groups from the external domain. Because domain local groups are only available in the domain they were created in, they are not available in an external domain.
Universal groups can’t be used in this case because they require a global catalog server.
The global catalog server must be one from the forest the universal group was created
in and thus a global catalog server from an external domain can’t be used for the universal
group. These include forests that are connected via a forest trust. Once you leave the forest
the universal group can’t be used. Global group members can’t come from an
external domain because the scope of global groups prevents them from being used outside
the domain that they were created in. Lastly universal groups can’t use a universal
group from an external domain because of the same reason stated before. Universal groups
rely on a global catalog server that is in the same forest as the universal group. Universal
groups simply will not work outside the forest that they were created in.
At present the number of groups and rules that define the scope for these groups may
look a little bit confusing. In a later video I will look at group strategy that can be
used within your organization for these groups. Once you see how this works in a large enterprise
environment you will start to understand why there are so many different options on how
to configure groups and understand a bit better how they work. The next point I would like to cover is the
difference between distribution and security groups. When you create a group you will have
the option to create a distribution group or a security group. A security group can
be assigned to files and folders and other objects in order to grant permissions. A distribution
group in comparison can’t be used with security. Generally distribution groups will be used
by e-mail programs like Exchange as mail groups. Each time you add a user to a security group, the group's SID will need to be added to the security token created when the user logs in. If you have a lot of groups associated with the one user this makes the security token larger. Some administrators will use distribution groups where possible to reduce the size of the security token created when a user logs in. A distribution group does not use a SID and thus it does not get added to the security token.
If you are not sure which group to create, Microsoft recommends creating a security group. Security groups can also be used by software like Exchange as distribution groups. Selecting a distribution group simply limits the functionality of the group, while selecting a security group supports security and the use of the group as a distribution group in software like Exchange.
If you do make a mistake you can always change the type of group which brings me to the last
point: converting between groups. If you want to change a security group to a distribution
group you can do so at any time. If you convert the group from distribution to security you are simply allowing that group to be used with security. This should not create any problems. If you change the group from a security group to a distribution group, this can affect security on your network. If the security group was allowing a user access to a resource, changing the group to a distribution group will deny them access to that resource. When a security request comes in asking about the group, Active Directory will respond the same way as if the group had been deleted.
Also another point to consider is if the security group was being used to deny a user access
to a resource, changing the group to a distribution group would give the user access again. This
is because the deny permission assigned to the resource would no longer be effective
and thus would not be stopping the user from getting access to the resource.
The next conversion that you may want to make is between different group scopes, that is, changing between domain local, global and universal. You can change from any scope to any other scope, but a change from global to domain local, or vice versa, can't be done directly. When you attempt to do this the option will be greyed out. To get around this, change the group to a universal group first and then change it to the desired scope. The point to remember when converting group
scopes is this will also affect the permissions that have been assigned using that group.
If the group was a universal group and you changed it to a domain local group, any permissions
that were assigned to resources outside the current domain will no longer work.
Before you can change a group from one scope to another, the group must meet the new membership
requirement for the new scope. If it does not, an error will be displayed asking you
to correct the problem before the group can be changed. For example, if you changed a
universal group to a global group and the universal group contains another universal
group this operation will fail. Since global groups do not support universal groups as
members, the change will fail and you will get an error message. I will now change to
my domain controller to look at how to create and use groups in Active Directory.
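As an added example (not code from the video or from Microsoft), here is a small Python model of the scope rules described earlier, covering the same-domain, other-domain-in-the-forest and externally trusted domain cases, together with the pre-conversion membership check just described; domain and forest names are constructed.

```python
from dataclasses import dataclass

USER, LOCAL, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = (
    "user", "local", "domain local", "global", "universal")

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # USER (also covers computer accounts) or one of the scopes above
    domain: str
    forest: str  # an externally trusted domain lives in a different forest

def can_be_member(member, group):
    """True if `member` may be nested in `group` under the rules in the video."""
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if member.kind == LOCAL:                 # local groups are never members
        return False
    if member.kind == DOMAIN_LOCAL and not same_domain:
        return False                         # domain local never leaves its domain
    if member.kind == UNIVERSAL and not same_forest:
        return False                         # needs a global catalog from its own forest
    if group.kind in (LOCAL, DOMAIN_LOCAL):  # users and global groups may come from
        return True                          # any domain, including trusted external ones
    if group.kind == GLOBAL:                 # same domain only; users and global groups
        return same_domain and member.kind in (USER, GLOBAL)
    if group.kind == UNIVERSAL:              # same forest only; no domain local groups
        return same_forest and member.kind in (USER, GLOBAL, UNIVERSAL)
    raise ValueError(f"unknown scope {group.kind}")

def conversion_blockers(group, members, member_of, new_scope):
    """Names that block changing `group` to `new_scope`: members the new scope
    cannot hold, plus groups that could no longer hold the converted group."""
    target = Principal(group.name, new_scope, group.domain, group.forest)
    return ([m.name for m in members if not can_be_member(m, target)]
            + [g.name for g in member_of if not can_be_member(target, g)])

def conversion_path(old, new):
    """Scope changes in order; global <-> domain local must go via universal."""
    if old == new:
        return []
    return [UNIVERSAL, new] if {old, new} == {GLOBAL, DOMAIN_LOCAL} else [new]

# The demo scenario: Sales_Staff (universal) nested into Invoice_Modify (global).
# Domain and forest names are constructed for this example.
invoice_modify = Principal("Invoice_Modify", GLOBAL, "ITFree", "itfree.example")
sales_staff = Principal("Sales_Staff", UNIVERSAL, "ITFree", "itfree.example")
if __name__ == "__main__":
    print(can_be_member(sales_staff, invoice_modify))  # False: global can't hold universal
    print(conversion_path(GLOBAL, DOMAIN_LOCAL))       # ['universal', 'domain local']
```

Running `conversion_blockers` over the Members and Member Of lists before touching the scope in the properties dialog tells you which entries will make the change fail.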
First of all, open Active Directory Users and Computers from the start menu. From here I will open the Users container. To create a new group under Users, right click Users and select the option new group. For the group name I will enter Invoice_Modify.
Notice that when the group is created the scope of the group can be selected. This can
be domain local, global and universal. On the right hand side you can also select the
group type, either security or distribution. Once the group is created, these options can
be changed later on. Once the group has been created, I next want to make the Sales_Staff group a member of it. To do this, right click Sales_Staff and select add to group. When prompted, enter the name of the group that you want to add it to. Notice that when I attempt to add Sales_Staff to the Invoice_Modify group I will get an error message. Since the Invoice_Modify group is a global group and the Sales_Staff group is a universal group, this is not allowed: a global group does not support universal groups as members. To fix this, I need to change one of the groups to a different scope.
If I right click Sales_Staff and open the properties for the group, I can then select the option Global to change this universal group to a global group. As long as all the members of the group meet the requirements for a global group, this will work. If they don't, Windows will prompt you telling you the group cannot be converted. To try to correct the problem, you can select the Members tab. This will show all the groups, users and computers that are members of this group. Before changing the scope of a group, it is a good idea to understand what effect this may have on the other groups. If I select the Member Of tab, this will show the groups which this group is a member of. This will only show groups that are in the same domain, or groups where information about the group is available via a global catalog server, like a universal group. If you want to add this group to another group, press the Add button. In this case I will add this group to Invoice_Modify. Since I have changed this group to a global group I won't get an error message this time. If your environment has a lot of different
types of groups it can start to become confusing which group is of which type. Some administrators
will use a standard for naming groups to make it easy to identify what type of group each
group is. If I right click on the Sales_Staff group and select rename, I will rename the group so that the group name starts with a g. This is one way administrators distinguish global groups from other groups. When renaming the group it is also a good idea, where possible, to change the pre-Windows 2000 name so that it matches the new name. If the names are different this can be very confusing to an administrator. That's it for groups in Active Directory.
In the next video I will look at default local groups. When you create users you will want
to give them certain rights and permissions. Microsoft has created a number of default
local groups which match common tasks required by users. In a lot of cases you can give a
user the rights and permissions that they require by putting them in these groups. In
the next video I will look at which groups are available. Thanks for watching this free
video from IT Free Training, just one of the free videos in this free Active Directory
course.