MCITP 70-640: Active Directory different group types available

Captions
Welcome to the next free video for the free Active Directory course. This video looks at the different types of groups that are available in Active Directory. The choice of which group you use will determine the availability of that group to other domains and how the group will be replicated throughout your environment. In this video I will first look at the different types of groups that are available. Your choice of which group you use will determine what you will be able to achieve using the group at the domain and forest level. Next I will look at the difference between distribution and security groups. After this I will look at how to convert between groups. Converting between groups does allow you to fix some mistakes if you use the wrong group. Finally I will look at how to create and use these groups on my Windows Server 2008 R2 Domain Controller.

There are 3 different types of groups in Active Directory. There are also local groups, which exist only on the one computer. This takes the number of group types that Windows supports to 4. The main difference between each group is which of the other groups can be members of that group. The availability or scope of each group determines where this group can be used: at the local level, domain level, forest level or with externally trusted domains. The four types of groups are local, domain local, global and universal. This may seem like a lot of groups, but when you start working in large multi-domain environments, choosing the right group can give you a lot of advantages.

Let’s start by looking at local groups. A local group is a group that is created on the local computer. Since the group is stored in the local computer’s security database, its availability or scope is limited to that computer. Even though the scope of the group is limited to the local computer, it is not limited as to what groups can be put into a local group. To start with, I will look at how groups work at the domain level.
Later in the video I will look at how these groups work when put in a multi-domain environment. At the domain level, a local group can have users, computers, domain local groups, global groups and universal groups added as members. Since the local group’s scope is limited to the local computer it was created on, it has limited use when attempting to manage a domain environment. For this reason, usually another group is put into a local group, or another group is applied directly to the resource that you are managing.

The next group is the domain local group. This group supports all the same membership as the local group, that is users, computers, other domain local groups, global groups and universal groups. Given that domain local groups’ membership can be administered at the domain level, these groups are often applied to the local resource rather than using a local group. As you will see in a moment, domain local groups cannot be used outside the domain that they have been created in. In a multiple domain environment this offers some additional security to the administrator by design. By creating a domain local group in your domain you can be assured that the group is not being used outside your domain.

The next group is the global group. Out of all the groups, the global group has the smallest amount of membership allowed. Only users, computers and other global groups can be put into a global group. The advantage of a global group is that you can use it in any domain in the forest, unlike domain local groups. In the last video I touched a little bit on role based access control using groups. In a later video I will go into a lot more detail about group strategy. If role based control is being used, usually a global group will be created and the users that require access will be placed in this group. This global group will be placed into a domain local group that is given access to the resource.

The last group that I want to look at is the universal group.
The universal group is a special kind of group because it is stored within the global catalog server. Like the global group, it is available to any domain in the forest. Even though information is stored about the universal group in the global catalog server, the group itself is still associated with the domain it was created in. To illustrate this, consider the following: say two universal groups called Sales are created in the domains ITFree and HighCost. To access these groups you could use the syntax ITFree\Sales for the universal group located in ITFree. To use the group in the HighCost domain, the syntax HighCost\Sales could be used. Thus the universal group is still tied to the domain, but the membership details of this group are stored in the global catalog server.

What this means is that if a computer attempts to use a universal group, it needs access to a global catalog server. Since the information about the universal group is stored in the global catalog server, a Domain Controller that is not a global catalog server does not have this information. This Domain Controller can of course contact a global catalog to get this information, but if a global catalog server is not available the membership of the universal group can’t be determined. For this reason, global catalog server placement becomes important if you start using universal groups. You should also consider before using a universal group that, since group membership is held on the global catalog server, changes to the group will be replicated with the global catalog server replication. If your universal group membership changes a lot, this means more replication between global catalog servers in the forest. Lastly, if a user is a member of a universal group they will require a global catalog server to log in. If a global catalog server is not available on the network they will not be able to log in.
If you do decide to use universal groups, the group can contain users, computers, global groups and other universal groups.

So far I have only looked at the groups at a domain level. Let’s now look at what can be added to these groups when the member comes from another domain in the same forest. Local groups support everything except domain local groups. Domain local groups can’t be used outside the domain that they were created in and thus can’t be added to a group in another domain. Membership for domain local groups once again is the same as for local groups. Domain local groups from another domain can’t be added due to their use being limited to the domain that they were created in. Of course, if a domain local group was created in the same domain it could be added. Global groups by design will not allow membership for groups outside the domain they are in. For this reason you cannot add anything to a global group when the member comes from a different domain. The membership for a universal group does not change when the member comes from a different domain from where the universal group was created. Users, computers, global and universal groups can still be added.

The last point to consider is what happens to membership when you have a trusted domain added to the forest. For this example, a trusted domain is any domain that is outside the forest, regardless of what kind of trust it is connected with. In other words, any domain that is located outside the forest. Once again local and domain local groups support the same membership requirements. They can both support users, computers and global groups. Due to domain local groups only being available in the domain that they were created in, they are not available in an external domain. Universal groups can’t be used in this case because they require a global catalog server.
The global catalog server must be one from the forest the universal group was created in, and thus a global catalog server from an external domain can’t be used for the universal group. This includes forests that are connected via a forest trust. Once you leave the forest the universal group can’t be used. Global group members can’t come from an external domain because the scope of global groups prevents them from being used outside the domain that they were created in. Lastly, universal groups can’t use a universal group from an external domain, for the same reason stated before. Universal groups rely on a global catalog server that is in the same forest as the universal group. Universal groups simply will not work outside the forest that they were created in. At present the number of groups and the rules that define the scope for these groups may look a little bit confusing. In a later video I will look at group strategy that can be used within your organization for these groups. Once you see how this works in a large enterprise environment you will start to understand why there are so many different options on how to configure groups, and understand a bit better how they work.

The next point I would like to cover is the difference between distribution and security groups. When you create a group you will have the option to create a distribution group or a security group. A security group can be assigned to files and folders and other objects in order to grant permissions. A distribution group in comparison can’t be used with security. Generally distribution groups will be used by e-mail programs like Exchange as mail groups. Each time you add a user to a group, the group’s SID will need to be added to the security token created when the user logs in. If you have a lot of groups associated with the one user, this makes the security token larger.
Some administrators will use distribution groups where possible to reduce the size of the security token created when a user logs in. A distribution group does not use a SID and thus it does not get added to the security token. If you are not sure which group to create, Microsoft recommends creating a security group. Security groups can also be used by software like Exchange as distribution groups. Selecting a distribution group simply limits the functionality of the group, while selecting a security group supports security and the use of the group as a distribution group in software like Exchange.

If you do make a mistake you can always change the type of group, which brings me to the last point: converting between groups. If you want to change a security group to a distribution group you can do so at any time. If you convert the group from distribution to security you are simply allowing that group to be used with security. This should not create any problems. If you change the group from a security group to a distribution group, this can affect security on your network. If the security group was allowing a user access to a resource, changing the group to a distribution group will deny them access to the resource. When a security request comes in asking about the group, Active Directory will respond the same way as if the group had been deleted. Another point to consider is that if the security group was being used to deny a user access to a resource, changing the group to a distribution group would give the user access again. This is because the deny permission assigned to the resource would no longer be effective and thus would not be stopping the user from getting access to the resource.

The next conversion that you may want to make is between different group scope types, that is changing between domain local, global and universal. You can change from any scope to any other scope that you want.
If you attempt to change from global to domain local or vice versa, this can’t be done directly. When you attempt to do this the option will be greyed out. To get around this, change the group to a universal group first and then change it to the desired group. The point to remember when converting group scopes is that this will also affect the permissions that have been assigned using that group. If the group was a universal group and you changed it to a domain local group, any permissions that were assigned to resources outside the current domain will no longer work. Before you can change a group from one scope to another, the group must meet the membership requirements for the new scope. If it does not, an error will be displayed asking you to correct the problem before the group can be changed. For example, if you changed a universal group to a global group and the universal group contains another universal group, this operation will fail. Since global groups do not support universal groups as members, the change will fail and you will get an error message.

I will now change to my domain controller to look at how to create and use groups in Active Directory. First of all, open Active Directory Users and Computers from the start menu. From here I will open Users. To create a new group under Users, right click Users and select the option New Group. For the group name I will enter the name invoice_modify. Notice that when the group is created, the scope of the group can be selected. This can be domain local, global or universal. On the right hand side you can also select the group type, either security or distribution. Once the group is created, these options can be changed later on. Once the group has been created, I next want to add this group to the sales_staff group. To do this, right click sales_staff and select Add to Group. When prompted, enter the name of the group that you want to add.
Notice that when I attempt to add Invoice_Modify to the Sales_Staff group I will get an error message. Since the Invoice_Modify group is a global group and the Sales_Staff group is a universal group, this is not allowed. A global group does not support universal groups as members. To fix this, I need to change one of the groups to a different type. If I right click Sales_Staff and open the properties for the group, I can then select the option Global to change this universal group to a global group. As long as all the other members of the group meet the requirements for a global group, this will work. If they don’t, Windows will prompt you, telling you the group cannot be converted. To try to correct the problem, you can select the tab “Members.” This will show all the groups, users and computers that are members of this group. Before changing the type of group, it is a good idea to understand what effect this may have on the other groups. If I select the tab “Member Of,” this will show the groups which this group is a member of. This will only show groups that are in the same domain or groups where information about the group is available via a global catalog server, like a universal group. If you want to add this group to another group, press the Add button. In this case I will add this group to Invoice_Modify. Since I have changed this group to a global group, I won’t get an error message this time.

If your environment has a lot of different types of groups, it can start to become confusing which group is of which type. Some administrators will use a standard for naming groups to make it easy to identify what type each group is. If I right click on the sales_staff group and select Rename, I will rename the group so that the group name starts with a g. This is one way administrators use to identify global groups from other groups.
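As an added example (not code from the video or from Microsoft), the membership matrix and the scope-conversion rules described above, including the sales_staff / invoice_modify demo, encoded as a small Python checker; the rule tables and the sample membership are constructed from the transcript rather than read from a real domain:

```python
# Added example, not code from the video or from Microsoft: a model of the
# group-scope membership and scope-conversion rules explained above. Members are
# (kind, location) tuples; location is where the member lives relative to the group.
SAME_DOMAIN, SAME_FOREST, EXTERNAL = "same_domain", "same_forest", "external"
PRINCIPALS = {"user", "computer"}
# Member kinds allowed per container scope and member location (from the video).
ALLOWED = {
    "local": {SAME_DOMAIN: PRINCIPALS | {"domain_local", "global", "universal"},
              SAME_FOREST: PRINCIPALS | {"global", "universal"},
              EXTERNAL: PRINCIPALS | {"global"}},
    "domain_local": {SAME_DOMAIN: PRINCIPALS | {"domain_local", "global", "universal"},
                     SAME_FOREST: PRINCIPALS | {"global", "universal"},
                     EXTERNAL: PRINCIPALS | {"global"}},
    # Global groups take only same-domain users, computers and global groups.
    "global": {SAME_DOMAIN: PRINCIPALS | {"global"}, SAME_FOREST: set(), EXTERNAL: set()},
    # Universal groups depend on their own forest's global catalog, so nothing external.
    "universal": {SAME_DOMAIN: PRINCIPALS | {"global", "universal"},
                  SAME_FOREST: PRINCIPALS | {"global", "universal"},
                  EXTERNAL: set()},
}

def can_add(group_scope, member):
    kind, location = member
    return kind in ALLOWED[group_scope][location]

def can_convert(group_scope, new_scope, members):
    """Direct conversion: not global<->domain local, and members must fit the new scope."""
    if {group_scope, new_scope} == {"global", "domain_local"}:
        return False
    return all(can_add(new_scope, m) for m in members)

def conversion_path(group_scope, new_scope, members):
    """Scopes to pass through to reach new_scope, or None if a member blocks it."""
    steps = [new_scope]
    if {group_scope, new_scope} == {"global", "domain_local"}:
        steps = ["universal", new_scope]  # ADUC greys out the direct change
    current = group_scope
    for step in steps:
        if not can_convert(current, step, members):
            return None
        current = step
    return steps

def video_scenario():
    """Video demo: universal sales_staff can't join global invoice_modify until converted."""
    sales_staff_members = [("user", SAME_DOMAIN)]  # constructed sample membership
    blocked = can_add("global", ("universal", SAME_DOMAIN))
    steps = conversion_path("universal", "global", sales_staff_members)
    allowed_now = can_add("global", (steps[-1], SAME_DOMAIN))
    return blocked, steps, allowed_now  # (False, ["global"], True)
```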
When renaming the group, it is also a good idea where possible to change the pre-Windows 2000 name so that it matches the other name. If the names are different this can be very confusing to an administrator.

That’s it for groups in Active Directory. In the next video I will look at default local groups. When you create users you will want to give them certain rights and permissions. Microsoft has created a number of default local groups which match common tasks required by users. In a lot of cases you can give a user the rights and permissions that they require by putting them in these groups. In the next video I will look at which groups are available. Thanks for watching this free video from IT Free Training, just one of the free videos in this free Active Directory course.
Info
Channel: itfreetraining
Views: 120,436
Keywords: Domain Local, Universal, Global Groups, Groups, Active Directory, 70-640, MCITP, MCTS, ITFreeTraining
Id: aPh8_RB8XEU
Length: 18min 41sec (1121 seconds)
Published: Sun May 13 2012