to those new to working with Windows Server 2003 and Active Directory. The scope of
the group identifies the extent to which the group is applied throughout the domain tree
or forest. There are three group scopes:
■ Universal Groups: Universal groups can include other groups and user/computer
accounts from any domain in the domain tree or forest. Permissions for any
domain in the domain tree or forest can be assigned to universal groups.
■ Global Groups: Global groups can include other groups and user/computer
accounts from only the domain in which the group is defined. Permissions for
any domain in the forest can be assigned to global groups.
■ Domain Local Groups: Domain local groups can include other groups and
user/computer accounts from Windows Server 2003, Windows 2000 Server, and
Windows NT domains. Permissions for only the domain in which the group is
defined can be assigned to domain local groups.
Table 1.1 outlines the behavior and usage of the scopes of groups as the domain
functional level changes. The following guidelines will help the network administrator
make better decisions about how to use each group scope:
■ Using Domain Local groups
■ Using Global groups
■ Using Universal groups
Each of these guidelines is discussed in detail in the following sections.
Using Domain Local Groups
A Domain Local group should be used to manage access to resources located within a single
domain. Consider the following example on how Domain Local groups can be used: a
network administrator has a network file share for which they want to configure access for 20
user accounts. They manually configure the share permissions to allow each of the 20 user
accounts to have the required access. Later, they need to configure the permissions on a
second network file share for the same 20 user accounts. They now need to perform the
manual permissions assignment again for the 20 users. The easier, more accurate and secure
way to assign the permissions needed would be to create a Domain Local group and assign it
the required permissions on the file shares. After doing this, the administrator could create a
Global group and place the 20 user accounts into that Global group. Adding the Global group
to the Domain Local group results in all 20 users inheriting the Domain Local group's
assigned permissions, which therefore allows them to gain access to the two file shares. This
Table 1.1 Group Scope Behaviors versus Domain Functional Level

| Domain Status | Behavior | Universal Group | Global Group | Domain Local Group |
|---|---|---|---|---|
| Windows Server 2003 or Windows 2000 native | Group membership | Members can include user accounts, computer accounts, and other Universal groups from any domain. | Members can include user accounts, computer accounts, and other Global groups from the domain. | Members can include user accounts, global accounts, computer groups, and Universal groups from the same domain. |
| Windows 2000 mixed | Group membership | Universal groups cannot be created. | Members can include user and computer accounts from the same domain. | Members can include user accounts, computer accounts, and Global groups from any domain. |
| Windows Server 2003 or Windows 2000 native | Group nesting | Can be added to other groups. | Can be added to other groups. | Can be added to other Domain Local groups. |
| Windows Server 2003 or Windows 2000 native | Group permissions | Can be assigned permissions in any domain. | Can be assigned permissions in any domain. | Can be assigned permissions only in the same domain. |
| Windows Server 2003 or Windows 2000 native | Group scope changes | Can be changed to Global groups as long as no group members are other Universal groups. Can be converted to Domain Local Groups with no restrictions. | Can be changed to Universal groups as long as the group is not a member of any other Global Group. | Can be changed to Universal groups as long as no group members are other Domain Local groups. |
| Windows 2000 mixed | Group scope changes | Not allowed. | Not allowed. | Not allowed. |
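
The Domain Local group procedure from the "Using Domain Local Groups" section, as an added example (not from the original guide) using the directory service command-line tools of Windows Server 2003 (dsadd, dsquery, dsmod, dsget) and cacls. The domain corp.example, its NetBIOS name CORP, the OUs, the group names and the folder paths are hypothetical, and the 20 user accounts are assumed to sit in one OU.

```bat
@echo off
rem Added example. Domain, OUs, group names and paths below are hypothetical.
setlocal
set "GROUPS_OU=OU=Groups,DC=corp,DC=example"
set "TEAM_OU=OU=Project Team,DC=corp,DC=example"
set "DL=CN=DL_Projects_Modify,%GROUPS_OU%"
set "GG=CN=GG_Project_Team,%GROUPS_OU%"

rem 1. Domain Local security group that will carry the permissions (-scope l).
dsadd group "%DL%" -secgrp yes -scope l -desc "Modify access to project shares"

rem 2. Global security group that will hold the user accounts (-scope g).
dsadd group "%GG%" -secgrp yes -scope g -desc "Project team members"

rem 3. Add every user account found in the team OU to the Global group.
rem    dsquery prints the user DNs; dsmod reads them from standard input.
dsquery user "%TEAM_OU%" -limit 0 | dsmod group "%GG%" -addmbr

rem 4. Nest the Global group inside the Domain Local group.
dsmod group "%DL%" -addmbr "%GG%"

rem 5. Grant the Domain Local group Change (C) on both shared folders.
rem    /E edits the existing ACL instead of replacing it, /T recurses.
cacls D:\Shares\Projects /T /E /G CORP\DL_Projects_Modify:C
cacls D:\Shares\Reports /T /E /G CORP\DL_Projects_Modify:C

rem 6. Verify: the expanded membership should list the Global group
rem    and the user accounts it contains.
dsget group "%DL%" -members -expand

endlocal
```

Removing an account from the Global group with `dsmod group "%GG%" -rmmbr "<user DN>"` then revokes its access to both folders without touching either ACL.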