to those new to working with Windows Server 2003 and Active Directory. The scope of the group identifies the extent to which the group is applied throughout the domain tree or forest. There are three group scopes:

Universal Groups
Universal groups can include other groups and user/computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups.

Global Groups
Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.

Domain Local Groups
Domain local groups can include other groups and user/computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Permissions for only the domain in which the group is defined can be assigned to domain local groups.

Table 1.1 outlines the behavior and usage of the group scopes as the domain functional level changes. The following guidelines will help the network administrator make better decisions when deciding how to use each group scope:

Using Domain Local groups
Using Global groups
Using Universal groups

Each of these guidelines is discussed in detail in the following sections.

Using Domain Local Groups

A Domain Local group should be used to manage access to resources located within a single domain. Consider the following example of how Domain Local groups can be used: a network administrator has a network file share for which they want to configure access for 20 user accounts. They manually configure the share permissions to allow each of the 20 user accounts to have the required access. Later, they need to configure the permissions on a second network file share for the same 20 user accounts. They now need to perform the manual permissions assignment again for the 20 users. The easier, more accurate and more secure way to assign the needed permissions would be to create a Domain Local group and assign it the required permissions on the file shares. After doing this, the administrator could create a Global group and place the 20 user accounts into that Global group. Adding the Global group to the Domain Local group results in all 20 users inheriting the Domain Local group's assigned permissions, which therefore allows them to gain access to the two file shares. This

Table 1.1 Group Scope Behaviors versus Domain Functional Level

| Domain Status | Behavior | Universal Group | Global Group | Domain Local Group |
| --- | --- | --- | --- | --- |
| Windows Server 2003 or Windows 2000 native | Group membership | Members can include user accounts, computer accounts, and other Universal groups from any domain. | Members can include user accounts, computer accounts, and other Global groups from the same domain. | Members can include user accounts, computer accounts, Global groups, and Universal groups from the same domain. |
| Windows 2000 mixed | Group membership | Universal groups cannot be created. | Members can include user and computer accounts from the same domain. | Members can include user accounts, computer accounts, and Global groups from any domain. |
| Windows Server 2003 or Windows 2000 native | Group nesting | Can be added to other groups. | Can be added to other groups. | Can be added to other Domain Local groups. |
| Windows Server 2003 or Windows 2000 native | Group permissions | Can be assigned permissions in any domain. | Can be assigned permissions in any domain. | Can be assigned permissions only in the same domain. |
| Windows Server 2003 or Windows 2000 native | Group scope changes | Can be changed to Global groups as long as no group members are other Universal groups. Can be converted to Domain Local groups with no restrictions. | Can be changed to Universal groups as long as the group is not a member of any other Global group. | Can be changed to Universal groups as long as no group members are other Domain Local groups. |
| Windows 2000 mixed | Group scope changes | Not allowed. | Not allowed. | Not allowed. |
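The file-share scenario from the Using Domain Local Groups section (accounts into a Global group, the Global group into a Domain Local group, permissions on the Domain Local group) together with the Universal-to-Global scope-change rule from Table 1.1, as an added example that is not code from the book. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, not the Windows Server 2003 tools the chapter describes); the OU, domain name, share paths, group names and user names are constructed placeholders.

```powershell
# Added example (not from the book): AGDLP for the two-share scenario plus the
# Table 1.1 scope-change check. Assumes the ActiveDirectory module; the OU,
# domain, shares, group names and accounts below are constructed placeholders.
Import-Module ActiveDirectory

$ou     = "OU=Groups,DC=example,DC=local"            # assumed OU
$shares = @("\\fs01\Projects", "\\fs01\Reports")      # assumed file shares
$users  = 1..20 | ForEach-Object { "user$_" }          # assumed 20 accounts

# 1. The Domain Local group is what receives permissions on the resources.
New-ADGroup -Name "DL_ProjectShares_Modify" -GroupScope DomainLocal `
            -GroupCategory Security -Path $ou

# 2. The Global group holds the accounts; membership changes happen here only.
New-ADGroup -Name "G_ProjectTeam" -GroupScope Global `
            -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "G_ProjectTeam" -Members $users

# 3. Nest the Global group inside the Domain Local group.
Add-ADGroupMember -Identity "DL_ProjectShares_Modify" -Members "G_ProjectTeam"

# 4. Grant Modify to the Domain Local group on each share once, instead of
#    editing 20 access control entries per share by hand.
foreach ($share in $shares) {
    $acl  = Get-Acl -Path $share
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @("EXAMPLE\DL_ProjectShares_Modify", "Modify",
                        "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $share -AclObject $acl
}

# Check: all 20 accounts should resolve transitively into the Domain Local group.
$effective = Get-ADGroupMember -Identity "DL_ProjectShares_Modify" -Recursive |
             Select-Object -ExpandProperty SamAccountName
$missing = $users | Where-Object { $_ -notin $effective }
if ($missing) { Write-Warning "No effective access for: $($missing -join ', ')" }
else          { Write-Output "All $($users.Count) accounts have access via AGDLP." }

# Table 1.1, scope changes: a Universal group can become Global only if none
# of its members are other Universal groups. Run this before Set-ADGroup.
function Test-CanConvertToGlobal([string]$GroupName) {
    $nested = Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq "group" } |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName }
    return -not ($nested | Where-Object { $_.GroupScope -eq "Universal" })
}
```

Adding or removing a team member later touches only G_ProjectTeam; the share ACLs and the Domain Local group stay unchanged, which is the point of the pattern.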