Windows 2003 Active Directory (V): Planning and building groups

Source: Internet
Author: User

In a nutshell, a group is a logical unit that can contain a set of user accounts or other groups. When we assign permissions to a group, every object that is a member of the group receives the permissions that the group has.

Like a user account, a group in a domain has a unique SID. An object that can be granted permissions (an account or a group) is called a security principal. Note that a group that can be assigned permissions is known as a security group; a distribution group cannot be assigned permissions.

Every group has a group scope. The scope determines how the group can be used: 1. whether it can be assigned permissions on resources in its own domain or anywhere in the forest; 2. whether it can be placed (nested) in other groups in its own domain or anywhere in the forest; 3. whether it can contain users and groups from its own domain or from the whole forest.

There are three group scopes:

1. Domain local: a group whose permissions can only be used within its own domain is called a domain local group.

A domain local group can contain three types of members: 1. user accounts from any domain; 2. global groups from any domain; 3. if the domain functional level is Windows 2000 native mode or Windows Server 2003 mode, universal groups from any domain and domain local groups from the same domain. This may seem to conflict with the definition above, but the definition refers to the scope of use: the permissions of a domain local group are limited to resources in the same domain, so its members can only be granted access to that domain's resources through it. Note: when a group contains other groups (global groups from other domains, universal groups, and so on), this is called group nesting. A domain local group can only be used to grant access to resources in its own domain, not to resources in other domains. In practice, we organize users who belong to the same department into a global group and then add that global group to a domain local group.

Let's distinguish the local group from the domain local group. Windows 2000/XP workstations, stand-alone servers and member servers (anything that is not a domain controller) have no group scopes; they have only local groups, whose permissions are limited to the local computer, so only local resources can be assigned to a local group. If the computer is joined to a domain, a local group can contain, in addition to local user accounts: 1. domain user accounts from the same domain; 2. domain local groups from the same domain; 3. global groups from the entire forest. In general, however, we do not use local groups; resources inside a domain are managed with domain groups.

2. Global: a group that can be assigned permissions anywhere in the forest, but can only contain accounts or groups from its own domain, is called a global group. A global group can contain two types of members: 1. user accounts from the same domain; 2. if the domain functional level is Windows 2000 native mode or Windows Server 2003 mode, other global groups from the same domain.

The scope of a global group's permissions is the entire forest, that is, we can grant access to a resource in domain A to global groups from domains B, C and D. In practice, however, it is best to nest global groups in a domain local group rather than assigning permissions directly to global groups.

Application: use domain local groups and global groups together to manage a single domain. This planning method is called "AGDLP" (Accounts, Global groups, Domain Local groups, Permissions). Here is an example. First, add the user accounts that need the same permissions to the same global group: employees of the product department join the Products global group, and employees of the accounting department join the Accountings global group. Next, add the global groups to a domain local group: Products and Accountings join the Printers domain local group. Finally, assign access to the resource in the domain to the domain local group: if the printer's access rights are granted to the Printers domain local group, members of Products and Accountings can use the printer. Granting or revoking access is then just a matter of adding a group to, or removing it from, the domain local group, which is very convenient.
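The AGDLP example above as a script (added here, not part of the original article). It assumes the ActiveDirectory PowerShell module from RSAT, a placeholder domain EXAMPLE (DC=example,DC=local) with an OU named Groups, placeholder users alice, bob and carol, and a shared folder standing in for the printer, because folder ACLs are the easiest resource to script; the pattern is the same for a printer.

```powershell
# Added example: AGDLP with the ActiveDirectory module. Domain, OU, users and path are placeholders.
Import-Module ActiveDirectory

$ou   = "OU=Groups,DC=example,DC=local"
$path = "D:\Shares\PrintQueue"          # stands in for the printer resource

# A -> G: one global group per department, containing the department's accounts
New-ADGroup -Name "Products"    -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name "Accountings" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "Products"    -Members "alice", "bob"
Add-ADGroupMember -Identity "Accountings" -Members "carol"

# G -> DL: one domain local group per resource, with the global groups nested in it
New-ADGroup -Name "Printers" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "Printers" -Members "Products", "Accountings"

# DL -> P: the permission is granted to the domain local group only, never to the global groups
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "EXAMPLE\Printers", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check 1: the only domain principal in the ACL should be the domain local group
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "EXAMPLE\*" } |
    Select-Object IdentityReference, FileSystemRights

# Check 2: the scope of each group matches its role in AGDLP
Get-ADGroup -Filter 'Name -eq "Products" -or Name -eq "Accountings" -or Name -eq "Printers"' |
    Select-Object Name, GroupScope

# Check 3: -Recursive expands the nested global groups, showing who actually gets access
Get-ADGroupMember -Identity "Printers" -Recursive | Select-Object SamAccountName, objectClass

# Revoking the accounting department's access touches only the nesting, not the ACL
Remove-ADGroupMember -Identity "Printers" -Members "Accountings" -Confirm:$false
```

Check 3 is the one to repeat after any change, since a user's effective access comes from the nesting chain rather than from the ACL entry alone.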
