Active Directory group scope and group type

Reprinted: http://hi.baidu.com/chin/blog/item/543ce5dd3eea79ef77c63862.html
Active Directory has two group types: security groups and distribution groups. A security group can be assigned permissions on shared resources (it can also serve as an e-mail list). A distribution group has no security function: it is not security-enabled, so its SID never appears in an access token and it cannot be used in an ACL; it exists only for e-mail distribution lists. Distribution groups are therefore not discussed further. The scope and function of security groups in Active Directory are analyzed below.

Every group also has a scope, which determines where in the domain tree or forest the group can be used. Active Directory has three scopes: universal, global, and domain local, giving universal groups, global groups, and domain local groups. (Universal security groups cannot be created in a Windows 2000 mixed-mode domain; they require Windows 2000 native mode or later. Windows Server 2003 is used as the basis for the description below.)

Universal group: combines the advantages of a global group and a domain local group. It can contain user accounts, global groups, and other universal groups from any domain in the forest. It can be a member of universal groups and domain local groups, but never of a global group. Universal security groups can be created only in a Windows 2000 native-mode domain or later.

Global group: a global group can be used anywhere in the forest, which means it can be granted permission to access resources in any domain. Its members, however, must come from its own domain: user accounts, and (in Windows 2000 native mode or later) other global groups of the same domain. In mixed mode, its members can only be accounts of the same domain.

Domain local group: usually used to grant permissions on resources in its own domain. Its members can be user accounts, global groups, and universal groups from any domain in the forest, plus other domain local groups from the same domain (in mixed mode there are no universal groups and domain local groups cannot be nested).

How should these three scopes be used in a given environment?

First, the characteristics of the three scopes:

A universal group is used to merge groups across domains. Because universal group membership is stored in the global catalog (GC), every change to a universal group is replicated to every global catalog server in the forest, so a universal group that changes often adds replication traffic across the whole forest (the Windows Server 2003 forest functional level reduces this with linked-value replication, which replicates only the changed members rather than the whole member list). A universal group in a well-designed network should therefore change rarely. Accounts are placed in global groups, and those global groups are nested in the universal group: when people come and go, only the global group changes and the universal group stays the same.

A global group belongs to its own domain, and its membership changes are not replicated outside that domain, so frequent internal changes (adding and removing users) are cheap. Although a global group can be granted access to resources in any domain, it is generally not used to assign permissions directly.

A domain local group can be nested in other domain local groups of the same domain and can be assigned permissions only in its own domain, so it is confined entirely to that domain. In a multi-domain environment a domain local group cannot be evaluated by other domains (its SID is added to a user's access token only when the user is authenticated to a resource in that domain), so it should not be used to assign permissions on Active Directory objects that other domains need to evaluate. For exactly this reason it is the right group for resources: resources do not move (a printer in one domain does not wander off to another domain).

Based on the characteristics of these three scopes, several principles follow (the arrow points from the member to the group it is placed in, and P marks where the permission is assigned):

A → G ← P: the forest has only one domain with few users, and no other domains will join the forest.

A → DL ← P: the forest has only one domain with few users, no other domains will join the forest, and the domain has no Windows NT 4.0 member servers (an NT 4.0 member server cannot use a domain local group).

A → G → DL ← P: the forest contains one or more domains, and more domains may be added later (the standard AGDLP pattern).

A → G → U → DL ← P: the forest contains several domains, and administrators need to manage the global groups centrally (the AGUDLP pattern).

A → G → L ← P: a Windows NT 4.0 domain upgraded to Windows Server 2003, where permissions are still held by local groups on member servers (the NT 4.0 AGLP pattern).

A (Account): user account
G (Global Group): global group
U (Universal Group): universal group
DL (Domain Local Group): domain local group
L (Local Group): local group on a member server
P (Permission): permission
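The following is an added example, not code from the original post: it builds one A → G → DL ← P chain with the ActiveDirectory PowerShell module, applies the scope nesting rules from the definitions above before each nesting step (so an attempt to put a domain local group into a global group, or a universal group into a global group, is refused), grants the permission to the domain local group only, and finishes with an audit for domain local groups that hold users directly. All names are hypothetical: the domain corp.example (NetBIOS name CORP), the OU OU=Groups,DC=corp,DC=example, the users alice and bob, and the share \\fs01\Finance.

```powershell
# Added example, not code from the original post. Builds one AGDLP chain and checks
# the scope nesting rules before each Add-ADGroupMember.
# Hypothetical names: domain corp.example (NetBIOS CORP), OU "OU=Groups,DC=corp,DC=example",
# users alice and bob, file share \\fs01\Finance.
Import-Module ActiveDirectory

# Which scope may be nested in which (native mode or later).
# Key = scope of the member group, value = scopes of groups allowed to contain it.
# A domain local group is never a valid member of a global or universal group, and a
# global group can never contain a universal group.
$AllowedNesting = @{
    'Global'      = @('Global', 'Universal', 'DomainLocal')
    'Universal'   = @('Universal', 'DomainLocal')
    'DomainLocal' = @('DomainLocal')
}

function Get-DomainDn {
    param([string]$DistinguishedName)
    # Everything from the first "DC=" component onward, e.g. DC=corp,DC=example
    return ($DistinguishedName -split ',(?=DC=)', 2)[1]
}

function Test-GroupNesting {
    # $Member and $Container are ADGroup objects (from Get-ADGroup or New-ADGroup -PassThru)
    param([Parameter(Mandatory)]$Member, [Parameter(Mandatory)]$Container)
    $memberScope    = $Member.GroupScope.ToString()
    $containerScope = $Container.GroupScope.ToString()
    $scopeOk = $AllowedNesting[$memberScope] -contains $containerScope
    # Global-in-global and domain-local-in-domain-local must stay inside one domain;
    # global and universal members may cross domains when the container is DL or U.
    $sameDomainRequired = ($memberScope -eq 'Global' -and $containerScope -eq 'Global') -or
                          ($memberScope -eq 'DomainLocal')
    $domainOk = (-not $sameDomainRequired) -or
                ((Get-DomainDn $Member.DistinguishedName) -eq (Get-DomainDn $Container.DistinguishedName))
    return ($scopeOk -and $domainOk)
}

function Add-GroupMemberChecked {
    param([Parameter(Mandatory)]$Member, [Parameter(Mandatory)]$Container)
    if (-not (Test-GroupNesting -Member $Member -Container $Container)) {
        throw "Refusing to nest $($Member.Name) [$($Member.GroupScope)] into $($Container.Name) [$($Container.GroupScope)]"
    }
    Add-ADGroupMember -Identity $Container -Members $Member
}

$ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds all groups

# A -> G: the role group is named after the organization and holds the people.
$g = New-ADGroup -Name 'FIN-Analysts' -GroupScope Global -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $g -Members 'alice', 'bob'

# DL <- P: the resource group is named after the resource and the access level.
$dl = New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou -PassThru

# G -> DL, with the rule check in front of it (a DL -> G attempt would throw here).
Add-GroupMemberChecked -Member $g -Container $dl

# The permission is granted to the domain local group only, never to the global group.
$share    = '\\fs01\Finance'
$identity = "CORP\$($dl.SamAccountName)"
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit: domain local groups holding users directly (A -> DL), which skip the G layer
# and are the usual way an AGDLP design erodes over time.
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"' -SearchBase $ou |
    ForEach-Object {
        $grp    = $_
        $direct = Get-ADGroupMember -Identity $grp | Where-Object { $_.objectClass -eq 'user' }
        if ($direct) {
            [pscustomobject]@{ Group = $grp.Name; DirectUsers = ($direct.SamAccountName -join ', ') }
        }
    }
```

The nesting check is the part worth keeping: Add-ADGroupMember itself will reject an impossible nesting, but only after a round trip to the domain controller, and the error does not say which rule was broken. Encoding the rules locally also lets the same function validate a planned group design before any object is created.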

In summary, the main role of a global group is to plan according to the organizational and administrative structure; the role of a domain local group is to plan according to resources; and the main function of a universal group is to join the organizational and administrative structure to the resource plan. A proverb sums it up: "people are grouped by kind, things are gathered by class." The global group sorts the people, the domain local group sorts the resources (the objects), and the universal group connects the people to the resources.
