70-282 Exam Cram: Group Scopes [Microsoft Small Business Specialist Primer book excerpt]

Hiya folks – I am the publisher of the Microsoft Small Business Specialist Primer book and I like to hold virtual book readings. BTW – my SBS 2008 book is here….cheers….harrybbbb

Group Scopes

At this point we are going to add to the mix by defining the scope of each group and how the groups can interact with each other. This is an important part of securing Windows Server 2003. The scopes are:

· Domain local.

· Built-in local.

· Global.

· Universal.

The Domain local group can be used for assigning permissions within the local domain only. A domain local group can contain user accounts and global and universal groups from any domain and other domain local groups from the same domain. A domain local group:

· Can be changed to a universal group only if it does not have other domain local groups as its members.

· Is listed in the global catalog, but the memberships are not.

Built-in local groups have domain local permissions. They cannot be created or deleted, just modified. Often they are included in the domain local groups.

Global groups can contain accounts and other global groups from the same domain in Windows Server 2003 and Windows 2000 Server in native mode. A global group can be used for assigning permissions throughout the entire forest. A global group can only contain user accounts and global groups from the same domain the global group is in.

· A global group can be changed to a universal group if it is not a member of another global group.

· A global group is listed in the global catalog, but its memberships are not.


Chapter 6 Securing Windows Small Business Server 2003

A universal group in Windows Server 2003 and Windows 2000 Server in native mode can be used for assigning permissions throughout the entire forest. A universal group can contain user accounts, computer accounts, and global and universal groups from any domain in the forest. Unlike domain local and global groups, universal groups are replicated to every global catalog in the entire forest.

· A universal group can be changed to a domain local group at any time.

· A universal group can be changed to a global group only if it does not have other universal groups as its members.

· A universal group can be listed in all global catalogs in all domains across the forest.
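The nesting and scope-change rules above can be checked mechanically. The following is an added example, not code from the book: a small Python model of those rules run over a constructed two-domain forest, where the `Principal` class, the function names and all group, user and domain names are made up for illustration.

```python
from dataclasses import dataclass, field

DL, GLOBAL, UNIVERSAL, ACCOUNT = "domain local", "global", "universal", "account"

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = ACCOUNT          # ACCOUNT for users/computers, else a group scope
    members: list = field(default_factory=list)

def may_contain(parent, member):
    """Membership rules as the excerpt states them."""
    same_domain = parent.domain == member.domain
    if parent.scope == DL:         # anything from any domain, DL groups only from its own
        return same_domain or member.scope != DL
    if parent.scope == GLOBAL:     # accounts and global groups, same domain only
        return same_domain and member.scope in (ACCOUNT, GLOBAL)
    if parent.scope == UNIVERSAL:  # accounts, global and universal groups, any domain
        return member.scope in (ACCOUNT, GLOBAL, UNIVERSAL)
    return False                   # accounts hold no members

def may_convert(group, new_scope, all_groups):
    """Scope-change rules from the excerpt's bullets; other changes are not described."""
    nested = {m.scope for m in group.members}
    change = (group.scope, new_scope)
    if change == (DL, UNIVERSAL):
        return DL not in nested
    if change == (GLOBAL, UNIVERSAL):
        return not any(g.scope == GLOBAL and group in g.members for g in all_groups)
    if change == (UNIVERSAL, DL):
        return True
    if change == (UNIVERSAL, GLOBAL):
        return UNIVERSAL not in nested
    return False

def audit(groups):
    """Return (group, member) name pairs that break the nesting rules."""
    return [(g.name, m.name) for g in groups for m in g.members if not may_contain(g, m)]

def sample():  # constructed two-domain forest; all names are made up
    alice = Principal("alice", "corp")
    sales = Principal("Sales", "corp", GLOBAL, [alice])
    staff = Principal("Staff", "corp", GLOBAL, [sales])
    bad = Principal("BranchSales", "branch", GLOBAL, [alice])      # cross-domain account
    share = Principal("ShareRW", "corp", DL, [staff, bad])
    return [sales, staff, bad, share]

if __name__ == "__main__":
    print(audit(sample()))
```

Running it reports the one membership that breaks the rules: a global group holding an account from another domain.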

The underlying idea is to place a user account into the proper group so that you have to manage the user account only once and, through its group membership, the account inherits the proper permissions assigned to all resources on the domain.

All security groups in SBS have universal group membership by default when they are created, which means they can be placed into any domain local group. In reality, we only need domain local groups and global groups, because SBS will never be replicating to another domain. The day may come when you transition into a Windows Server 2003 solution. (See Chapter 9 on expanding networks.) Placing users into appropriate groups and applying proper group strategies allows the administration of a domain with the least amount of effort.

cheers….harrybbbb

Harry Brelsford, CEO at SMB Nation (www.smbnation.com)

MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)

PS – my Small Business Server 2008 (SBS 2008) book is now here!
