The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing.
Designing an appropriate group strategy for accessing resources
As a general rule, you need to avoid assigning permissions to individual users for each of the resources that they use. Instead, assign permissions to groups of users. In the long term, this method saves you time and makes troubleshooting permissions much easier. The type of groups that you can use to assign permissions depends upon whether the user accounts are located on a computer or in the Active Directory of a domain. For domain accounts, your choice of groups also depends on the functional level of the domain. In most cases, with accounts located on a single computer in a workgroup, you simply place the user account into a Local group that exists only on that computer and give the local group permissions for the resource. In this way, the user account gains the permissions by being a member of the Local group. You can remember this method by the letter sequence of A L P, which translates to "Accounts go into Local groups and then the Local groups get Permissions."
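The A L P sequence on a standalone computer, as an added PowerShell example (not the book's own material): the account goes into a local group, and only the local group is written into the folder's ACL. The group name, the local user alice and the folder C:\Apps\Reports are hypothetical; the script uses the Microsoft.PowerShell.LocalAccounts cmdlets, which ship with Windows 10 and Windows Server 2016 and later rather than with Windows Server 2003, and needs an elevated session.

```powershell
# Added example, not from the book: A L P on a standalone Windows computer.
# Hypothetical values: local user 'alice' already exists and C:\Apps\Reports
# is the resource being protected.

$groupName = 'App_Report_Readers'   # hypothetical local group
$folder    = 'C:\Apps\Reports'       # hypothetical resource
$user      = 'alice'                 # hypothetical local account

# A -> L: create the local group (once) and put the account in it.
if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $groupName -Description 'Read access to report files' | Out-Null
}
Add-LocalGroupMember -Group $groupName -Member $user -ErrorAction SilentlyContinue

# L -> P: grant the permission to the group, never to the user directly.
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$groupName",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: the explicit (non-inherited) entries should name the group only.
# Any individual user account listed here is a sign the A L P rule was bypassed.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The final check is the part worth keeping in a script: when troubleshooting, an ACL that lists only groups is the expected state, and a stray user entry tells you someone granted access directly instead of through the group.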
Assigning permissions for domain accounts in Active Directory is more complicated. First, the types of groups you can use depend on the functional level of the domain. Second, the strategy that you use in regard to groups depends on what you want to isolate and how you want to manage the groups. With domain accounts, in general, you can remember the sequence of A G U DL P, which translates to "Accounts go into Global groups, Global groups go into Universal groups, Universal groups go into Domain Local groups and the Domain Local groups get the Permissions." Figure 6.3 illustrates this concept.
Figure 6.3 The acronym A G U DL P applies to domain account group permission assignments.
Let's take a closer look at all of the types of groups that we can use and how and when we use them. You need to be familiar with the following domain group types:
- Global groups
- Domain local groups
- Universal groups
Global groups
Global groups are created in the Active Directory of one domain but can be placed into Domain local groups in any domain or into a Universal group. Global groups can contain users from the domain in which they are created. They can also contain other global groups if the domain is at the Windows 2000 native functional level or higher. This is called nesting global groups.
Domain local groups
Domain local groups are created in the Active Directory of one domain and control access to a resource that is contained in that domain. Domain local groups can contain users, but Microsoft does not recommend this. Instead, Domain local groups should contain only global groups from any domain in the Active Directory forest and universal groups, if some domains in the forest are at the Windows 2000 native functional level or higher.
Universal groups
Universal groups can be created only on a domain controller whose domain is at the Windows 2000 native functional level or higher. Universal groups are created in Active Directory but are not specific to any domain. Universal groups can, therefore, contain members from any domain and can be used to give access to a resource in any domain. Users can be members of universal groups, but Microsoft does not recommend this. Instead, Universal group membership should be restricted to global groups and other universal groups.
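The full A G U DL P chain from Figure 6.3, built with the three group types just described, as an added PowerShell example (not the book's own material). It uses the ActiveDirectory module, which arrived with Windows Server 2008 R2 rather than with Windows Server 2003, but the design pattern is the same one the chapter describes. The domain corp.example.com, the OU=Groups container, the users alice and bob, the group names and the folder D:\Shares\Finance are all hypothetical; the ACL step is meant to run on the file server that hosts the share, as a member of the resource's domain.

```powershell
# Added example, not from the book: building an A G U DL P chain.
# Hypothetical names: domain corp.example.com, OU=Groups, users alice/bob,
# and the share folder D:\Shares\Finance on a member server.

Import-Module ActiveDirectory
$ou     = 'OU=Groups,DC=corp,DC=example,DC=com'
$domain = Get-ADDomain

# Universal groups need at least Windows 2000 native mode. The domain object's
# ntMixedDomain attribute is 1 in mixed mode and 0 in native mode.
$ntMixed = (Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain).ntMixedDomain
if ($ntMixed -eq 1) {
    throw "Domain $($domain.DNSRoot) is in Windows 2000 mixed mode; universal groups are unavailable."
}

# Helper (hypothetical): create a security group of the given scope if it does not exist.
function New-ScopedGroup {
    param([string]$Name, [string]$Scope, [string]$Description)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $ou)) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
            -GroupCategory Security -Path $ou -Description $Description
    }
}

# A -> G: accounts go into a Global group in their own domain.
New-ScopedGroup -Name 'G_Finance_Staff' -Scope Global -Description 'Finance department users'
Add-ADGroupMember -Identity 'G_Finance_Staff' -Members 'alice', 'bob'

# G -> U: global groups (from any domain in the forest) go into a Universal group.
New-ScopedGroup -Name 'U_Finance_AllDomains' -Scope Universal -Description 'Finance staff, forest-wide'
Add-ADGroupMember -Identity 'U_Finance_AllDomains' -Members 'G_Finance_Staff'

# U -> DL: the Universal group goes into a Domain Local group in the resource's domain.
New-ScopedGroup -Name 'DL_FinanceShare_Modify' -Scope DomainLocal -Description 'Modify on the Finance share'
Add-ADGroupMember -Identity 'DL_FinanceShare_Modify' -Members 'U_Finance_AllDomains'

# DL -> P: only the Domain Local group appears in the resource ACL (run on the file server).
$folder = 'D:\Shares\Finance'
$acl    = Get-Acl -Path $folder
$rule   = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$($domain.NetBIOSName)\DL_FinanceShare_Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: -Recursive expands the nesting down to leaf objects, so alice and bob
# should be listed even though they are not direct members of the Domain Local group.
Get-ADGroupMember -Identity 'DL_FinanceShare_Modify' -Recursive |
    Select-Object Name, objectClass
```

Two points the script makes concrete: the functional-level check comes first because the Universal group step simply cannot be performed in mixed mode, and the recursive membership query at the end is the practical way to confirm that a user's effective access really flows through the chain rather than through a direct entry on the resource.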