JSI Tip 2407. Windows 2000 group types and scope usage.

Jerold Schulman

May 21, 2000


Windows NT 4.0 has Global and Local groups, which are considered to be Security groups.

Windows 2000 has two types of groups: Security groups, which control access and can also be used as e-mail distribution lists, and Distribution groups, which are used for e-mail distribution and other administrative grouping but are not security enabled.

Windows 2000 has 3 scopes: Universal, Global, and Domain Local.

NOTE: In Native-mode domains, group types can be altered, but are fixed at creation in Mixed-mode domains.

Universal groups are only available in Native-mode and can be used anywhere within the same forest. They can be nested, have users directly assigned, and can be used with ACLs. Universal groups are stored in the Global Catalog (GC) and incur a replication load. If used on a WAN, they should be relatively static.

Global groups are the primary scope into which users are placed in Mixed-mode domains. Since they are domain-centric, they cannot be the only mechanism to restrict/allow access to an object from a different domain, and they do not impose GC replication loads. In Native-mode domains, Global groups can be nested.

Domain Local groups can be used for the direct assignment of access policies on objects that are NOT directly stored in the Active Directory (AD), as parts of the AD are replicated to other domains.
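As an added example (not part of the original tip): Active Directory records a group's type and scope together in its `groupType` attribute, which the tip does not name. The sketch below decodes that value as LDAP returns it and lists ACL trustees that resolve to Distribution groups, which matters after a Security group has been altered to Distribution in a Native-mode domain. The group names, values and ACL are constructed sample data.

```python
# Added example: decode the AD groupType attribute and audit ACL trustees.
# All group names, groupType values and the ACL below are constructed.
SECURITY_ENABLED = 0x80000000
SCOPES = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}


def decode_group_type(value):
    """Return (type, scope) for a groupType value as read over LDAP."""
    bits = value & 0xFFFFFFFF  # LDAP reports the attribute as a signed 32-bit int
    scopes = [name for flag, name in SCOPES.items() if bits & flag]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value} does not carry exactly one scope bit")
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    return kind, scopes[0]


def ineffective_ace_trustees(groups, acl_trustees):
    """ACL trustees that are Distribution groups, so their ACEs grant or deny nothing."""
    findings = []
    for name in acl_trustees:
        if name in groups:
            kind, scope = decode_group_type(groups[name])
            if kind == "Distribution":
                findings.append((name, scope))
    return findings


# Constructed sample: group name -> groupType value
SAMPLE_GROUPS = {
    "Finance-Users": -2147483646,     # 0x80000002 Security, Global
    "Finance-Share-RW": -2147483644,  # 0x80000004 Security, Domain Local
    "All-Staff": -2147483640,         # 0x80000008 Security, Universal
    "Newsletter": 2,                  # Distribution, Global
    "Contractors-Deny": 8,            # Distribution, Universal
}
# Constructed sample: trustees named on one resource's ACL
SAMPLE_ACL = ["Finance-Share-RW", "Contractors-Deny", "Newsletter"]

if __name__ == "__main__":
    for name, group_type in SAMPLE_GROUPS.items():
        print(name, decode_group_type(group_type))
    print(ineffective_ace_trustees(SAMPLE_GROUPS, SAMPLE_ACL))
```

A Distribution group is not security enabled, so an ACE that still names one, including a deny entry, no longer affects access.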
