JSI Tip 2407. Windows 2000 group types and scope usage.
May 21, 2000
Windows NT 4.0 has Global and Local groups, which are considered to be Security groups.
Windows 2000 has two types of groups, Security, which controls access and can be used as e-mail distribution lists, and Distribution, which are used for e-mail distribution and others administrative grouping, but they are not security enabled.
Windows 2000 has 3 scopes, Universal, Global, and Domain Local.
NOTE: In Native-mode domains, group types can be altered, but are fixed at creation in Mixed-mode domains.
Universal groups are only available in Native-mode and can be used anywhere within same forest. They can be nested, have users directly assigned, and can be used with ACLs. Universal groups are stored in the Global Catalog (GC) and incur a replication load. If used on a WAN, they should be relatively static.
Global groups are the primary scope into which users are placed in Mixed-mode domains. Since they are domain-centric, they can not be the only mechanism to restrict/allow access to an object from a different domain, and they do not impose GC replication loads. In Native-mode domains, Global groups can be nested.
Domain Local groups can be used for the direct assignment of access policies on objects that are NOT directly stored in the Active Directory (AD), as parts of the AD are replicated to other domains.
About the Author
You May Also Like