User and Group Management
Robert McIntosh looks at what's new in Windows 2000 for user and group management.
August 27, 2000
For effective user and group management, Microsoft suggests that you place user accounts into global groups, which you then place into local groups; you assign local groups permissions to access resources. Although this basic organizational concept remains in Windows 2000, Microsoft has made some changes with the introduction of group type and group scope. This week, I look at these changes and how they affect group management.
You use the Active Directory Users and Computers snap-in to create groups in Win2K. When you create a new group, notice that in addition to the group name, you can choose one of two group types and three different group scopes, as Figure 1 shows.
Group Types: Security or Distribution
In NT 4.0, all groups are security groups. You use security groups to manage access to shared resources (i.e., the groups that you assign permissions to). You also use security groups to assign individual user rights. However, in Win2K, you control user rights with Group Policy, which security groups filter (for more information about using security groups to filter Group Policy, see Implementing Group Policy).
Distribution groups are new to Win2K. Distribution groups don't play a role in security but instead function as email distribution lists for AD-aware email applications such as Exchange 2000. Both security and distribution groups can have a scope of Domain Local, Global, or Universal, depending on domain mode.
Domain Mode and Group Scopes
Win2K's default domain mode is Mixed Mode, which lets Win2K domain controllers and NT BDCs coexist. When you have upgraded all your BDCs to Win2K domain controllers, you can then switch to Native Mode. This step makes Universal groups available and lets you nest groups. To change from Mixed to Native mode, open Active Directory Users and Computers, right-click your domain, choose Properties, and, on the General tab, click Change Mode. Table 1 details the capabilities that Domain Local, Global, and Universal scopes allow in both Mixed and Native modes.
| Group Scope | Can Have as Members | Can Be a Member of | Can Be Used to Assign Permission to Access Resources in |
|---|---|---|---|
| Domain Local | Mixed Mode: user accounts and global groups from any domain in the forest. Native Mode: in addition to the above, universal groups from any domain in the forest and domain local groups from the same domain | Mixed Mode: not applicable. Native Mode: domain local groups from the same domain | The domain in which it is created |
| Global | Mixed Mode: user accounts from its own domain. Native Mode: in addition to the above, global groups from its own domain | Mixed Mode: domain local groups. Native Mode: universal and domain local groups in any domain in the forest, and global groups in the same domain | All domains in the forest |
| Universal | Mixed Mode: not applicable. Native Mode: user accounts, global groups, and other universal groups from any domain in the forest | Mixed Mode: not applicable. Native Mode: domain local and universal groups in any domain | All domains in the forest |
Group Strategies
Universal groups don’t provide an advantage in a single-domain environment, so your group strategy for Win2K doesn't change much from NT 4.0’s user and group management. If you are in a native-mode single domain, you can nest global groups in situations where multiple departments need similar access to resources.
In a multidomain environment, universal groups become beneficial because they can have as members global groups from any domain in the forest. You can then assign the universal group permission to a resource directly, or you can add it to the appropriate local groups. You may add user accounts directly to universal groups, but you should use global groups instead because individual members of domain local and global groups aren't listed in the Global Catalog (GC), but members of the universal groups are. Adding individual users to universal groups can cause GC replication traffic when universal group membership changes.
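To make Table 1 and the multidomain strategy above concrete, here is an added Python model (not from the article or from Microsoft) that encodes the "Can Have as Members" column for both domain modes and checks a proposed nesting chain, flagging a user placed directly in a universal group because of the GC replication cost described above. The `Principal` class, the domain names and the group names are constructed for this example.

```python
from dataclasses import dataclass
MIXED, NATIVE = "mixed", "native"
USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "user", "domain local", "global", "universal"

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # USER, or the group's scope
    domain: str  # DNS name of the domain the object lives in

def can_be_member(member, group, mode):
    """The 'Can Have as Members' column of Table 1 for the given domain mode."""
    same_domain = member.domain == group.domain
    if group.kind == DOMAIN_LOCAL:
        if member.kind in (USER, GLOBAL):      # any domain in the forest, both modes
            return True
        if mode == NATIVE:                     # native adds universal groups (any domain)
            return member.kind == UNIVERSAL or (member.kind == DOMAIN_LOCAL and same_domain)
        return False
    if group.kind == GLOBAL:                   # own domain only; nesting needs native mode
        if member.kind == USER:
            return same_domain
        return mode == NATIVE and member.kind == GLOBAL and same_domain
    if group.kind == UNIVERSAL:                # universal groups exist only in native mode
        return mode == NATIVE and member.kind in (USER, GLOBAL, UNIVERSAL)
    return False

def check_nesting(chain, mode):
    """Walk a proposed chain [user, group, group, ...] and list every rule it breaks,
    plus the GC-replication warning for users placed directly in a universal group."""
    problems = []
    for member, group in zip(chain, chain[1:]):
        if not can_be_member(member, group, mode):
            problems.append(f"{member.kind} '{member.name}' cannot be a member of "
                            f"{group.kind} '{group.name}' in {mode} mode")
        elif member.kind == USER and group.kind == UNIVERSAL:
            problems.append(f"user '{member.name}' is a direct member of universal group "
                            f"'{group.name}'; use a global group to limit GC replication")
    return problems

# Constructed sample forest: a root domain and a child domain (placeholder names).
alice = Principal("alice", USER, "emea.corp.example")
g_emea_sales = Principal("EMEA Sales", GLOBAL, "emea.corp.example")
u_sales = Principal("All Sales", UNIVERSAL, "corp.example")
dl_reports = Principal("Sales Reports Readers", DOMAIN_LOCAL, "corp.example")
RECOMMENDED = [alice, g_emea_sales, u_sales, dl_reports]  # user -> global -> universal -> domain local

if __name__ == "__main__":
    for mode in (MIXED, NATIVE):
        print(f"{mode} mode:", check_nesting(RECOMMENDED, mode) or "ok")
```

Run stand-alone it reports the two breaks the same chain has in mixed mode (no universal groups) and "ok" in native mode.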
Understanding group strategies and how to implement them can be challenging, and just enough has changed in Win2K to make you have to stop and think. For most companies, however, this migration offers a great opportunity to learn from what they did wrong in NT 4.0 and design a more manageable group implementation.