Network basics: Part 14 - Security groups

Brien M. Posey

In the previous article, I showed you how to create a security group in Windows Server 2003. When you did so, you probably noticed that Windows lets you create several different types of groups, as shown in Figure A. Each of these group types has a specific purpose. In this article, I will explain what each type of group is used for.

Figure A: Windows allows you to create a number of different types of groups.

If you look at the dialog box shown above, you will see that the Group Scope area provides options for creating domain local, global, or universal groups. There is also a fourth group type that is not shown here; it is simply called a local group.

Local Group

Local groups are specific to an individual computer. As you probably already know, a computer can have multiple user accounts that are completely independent of the domain the computer is joined to. These are known as local user accounts, and they are only accessible from the computer on which they reside. Local user accounts can exist only on workstations and member servers; domain controllers do not have local user accounts. With that in mind, it should come as no surprise that local groups are likewise specific to each member server or workstation. A local group is often used to manage local user accounts. For example, the local Administrators group lets you specify which users are administrators on the local computer.

Although local groups can only be used to secure resources residing on the local computer, that does not mean their membership is restricted to local users. A local group can, and often does, include local users, but it can also include domain users. Furthermore, local groups can include groups residing at the domain level. For example, if you make a universal group a member of a local group, the members of that universal group effectively become members of the local group. In fact, a local group can contain local users, domain users, domain local groups, global groups and universal groups.

There are two caveats you need to know about. First, a local group cannot contain another local group. It may seem as though you should be able to drop one group into another, but you cannot do that with local groups. Someone at Microsoft once explained that the reason for this restriction is to prevent a situation in which two local groups become members of each other.

The second caveat is that local groups can include domain users and domain-level groups only if the computer hosting the local group is a member of a domain. Otherwise, local groups can only include local users.

Domain Local Groups

Having just read about local groups, you may find that the idea of domain local groups seems like a contradiction. Domain local groups exist because domain controllers do not have a local account database. This means there is no such thing as a local user or a local group on a domain controller. Even so, domain controllers have local resources that need to be managed, and this is where domain local groups come in.

When you install Windows Server 2003 on a computer, the computer starts out as either a stand-alone server or a member server. In both cases, local groups and local user accounts are created during the installation process. Now suppose you want to convert that machine into a domain controller. When you run DCPROMO, the local groups and local user accounts are converted into domain local groups and domain user accounts.

Keep in mind that all domain controllers within a domain share a single user account database. This means that if you add a user to a domain local group on one domain controller, that user will be a member of the domain local group on every domain controller in the domain.

The most important thing to note about domain local groups is that there are two different kinds. As mentioned, when DCPROMO is run, local groups are converted into domain local groups. Any domain local groups created by running DCPROMO are located in the Builtin container in the Active Directory Users and Computers console, as shown in Figure B.

Figure B: Domain local groups created by DCPROMO reside in the Builtin container.

This distinction matters because certain restrictions apply to the domain local groups in the Builtin container. These restricted groups cannot be moved or deleted, and you cannot make them members of other domain local groups.

These restrictions do not apply to domain local groups that you create yourself. Such groups exist in the Users container, and from there you are free to move or delete them as you see fit.

For all the work we have done with Windows Server, we have yet to find a good reason for creating domain local groups. In practice, these groups are essentially the same as global groups, except that they are restricted to a specific domain.

Global Groups

Global groups are the most commonly used group type. In most cases, a global group simply acts as a collection of Active Directory user accounts. What is notable about these groups is that they can be nested: you can make a global group a member of another global group, as long as both groups exist within the same domain.

It should be noted that global groups can only contain Active Directory objects. Therefore, you cannot place a local user account or a local group in one. However, you can add a global group to a local group, and doing so is the most common way of granting domain users permissions to the resources stored on a local computer. For example, suppose you want the managers in your company to have administrator rights on their workstations (remember that this is just an example, not a recommendation). To do that, you could create a global group called Managers and place each manager's domain user account in it. You could then add the Managers group to each workstation's local Administrators group, and your managers would have administrator rights on those workstations.
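The Managers procedure above, written out as an added PowerShell example (this is not code from the article). The domain name CONTOSO, the OU path, the account names and the workstation names are placeholders; the script assumes the ActiveDirectory module on the admin machine and the Microsoft.PowerShell.LocalAccounts module on the workstations, which exist on Windows 10 / Server 2016 and later rather than on Server 2003, where the last step is `net localgroup Administrators CONTOSO\Managers /add`. The final step reads the local Administrators membership back so the change can be verified and recorded.

```powershell
# Added example, not from the article. CONTOSO, the OU, the user and
# workstation names below are all placeholders.
Import-Module ActiveDirectory

$GroupName    = 'Managers'
$GroupPath    = 'OU=Groups,DC=contoso,DC=com'
$Managers     = @('alice', 'bob')          # sAMAccountNames (placeholders)
$Workstations = @('WS-ALICE', 'WS-BOB')    # placeholders

# 1. Create the global security group if it does not exist yet
#    (scope Global, category Security, as in the article's example).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# 2. Place each manager's domain user account in the global group.
Add-ADGroupMember -Identity $GroupName -Members $Managers

# 3. Nest the global group in each workstation's local Administrators
#    group, then return the resulting membership for review.
foreach ($ws in $Workstations) {
    Invoke-Command -ComputerName $ws -ArgumentList "CONTOSO\$GroupName" -ScriptBlock {
        param($member)

        $current = Get-LocalGroupMember -Group 'Administrators' |
                   Select-Object -ExpandProperty Name

        # Only add the group when it is not already a member.
        if ($current -notcontains $member) {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
        }

        # Report who is now a local administrator on this workstation.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Admins   = (Get-LocalGroupMember -Group 'Administrators').Name -join ', '
        }
    }
}
```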

Conclusion

In this article, I explained that Windows supports four different types of security groups and described the differences between local, domain local and global groups. In the next part of this series, I will continue the discussion with universal groups.
