Networking Basics: Part 15 - Universal Groups & Group Nesting


Brien M. Posey

In the previous part of this series, we introduced the concept of using groups to manage network access instead of assigning permissions directly to users. We also explained that Windows Server 2003 supports several other types of groups, and that each type has its own advantages and disadvantages.

In that article, we talked about local groups, domain local groups and global groups. You can manage an entire network using only these three group types. However, Windows Server 2003 supports another type of group as well: the universal group.

If you are still unsure about local groups, domain local groups and global groups, universal groups will at first look like the answer to your problem. Universal groups are essentially groups that are not subject to the restrictions placed on the other group types. For example, in the previous article I mentioned that you cannot put a local group or a domain local group into another local group. You can, however, put a universal group into a local group. The same goes for the other rules that apply to the other group types but not to universal groups.

This naturally raises the question of why you should use the other group types at all, if they have limitations that universal groups overcome.

One of the main reasons there are so many group types is that Windows Server is a product that has evolved gradually. Universal groups were introduced in Windows 2000 Server, along with Active Directory. Earlier versions of Windows Server (then called Windows NT Server) supported groups, but universal groups did not yet exist when those versions were current. When Microsoft released Windows 2000 Server, they wanted to keep supporting the other group types in order to stay compatible with Windows NT. Likewise, Windows Server 2003 still supports the pre-existing group types for compatibility reasons.

Because universal groups did not exist in the Windows NT Server era, Windows NT does not support them. This causes problems if you still have Windows NT servers on your network.

Windows 2000 Server is a marked improvement over Windows NT Server, but some of its new features only work on a network with no Windows NT Server domain controllers. To deal with this, Microsoft created the concept of native mode. We will say more about native mode later, but the basic idea is that when Windows 2000 Server is first installed, it runs in a mode called mixed mode. Mixed mode is fully compatible with Windows NT, but many Windows 2000 features cannot be used until you remove all Windows NT domain controllers and switch to native mode. Although the terminology is slightly different, the same basic concept applies to Windows Server 2003.

Universal groups are one of the features that only work if your domain controllers are running in Windows 2000 Server native mode or higher. That is why you cannot use universal groups in every situation.

Even if all of your servers run Windows Server 2003 and your forest is fully native, using universal groups is still, in most cases, a bad idea.

Earlier in this series we introduced the concept of global catalog servers. Global catalog servers are domain controllers assigned the task of keeping track of every object in the forest. Typically, each Active Directory site has its own copy of the global catalog, which means that whenever a global catalog server is updated, the updated information must be replicated to the other global catalog servers.

When you create a universal group, both the group name and the group's membership list are written to the global catalog. Creating many universal groups therefore bloats the global catalog. As the global catalog grows, so does the time it takes to replicate it from one global catalog server to another. Left unchecked, this can lead to network performance problems.

You may be wondering whether the other group types place the same load on the global catalog. They do not: global groups, for example, are listed in the global catalog, but their membership lists are not. Microsoft's basic guidance is therefore that it is perfectly fine to create universal groups, but you should use them sparingly.
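The replication cost described above is easy to measure. The following script is an added example, not part of the original article: it reports the domain and forest functional level (universal groups need the domain out of mixed mode), lists every universal group with the size of the membership list the global catalog has to carry, and lists the global catalog servers that replicate it. It assumes the ActiveDirectory PowerShell module (RSAT), which is newer than Windows Server 2003 and is run from a management host against the domain; the 500-member threshold is an assumed, adjustable value.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT; newer than Windows Server 2003), run from a management host.
Import-Module ActiveDirectory

# Universal groups are only available once the domain has left mixed mode;
# DomainMode and ForestMode report the functional level.
$domain = Get-ADDomain
$forest = Get-ADForest
"Domain {0} mode: {1}; forest mode: {2}" -f $domain.DNSRoot, $domain.DomainMode, $forest.ForestMode

# Every universal group, with the size of the member list that the global
# catalog must replicate. Read the Members attribute directly rather than
# calling Get-ADGroupMember, which caps out on very large groups.
$universal = Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Properties Members |
    Select-Object Name, DistinguishedName,
        @{ Name = 'MemberCount'; Expression = { @($_.Members).Count } } |
    Sort-Object MemberCount -Descending

$universal | Format-Table Name, MemberCount -AutoSize

# Flag universal groups with a large direct membership: these are the
# candidates for conversion to a global group, whose members stay out of
# the global catalog. The threshold is an assumed value; adjust it.
$threshold = 500
$universal | Where-Object { $_.MemberCount -gt $threshold } | ForEach-Object {
    Write-Warning ("Universal group '{0}' has {1} direct members; consider a global group instead." -f $_.Name, $_.MemberCount)
}

# The global catalog servers in the forest, i.e. the replication targets that
# pay for every universal group listed above.
Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true' |
    Select-Object HostName, Site
```

Run it periodically from the same host you use for directory administration; a universal group whose member count keeps growing is the one to restructure, typically by moving its users into global groups and nesting those into it instead.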

Group Nesting

The final group-related concept we want to introduce is nesting. The simplest way to explain nesting is to compare it with Russian dolls. These dolls are designed so that each one fits inside the next larger one: the smallest goes inside the next smallest, and so on, until all of the small dolls sit inside the largest. The idea of placing one object inside another similar object is called nesting.

There are many reasons to nest groups. One of the most common is matching resources to departments. For example, a company might start by creating a group for each department, such as a Finance group, a Marketing group and an IT group. Next, it puts each user into the group for the department that user works in. The next step is to create groups matching the various resources to which you need to grant access. For example, if you know that everyone in the finance department needs access to an accounting application, you can create a group that grants access to that application and then put the Finance group into it. You do not have to nest groups, but doing so often makes work in your organization easier while reducing the amount of ongoing administration. In the example above, you do not have to add each individual user account to the accounting application's group; you simply reuse the existing department group.

Note that not every group type can be nested in every other group type. The table below lists which group types can be nested where:

Group type      Can be nested in     Can be nested in          Can be nested in          Can be nested in
                Local groups         Domain Local groups       Global groups             Universal groups
Local           No                   No                        No                        No
Domain Local    Yes                  Yes (same domain only)    No                        No
Global          Yes                  Yes                       Yes (same domain only)    Yes
Universal       Yes                  Yes                       No                        Yes

Note:

If the domain is running in Windows 2000 mixed mode, the following limitations apply:

• Universal groups cannot be created
• Domain local groups can only contain global groups
• Global groups cannot contain other groups
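The department-to-resource nesting described above, together with the nesting table, can be carried out as follows. This script is an added example, not code from the original article: it creates Global department groups and a Domain Local resource group, checks the proposed nesting against the rules in the table before adding the member, and then verifies the effective membership by expanding the nesting. It assumes the ActiveDirectory PowerShell module (RSAT, newer than Windows Server 2003), and the OU path, group names and the Test-GroupNesting helper are all assumptions of the example.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT); the OU path and group names are placeholders to replace.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=com'   # assumed; replace with your own OU

# Nesting rules from the table: which scopes may be members of a group of the
# given scope. The same-domain restrictions are checked separately below.
$allowedMembers = @{
    'DomainLocal' = @('DomainLocal', 'Global', 'Universal')
    'Global'      = @('Global')
    'Universal'   = @('Global', 'Universal')
}

function Test-GroupNesting {
    # Returns $true when $Child may be nested inside $Parent according to the
    # table. Active Directory enforces the same rules itself; this pre-check
    # just gives a clearer message than a directory error would.
    param(
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADGroup] $Parent,
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADGroup] $Child
    )
    $parentScope = $Parent.GroupScope.ToString()
    $childScope  = $Child.GroupScope.ToString()
    if ($allowedMembers[$parentScope] -notcontains $childScope) { return $false }

    # Domain local in domain local, and global in global, need the same domain.
    $sameDomainOnly = ($parentScope -eq 'DomainLocal' -and $childScope -eq 'DomainLocal') -or
                      ($parentScope -eq 'Global'      -and $childScope -eq 'Global')
    if ($sameDomainOnly) {
        # Take the DC= tail of each distinguished name as the domain.
        $parentDomain = $Parent.DistinguishedName -replace '^.*?,(DC=.*)$', '$1'
        $childDomain  = $Child.DistinguishedName  -replace '^.*?,(DC=.*)$', '$1'
        return ($parentDomain -eq $childDomain)
    }
    return $true
}

# Department groups get Global scope: they hold users of one domain, can be
# nested into resource groups anywhere, and keep their members out of the
# global catalog.
foreach ($dept in 'Finance', 'Marketing', 'IT') {
    if (-not (Get-ADGroup -Filter "Name -eq '$dept'")) {
        New-ADGroup -Name $dept -SamAccountName $dept -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# The resource group gets Domain Local scope, because it is the group the
# accounting application's ACL will reference.
$resource = 'AccountingApp-Access'
if (-not (Get-ADGroup -Filter "Name -eq '$resource'")) {
    New-ADGroup -Name $resource -SamAccountName $resource -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# Nest the Finance department group into the resource group, checking the
# table first so an invalid combination is reported before touching AD.
$parent = Get-ADGroup -Identity $resource
$child  = Get-ADGroup -Identity 'Finance'
if (Test-GroupNesting -Parent $parent -Child $child) {
    Add-ADGroupMember -Identity $parent -Members $child
} else {
    Write-Error "A $($child.GroupScope) group cannot be nested in a $($parent.GroupScope) group."
}

# Every member of Finance now reaches the application through the nesting.
# -Recursive expands nested groups so you can audit the effective membership.
Get-ADGroupMember -Identity $resource -Recursive | Select-Object Name, SamAccountName
```

The last line is the check worth keeping in your routine: because access is now inherited through the department group, the recursive listing of the resource group, not its direct members, is what tells you who can actually reach the application.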

Conclusion

In this article, I have shown you some of the advantages of nesting one group inside another, along with some situations in which nesting applies. The next part of this series will introduce the principles by which the Windows operating system performs network connectivity; I invite you to read it.
