Directory Services: Design, Implementation, and Management
A guide to understanding and implementing a variety of directory services.
TABLE OF CONTENTS Directory Services: Design, Implementation, and Management
1.9: Groups
1.9 Groups
Windows NT 4.0 supports groups, a convenient way to bring one or more users together under a common heading. Windows 2000 introduces two types of general-purpose groups: security groups and distribution lists. Security groups contain security principals and are used for access control. Conceptually, they are similar in use and function to Windows NT 4.0 groups. Distribution lists are similar to the distribution lists currently in use by Exchange Server. Windows 2000 also introduces four group scopes with special behavior: universal groups, global groups, domain local groups, and local groups.
1.9.1 Universal groups
Universal groups are available throughout the forest. They may contain other universal or global groups or users from the current domain or any trusted domain. Because this type of group may contain objects located anywhere in the forest, they are expensive to use in terms of performance when used in Access Control Lists (ACLs). Authorization still requires authentication performed by the domain in which the user belongs.
Universal groups are published in GCs; however, when used as distribution lists, replicating them locally to users via GCs provides applications such as Exchange with a convenient, powerful, and simple way to implement global address list.
The implication of publishing universal groups in GCs affects the authentication process. During the authentication process a DC will contact a GC to verify the membership of the users in the universal groups. This means that DCs require GCs to add the SID of universal groups in the token or ticket of...
Copyright Butterworth-Heinemann 2002 under license agreement with Books24x7
