How to Cheat at Designing a Windows Server 2003 Active Directory Infrastructure

We have discussed the concept of delegation several times throughout this chapter, but up to this point we have not really discussed how delegation can be accomplished. In this section, we will see how you can use group membership to provide different types of delegation. Next, we will see how you can use roles to control administration and application access.
Delegation using groups is generally divided into two classes: data access groups and administrative access groups. In the following sections, we will analyze and compare the use of groups for administrative and data purposes.
Data access groups are used in conjunction with DACLs to regulate users' access to resources in Active Directory. The DACL contains access control entries (ACEs) that determine the users' access to a given object.
Windows Server 2003 includes three types of security groups to provide data access control:
Domain local groups
Global groups
Universal groups
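The following added example (not from the book) models how the ACEs in a DACL combine with a user's group memberships to decide access. It goes beyond the text by showing ordered ACE evaluation and nested membership. The group names, rights bits and helper functions are constructed for illustration.

```python
from collections import namedtuple

# Constructed access-mask bits for the example (not real Windows constants).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

# allow: True = access-allowed ACE, False = access-denied ACE
# trustee: user or group the ACE applies to; mask: rights allowed or denied
Ace = namedtuple("Ace", "allow trustee mask")

def expand_groups(principal, member_of):
    """Return the principal plus every group reached through nesting."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(member_of.get(name, ()))
    return seen

def access_check(token, dacl, desired):
    """Walk the ACEs in order and decide whether 'desired' is granted."""
    if dacl is None:             # object has no DACL: access is unrestricted
        return True
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token:
            continue             # ACE names a group the user is not in
        if not ace.allow and ace.mask & remaining:
            return False         # deny ACE hits a right not yet granted
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True          # every requested right has been granted
    return False                 # rights never granted are implicitly denied

# Constructed directory data: users -> global groups -> domain local groups.
MEMBER_OF = {
    "alice": ["GG-Finance"],
    "bob": ["GG-Finance", "GG-Contractors"],
    "GG-Finance": ["DL-Reports-Modify"],
    "GG-Contractors": ["DL-Reports-DenyWrite"],
}
# Constructed DACL on a resource, with the deny ACE listed before the allow ACE.
REPORTS_DACL = [
    Ace(False, "DL-Reports-DenyWrite", WRITE | DELETE),
    Ace(True, "DL-Reports-Modify", READ | WRITE),
]

def can(user, desired, dacl=REPORTS_DACL):
    return access_check(expand_groups(user, MEMBER_OF), dacl, desired)
```

Note that an empty DACL (`[]`) denies everyone, while a missing DACL (`None`) grants everyone, which is why the two cases are handled separately.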
| Tip | The most important aspect of networking to most users is that they can access the resources that they need. Once that goal is accomplished, the next major concern for most users is the speed with which they can access resources. Providing the lowest-latency, fastest service possible reflects proper design and tuning. Make sure you know a few methods for tuning network performance (scheduling replication traffic, setting costs, or disabling unneeded settings such as user or machine configurations in GPOs). |
Domain local groups are placed within...