MCSE Designing a Windows Server 2003 Active Directory and Network Infrastructure: Exam 70-297 Study Guide

We have discussed the concept of delegation several times throughout this chapter, but up to this point we have not really discussed how delegation can be accomplished. In this section, we will see how you can use group membership to provide different types of delegation. Next, we will see how you can use roles to control administration and application access.
Delegation using groups is generally divided in to two classes: data access groups and administrative access groups. In the following sections, we will analyze and compare the use of groups for administrative and data purposes.
Data access groups are used in conjunction with DACLs to regulate users access to resources in Active Directory. The DACL contains access control entries (ACEs) that determine the users access to a given object.
Windows Server 2003 includes three types of security groups to provide data access control:
Domain local groups
Global groups
Universal groups
Domain local groups are placed within the DACLs to provide permissions. Domain local groups can have the following members: accounts, universal groups, and global groups, all from any domain if the domain functional level is set to Windows 2000 Native Mode or higher. These groups can also have other domain local groups from within the same domain as members. Domain local groups, as their name implies, are local to the particular domain where they are created.
| Test Day Tip | The... |