Learn AD in 15 Minutes a Week: Active Directory Groups Page 2
Domain Local Groups in a Mixed Mode Domain can contain users, global groups and universal groups from any domain in the forest. In Native Mode, they can also contain domain local groups from their own domain and can be members of other domain local groups in their own domain.
Security Domain Local Groups can be assigned permissions for any resource in the domain where the domain local group resides.
Security Global Groups organize domain user objects across domains. Distribution Global Groups provide non-security-related functions (e.g., e-mail) for group members across domains.
Global Groups in a Mixed Mode Domain can contain user accounts from the group's local domain. In Native Mode they can contain other global groups (called Group Nesting) from the local domain.
Global Groups in a Mixed Mode Domain can be members of Domain local groups in any domain in the forest. In Native Mode they can be a member of another global group (nested in another Global Group) in their own domain.
Security Global Groups can be assigned permissions for all of the domains in the forest.
Security Universal Groups are used to group users and grant permissions across an entire forest.
Distribution Universal Groups provide non-security-related functions (e.g., e-mail) for group members across the entire forest.
A Windows 2000 domain must be in native mode to create Universal Security Groups. In Mixed Mode only Universal Distribution Groups are available.
Universal Groups can contain user accounts, global groups and universal groups from any domain in the forest and can be a member of Domain local groups and other universal groups in any domain in the forest.
Universal Groups can be assigned permissions for all domains in the forest and should be used to nest global groups so that permissions can be more easily assigned to related resources in multiple domains. Individual users should not be added singly to universal groups, and you should keep membership changes in Universal Groups to a minimum, as these changes must be replicated throughout the forest.
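The following read-only audit is an added example, not part of the original article: it lists user accounts that are direct members of universal groups, which the guidance above says to avoid. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the directory; the function name and the optional `-Server` parameter are hypothetical, and members that cannot be resolved against the queried domain controller (for example, accounts from another domain) are reported as `unresolved`.

```powershell
# Added example: read-only audit, only Get-* cmdlets are used.
Import-Module ActiveDirectory

function Get-UniversalGroupDirectUser {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: domain controller to query (default DC if omitted)
        [string]$Server
    )

    # Pass -Server through to both cmdlets only when it was supplied
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Every universal group, security and distribution alike
    $groups = Get-ADGroup -Filter "GroupScope -eq 'Universal'" -Properties member @common

    foreach ($group in $groups) {
        foreach ($dn in $group.member) {
            try {
                # Resolve the member DN to find out what kind of object it is
                $obj   = Get-ADObject -Identity $dn @common -ErrorAction Stop
                $class = $obj.ObjectClass
            } catch {
                # Typically a member that lives in another domain of the forest
                $class = 'unresolved'
            }

            # Nested groups are the intended members; report users and unknowns
            if ($class -in 'user', 'unresolved') {
                [pscustomobject]@{
                    Group    = $group.Name
                    Category = $group.GroupCategory   # Security or Distribution
                    Member   = $dn
                    Class    = $class
                }
            }
        }
    }
}

Get-UniversalGroupDirectUser | Sort-Object Group, Member | Format-Table -AutoSize
```

Each row for a Security universal group is a user whose forest-wide permissions are granted directly rather than through a nested global group.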
When setting up access to any server it is important to remember that:
- Authentication determines the identity of a user
- Permissions determine what a valid user can access once authenticated