Groups are containers that can contain user and computer objects within them as members. When security permissions are set for a group in the access control list (ACL) on a resource, all members of that group receive those permissions.
Windows Server 2003 has two group types: security and distribution. Security groups are used to assign permissions for access to network resources. Distribution groups are used to combine users for e-mail distribution lists. Security groups can be used as a distribution group, but distribution groups cannot be used as security groups. Proper planning of group structure affects maintenance and scalability, especially in the enterprise environment, in which multiple domains are involved.
Tip Although settings for individual security principals—users and computers—can be set by ACLs, those settings are the exception rather than the rule of best administrative practices. If you find that you are setting an inordinate number of exceptions in ACLs for a user within a group, the user’s membership in that group should be reexamined.
After this lesson, you will be able to
■ Identify the two types of groups and their proper use
■ Identify the three types of group scope and their proper use
■ Understand the difference between groups and identities
Estimated lesson time: 15 minutes
Domain Functional Levels
In Windows Server 2003, four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
■ Windows 2000 mixed For supporting Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers
■ Windows 2000 native For supporting Windows 2000 and Windows Server 2003 domain controllers
■ Windows Server 2003 interim For supporting Windows NT 4 and Windows Server 2003 domain controllers
■ Windows Server 2003 For supporting Windows Server 2003 domain controllers
Limitations on group properties discussed in this chapter and elsewhere in this book will refer to these domain functional levels.
Chapter 4 Group Accounts
Group Scope
Group scope defines how permissions are assigned to the group members. Windows Server 2003 groups, both security and distribution groups, are classified into one of three group scopes: domain local, global, and universal.
Note Although local groups are not considered part of the group scope of Windows Server 2003, they are included for completeness.
Local Groups
Local groups (or machine local groups) are used primarily for backward compatibility with Windows NT 4. There are local users and groups on computers running Windows Server 2003 that are configured as member servers. Domain controllers do not use local groups.
■ Local groups can include members from any domain within a forest, from trusted domains in other forests, and from trusted down-level domains.
■ A local group has only machinewide scope; it can grant resource permissions only on the machine on which it exists.
Domain Local Groups
Domain local groups are used primarily to assign access permissions to global groups for local domain resources. Domain local groups:
■ Exist in all mixed, interim, and native functional level domains and forests.
■ Are available domainwide only in Windows 2000 native or Windows Server 2003 domain functional level domains. Domain local groups function as a local group on the domain controllers while the domain is in mixed functional level.
■ Can include members from any domain in the forest, from trusted domains in other forests, and from trusted down-level domains.
■ Have domainwide scope in Windows 2000 native and Windows Server 2003 domain functional level domains, and can be used to grant resource permission on any Windows Server 2003 computer within, but not beyond, the domain in which the group exists.
Lesson 1 Understanding Group Types and Scopes
Global Groups
Global groups are used primarily to provide categorized membership in domain local groups for individual security principals or for direct permission assignment (particularly in the case of a mixed or interim domain functional level domain). Often, global groups are used to collect users or computers in the same domain and share the same job, role, or function. Global groups:
■ Exist in all mixed, interim, and native functional level domains and forests
■ Can only include members from within their domain
■ Can be made a member of a machine local or domain local group
■ Can be granted permission in any domain (including trusted domains in other forests and pre–Windows 2003 domains)
■ Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional level only)
Universal Groups
Universal groups are used primarily to grant access to resources in all trusted domains, but universal groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain.
■ Universal groups can include members from any domain in the forest.
■ In Windows 2000 native or Windows Server 2003 domain functional level, universal groups can be granted permissions in any domain, including domains in other forests with which a trust exists.
Tip Universal groups can help you represent and consolidate groups that span domains, and perform common functions across the enterprise. A useful guideline is to designate widely used groups that seldom change as universal groups.
The scope of a group is determined at the time of its creation. However, in a Windows 2000 native or Windows Server 2003 domain functional level domain, domain local and global groups can be converted to universal groups if the groups are not members of other groups of the same scope. For example, a global group that is a member of another global group cannot be converted to a universal group. Table 4-1 summarizes the use of Windows Server 2003 domain groups as security principals (group type: security).
Table 4-1 Group Scope and Allowed Objects
Windows 2000 native or Windows Server 2003 functional level domain
Domain Local: Computer accounts, users, global groups, and universal groups from any forest or trusted domain. Domain local groups from the same domain. Nested domain local groups in the same domain.
Global: Users, computers, and global groups from the same domain. Nested global (in the same domain), domain local, or universal groups.
Universal: Universal groups, global groups, users, and computers from any domain in the forest. Nested global, domain local, or universal groups.
Windows 2000 mixed or Windows Server 2003 interim functional level domain
Domain Local: Computer accounts, users, and global groups from any domain. Cannot be nested.
Global: Only users and computers from the same domain. Cannot be nested.
Universal: Not available.
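As an added example (not code from the training kit), the following Python encodes the membership rules of Table 4-1 together with the scope-conversion rule described above, so a proposed group design can be checked before it is built. The Principal type, the domain and forest names, and the convention that a trusted external domain carries a different forest name are assumptions of this example.

```python
"""Added example: Windows Server 2003 group-scope rules from Table 4-1 and
the domain local/global -> universal conversion rule. The Principal type
and the 'forest' field (a trusted external domain is modelled as a
different forest) are assumptions of this example, not part of the kit."""
from dataclasses import dataclass

NATIVE = {"Windows 2000 native", "Windows Server 2003"}
MIXED = {"Windows 2000 mixed", "Windows Server 2003 interim"}
ACCOUNTS = {"user", "computer"}


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # user | computer | domain_local | global | universal
    domain: str  # domain that holds the object
    forest: str  # forest of that domain


def can_be_member(level, group, member):
    """True if Table 4-1 allows `member` inside `group` at functional `level`."""
    same_domain = member.domain == group.domain
    same_forest = member.forest == group.forest
    if level in MIXED:
        if group.kind == "domain_local":  # accounts and globals; no nesting
            return member.kind in ACCOUNTS | {"global"}
        if group.kind == "global":        # accounts from the same domain only
            return member.kind in ACCOUNTS and same_domain
        return False                      # universal groups are not available
    if level not in NATIVE:
        raise ValueError(f"unknown functional level: {level}")
    if group.kind == "domain_local":      # any forest or trusted domain
        if member.kind in ACCOUNTS | {"global", "universal"}:
            return True
        return member.kind == "domain_local" and same_domain
    if group.kind == "global":            # same domain; globals may nest
        return member.kind in ACCOUNTS | {"global"} and same_domain
    if group.kind == "universal":         # any domain in the forest; no DL
        return member.kind in ACCOUNTS | {"global", "universal"} and same_forest
    return False


def can_convert_to_universal(level, group, parents):
    """`parents` are the groups `group` is a member of; conversion is
    blocked by any parent of the same scope and outside native levels."""
    if level not in NATIVE or group.kind not in {"domain_local", "global"}:
        return False
    return all(p.kind != group.kind for p in parents)
```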
There are also some special groups, called special identities, that are managed by the operating system. Special identities cannot be created or deleted, nor can their membership be modified by administrators. Special identities do not appear in the Active Directory Users And Computers snap-in or in any other computer management tool, but they can be assigned permissions in an ACL. Table 4-2 details some of the special identities in Windows Server 2003.
Table 4-2 Special Identities and Their Representation
Everyone: Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, that user is automatically added to the Everyone group.
Network: Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where the resource is located). Whenever a user accesses a given resource over the network, the user is automatically added to the Network group.
Interactive: Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the resource over the network). Whenever a user accesses a given resource on the computer to which they are logged on, the user is automatically added to the Interactive group.
Anonymous Logon: The Anonymous Logon group refers to any user who is using network resources, but did not go through the authentication process.
Authenticated Users: The Authenticated Users group includes all users who are authenticated into the network by using a valid user account. When assigning permissions, you can use the Authenticated Users group in place of the Everyone group to prevent anonymous access to resources.
Creator Owner: The Creator Owner group refers to the user who created or took ownership of the resource. For example, if a user created a resource, but the Administrator took ownership of it, then the Creator Owner would be the Administrator.
Dialup: The Dialup group includes anyone who is connected to the network through a dialup connection.
Caution These groups can be assigned permissions to network resources, although caution should be used when assigning some of these groups permissions. Members of these groups are not necessarily users who have been authenticated to the domain. For instance, if you assign full permissions to a share for the Everyone group, users connecting from other domains will have access to the share.