{"id":437,"date":"2012-02-10T20:24:35","date_gmt":"2012-02-10T20:24:35","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=437"},"modified":"2018-09-06T23:25:21","modified_gmt":"2018-09-06T23:25:21","slug":"networking-basics-part-14-security-groups","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=437","title":{"rendered":"Networking Basics: Part 14 &#8211; Security Groups"},"content":{"rendered":"<p>The various types of security groups that Windows allows you to create.<\/p>\n<p>In the previous article, I showed you how to create security groups in Windows Server 2003. When I walked you through the process, though, you might have noticed that Windows allows you to create a few different types of groups, as shown in Figure A. As you might have guessed, each of these group types has a specific purpose. In this article, I will explain what each type of group is used for.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0011195556426843.jpg\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<strong>Figure A: <\/strong>Windows allows you to create a few different types of groups<\/p>\n<p>If you look at the dialog box shown above, you will notice that the Group Scope area gives you the option of creating a domain local, global, or universal group. There is also a fourth type of group that is not shown here; it is simply called a local group.<\/p>\n<h2>Local Groups<\/h2>\n<p>Local groups are groups that are specific to an individual computer. 
As you know by now, local computers can contain user accounts that are completely separate from the accounts that belong to the domain the computer is joined to. These are known as local user accounts, and they are only accessible from the computer on which they reside. Furthermore, local user accounts can only exist on workstations and on member servers. Domain controllers do not allow for the existence of local user accounts.<\/p>\n<p>With this in mind, it should come as no surprise that local groups are simply groups that are specific to a particular member server or workstation. A local group is often used to manage local user accounts. For example, the local Administrators group allows you to designate which users are administrators of the local machine.<\/p>\n<p>Although a local group can only be used to secure resources residing on the local machine, that doesn&#8217;t mean the group&#8217;s membership must be limited to local users. While a local group can, and usually does, contain local users, it can also contain domain users. Furthermore, local groups can also contain groups that reside at the domain level. For example, you could make a universal group a member of a local group, and the universal group\u2019s members will effectively become members of the local group. In fact, a local group can contain local users, domain users, domain local groups, global groups, and universal groups.<\/p>\n<p>There are two caveats that you need to be aware of, though. First, as you might have noticed, a local group cannot contain another local group. It would seem that you should be able to drop one group into another, but you can\u2019t. Someone at Microsoft once told me that the reason for this is to prevent a situation in which two local groups become members of each other.<\/p>\n<p>The other caveat that you need to be aware of is that local groups can only contain 
domain users and domain-level groups if the machine containing the local group is a member of the domain. Otherwise, local groups can only contain local users.<\/p>\n<h2>Domain Local Groups<\/h2>\n<p>Given what you&#8217;ve just learned about local groups, the idea of a domain local group probably sounds contradictory. The reason domain local groups exist, though, is that domain controllers do not contain a local account database. This means that there are no such things as local users or local groups on a domain controller. Even so, domain controllers have local resources that need to be managed. This is where domain local groups come into play.<\/p>\n<p>When you install Windows Server 2003 onto a computer, the machine typically begins life as either a standalone server or as a member server. In either case, local user accounts and local groups are created during the installation process. Now suppose that you wanted to convert the machine into a domain controller. When you run DCPROMO, the local groups and local user accounts are converted into domain local groups and domain user accounts.<\/p>\n<p>It is important to keep in mind that all of the domain controllers within a domain share a common user account database. This means that if you add a user to a domain local group on one domain controller, the user will be a member of that domain local group on every domain controller in the entire domain.<\/p>\n<p>The most important thing to keep in mind about domain local groups is that there are two different types. As I mentioned, when DCPROMO is run, the local groups are converted to domain local groups. Any domain local groups that are created by running DCPROMO are placed into the Builtin folder in the Active Directory Users and Computers console, as shown in Figure B.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0021195556427062.jpg\" 
border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<strong>Figure B: <\/strong>Domain local groups created by DCPROMO reside in the Builtin container<\/p>\n<p>The reason this is important to know is that there are some restrictions imposed on these particular domain local groups. These groups cannot be moved or deleted. Likewise, you cannot make these groups members of other domain local groups.<\/p>\n<p>These restrictions do not apply to domain local groups that you create yourself, though. Domain local groups that you create typically begin life in the Users container. From there, you are free to move or delete them to your heart\u2019s content.<\/p>\n<p>I have to be perfectly frank and tell you, though, that in all the years I have been working with Windows Server, I have yet to find a good argument for creating domain local groups. In fact, domain local groups are basically identical to global groups, except that they are restricted to an individual domain.<\/p>\n<h2>Global Groups<\/h2>\n<p>Global groups are by far the most commonly used type of group. In most cases, a global group simply acts as a collection of Active Directory user accounts. The interesting thing about global groups is that they can be placed inside of each other. You can make one global group a member of another global group, so long as both global groups exist within the same domain.<\/p>\n<p>Keep in mind that global groups can only contain Active Directory objects. You cannot place a local user account or a local group into a global group. You can, however, add a global group to a local group. In fact, doing so is the most common way of granting domain users permissions to resources stored on a local computer. For example, suppose that you wanted to give the managers in your company administrative rights to their workstations (not that I recommend doing that; this is just an example). 
To do so, you could create a global group called Managers and place each manager\u2019s domain user account into it. You could then add the Managers group to each workstation\u2019s local Administrators group, thus making the managers administrators on those workstations.<\/p>\n<p>In this article, I&#8217;ve explained that Windows supports the use of four different types of security groups. So far, I have explained the differences between local, domain local, and global groups. In the next part of this article series, I will continue by discussing universal groups. I will then go on to discuss the concept of group nesting.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The various types of security groups that Windows allows you to create. In the previous article, I showed you how to create security groups in Windows Server 2003. When I walked you through the process though, you might have noticed that Windows allows you to create a few different types of groups, as shown in 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-437","post","type-post","status-publish","format-standard","hentry","category-networking-stuff"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=437"}],"version-history":[{"count":4,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/437\/revisions"}],"predecessor-version":[{"id":2662,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/437\/revisions\/2662"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}