Sunday, April 8, 2012

Active Directory: Global and Universal Groups



Active Directory is a network directory service created by Microsoft. It is mainly used for Windows domain servers and systems. Like other directories, Active Directory follows a hierarchy of security groups. They are as follows:

Domain - A collection of security principals that share a central database (in this case, Active Directory). It also defines the set of authentication rules by which each entity is identified.

  • Universal Groups - Mostly used to grant permissions across multiple domains for the use of resources in a Forest. They:
      • Can accept members from any domain in the Forest
      • Can add Global groups of any domain from the same Forest as the Universal Group
      • Can accept other Universal Groups of the same Forest (meaning a Universal group can give permissions to another Universal group as a whole, but the other Universal group must belong to the same Forest)
      • Can be converted to
        • a Domain Local group, or
        • a Global group (as long as it is not a member of another Universal Group)

  • Global Groups - Allow management of users within the same domain.
      • Can grant permissions to users of the same 'Parent Group'
      • Can add Global groups of the same domain as the same 'Parent group'
      • Can be converted to a Universal group as long as it is not a member of another Global Group

  • Local Groups - Allow management of resources on a computer.
    • Domain Local: this can be created on a domain controller.
      • Cannot be members of any other group
      • Can grant permissions to users, Global groups and Universal groups of ANY DOMAIN from the same Forest
      • Can be converted to a Universal Group (as long as no other Domain Local groups exist as members)
    • Machine Local: security scope is limited to that machine. Can include any user/group from the same Forest.

To understand them better, you can view the whole set of security groups as a Venn diagram. Think of the Forest as the universal set, and everything falls into place.
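To check these scope and nesting relationships against a live forest rather than on paper, here is an added PowerShell audit script (not part of the original post). It assumes the RSAT ActiveDirectory module is installed and the account running it can read group membership in every domain of the forest; it only reports what it finds and changes nothing.

```powershell
Import-Module ActiveDirectory

function Get-DomainFromDN {
    # "CN=Admins,OU=Groups,DC=corp,DC=example,DC=com" -> "corp.example.com"
    param([string]$DistinguishedName)
    $dcParts = $DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }
    ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-GroupNestingReport {
    # Walks every security group in one domain and resolves each member's
    # object class, home domain and (for nested groups) its scope.
    param([string]$Domain)
    $groups = Get-ADGroup -Server $Domain -Filter 'GroupCategory -eq "Security"' -Properties Members
    foreach ($group in $groups) {
        foreach ($memberDN in $group.Members) {
            $memberDomain = Get-DomainFromDN $memberDN
            $member = Get-ADObject -Server $memberDomain -Identity $memberDN
            $memberScope = $null
            if ($member.ObjectClass -eq 'group') {
                $memberScope = (Get-ADGroup -Server $memberDomain -Identity $memberDN).GroupScope
            }
            [PSCustomObject]@{
                Group        = $group.Name
                GroupScope   = $group.GroupScope     # DomainLocal, Global or Universal
                GroupDomain  = $Domain
                Member       = $member.Name
                MemberClass  = $member.ObjectClass   # user, computer, group, foreignSecurityPrincipal
                MemberScope  = $memberScope
                MemberDomain = $memberDomain
                CrossDomain  = ($memberDomain -ne $Domain)
            }
        }
    }
}

# Collect the report for every domain in the forest.
$report = foreach ($d in (Get-ADForest).Domains) { Get-GroupNestingReport -Domain $d }

# Universal groups that pull in principals from other domains (these memberships
# are replicated to the global catalog, so they are worth reviewing regularly).
$report | Where-Object { $_.GroupScope -eq 'Universal' -and $_.CrossDomain } | Format-Table -AutoSize

# Domain Local groups granting resource access to groups or users from other domains.
$report | Where-Object { $_.GroupScope -eq 'DomainLocal' -and $_.CrossDomain } | Format-Table -AutoSize
```

Membership held only through a user's primary group is not stored in the Members attribute and so does not appear in this report.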
