You'll use Windows 2000 user groups—specifically security groups—frequently to manage your enterprise. Groups provide a way to manage permissions and rights for users en masse, instead of dealing with users one at a time (a horrible thought if you have thousands of users).
Permissions are rules that you associate with objects such as folders, files, or printers. These rules define which users can access those objects and what the users can do when they access the objects. For example, permissions for a folder might include reading, modifying, and creating files in the folder. Permissions for a printer might include deleting jobs (including jobs that belong to other users), changing configuration options, and installing drivers. Rights are rules that define the actions users can perform, such as backing up a computer or shutting down a system.
Try to think of the process of populating groups as assigning users to the groups, rather than thinking of the groups as containing users. (You can also assign computers to groups, but this column centers on user groups.) Taking this perspective on groups will help you understand the notion that a user can be a member of more than one group. You can also assign groups to other groups, creating nested groups.
Types of Groups
Win2K supports two primary types of groups: security and distribution. You use security groups to configure permissions and rights for the users who are members of the group. According to Microsoft, you use distribution groups only for email; these groups have the same purpose as distribution lists (DLs) that you create in your email address books. (You can use a security group as a DL, but you can't use a distribution group to assign permissions and rights.)
In Win2K, security groups exist for both local computers (Local groups) and the domain (Global groups)—the same approach you find in Windows NT. (For information about groups in NT, see Michael D. Reilly, Getting Started with NT, "Windows NT Group Strategies," August 1998.) However, Win2K adds another type of security group called a Universal group. Universal groups encompass the enterprise; they're forestwide. (A forest is a collection of one or more Win2K domains that share a global catalog of Active Directory—AD—objects and that are linked through two-way trusts.) Universal groups can exist only in Win2K domains running in native mode, which means that all the domain controllers (DCs) across the enterprise have been migrated to Win2K.
Builtin and Predefined Groups
Win2K automatically establishes several groups, called builtin groups, when you install the OS. To see the builtin groups for any computer that isn't a DC, open the local Microsoft Management Console (MMC) Computer Management snap-in. (Right-click My Computer, and choose Manage from the shortcut menu.) Expand the Local Users and Groups container, and select Groups to display the local builtin groups in the right pane. Figure 1, page 156, shows the builtin groups for Win2K Server and Win2K Professional. (Win2K Advanced Server includes additional builtin groups for assigning permissions and rights for Web services.)
When you configure a server as a DC, local users and groups are inaccessible because DCs are designed for domain management, and the local users and groups are no longer manageable objects. The local Computer Management snap-in superimposes a red X over the Local Users and Groups container; clicking that container produces an error message explaining that this snap-in can't be used on a DC.
DCs have both builtin and predefined groups. To see those groups:
- Open the MMC Active Directory Users and Computers snap-in under Programs, Administrative Tools.
- Select the Builtin object in the left pane to display the builtin groups. The description column provides information about the permissions and rights attached to each group.
- Select the Users object in the left pane to see the predefined groups, which share the display in the right pane with the domain users list, as Figure 2 shows. (Notice that some of the predefined groups are for computers instead of users.)
Adding Users to Groups
Every user in the domain is automatically a member of the builtin Users group and the predefined Domain Users group. When you want to increase rights or permissions for certain users, assign those users to the appropriate group. For example, you might want to give certain users the right to configure printers. The Print Operators builtin group provides that right, so add those users to that group. You can add a user to a group in two ways:
- Use the Member Of tab on the user's Properties dialog box.
- Use the Members tab on the group's Properties dialog box.
Obviously, if you want to add multiple users to a group, using the group's Properties dialog box is faster than using each individual's Properties dialog box. However, the process is the same regardless of the dialog box you use. Double-click the user's or group's listing to open the Properties dialog box, then go to the appropriate tab. Click Add to open the selection dialog box that Figure 3 shows, make your selection, click Add, click OK to close the dialog box, then click OK to apply the selection.
Adding a group to another group that has more permissions and rights is a quick way to increase the permissions of all the users in the first group. For example, if you want to let all users configure printers, the easiest way to upgrade everyone's permissions is to add the Domain Users group to the Print Operators group. To do so, open the Print Operators group's Properties dialog box and go to the Members tab. Click Add to open the list of groups that you can add to the Print Operators group, select Domain Users, then click Add to complete the addition. Click OK twice to close the dialog boxes.
Win2K has a variety of rules about which types of groups you can add to other types of groups, and the rules depend on whether you're running in mixed or native mode. If your AD encompasses a multiple-domain forest, even more rules about nesting are in effect. To simplify the process—so that you don't need to know all the rules—when you add groups to groups, the OS enforces the rules automatically by displaying only those groups that match the rules.
Most administrators create groups to assign rights and permissions that depend on users' locations or responsibilities within the enterprise. For example, to simplify the process of configuring permissions for the folders that contain the accounting software, you can create a group for the members of your accounting department. Then, you can assign permissions to one group instead of to a long list of individual users.
To create a group, right-click the Users object in the Active Directory Users and Computers snap-in, and choose New, Group from the shortcut menu to open the New Object-Group dialog box. Enter a name for the new group in the Group Name text box. Then, select the group scope (i.e., Domain Local or Global). Domain Local groups can contain users and groups from the current domain; if your enterprise is running in native mode, Domain Local groups can also contain Global and Universal groups from other domains. You can use this scope to grant permissions in only the current domain. Global groups can contain users and Global groups from the current domain. You can use this scope to grant permissions in any domain in the forest. (The dialog box also offers both group types: Security and Distribution. You can create either type.)
After you click OK, Win2K adds the group to the list of users and groups. Press F5 to refresh the listing so that the new group moves to its proper alphabetical location in the list.
To add users to your new group, right-click the group's listing and choose Properties from the shortcut menu. (Double-clicking a group opens its Properties dialog box only when Win2K created the group.) Go to the Members tab, and click Add. Select the users you want to assign to the group, and click Add again. Click OK twice to save your work.
Using Groups to Set Permissions
You can use groups to quickly set permissions for multiple users. For example, suppose you want to set permissions for the folder that contains your company's accounting software. Assuming you created a group for the members of the accounting department, giving that group permissions on the software folder is a simple task.
Open the folder's Properties dialog box, and go to the Security tab. Click Add, select the accounting department group, and assign the appropriate permissions (usually Full Control). If you have some reason to assign different permissions to certain members of a group, you can click Add, select those users, and assign different permissions. If you often need to assign different permissions in this way, consider creating multiple groups. For example, you might want to create two groups for your accounting department: AccntgHigh (for members to whom you want to give full permissions when you're configuring folders) and AccntgLow (for members for whom you want to limit permissions when you're configuring folders).
Groups make controlling users easier. The more users you have, the more groups you'll probably want to create so that you can take advantage of the features that groups offer. If you create and use groups correctly, you'll avoid the need to deal with individual users—a terrific time-saver in a large enterprise.