To simplify administration of user accounts which have similar resource needs, the administrator can categorize the user accounts into groups, which makes granting access rights and resource permissions easier. Instead of performing many individual actions to grant certain rights or permissions, the administrator can perform a single action that gives a group that right or permission to all the present and future members of that group. Group accounts are also stored in the SAM. The size of a group account may vary, based on the number of user accounts associated with the group. A good rule of thumb is that each group account requires 4K in the SAM.
Windows NT Server provides built-in local groups, and the ability to create custom global groups. Adding a user to a predefined group provides the user with all the access rights and privileges of that group. Changing access rights is a simple task; changing the rights of the group will automatically change the rights of all group members. Administrators should use built-in groups whenever possible.
For a complete discussion of groups, see Chapter 3, "How Network Security Works," in the Windows NT Server Concepts and Planning Guide.
Local groups define permissions to resources only within the domain in which the local group exists. Hence, the term "local" defines the scope of the resource permissions granted to users within the group. Local groups may contain users and global groups from the local domain (but not other local groups), as well as users and global groups from trusted domains. However, a local group can only be assigned permissions and rights in its home domain.
Not only are local groups an effective way of collectively assigning user rights and permissions for a set of users within the home domain, but they can be used to gather together numerous global groups and users from other domains. This allows an administrator to change access to domain resources globally with a single modification to the local group permissions.
The best group strategy to implement in the multiple master domain model is to create local groups in the resource domains. Those local groups will hold the global groups from the account domains.
Global groups can be thought of as groups that can be used in other domains. In fact, global groups, since they have no user rights associated with them, are powerless until they are assigned to a local group or to a user right. Note that global groups defined in a domain can be "exported" to Windows NT Workstations in that domain. Windows NT Workstations support local groups and can, therefore, make use of global groups defined in either the Workstation's own domain or from other domains.
A global group may only contain user accounts that are locally defined in the domain in which the global group exists. By using trust relationships, users within a global group can access resources outside of their locally defined domain. Global groups are quite suitable, therefore, for large, multi-domain networks. Global groups can provide an inclusive list of all user accounts within a domain that require a particular type of access to resources that exist within another domain.
An administrator will have to create multiple global groups (in each master domain) to accommodate all the users in the network. It might help to distribute the users among the master domains according to organization within the company rather than alphabetically.
A domain consists of user accounts, machine accounts, and group accounts, both built-in and custom. Each of these objects occupies space in the SAM file. The practical limit for the size of the SAM file depends on the type of computer processor and amount of memory available in the machine being used to administer the domain. Microsoft has successfully tested SAM files in excess of 40MB and recommends 40MB as the upper limit (larger SAM files may take several minutes to load into memory for administration purposes). Different types of objects require different amounts of space in the SAM file:
| Object | Space Used |
| --- | --- |
| user account | 1K |
| machine account | 0.5K |
| group account | 4K |
For a single domain, here are some examples of how objects might be distributed:
| Distribution | User Accounts (1K per account) | Machine Accounts (0.5K per account) | Group Accounts (4K per account) | Total |
| --- | --- | --- | --- | --- |
| 1 workstation per user | 2,000 | 2,000 | 30 | 3.12 MB |
| 2 workstations per user | 5,000 | 10,000 | 100 | 10.4 MB |
| 2 users per workstation | 10,000 | 5,000 | 150 | 13.1 MB |
| 1 workstation per user | 25,000 | 25,000 | 200 | 38.3 MB |
| 1 workstation per user | 26,000 | 26,000 | 250 | 40 MB |
| 1 workstation per user | 40,000 | 0 | 0 | 40 MB |
Note that these numbers apply to domains in both the single master and the multiple master domain models.
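As an added example (not part of the original documentation), the following Python applies the per-object sizes above to estimate a domain's SAM size, checks it against the recommended 40 MB ceiling, and works out how many master domains a multiple master domain model needs so that each account domain's SAM stays within that ceiling. It assumes 1 MB = 1000 KB, which is the convention that reproduces the totals in the table.

```python
import math

# Per-object SAM sizes from the table above.
USER_KB = 1.0        # per user account
MACHINE_KB = 0.5     # per machine (workstation) account
GROUP_KB = 4.0       # per group account
SAM_LIMIT_MB = 40.0  # recommended upper limit for the SAM file
KB_PER_MB = 1000.0   # assumption: reproduces the table (3,120 KB -> 3.12 MB)


def sam_size_mb(users, machines, groups):
    """Estimated SAM file size in MB for one domain."""
    kb = users * USER_KB + machines * MACHINE_KB + groups * GROUP_KB
    return kb / KB_PER_MB


def within_limit(users, machines, groups):
    """True if the estimated SAM stays within the recommended ceiling."""
    return sam_size_mb(users, machines, groups) <= SAM_LIMIT_MB


def master_domains_needed(total_users, workstations_per_user, groups_per_domain):
    """Smallest number of master (account) domains such that each domain,
    holding an equal share of the users plus their workstation accounts and
    groups_per_domain group accounts, stays within SAM_LIMIT_MB.

    workstations_per_user may be fractional (0.5 means two users share one
    workstation). Returns None when even one user per domain cannot fit,
    e.g. because the group accounts alone exceed the ceiling.
    """
    for n in range(1, max(total_users, 1) + 1):
        share = math.ceil(total_users / n)                # largest domain's users
        machines = math.ceil(share * workstations_per_user)
        if within_limit(share, machines, groups_per_domain):
            return n
    return None


if __name__ == "__main__":
    # Reproduce two rows of the table, then size a larger network.
    print(sam_size_mb(2000, 2000, 30))       # 3.12
    print(sam_size_mb(26000, 26000, 250))    # 40.0
    print(master_domains_needed(100000, 1, 200))  # 4
```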