Grouping Users with Similar Needs
Administrators typically group users according to the network access their jobs require. For example, most accountants working at a certain level will probably need access to the same servers, directories, and files. By using group accounts, administrators can simultaneously grant rights and permissions to multiple users. Other users can be added to an existing group account at any time, instantly gaining the rights and permissions granted to the group account.
There are two types of group accounts:
- A global group consists of several user accounts from one domain, which are grouped together under an account name. A global group can contain user accounts from only a single domain: the domain in which the global group was created. Global signifies that the group can be granted rights and permissions to use resources in multiple (global) domains. A global group can contain only user accounts (not other groups). A global group cannot be created on a computer running Windows NT Workstation or on a computer set up as a member server.
For more information about member servers see "Windows NT Server Domains" later in this chapter.
- A local group can include user accounts and global groups from one or more domains, grouped together under one account name. Users and global groups from outside the local domain can be added to the local group only if they belong to a trusted domain. Local signifies that the group can be granted rights and permissions to use resources in only a single (local) domain. A local group can contain users and global groups, but it cannot contain other local groups.
When working with groups, use these guidelines:
- It is best to grant rights and permissions to local groups and to use the global group as the method of adding users to the local groups.
Global groups are the best method for simultaneously adding many users to another domain. The necessary rights and permissions are provided by the local group to which the global groups are added.
- Global groups are the most efficient way to add users to local groups.
- Global groups can be added to local groups in the same domain or in trusting domains, or to computers running Windows NT Workstation or Windows NT Server as a member server in either the same domain or a trusting domain.
Windows NT Server has both local and global built-in groups. For more information about built-in groups, see "Working with User and Group Accounts" in the Microsoft Windows NT Server 4.0 Concepts and Planning Guide.
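The membership rules and guidelines above can be checked mechanically when auditing who inherits a local group's rights and permissions. The following Python model is an added example, not Microsoft code; the domain names (ACCT, RES, SALES), group names, and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GlobalGroup:
    domain: str
    name: str
    members: set = field(default_factory=set)  # {(domain, user)}

    def add_user(self, domain, user):
        # A global group holds user accounts from its own domain only.
        if domain != self.domain:
            raise ValueError(f"{domain}\\{user} is outside domain {self.domain}")
        self.members.add((domain, user))

@dataclass
class LocalGroup:
    domain: str
    name: str
    trusted: frozenset = frozenset()  # domains that this group's domain trusts
    users: set = field(default_factory=set)
    global_groups: list = field(default_factory=list)

    def _require_local_or_trusted(self, domain):
        if domain != self.domain and domain not in self.trusted:
            raise ValueError(f"{self.domain} does not trust {domain}")

    def add_user(self, domain, user):
        self._require_local_or_trusted(domain)
        self.users.add((domain, user))

    def add_group(self, group):
        # Only global groups may be nested; a local group cannot hold a local group.
        if not isinstance(group, GlobalGroup):
            raise TypeError("a local group cannot contain another local group")
        self._require_local_or_trusted(group.domain)
        self.global_groups.append(group)

    def effective_users(self):
        # Every account that holds the rights granted to this local group.
        result = set(self.users)
        for group in self.global_groups:
            result |= group.members
        return result

def build_example():
    # Constructed scenario: resource domain RES trusts account domain ACCT.
    accountants = GlobalGroup("ACCT", "Accountants")
    accountants.add_user("ACCT", "alice")
    accountants.add_user("ACCT", "bob")
    readers = LocalGroup("RES", "LedgerReaders", trusted=frozenset({"ACCT"}))
    readers.add_user("RES", "carol")
    readers.add_group(accountants)
    return accountants, readers
```

Because the local group holds a reference to the global group, an account added to the global group later appears in `effective_users()` without any change to the local group, which is the "instantly gaining the rights and permissions" behavior to keep in mind when reviewing global group membership.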