Platform SDK: Active Directory, ADSI, and Directory Services
Groups are Active Directory™ or local computer objects that can contain users, contacts, computers, and other groups. Groups can be used to do the following:
Groups can be used for security purposes (such as access control and policy) or they can be used for grouping purposes (such as distribution lists). Specify whether a group is used for security purposes when you create the group.
When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a group rather than to the individual users. The permissions are assigned once to the group, instead of several times to each individual user. This helps simplify the maintenance and administration of a network.
To control access to a frequently used resource, create a group that will contain users that require that type of access, add one or more ACEs to set the access for that group on the security descriptor for the resource, and then add any users who require that type of access to the resource as members of the group. For more information about setting access on directory objects, see Controlling Access to Active Directory Objects. For more information about setting access on other objects in Windows® 2000, see Access Control.
When a user is made a member of a group, that user is given all the rights and permissions granted to the group. However, because group membership is evaluated when the user's access token is built at logon, if the user is already logged on, the rights of the newly assigned group will not take effect until the user logs off and logs on again.
Contacts in a group can be sent e-mail, but cannot be assigned rights and permissions. Although a contact can be added to a security group as well as to a distribution group, contacts cannot be used to assign rights and permissions.
Groups are distinct from organizational units (OUs). OUs are useful for creating a hierarchy for administrative delegation or setting group policy. Groups are used for granting access and creating distribution lists.
Groups and organizational units also differ in regard to the domain boundaries to which they are applied. You can create groups to contain users, computers, or shared resources on a local server, a single domain, or multiple domains in a forest. Organizational units represent a collection of objects (including group objects) only within the context of a single domain.
In Windows® 2000, domains can operate in two different modes:
A domain must be in native mode to use the following Windows 2000 group features:
Mixed mode supports all types of distribution groups (including Universal) and nesting of distribution groups. Mixed mode should only be used to support Windows NT 4.0 domain controllers during the migration process. A domain tree or forest can contain both mixed-mode and native-mode domains.
Before creating or converting groups that require native mode, your application should check the operation mode of the domain.
In Windows 2000, groups can contain other groups. This is called nesting. Nesting is supported only for distribution groups in domains running in mixed mode. A domain must be in native mode to nest security groups (as well as distribution groups).
Nesting can be an efficient way to handle large memberships as well as delegate management of group membership. For example, the top group could be a universal group that contains only global groups. The domain administrators of the domains containing those global groups can manage the membership within their own domains. The enterprise administrator can simply manage the global group membership of the universal group (that is, adding and removing global groups) and let the domain administrators handle the membership requests from users in their own domain.
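The mode check the text asks for, as an added PowerShell example that is not part of the Platform SDK: it reads the domain's nTMixedDomain attribute, decodes groupType of both groups using the ADS_GROUP_TYPE_ENUM flag values, and refuses to nest a security group while the domain is in mixed mode. It assumes a domain-joined machine with read access to the domain object and both groups; the $ParentGroupPath and $ChildGroupPath parameters are hypothetical ADsPaths supplied by the caller.

```powershell
# Added example (not from the Platform SDK): check the domain operation mode
# before nesting one group inside another, as the text recommends.
# Assumes: a domain-joined host with read access to the domain object and to
# both groups; the ADsPaths passed in are placeholders chosen by the caller.

# Flag values from ADS_GROUP_TYPE_ENUM.
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 0x00000002
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008
$ADS_GROUP_TYPE_SECURITY_ENABLED   = 0x80000000   # a negative Int32, matching how groupType is stored

function Get-DomainMode {
    # nTMixedDomain on the domain object is 1 in mixed mode and 0 in native mode.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext.Value)
    if ([int]$domain.nTMixedDomain.Value -eq 1) { 'Mixed' } else { 'Native' }
}

function Test-SecurityGroup {
    # True when the SECURITY_ENABLED bit is set; otherwise the group is a distribution group.
    param([int]$GroupType)
    ($GroupType -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0
}

function Add-GroupMemberChecked {
    param(
        [Parameter(Mandatory)][string]$ParentGroupPath,  # placeholder, e.g. "LDAP://CN=Parent,OU=Groups,DC=example,DC=com"
        [Parameter(Mandatory)][string]$ChildGroupPath    # placeholder, e.g. "LDAP://CN=Child,OU=Groups,DC=example,DC=com"
    )
    $parent = [ADSI]$ParentGroupPath
    $child  = [ADSI]$ChildGroupPath
    $parentType = [int]$parent.groupType.Value
    $childType  = [int]$child.groupType.Value

    # Mixed mode supports nesting of distribution groups only; a security group
    # on either side of the relationship requires native mode.
    $mode = Get-DomainMode
    if ($mode -eq 'Mixed' -and ((Test-SecurityGroup $parentType) -or (Test-SecurityGroup $childType))) {
        throw "Domain is in mixed mode: security groups cannot be nested. Convert the domain to native mode first."
    }

    # IADsGroup::Add takes the ADsPath of the new member.
    $parent.Add($child.Path)
    "Added $($child.Path) to $($parent.Path) (domain mode: $mode)"
}
```

The same Get-DomainMode check applies before creating a universal security group or converting a distribution group to a security group, both of which the page lists as native-mode operations.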