Determining Domain Migration Strategies


Examining Windows 2000 Groups

It is essential that you determine how migration to Windows 2000 will affect security policy and your pre–Windows 2000 group structure. Changes to security policy will most likely require restructuring groups.

Windows 2000 supports four types of security groups:

Local Groups

Local groups, which existed in Windows NT, can contain members from anywhere in the forest, in other trusted forests, or in a trusted pre–Windows 2000 domain. However, local groups can only grant resource permissions on the computer on which they exist.

A special case in Windows NT is the set of local groups created on a PDC. Because the domain SAM is replicated to the BDCs, these local groups are shared between the PDC and the BDCs. In mixed mode, local groups behave the same in Windows NT and Windows 2000. In native mode, local groups on a domain controller become domain local groups, which are described in the next section. Typically, local groups are used to grant specific access to resources on a local computer.

Domain Local Groups

Domain local groups are a new feature of Windows 2000, though similar in concept and use to the local groups created on the PDC in a Windows NT domain.

Domain local groups are only available in native mode domains and can contain members from anywhere in the forest, in trusted forests, or in a trusted pre–Windows 2000 domain. Domain local groups can only grant permissions to resources within the domain in which they exist. Typically, domain local groups are used to gather security principals from across the forest to control access to resources within the domain.

Global Groups

Windows 2000 global groups are effectively the same as Windows NT global groups. Windows 2000 global groups can only contain members from within the domain in which they exist. These groups can be granted permissions to resources in any domain in the forest or in trusted forests.

Universal Groups

Universal groups can contain members from any Windows 2000 domain in the forest, and can be granted permissions in any domain in the forest or in trusted forests. Though universal groups can have members from mixed mode domains in the same forest, members from such domains do not have the universal group added to their access tokens because universal groups are not available in mixed mode. Though you can add users to a universal group, it is recommended that you restrict membership to global groups. Note that universal groups are only available in native mode domains.

You can use universal groups to build groups that perform a common function within an enterprise. An example of this is virtual teams. The membership of such teams in a large company could be nation-wide, or world-wide, and almost certainly forest-wide, with team resources being similarly distributed. In these circumstances, universal groups could be used as a container to hold global groups from each subsidiary or department, with the team resources being protected by a single ACE for the universal group.

Universal groups and their members are listed in the Global Catalog (GC). Though global and domain local groups are also listed in the GC, their members are not. This has implications for GC replication traffic. It is recommended that you use universal groups with care. If your entire network has high-speed connectivity, you can simply use universal groups for all your groups, and benefit from not having to manage global groups and domain local groups. If, however, your network spans wide area networks (WANs), you can improve performance by using global groups and domain local groups.

If you use global groups and domain local groups, you can also designate as universal groups any widely used groups that are seldom changed.

Table 10.6 lists the properties of Windows 2000 groups.

Table 10.6 Windows 2000 Group Properties

Group Type      Membership from                                                           Scope                           Available in Mixed Mode?
Local           The same forest; other trusted forests; trusted pre–Windows 2000 domains  Computer-wide                   Yes
Domain Local    The same forest; other trusted forests; trusted pre–Windows 2000 domains  The local domain                No
Global          Local domain                                                              Any trusted domain              Yes
Universal       The same forest                                                           Any trusted native mode domain  No

Nesting Groups

It is recommended that you limit group size to 5,000 members, because a change to a group must be committed to the Active Directory store in a single transaction. Group membership is stored in a single multivalued attribute, so any change to the membership requires the whole membership list to be replicated between domain controllers and written in that one transaction. Microsoft has tested and supports group memberships up to 5,000 members.

However, you can nest groups to increase the effective number of members. Doing this will help reduce traffic caused by replication of group membership changes. Your nesting options depend on whether the domain is in native mode or mixed mode. The following list describes what can be contained in a group that exists in a native-mode domain. These rules are determined by the scope of the group.

Security groups in a mixed-mode domain can contain only the following:

Group Membership Expansion

When a user logs on to a client or makes a network connection to a server, the group membership of the user is expanded as part of building the user access token. Group expansion occurs as follows:

When the user access token is being created, all the group membership information expanded by the domain controller or the resource server is used to identify the user.
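The scoping rules of Table 10.6 and the token expansion just described, as an added example that is not part of the original guide and not Microsoft code: a small Python model of a directory that enforces the "Membership from" column when a member is added, refuses domain local and universal groups in mixed-mode domains, and then expands a user's group list for a connection to a given server by applying the "Scope" column (global groups anywhere, universal groups only for users from native-mode domains, domain local groups only in their own domain, local groups only on their own computer). It also reports groups over the 5,000-member limit from the nesting section. The forest, domain, computer, user and group names are constructed; every domain is assumed to trust every other; names stand in for SIDs; and the model assumes that a group reachable only through a universal group that was not added to the token is itself not added, since the expansion works from the identities already in the token.

```python
"""Windows 2000 group scope and token expansion, modelled in Python.

Added example, not code from the Windows 2000 planning guide or from Microsoft.
Assumptions: all domains in the directory trust each other, names replace SIDs,
and the sample directory built by build_sample() is constructed for illustration.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

LOCAL, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "local", "domain local", "global", "universal"
MAX_DIRECT_MEMBERS = 5000  # tested and supported limit quoted in the text


@dataclass
class Domain:
    name: str
    forest: str
    native_mode: bool


@dataclass
class User:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    computer: str | None = None                  # set only for LOCAL groups
    members: list[str] = field(default_factory=list)


class Directory:
    def __init__(self, domains: list[Domain]):
        self.domains = {d.name: d for d in domains}
        self.principals: dict[str, User | Group] = {}

    def add(self, p: User | Group) -> None:
        dom = self.domains[p.domain]
        if isinstance(p, Group):
            # Domain local and universal groups exist only in native-mode domains.
            if p.scope in (DOMAIN_LOCAL, UNIVERSAL) and not dom.native_mode:
                raise ValueError(f"{p.scope} groups not available in mixed-mode domain {p.domain}")
            if (p.scope == LOCAL) != (p.computer is not None):
                raise ValueError("local groups, and only local groups, belong to a computer")
        self.principals[p.name] = p

    def add_member(self, group_name: str, member_name: str) -> None:
        """Enforce the 'Membership from' column of Table 10.6."""
        group, member = self.principals[group_name], self.principals[member_name]
        gdom, mdom = self.domains[group.domain], self.domains[member.domain]
        if group.scope == GLOBAL and member.domain != group.domain:
            raise ValueError(f"global group {group.name} may only contain members of {group.domain}")
        if group.scope == UNIVERSAL and mdom.forest != gdom.forest:
            raise ValueError(f"universal group {group.name} may only contain members of {gdom.forest}")
        # LOCAL and DOMAIN_LOCAL accept members from any trusted domain (all trusted here).
        group.members.append(member_name)

    def _applies(self, g: Group, user: User, server_domain: str, server: str) -> bool:
        """'Scope' column: may this group appear in the token for this user/server pair?"""
        if g.scope == GLOBAL:
            return True                                     # usable in any trusted domain
        if g.scope == UNIVERSAL:
            return self.domains[user.domain].native_mode    # mixed-mode users never get it
        if g.scope == DOMAIN_LOCAL:
            return g.domain == server_domain                # only inside its own domain
        return g.computer == server                         # LOCAL: only on that computer

    def expand(self, user_name: str, server_domain: str, server: str) -> set[str]:
        """Groups that end up in user_name's token when connecting to server."""
        user = self.principals[user_name]
        token: set[str] = set()
        queue = deque([user_name])
        while queue:
            sid = queue.popleft()
            for g in self.principals.values():
                if (isinstance(g, Group) and sid in g.members and g.name not in token
                        and self._applies(g, user, server_domain, server)):
                    token.add(g.name)
                    queue.append(g.name)  # nested groups expand through this one
        return token

    def oversized_groups(self, limit: int = MAX_DIRECT_MEMBERS) -> list[str]:
        """Groups whose direct membership exceeds the single-transaction limit; nest these."""
        return [p.name for p in self.principals.values()
                if isinstance(p, Group) and len(p.members) > limit]


def build_sample() -> Directory:
    """Constructed forest: native-mode 'corp' and mixed-mode 'sales' in forest 'contoso'."""
    d = Directory([Domain("corp", "contoso", native_mode=True),
                   Domain("sales", "contoso", native_mode=False)])
    for p in (User("alice", "corp"), User("bob", "sales"),
              Group("Corp-Engineers", "corp", GLOBAL),
              Group("Sales-Reps", "sales", GLOBAL),
              Group("VirtualTeam", "corp", UNIVERSAL),
              Group("FS1-TeamShare", "corp", DOMAIN_LOCAL),
              Group("FS1-Backup", "corp", LOCAL, computer="FS1")):
        d.add(p)
    d.add_member("Corp-Engineers", "alice")
    d.add_member("Sales-Reps", "bob")
    d.add_member("VirtualTeam", "Corp-Engineers")  # universal gathers a global from each domain
    d.add_member("VirtualTeam", "Sales-Reps")
    d.add_member("FS1-TeamShare", "VirtualTeam")   # one ACE on the share covers the whole team
    d.add_member("FS1-Backup", "Corp-Engineers")
    return d


if __name__ == "__main__":
    d = build_sample()
    print("alice -> FS1 (corp):", sorted(d.expand("alice", "corp", "FS1")))
    print("bob   -> FS1 (corp):", sorted(d.expand("bob", "corp", "FS1")))
    print("alice -> SRV2 (sales):", sorted(d.expand("alice", "sales", "SRV2")))
```

Running the sample shows the three behaviours the text describes: alice (native-mode domain) connecting to FS1 gets her global group, the universal group, the domain local group on the share and the server's local group; bob, whose domain is in mixed mode, gets only his global group, so the share's domain local group, which is reachable only through the universal group, never applies to him; and alice connecting to a server in the sales domain keeps her global and universal groups but not the corp domain local or FS1 local groups.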

Effects of Upgrade on Groups

Upgrading a PDC to Windows 2000 has no immediate effect on groups: Windows NT local groups become Windows 2000 local groups, and Windows NT global groups become Windows 2000 global groups. The real change occurs when you switch the domain to native mode, at which point local groups on the PDC become domain local groups.

© 1985-2000 Microsoft Corporation. All rights reserved.