Group membership and nesting in Windows 2000 and 2003 Active Directory domains used to confuse the heck out of me. I still have to keep a reference chart around to figure it out sometimes. For example, if a Global Group is so global, why can’t I add global users to it? Why does it only accept local users?
My biggest problem was that I was thinking of groups in terms of members, when I should have been thinking in terms of resources. A global group is global because it can be granted access to resources in any domain, not because it contains users from other domains. It is the global face of users from its own domain. Likewise, a Domain Local Group can only be granted access to resources in its own domain. It’s the local face of users and groups from any domain. See diagram 1 for a graphical representation of what kinds of groups can be nested in other groups.
In order to simplify administration of resources, you should use Global Groups to represent groups of users and Domain Local Groups to represent resources: put accounts in a Global Group, nest that Global Group in a Domain Local Group, and grant the permissions on the resource to the Domain Local Group. Look at diagram 2 to see what I mean.
For groups of users who need to access resources across multiple domains in a more complex Active Directory Forest, you might want to substitute Universal Groups for Global Groups.
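Since the diagrams are not reproduced here, the following is an added example (not from the original post) that models the nesting rules of a Windows 2000 native-mode or Windows 2003 domain in Python and checks a proposed accounts-to-Global-to-Domain-Local layout before it is built. The domains, user names and group names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    """A user or group; kind is "user", "global", "universal" or "domainlocal"."""
    name: str
    domain: str
    kind: str
    members: list = field(default_factory=list)

# Member kinds each scope may contain, and whether members may come from
# another domain in the forest. Domain local groups nested inside a domain
# local group must additionally come from the same domain.
NESTING = {
    "global": ({"user", "global"}, False),
    "universal": ({"user", "global", "universal"}, True),
    "domainlocal": ({"user", "global", "universal", "domainlocal"}, True),
}

def nesting_violations(group):
    """Walk the membership tree and list every nesting the rules forbid."""
    problems = []
    allowed, cross_domain = NESTING[group.kind]
    for m in group.members:
        if m.kind not in allowed:
            problems.append(f"{group.name} ({group.kind}) cannot contain {m.name} ({m.kind})")
        elif m.domain != group.domain and (not cross_domain or m.kind == "domainlocal"):
            problems.append(f"{group.name} cannot contain {m.name} from {m.domain}")
        if m.kind != "user":
            problems.extend(nesting_violations(m))
    return problems

def can_be_granted_access(group, resource_domain):
    """Domain local groups may only appear on ACLs in their own domain."""
    return group.kind != "domainlocal" or group.domain == resource_domain

def sample_layout():
    """Constructed forest: Sales users in corp.example, a share in eu.corp.example."""
    alice = Principal("alice", "corp.example", "user")
    bob = Principal("bob", "eu.corp.example", "user")
    sales = Principal("Sales", "corp.example", "global", [alice])  # accounts -> global
    share = Principal("EU-SalesShare-Modify", "eu.corp.example", "domainlocal", [sales])  # global -> domain local
    # Mistakes: a user from another domain and a domain local group put into a global group.
    bad = Principal("Sales-Wrong", "corp.example", "global", [bob, share])
    return sales, share, bad

if __name__ == "__main__":
    sales, share, bad = sample_layout()
    print("Recommended layout:", nesting_violations(share) or "ok")
    print("Wrong layout:", nesting_violations(bad))
```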
Please leave me a note letting me know if this article was helpful. Username: Guest. Password: Guest.
Very Helpful…thanks J.
-Shawn
Your diagrams are very well thought out.
Thanks