Nesting Active Directory Groups

By Dan DiNicolo, August 10th, 2001 Posted in Windows 2000. Subscribe to our RSS Feed

Some of you will remember the group usage strategy outlined by Microsoft for NT 4 domain environments. It suggested that you place user accounts into global groups according to needs, assign permissions to local groups, and then place global groups into local groups, thereby giving users access to resources. This model was often referred to as AGLP:

Accounts (get placed into) Global Groups (which are then placed in) Local Groups (who are ultimately assigned) Permissions

Although there are many different possibilities in terms of assigning permissions, the above method is amongst the most scalable. By the same token, a methodology exists in Windows 2000 that you should follow.

Accounts > Global Groups > Domain Local Groups > Permissions

Note that the model can extend beyond this, however. For example, you can nest global groups (which is useful if you have a few global groups in the same domain who you wish to further organize), or place global groups from different domains into a Universal group. With a Universal group, this would then make the model:

Accounts > Global Groups > Universal > Domain Local Groups > Permissions

The idea is simple – group users with common needs using global groups (or universal if you wish), and then place that group into a domain local group, which is assigned permissions to a resource. This allows many users to have access to the resource, while assigning permissions only once. A name for the new model that you won’t forget? Try AGULP (just remember that the L is for domain local now)

Written by Dan DiNicolo - Visit Website

All Tutorials by Category:

Entire site Copyright © 1999-2007 2000Trainers.com, all rights reserved.
Content on this site may not be copied or reproduced in any way without permission.

IT Showcase