A security group is an Active Directory object that contains users or other security groups or distribution groups. There are three kinds of security groups you can configure in the Active Directory—domain local groups, global groups, and universal groups—and each one serves a slightly different purpose in the Windows networking environment.
Security groups are used as a way of collecting together user accounts that require equal-access permissions to resources under the direct control of the Windows domain. If a user account were to be allocated explicit permissions to access individual resources, such as files and folders, every user on the system would need to be added individually to every controlled aspect of the file system. This is entirely possible to achieve using Windows NTFS permissions, but the administrative overhead of such a model would be wholly unworkable. To address this, security groups are nested in such a way as to minimize the administration overhead and maintain an overall control of the underlying file store’s security.
To see a list of the security groups configured by default on your SBS 2003 server, it’s best to use the Advanced Management interface rather than the Standard Management interface because the MMC snap-in for Active Directory Users and Groups offers more information and an immediate view of the security group type and its description.
■ Note
The Microsoft Management Console (MMC) is a convenient management interface that uses items known as snap-ins. Snap-ins perform a variety of system management functions and come as discrete management interfaces that have been written to a standard. This allows them to be snapped in to the MMC. Using this facility, you can add as many snap-ins as you need to do your most commonly encountered tasks, creating your own tailored management toolbox.

To see the security groups installed in SBS 2003:
1. Click Start ➤ Server Management.
2. In the left-hand menu, expand Advanced Management.
3. Expand Active Directory Users and Computers.
4. Expand the subtree pertaining to your system’s DNS name.
5. Highlight the Users container.
If you order the list in the right-hand window by clicking Type, you’ll see all the users and security groups listed in order of type.
To understand security groups in the context of SBS 2003, you must remember that SBS 2003 always uses the facilities of Windows Server 2003 as the underlying operating system—so in this case, all user management, group management, permissions, and rights are handled by Windows Server 2003. This means that the Windows Server 2003 domain architecture (which applies to enterprise systems that have multiple domains and multiple forests) is used here to supply a single SBS 2003 domain in a single Active Directory forest. Okay, so you’ve got that:
Now I’ll explain exactly what each security group is used for, and you’ll see from each description that the concepts shown here apply more to large systems with many domains and forests rather than the 1/1 architecture of SBS 2003:
• Domain local groups: Domain local groups are used to directly apply permissions to objects within a domain. Following the best practice for assigning permissions, a domain local group would contain global groups either from the local domain or connected domains, and it’s this security group that would be directly applied to a network object such as a printer, folder, file, or Active Directory object. Domain local groups cannot be added to security groups in other domains or other security groups within the local domain. They can be applied only directly to objects.
• Global groups: Global groups are domain-wide security groups that normally contain users or other global groups from the local domain. This means a user account might be added to a global group called Domain Users, and then that global group might in turn be added to a domain local group called Printer Users. Permissions are inherited from the resultant set of permissions derived from all security group memberships.
• Universal groups: Universal groups are only really of any use in a multidomain environment, but in the case of SBS 2003 they are of little consequence. Many of the default security groups created during the SBS 2003 installation are universal groups, but these should be treated exactly as you would a domain global group.
When you are assigning permissions to objects on your network, you would use security groups—for example, when you want only a select few of your users to access the color laser printer, because most users don’t need color hard copies and the color cartridges are too expensive to grant everyone full access.
As a more general example, take a look at Figure 5-2. In this case, User A is a member of the built-in global security group Domain Users, which is in turn a member of the domain local group Printer Access. The access control list for the printer has an entry that grants the Print permission to the Printer Access domain local group. From now on, any user who is a member of Domain Users is, by inference, allowed to use the printer.
Figure 5-2. Nested security groups ease the management burden. (Figure: within the SBS 2003 Domain, User A is a member of the Domain Users security group, which is in turn a member of the Printer Access local group.)
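The nesting rules for the three group scopes and the permission chain in Figure 5-2 (User A ➤ Domain Users ➤ Printer Access ➤ Print) can be modelled in a few lines. The following is an added example, not code from the book or from Windows itself: it is a constructed Python model that encodes the rules stated above (domain local groups are never nested, global groups hold only users and global groups from their own domain) and resolves a user’s effective permissions through transitive group membership. The domain name `sbs.example`, the printer name `ColorLaser` and `User B` are made up for the example.

```python
"""Constructed model of security-group scopes and nesting (not real AD
code): it encodes the nesting rules described in the text and resolves
the effective permission shown in Figure 5-2."""
from dataclasses import dataclass, field

USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "User", "DomainLocal", "Global", "Universal"


@dataclass
class Principal:
    name: str
    kind: str                 # one of USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL
    domain: str               # DNS name of the owning domain (constructed)
    members: set = field(default_factory=set)   # names of direct members


def nesting_error(group, member):
    """Return None if `member` may be placed in `group`, else the rule broken."""
    if group.kind == USER:
        return f"{group.name} is a user account, not a group"
    if member.kind == DOMAIN_LOCAL:
        # Domain local groups are applied directly to objects; they are
        # never members of another group.
        return f"domain local group {member.name} cannot be nested in {group.name}"
    if group.kind == GLOBAL and (member.kind not in (USER, GLOBAL) or member.domain != group.domain):
        # Global groups hold only users and global groups of their own domain.
        return f"global group {group.name} accepts only users/global groups from {group.domain}"
    return None


class Directory:
    def __init__(self):
        self.principals = {}  # name -> Principal
        self.acls = {}        # resource -> {principal name -> set of permissions}

    def add(self, principal):
        self.principals[principal.name] = principal

    def add_member(self, group_name, member_name):
        group, member = self.principals[group_name], self.principals[member_name]
        error = nesting_error(group, member)
        if error:
            raise ValueError(error)
        group.members.add(member_name)

    def grant(self, resource, principal_name, permission):
        """Add an ACL entry on `resource` for a principal (normally a domain local group)."""
        self.acls.setdefault(resource, {}).setdefault(principal_name, set()).add(permission)

    def memberships(self, name):
        """All groups `name` belongs to, directly or through nesting."""
        found, pending = set(), [name]
        while pending:
            current = pending.pop()
            for group in self.principals.values():
                if current in group.members and group.name not in found:
                    found.add(group.name)
                    pending.append(group.name)
        return found

    def effective_permissions(self, user_name, resource):
        """Union of permissions granted to the user or to any group it is nested in."""
        holders = self.memberships(user_name) | {user_name}
        perms = set()
        for principal_name, granted in self.acls.get(resource, {}).items():
            if principal_name in holders:
                perms |= granted
        return perms


def build_figure_5_2():
    """Constructed directory mirroring Figure 5-2 (domain and printer names are made up)."""
    d = Directory()
    d.add(Principal("User A", USER, "sbs.example"))
    d.add(Principal("User B", USER, "sbs.example"))        # deliberately not in Domain Users
    d.add(Principal("Domain Users", GLOBAL, "sbs.example"))
    d.add(Principal("Printer Access", DOMAIN_LOCAL, "sbs.example"))
    d.add_member("Domain Users", "User A")
    d.add_member("Printer Access", "Domain Users")
    d.grant("ColorLaser", "Printer Access", "Print")     # the printer's single ACL entry
    return d


if __name__ == "__main__":
    d = build_figure_5_2()
    print("User A:", d.effective_permissions("User A", "ColorLaser"))   # {'Print'}
    print("User B:", d.effective_permissions("User B", "ColorLaser"))   # set()
    # Trying to nest the domain local group inside a global group is rejected.
    print(nesting_error(d.principals["Domain Users"], d.principals["Printer Access"]))
```

The point of the model is the single ACL entry: nobody grants User A anything directly, yet `effective_permissions` finds Print by walking the membership chain, which is exactly the inheritance the figure illustrates. Adding or removing users from Domain Users changes who can print without touching the printer’s ACL at all.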