About Group!(ZT)

Reposted: 2005-05-11 22:18:00

About Group 

Windows 2000 supports four types of security groups:

· Local
· Domain local
· Global
· Universal

Local Groups

Local groups, which existed in Windows NT, can contain members from anywhere in the forest, in other trusted forests, or in a trusted pre–Windows 2000 domain. However, local groups can only grant resource permissions on the computer on which they exist.

A special case for local groups in Windows NT are those created on a PDC. The replication of the domain SAM among the BDCs resulted in these local groups being shared between the PDC and the BDCs. In mixed mode, local groups behave the same in both Windows NT and Windows 2000. In native mode, local groups on a domain controller become domain local groups, which are described in the next section. Typically, local groups are used to grant specific access to resources on a local computer.

Domain Local Groups

Domain local groups are a new feature of Windows 2000, though similar in concept and use to the local groups created on the PDC in a Windows NT domain.

Domain local groups are only (it seems wrong?) available in native mode domains and can contain members from anywhere in the forest, in trusted forests, or in a trusted pre–Windows 2000 domain. Domain local groups can only grant permissions to resources within the domain in which they exist. Typically, domain local groups are used to gather security principals from across the forest to control access to resources within the domain.

Global Groups

Windows 2000 global groups are effectively the same as Windows NT global groups. Windows 2000 global groups can only contain members from within the domain in which they exist. These groups can be granted permissions to resources in any domain in the forest or in trusted forests.

Universal Groups

Universal groups can contain members from any Windows 2000 domain in the forest, and can be granted permissions in any domain in the forest or in trusted forests. Though universal groups can have members from mixed mode domains in the same forest, members from such domains do not have the universal group added to their access tokens because universal groups are not available in mixed mode. Though you can add users to a universal group, it is recommended that you restrict membership to global groups. Note that universal groups are only available in native mode domains.

You can use universal groups to build groups that perform a common function within an enterprise. An example of this is virtual teams. The membership of such teams in a large company could be nation-wide, or world-wide, and almost certainly forest-wide, with team resources being similarly distributed. In these circumstances, universal groups could be used as a container to hold global groups from each subsidiary or department, with the team resources being protected by a single ACE for the universal group.

Universal groups and their members are listed in the Global Catalog (GC). Though global and domain local groups are also listed in the GC, their members are not. This has implications for GC replication traffic. It is recommended that you use universal groups with care. If your entire network has high-speed connectivity, you can simply use universal groups for all your groups, and benefit from not having to manage global groups and domain local groups. If, however, your network spans wide area networks (WANs), you can improve performance by using global groups and domain local groups.

If you use global groups and domain local groups, you can also designate as universal groups any widely used groups that are seldom changed.

Table 10.6 lists the properties of Windows 2000 groups.

Table 10.6 Windows 2000 Group Properties

Group Type   | Membership from                                                          | Scope                          | Available in Mixed Mode?
-------------|--------------------------------------------------------------------------|--------------------------------|-------------------------
Local        | The same forest; other trusted forests; trusted pre–Windows 2000 domains | Computer-wide                  | Yes
Domain Local | The same forest; other trusted forests; trusted pre–Windows 2000 domains | The local domain               | No
Global       | Local domain                                                             | Any trusted domain             | Yes
Universal    | The same forest                                                          | Any trusted native mode domain | No


Nesting Groups

It is recommended that you limit group size to 5,000 members, because the Active Directory store must be able to be updated in a single transaction. Because group memberships are stored in a single multivalue attribute, a change to the membership requires the whole membership list to be replicated between domain controllers and updated within a single transaction. Microsoft has tested and supports group memberships up to 5,000 members.

However, you can nest groups to increase the effective number of members. Doing this will help reduce traffic caused by replication of group membership changes. Your nesting options depend on whether the domain is in native mode or mixed mode. The following list describes what can be contained in a group that exists in a native-mode domain. These rules are determined by the scope of the group.

· Universal groups can contain user accounts, computer accounts, universal groups, and global groups from any domain.
· Global groups can contain user accounts and computer accounts from the same domain, and global groups from the same domain.
· Domain local groups can contain user accounts, computer accounts, universal groups, and global groups from any domain. They can also contain other domain local groups from within the same domain.

Security groups in a mixed-mode domain can contain only the following:

· Local groups that can contain global groups and user accounts from trusted domains.
· Global groups that can contain only user accounts.

Group Membership Expansion

When a user logs on to a client or makes a network connection to a server, the group membership of the user is expanded as part of building the user access token. Group expansion occurs as follows:

· During interactive logon to a client, the client contacts the domain controller to verify user credentials and obtain a Kerberos TGT. The domain controller expands the list of all group memberships for the user for the following group types:
    · Universal groups defined anywhere in the forest
    · Global groups
    · Domain local groups for the same domain as the user account.
  These group lists are included in the TGT as authorization data.
· When the client initiates a network connection to a server, if the server is located in a different domain than the user account, a cross-domain referral is used to get a service ticket from the KDC of the server. When the service ticket is issued, group expansion adds the domain local groups of which the user is a member to the domain of the server. These groups are added to authorization data in the service ticket along with the group list in the TGT. If the server is in the same domain as the user account, the domain local groups are already available in the TGT from the initial interactive logon.
· When the client connects to the server, expansion of the local groups occurs if the user account, or one of the groups of which the user is a member, is also a member of any local groups on the server.

When the user access token is being created, all the group membership information expanded by the domain controller or the resource server is used to identify the user.
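The three expansion stages described above, as an added walk-through in Python (example code, not part of the original article). The domains (corp, europe, legacy), groups, users and the server-side local group are constructed for the example; the legacy domain is marked mixed mode to show that its users never receive universal groups in their token.

```python
# Constructed model of the three expansion stages above (example code, not
# from the original article). Domains, groups, users and the server's local
# group are invented for the walk-through.

GROUPS = {
    # name: (scope, domain, direct members)
    "Sales-Staff":    ("global",       "corp",   {"alice"}),
    "Legacy-Staff":   ("global",       "legacy", {"carol"}),
    "Team-Rollout":   ("universal",    "corp",   {"Sales-Staff", "Legacy-Staff"}),
    "Corp-Printers":  ("domain local", "corp",   {"Sales-Staff"}),
    "Euro-FileShare": ("domain local", "europe", {"Team-Rollout"}),
    "Euro-Admins":    ("domain local", "europe", {"bob"}),
}
USER_DOMAIN = {"alice": "corp", "bob": "europe", "carol": "legacy"}
MIXED_MODE_DOMAINS = {"legacy"}   # universal groups never reach tokens of these users

def direct_memberships(principal):
    """Groups that list `principal` as a direct member."""
    return {g for g, (_, _, members) in GROUPS.items() if principal in members}

def expand(start, allowed):
    """Transitively collect groups containing each name in `start`, walking
    only through groups for which `allowed(name)` is true (each KDC expands
    only the scopes it is responsible for)."""
    found, frontier = set(), list(start)
    while frontier:
        for g in direct_memberships(frontier.pop()):
            if g not in found and allowed(g):
                found.add(g)
                frontier.append(g)
    return found

def tgt_groups(user):
    """Stage 1 (interactive logon): the user's own DC puts universal groups
    from anywhere in the forest, global groups, and domain local groups of
    the user's domain into the TGT."""
    home = USER_DOMAIN[user]
    def allowed(g):
        scope, domain, _ = GROUPS[g]
        if scope == "universal":
            return home not in MIXED_MODE_DOMAINS
        return scope == "global" or domain == home
    return expand([user], allowed)

def service_ticket_groups(user, server_domain):
    """Stage 2 (service ticket): the server domain's KDC adds its own domain
    local groups that contain the user or any group already in the TGT."""
    tgt = tgt_groups(user)
    def allowed(g):
        scope, domain, _ = GROUPS[g]
        return scope == "domain local" and domain == server_domain
    return tgt | expand([user] + sorted(tgt), allowed)

def token_groups(user, server_domain, server_local_groups):
    """Stage 3 (server): add local groups of the server whose member list
    contains the user or any group from the service ticket."""
    groups = service_ticket_groups(user, server_domain)
    for local, members in server_local_groups.items():
        if members & (groups | {user}):
            groups.add(local)
    return groups

# Local group defined on a file server in the europe domain (constructed).
EURO_SERVER_LOCAL_GROUPS = {"Backup Operators": {"Euro-FileShare"}}
```

For a server in the user's own domain, stage 2 adds nothing because the home domain's domain local groups were already placed in the TGT at logon.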

Effects of Upgrade on Groups

Upgrading a PDC to Windows 2000 has no immediate effect on groups: Windows NT local groups become Windows 2000 local groups, and Windows NT global groups become Windows 2000 global groups. The real change occurs when you switch the domain to native mode, at which point local groups on the PDC become domain local groups.


Group Capability       | Universal scope                                                                   | Global scope                                                                                           | Domain local scope
-----------------------|-----------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------
Native Mode Membership | Accounts from any domain, as well as groups from any domain regardless of scope. | Only accounts from the same domain and global groups from the same domain.                             | Accounts, global groups, and universal groups from any domain; domain local groups from the same domain only.
Mixed Mode Membership  | Can't be created in mixed-mode domains.                                           | Only accounts from the same domain.                                                                    | Accounts and global groups from any domain.
Member of              | Can be put into other groups and assigned permissions in any domain.              | Can be put into other groups and assigned permissions in any domain.                                   | Can be put into other domain local groups and assigned permissions only in the same domain.
Scope Conversion       | Cannot be converted to any other group scope.                                     | Can be converted to universal scope, provided it is not a member of any other group having global scope. | Can be converted to universal scope, provided it does not have as its member another group having domain local scope.


Changing group scope

When creating a new group, by default, the new group is configured as a security group with global scope regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level set to Windows 2000 mixed, the following conversions are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003:

· Global to universal. This is only allowed if the group you want to change is not a member of another global scope group.
· Domain local to universal. This is only allowed if the group you want to change does not have another domain local group as a member.
· Universal to global. This is only allowed if the group you want to change does not have another universal group as a member.
· Universal to domain local. No restrictions for this operation.
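The nesting rules listed under "Nesting Groups" and the four conversion rules listed above, as one added Python checker that serves both sections (example code, not part of the original article). The Principal class, the group names and the domains are constructed; the conversion checks assume a native-mode domain, as the text requires.

```python
from dataclasses import dataclass, field

# Constructed model of the scope rules above (example code, not from the
# original article). Nesting follows the native-mode list under "Nesting
# Groups"; conversion follows the four rules under "Changing group scope".

@dataclass(eq=False)
class Principal:
    name: str
    domain: str
    kind: str = "user"          # "user", "computer" or "group"
    scope: str = ""             # groups only: "universal", "global", "domain local"
    members: list = field(default_factory=list)

def is_group(p, scope=None):
    return p.kind == "group" and (scope is None or p.scope == scope)

def can_contain(group, member, native_mode=True):
    """True if `member` may be added to `group` under the page's nesting rules."""
    same_domain = group.domain == member.domain
    if not native_mode:
        # Mixed mode: no universal groups; global groups hold only accounts of
        # their own domain; (domain) local groups hold accounts and global groups.
        if group.scope == "universal":
            return False
        if group.scope == "global":
            return not is_group(member) and same_domain
        return not is_group(member) or is_group(member, "global")
    if group.scope == "universal":
        return not is_group(member) or member.scope in ("universal", "global")
    if group.scope == "global":
        return same_domain and (not is_group(member) or is_group(member, "global"))
    if group.scope == "domain local":
        # accounts, universal and global groups from any domain; other
        # domain local groups only from the same domain
        return not is_group(member, "domain local") or same_domain
    return False

def can_convert(group, new_scope, all_groups):
    """True if `group` may be converted to `new_scope` (native mode only)."""
    change = (group.scope, new_scope)
    if change == ("global", "universal"):
        # blocked while another global group lists this group as a member
        return not any(is_group(g, "global") and group in g.members for g in all_groups)
    if change == ("domain local", "universal"):
        return not any(is_group(m, "domain local") for m in group.members)
    if change == ("universal", "global"):
        return not any(is_group(m, "universal") for m in group.members)
    if change == ("universal", "domain local"):
        return True
    return False

def add_member(group, member, native_mode=True):
    """Add `member` only if the rules allow it; returns whether it was added."""
    if not can_contain(group, member, native_mode):
        return False
    group.members.append(member)
    return True
```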


Groups on client computers and stand-alone servers

Some group features, such as universal groups, group nesting, and the distinction between security groups and distribution groups, are available only on Active Directory domain controllers and member servers. Group accounts on Windows 2000 Professional, Windows XP Professional, Windows 2000 Server, and stand-alone servers running Windows Server 2003 work the same way as in Windows NT 4.0:

· Only local groups can be created locally on the computer.
· A local group created on one of these computers can be assigned permissions only on that one computer.
