As with organizational unit design, it is best to simplify your group structure to avoid unnecessary administrative overhead. Establishing a set policy on how to deal with groups and which groups can be created will help to manage large groups of users more effectively and help troubleshoot security more effectively.
Best Practice for Groups
Group use can be simplified by remembering a simple formula: Use domain local groups to control access to resources and use global groups to organize similar groups of users. When this is done, the global groups created are then applied to the domain local groups as members, allowing those users permissions to those resources and limiting the effect that replication has on an environment.
To illustrate this type of use, consider the example shown in Figure 6.11. Users in the Marketing and Finance departments need access to the same shared printer on the network. Two global groups named Marketing and Finance, respectively, were created and all user accounts from each respective group were added. A single domain local group called Printer1 was created and granted sole access to the shared printer. The Marketing and Finance groups were then added as members of the Printer1 group. This simple formula works on a much larger scale as well and has been found to be best practice for effective use of groups without major replication concerns.
Figure 6.11 Nested groups sharing common resources.
The concept of the universal group is also coming of age in Windows .NET Server 2003. Now that the replication issue has been solved through incremental membership replication, it is more likely that this form of group will be possible in an environment. When necessary, a universal group can take the place of global groups or can potentially include global groups as members. Universal groups are most useful in consolidating group membership across domain boundaries, and this should be their primary function if utilized in Windows .NET Server 2003.
Even though universal groups can exist only in Native mode domains, they can theoretically include members from other Mixed mode domains in a forest. This is not recommended, however, because it makes troubleshooting access problems much more difficult. Since members from other domains cannot have a SID of the universal group added to their access token, a Mixed mode domain object is added as a link in a universal group, not as a direct object.
Establishing Group Naming Standards
As with all objects in Active Directory, a group should be easily identifiable so that there is less ambiguity for both end users and administrators. Consequently, it is important to establish some form of naming convention for all groups to have and to communicate those naming conventions to the administrators who will create those groups. Using such conventions will help to alleviate headaches involved with determining what a certain group is used for, who owns it, and similar issues.
Groups can be nested, or included as members in other groups, to easily add multiple members of known groups as members of other groups. This added flexibility reduces the total number of groups necessary and helps to reduce administrative overhead.
While in Windows NT Mixed or Interim modes, like groups cannot be nested. For example, when not in Native mode, a domain local group cannot be nested in another domain local group, and a global group cannot be nested in a separate global group.
Distribution Group Design
If required by your organization, distribution groups can be set up to allow for SMTP mail to be sent to multiple recipients. Bear in mind that these groups do not have SIDs associated with them and consequently cannot be used for security permission assignments. In reality, it is rare that distribution groups will be designed in an organization that is not running Exchange 2000. However, understanding their role and potential is important in determining proper group design.
While still in Mixed or Interim mode with NT BDCs, universal security groups are not available. However, universal distribution groups are available in this mode and can be used to include members from any domain in the forest.