Group types Two distinct types of groups exist, and they reflect two different ways of look- ing at what a group is for: ⻬ Security groups: Most groups are security groups, which extend access rights only to members of the group. For example, if you want to allow a group of users to access your high-speed color laser printer, you can create a group called ColorPrintUsers. Then, you can grant permission to use the printer to the ColorPrintUsers group. Finally, you can add individual users to the ColorPrintUsers group. ⻬ Distribution groups: Distribution groups aren’t used as much as secu- rity groups. They are designed as a way to send e-mail to a group of users by specifying the group as the recipient. Group scope Three distinct group scopes exist: ⻬ Domain local: A group with domain local scope can have members from any domain. However, the group can be granted permissions only from the domain in which the group is defined. ⻬ Global: A group with global scope can have members only from the domain in which the group is defined. However, the group can be granted permissions in any domain in the forest. A forest is a high-level grouping of domains. ⻬ Universal scope: Groups with universal scope are available in all domains that belong to the same forest. As you can probably guess, universal scope groups are usually found only on very large networks. One common way to use domain local and global groups is like this: ⻬ Use domain local groups to assign access rights for network resources. For example, to control access to a high-speed color printer, create a domain local group for the printer. Grant the group access to the printer, but don’t add any users to the group. ⻬ Use global groups to associate users with common network access needs. For example, create a global group for users who need to access color printers. Then, add each user who needs access to a color printer mem- bership in the group. ⻬ Finally, add the global group to the domain local group. Doing so extends printer access to all members of the global group. This technique gives you the most flexibility when your network grows. 261

Chapter 19: Windows Server 2003