A Windows Server 2008 group can have any of three distinct scopes. The scope determines which domains the group's members can belong to. A group is a special type of account that represents a set of users who have common network access needs. Three distinct scopes exist:
Domain local: A group with domain local scope can have members from any domain. However, the group can be granted permissions only from the domain in which the group is defined.
Global: A group with global scope can have members only from the domain in which the group is defined. However, the group can be granted permissions in any domain in the forest.
Universal: Groups with universal scope are available in all domains that belong to the same forest.
As you can probably guess, universal scope groups are usually found only on very large networks.
One common way you can use domain local and global groups is as follows:
Use domain local groups to assign access rights for network resources.
For example, to control access to a high-speed color printer, create a domain local group for the printer. Grant the group access to the printer, but don’t add any users to the group.
Use global groups to associate users with common network access needs.
For example, create a global group for users who need to access color printers. Then, add each user who needs access to a color printer to the group.
Finally, add the global group to the domain local group.
That way, access to the printer is extended to all members of the global group.
This technique gives you the most flexibility when your network grows.
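The domain local and global group nesting described above, as an added PowerShell example that is not from the original article. It assumes the ActiveDirectory module is available; the OU path, group names and user accounts are hypothetical. The final pipeline lists any user placed directly in a domain local group, which skips the global-group layer.

```powershell
# Added example: OU path, group names and accounts are hypothetical.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=example,DC=com'   # assumed OU that holds group objects
$dlGroup = 'DL_ColorPrinter_Print'         # domain local: receives the permission
$gGroup  = 'G_ColorPrinter_Users'          # global: holds the user accounts
$users   = 'alice', 'bob'                  # constructed sample accounts

# 1. Domain local group for the resource. Grant this group access to the
#    printer on the print server, and add no users to it.
New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 2. Global group for the users who share the access need.
New-ADGroup -Name $gGroup -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $gGroup -Members $users

# 3. Nest the global group inside the domain local group.
Add-ADGroupMember -Identity $dlGroup -Members $gGroup

# Check: report users that are direct members of a domain local group in $ou.
# An empty result means every user reaches the resource through a global group.
Get-ADGroup -Filter "GroupScope -eq 'DomainLocal'" -SearchBase $ou |
    ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object @{ n = 'Group';      e = { $group.Name } },
                          @{ n = 'DirectUser'; e = { $_.SamAccountName } }
    }
```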
Source: http://www.dummies.com/how-to/content/network-administration-windows-user-group-scope.html