As an Assistant Admin (AA), you can use DRA and ExA to manage groups and modify group properties. Groups allow you to grant specific permissions to a defined set of user accounts, and they let you control which data and resources a user account can access in any domain.
You can manage groups of any type and scope. For example, you can nest groups, allowing one group to inherit permissions from another group. You can also control group memberships across domains by adding groups from trusted domains to groups in the managed domain, and by managing temporary group assignments.
Groups can contain the following objects:
User Accounts (UA)
Contacts (CON)
Computers (CPT)
Global Groups (GG)
Local Groups (LG)
Universal Groups (UG)
Foreign Security Principals (FSP)
Depending on your network environment, groups can only contain certain objects. The following table indicates what type of objects a group can contain when groups are in the same domain or in a trusted domain, mixed mode or native mode domain environment.
| Domain | Local Groups (Same) | Local Groups (Trusted) | Global Groups (Same) | Global Groups (Trusted) | Universal Groups (Same) | Universal Groups (Trusted) |
|---|---|---|---|---|---|---|
| Mixed Mode | UA CON CPT GG LG UG FSP | UA CON CPT GG UG FSP | UA CON CPT FSP | None | UA CON CPT GG FSP | UA CON CPT GG LG FSP |
| Native Mode | UA CON CPT GG LG UG FSP | UA CON CPT GG UG FSP | UA CON CPT GG FSP | None | UA CON CPT GG UG FSP | UA CON CPT GG UG FSP |
In mixed mode and native mode domains, you can create the following group types:
Security groups: Let you assign rights and permissions to a collection of members and manage their permissions collectively. Each security group is assigned a Security Identifier (SID).
Distribution groups: Let you identify a set of user accounts and contacts to use as an Exchange distribution list. Distribution groups are not assigned SIDs.
In mixed or native mode domains, you can define the group scope as domain local, global, or universal. With group type and scope combined in mixed mode domains, you can create groups with several different types and scopes, including the following groups:
Domain local security groups
Domain local distribution groups
Global security groups
Global distribution groups
Universal distribution groups
You can use universal security groups only in native mode domains.
A mixed mode domain has some limitations on the use of group types and scopes. For example, you can create universal distribution groups, but you cannot create universal security groups. You can only nest distribution groups in a mixed mode domain. Once you create a group, you cannot change the type or scope or convert the group to another type or scope.
In a native mode domain, groups are more flexible than in mixed mode domains. You can use universal groups for security or distribution. You can nest any type of group in a universal group. You can freely convert groups between security and distribution group scopes. You can convert global and domain local groups to universal group types with a few exceptions.
The following table compares some aspects of group scope in mixed mode domains and in Microsoft Windows native mode domains.
| Group Scope | Mixed Mode Domains | Microsoft Windows Native Mode Domains |
|---|---|---|
| Domain Local | Groups can contain user accounts and global groups from any domain. You can include these groups only in other domain local groups and permission lists in the same domain. | Groups can contain user accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain. You can convert domain local groups that do not contain other domain local groups to universal groups. |
| Global | Groups can contain user accounts from the same domain, and any domain that trusts the domain in which the group was created can reference it. You can assign a global group permissions anywhere in the network. Global groups cannot contain other groups. | Groups can contain the same objects as in mixed mode domains, except that global groups can also contain other global groups from the same domain. You can convert global groups that are not a member of any other global group to universal groups. |
| Universal | You can only create universal distribution groups in a mixed mode domain. | Groups can contain members from any domain in the forest. Universal groups can appear in ACLs anywhere in the forest, and can contain other universal groups, global groups, and user accounts. |
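As an added example (not code from the DRA documentation or product), the membership table and the scope-conversion rules above are encoded as Python checks that an auditor could run over an exported group inventory before approving a nesting or conversion request. The `Obj` class, the domain names and the object names are constructed for illustration.

```python
from dataclasses import dataclass, field
# Membership table from the page: (domain mode, group scope, member in same
# domain?) -> member kinds the group may contain ("None" becomes an empty set).
ALL = {"UA", "CON", "CPT", "GG", "LG", "UG", "FSP"}
NESTING = {
    ("mixed", "LG", True): ALL, ("mixed", "LG", False): ALL - {"LG"},
    ("mixed", "GG", True): {"UA", "CON", "CPT", "FSP"}, ("mixed", "GG", False): set(),
    ("mixed", "UG", True): {"UA", "CON", "CPT", "GG", "FSP"}, ("mixed", "UG", False): ALL - {"UG"},
    ("native", "LG", True): ALL, ("native", "LG", False): ALL - {"LG"},
    ("native", "GG", True): {"UA", "CON", "CPT", "GG", "FSP"}, ("native", "GG", False): set(),
    ("native", "UG", True): ALL - {"LG"}, ("native", "UG", False): ALL - {"LG"},
}

@dataclass
class Obj:
    kind: str                # UA, CON, CPT, FSP, or GG / LG / UG for groups
    domain: str
    gtype: str = "security"  # "security" or "distribution" (groups only)
    members: list = field(default_factory=list)   # names of direct members

def check_add(group, member, modes, trusts):
    """Return None if member may be added to group, else the reason it may not."""
    mode = modes[group.domain]
    if mode == "mixed" and group.kind == "UG" and group.gtype == "security":
        return "universal security groups exist only in native mode domains"
    same = member.domain == group.domain
    if not same and frozenset((group.domain, member.domain)) not in trusts:
        return "member's domain is not trusted by the group's domain"
    if member.kind not in NESTING[(mode, group.kind, same)]:
        return f"a {group.kind} in a {mode} mode domain cannot contain a {member.kind} from {'the same' if same else 'a trusted'} domain"
    return None

def can_convert_to_universal(name, objs, modes):
    """Scope-conversion rules from the second table; mixed mode never allows it."""
    g = objs[name]
    if modes[g.domain] != "native":
        return False
    if g.kind == "LG":   # allowed only if it contains no other domain local group
        return all(objs[m].kind != "LG" for m in g.members)
    if g.kind == "GG":   # allowed only if it is not a member of any other global group
        return not any(name in o.members for o in objs.values() if o.kind == "GG")
    return False         # already universal, or not a group

# Constructed sample forest (not real data): a native and a mixed mode domain that trust each other.
MODES = {"corp.example": "native", "legacy.example": "mixed"}
TRUSTS = {frozenset(("corp.example", "legacy.example"))}
OBJS = {"alice": Obj("UA", "corp.example"),
        "g-app": Obj("GG", "corp.example", members=["alice"]),
        "g-all": Obj("GG", "corp.example", members=["g-app"]),
        "l-old": Obj("LG", "legacy.example")}
```

Running `check_add(OBJS["g-app"], OBJS["l-old"], MODES, TRUSTS)` reports that a global group cannot contain anything from a trusted domain, and `can_convert_to_universal("g-app", OBJS, MODES)` is false because g-app is still a member of g-all.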
Temporary group assignments allow you to manage group memberships for users who only need group membership for a specific time period. This section guides you through administering temporary group assignments in the Account and Resource Management console. With the appropriate powers, you can perform tasks such as creating new temporary group assignments or removing expired temporary group assignments. You can perform these tasks only on the primary Administration server. The Tasks menu indicates which tasks you can perform when you select single or multiple temporary group assignments.