Groups and Computers | Group Types in Active Directory 2008

Definition: Active Directory group is a collection of the user account. We create groups for simplify the things.

Create Group in Active Directory:

Creating group in active directory (server 2008) is very simple, open active directory users and groups from administrative tasks. And right click on any OU and click on new then on group. Type the group name. Click on OK and group will appear in that OU.

Create Group in Active Directory

How to add user in group:

Double click on group, go to member tab and add users by clicking add button. Type the user name in text field and click on add button. You can take the help by check name button by typing the half name instead of typing the full name. Also you can click on locations and can add users from different domain by selecting other domains. You can use the advance button to search different users and other objects.

Add users in Groups Active Directory

Similarly you can add a nested group in group by member of tab.


Share Files and Folders to Users and Groups with Different Rights in Active Directory:

Right click on folder and click on “share to specific people” from share with menu, click on add to add user and group with different rights like read only, contributor


Active Directory Group scope:

Group types and Scope in Active Directory

Local Group Scope:

Local Group can have users from one forest, users from different domain from one forest or forest with trust relationship can be member of domain local group.

Global Scope for Group:

Users account from same domain can be member of this type of group. Global group belongs to this domain, it changes not in itself extraterritorial copy, so the global group to allow frequent internal changes (add and delete users, etc.), can take advantage of the global group to grant permissions to access resources in any domain, but generally do not directly to rights management.

Universal Scope:

Universal security group are very flexible, it can accept universal and global group from it domain. Also universal or global group users from other domain in same forest and users from forest which have trust relation with your forest.

The main role of the universal group is used to merge across different domains of the group, Universal groups Universal groups are stored in the global compilation recorded (GC), the generic group of modifications will be copied to the global catalog, a generic set of frequently modify when the invisible increases the overhead of the network, so a universal group design excellent network must not change frequently

Active Directory Groups Types:

The group was divided into two categories: security and distribution groups in Active Directory.

Distributed Group:

The distributed group is used to send an email to all users that are added in that distributed group. The distribution group is purely used to e-mail, if you want to give the financial sector all to send a message that you choose this distribution group.

Security Group:

You can use also send email with security group like distributes group but the difference is that the security group is used to implement Group Policy, for access, for example, you want all of the market sectors have a specific mapping disk or can open a folder.

Forest functional level (FFL) Active Directory:

What is Forest Functional Level:

The forest functional level can be achieved and determined by the level of functional domains in any forest. If in your forest domain controllers have different server OS then Forest functional level (FFL) is the lowest domain function level. For example you have w2k, w2k3 and w2k8 in your forest then forest functional level in case would be the windows 2000 domain function level.

Forest functional level (FFL) Windows 2000:

This forest function level only provide you the basic features of AD, these feature includes Universal Group caching, backups, AD quota feature, Application directory partitions, SIS for system access control lists (SACL) and Global Catalog replication enhancements.

Forest Function Level windows 2003:

All the domains in this forest functional level have windows server 2003. Some important features of FFL w2k3 are:

  • Forest Trust: If you have FFL windows 2003 then you have the ability to create a forest trust between two forests and users in both forests can access each other recourses.
  • Domain Renaming: You can rename domain which is handy in some cases.
  • You have linked value replication in FFL 2003 which sends the only updated changes to its DCs and forests.
  • RODC: You can define RODC in FFL.
  • In FFL 2003 you have Improved Knowledge Consistency Checker (KCC) replication algorithms.
  • Deactivate schema objects: Suppose you have created a schema accidently, now you can delete this schema but you can deactivate this schema in Forest Functional Level 2003.

Forest Function Level windows 2008:

All the domain controllers have windows server 2008 in FFL 2008. This forest function levels have all the features of FFL 2003 plus the DFL features for 2008.

Learn about Domain Functional Level

Domain Functional Level | What are DFL?

When you create a domain (Active Directory), it takes a functional level that determines your level of compatibility with domain controllers. For example when creating a domain from a Windows 2000, functional level is Domain Functional Level Windows 2000 and you do not take advantage of all the new functionalities from this domain functional level.

There are two functional levels that are domain functional level and forest function level.

Domain Functional Levels

In domain factional level the lowest level that you can use windows 2000 server.

Domain Functional Level (DFL): Windows 2000:

In this level you can use the windows 2000 as OS and for domain controller you can also use windows server 2000, windows server 2003 and windows server 2008. In this level you can run and enable only basic active directory services. This DFL for 2000 is now no longer used.

DFL: Windows server 2003:

In this domain functional level you can use windows 2k3 and windows 2k8 for domain controller.

In this functional level Microsoft provide you

  • Domain renaming feature
  • last logon time
  • You can create a forest trust between two Forest as well.
  • W2k3 DFL level provide you redirect feature using this feature you can create user in your desire organizational unit using command prompt. Suppose you have create a user “john” in Marketing OU and marketing OU is in departments OU and domain is you should use the following command.

Dedirusrou-marketing users,ou-departments,dc-w7cloud,dc-com

If you use the net user command to create a user it will simply create user in user’s container in users and groups.

  • In W2k3 DFL you have selective authentication, if you have forest trust between two forests you can only specify the selective user to access the recourses of other forest. Suppose you have two forests and and you have a trusted relation between these two forests, you have a user “viki” on w7cloud. Using selective authentication in windows 2003 domain functional level you can assign the full rights to “viki” user on different systems of forest also you can made retractions on other systems of
  • Authorization manager: Usingdomain functional level windows 2003,an application developer can implement different restrictions on user application.

Domain Functional Level: Windows server 2008:

This functional level includes all the feature of domain functional level w2k3 and also some following extra features:

  • DC for DFL W2k8:For this function level you have to run only window server 2008.
  • DFS and SYSVOL replication:You have DFS and SYSVOL replication services.
  • User Login Attempts:Also keep the last login info with number of password attempts.
  • You have the advance encryption standard (AES) in W2K8 DFL. This is a strong security feature that you have in this DFL.
  • Fine-Grained Password and Account Lockout Policy:  You can implement Fine-Grained Password policy in this functional level and can create multiple password policies and account lock user polices for different users. In windows 2000 and 2003 you don’t have this feature you have to rely on default password policy in those functional levels.

Learn about “Forest Functional Level