Friday, May 26, 2017

Group Types & Scope

Security identifier (SID). A SID is a code that uniquely identifies a specific user, group, or computer to the Windows 2000 security system. A user's own SID is always attached to the user's access token. When a user is made a member of a group, the SID for that group is also attached to the user's access token.

There are two types of groups in a Windows environment.

1. Distribution Group
2. Security Group

Distribution Group:
Distribution groups do not have a SID (Security Identifier) associated with them. For this reason distribution groups can’t be used for security. That is, a distribution group cannot be used to assign permissions to files or objects. Distribution groups are mainly used with e-mail programs like Exchange to send e-mails to groups of people. Since there is no SID associated with the group, making a user a member of a distribution group does not affect the size of the security token for that user. A security token is created when the user logs in and contains their SID and the SIDs of any security groups of which they are a member.

Security Group:
A security group has a SID and thus can be used for assigning permissions to files or objects. A security group can also be used as a distribution group in e-mail software like Exchange. Thus, the difference between a security group and a distribution group is simply that a security group is security enabled whereas a distribution group is not. If you are not sure which group to create, create a security group since it can do everything a distribution group can do and can also be used in security related operations.
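The token behaviour described above can be seen directly on any Windows host. The following script is an added example and is not part of the original post: it uses the .NET WindowsIdentity class to list the SIDs carried in the current user's access token, so no ActiveDirectory module is needed for the first part. The trailing directory lookup assumes the RSAT ActiveDirectory module on a domain-joined host, and the group name 'Sales' is a placeholder.

```powershell
# Added example, not from the original post: list the SIDs carried in the
# current user's access token via the .NET WindowsIdentity class.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The user's own SID is always attached to the token
'User : {0}  ({1})' -f $identity.Name, $identity.User.Value

# Each security group the user belongs to adds its SID to the token.
# Distribution groups do not appear here: they are not security-enabled.
$groups = foreach ($sid in $identity.Groups) {
    $name = '<unresolved>'
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    [pscustomobject]@{ SID = $sid.Value; Name = $name }
}
$groups | Format-Table -AutoSize
'Token carries {0} group SIDs' -f $identity.Groups.Count

# Optional (assumes the RSAT ActiveDirectory module and a domain-joined host):
# confirm a group's category (Security / Distribution) and scope directly
# from the directory. The group name 'Sales' is a placeholder.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroup -Identity 'Sales' -Properties GroupCategory, GroupScope |
        Select-Object Name, GroupCategory, GroupScope
}
```

Run it once before and once after adding the account to a security group (and again for a distribution group) to see that only the security group changes the SID count in the token.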

To understand more about groups we need to know about group scope. A group's scope determines the extent to which the group can be nested in other groups or referenced in DACLs (Discretionary Access Control Lists) on resources in the Active Directory domain or forest.
Generally there are four group scopes:

1. Local Group
2. Domain Local Group
3. Universal Group
4. Global Group

Local Group:

Membership. Local groups can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains.

Permissions. A local group has only machine-wide scope; that is, it can be used to grant resource permissions only on the machine on which it exists. (Note, however, that local groups created on a domain controller are available on every domain controller in that domain and can be used to grant resource permissions on any domain controller in that domain.)

Domain Local Groups:

Membership. Like local groups, domain local groups can have members from anywhere in the forest, from trusted domains in other forests, and from trusted down-level domains.

Permissions. A domain local group has domain-wide scope; that is, it can be used to grant resource permissions on any Windows 2000 machine within the domain in which it exists (but not beyond its domain).

Global Groups:

Membership. Global groups can have members from within their own domain (only).

Permissions. Although a global group is limited to domain-wide scope as far as membership goes, it can be made a member of machine or domain local groups or granted permissions in any domain (including trusting domains in other forests and down-level domains with which a trust relationship exists). That is, groups with global scope can be put into other groups in any trusting domain.

Universal Groups:

Membership. Universal groups can have members from any Windows 2000 domain in the forest.

Permissions. Universal groups can be granted permissions in any domain, including in domains in other forests with which a trust relationship exists.
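The four membership rules above can be encoded as a small check that is run before a nesting change is made, which is useful when reviewing group changes for scope violations. The script below is an added example and is not from the original post; it implements only the membership rules stated on this page (not every nesting rule Active Directory enforces), and the domain, forest and trust names are constructed for illustration. The trusted-domain list is supplied by the caller so the function runs offline.

```powershell
# Added example, not from the original post. Encodes the membership rules for
# the four group scopes as a function so a proposed nesting can be checked.
# Domain, forest and trust names below are constructed for illustration.

function Test-GroupMembershipAllowed {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Local', 'DomainLocal', 'Global', 'Universal')]
        [string]$GroupScope,

        [Parameter(Mandatory)][string]$GroupDomain,
        [Parameter(Mandatory)][string]$GroupForest,

        # Domain and forest of the account or group being added
        [Parameter(Mandatory)][string]$MemberDomain,
        [Parameter(Mandatory)][string]$MemberForest,

        # Domains (in other forests, or down-level) trusted by the group's
        # domain; supplied by the caller so this example stays offline
        [string[]]$TrustedDomains = @()
    )

    $sameDomain = $GroupDomain -eq $MemberDomain
    $sameForest = $GroupForest -eq $MemberForest
    $trusted    = $TrustedDomains -contains $MemberDomain

    switch ($GroupScope) {
        # Global: members from the group's own domain only
        'Global'    { return $sameDomain }
        # Universal: members from any domain in the same forest
        'Universal' { return $sameForest }
        # Local and DomainLocal: anywhere in the forest, plus trusted domains
        default     { return ($sameForest -or $trusted) }
    }
}

# Constructed scenario: forest corp.example (with child domain eu.corp.example)
# trusts the separate forest partner.example.
$trusts = @('partner.example')

$cases = @(
    @{ GroupScope = 'Global';      GroupDomain = 'corp.example'; GroupForest = 'corp.example'; MemberDomain = 'eu.corp.example'; MemberForest = 'corp.example' },
    @{ GroupScope = 'Universal';   GroupDomain = 'corp.example'; GroupForest = 'corp.example'; MemberDomain = 'eu.corp.example'; MemberForest = 'corp.example' },
    @{ GroupScope = 'Universal';   GroupDomain = 'corp.example'; GroupForest = 'corp.example'; MemberDomain = 'partner.example'; MemberForest = 'partner.example' },
    @{ GroupScope = 'DomainLocal'; GroupDomain = 'corp.example'; GroupForest = 'corp.example'; MemberDomain = 'partner.example'; MemberForest = 'partner.example' }
)

foreach ($c in $cases) {
    $allowed = Test-GroupMembershipAllowed @c -TrustedDomains $trusts
    '{0,-12} group in {1} <- member from {2}: {3}' -f $c.GroupScope, $c.GroupDomain, $c.MemberDomain, $allowed
}
```

In a real environment the trusted-domain list would come from Get-ADTrust, and the check would be applied to the scope and domain values returned by Get-ADGroup for both the target group and the proposed member.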


Reference: https://technet.microsoft.com/en-us/library/bb727067.aspx

 
