264
Networking: A Beginner's Guide
For example, suppose that a group of people, such as an accounting department, has
specific permissions to access 20 different folders on the server. When a new accountant
is hired, do you need to remember or look up all those 20 folders so you can give the
accountant the same permissions as the rest of the department? Or suppose that a user
who has many different permissions changes departments. Do you need to find each
permission so you can make sure he has only the appropriate permissions for his new
department?
To address such problems, network operating systems support the concept of
security groups (or just groups). You first create the group, and then assign all the
appropriate users to it so you can administer their permissions more easily. When
you grant permission to a folder on the server, you do so by giving the group the
network permission. All the members of the group automatically inherit those
permissions. This inheritance makes maintaining network permissions over time
much easier. In fact, you shouldn't try to manage network permissions without
using groups. Otherwise, you might quickly become overwhelmed trying to keep
track of everything, and you're almost certain to make mistakes over time.
Not only can users be members of groups, but groups can be members of other
groups. For instance, suppose that you define a group for each department in your
company. Half those departments are part of a larger division called Research and
Development (R&D) and half are part of Sales, General, and Administration (SG&A).
On your network, some folders are specific to each department, some are specific to
all of R&D or SG&A, and some can be accessed by every user on the network. In such
a situation, you would first create the departmental groups, and then create the R&D
and SG&A groups. Each departmental group would then become a member in either
R&D or SG&A. Finally, you would use the built-in Domain Users group, or another one
you created that represents everyone, as the top-level group and make R&D and SG&A
members of it. Note that Domain Users already contains every user account in the domain
(it is each account's default primary group), so nesting the divisions into it changes
nobody's access and cannot exclude anyone; a group you create yourself, with R&D and
SG&A as its only members, gives you a top level you actually control.
Once you've set up your groups, you can grant permissions in the most logical way.
If a resource is just for a specific department, you assign that departmental group to the
resource. If a resource is for R&D or SG&A, you assign those divisions to the resource;
then all the individual departmental groups within that division will inherit permission
to access the resource. If a resource is for everyone, you assign the master, top-level
group to the resource.
Using such hierarchical group levels makes administering permissions even easier,
and this approach is practically necessary for larger networks with hundreds of users.
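The department / division / everyone hierarchy described above, scripted in PowerShell rather than clicked through in the console. This is an added example, not code from the book: the domain name EXAMPLE, the OU, the share root D:\Shares, the department names and the user names jdoe and asmith are all assumed, and the script needs the RSAT ActiveDirectory module plus rights to create groups and rewrite folder ACLs. It departs from the text in one respect: it creates its own All-Staff group instead of nesting the divisions into Domain Users.

```powershell
# Added example, not from the book. Assumed: domain EXAMPLE, OU=Groups, share
# root D:\Shares, the department/division names, and users jdoe and asmith.
Import-Module ActiveDirectory

$domain  = 'EXAMPLE'                        # NetBIOS domain name (assumed)
$groupOU = 'OU=Groups,DC=example,DC=com'   # where all created groups live (assumed)
$shares  = 'D:\Shares'                      # root of the shared folders (assumed)

# Division -> departments. Each department group becomes a member of its division.
$divisions = @{
    'R&D'  = @('Engineering', 'Chemistry')
    'SG&A' = @('Accounting', 'Sales')
}
$allStaff = 'All-Staff'   # our own top-level group, not Domain Users

function New-SecurityGroupIfMissing {
    param([string]$Name)
    # Idempotent, so the script can be re-run after a partial failure.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $groupOU)) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global `
                    -GroupCategory Security -Path $groupOU
    }
}

function Add-MemberIfMissing {
    param([string]$Group, [string]$Member)
    # Add-ADGroupMember errors on an existing member, so check first.
    $current = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
    if ($current -notcontains $Member) { Add-ADGroupMember -Identity $Group -Members $Member }
}

function Grant-FolderToGroup {
    param([string]$Path, [string]$Group, [string]$Rights = 'Modify')
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Stop inheriting the parent's ACEs (typically BUILTIN\Users read access);
    # otherwise the folder is not actually restricted to the group.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$domain\$Group")) {
        $r = if ($id -eq "$domain\$Group") { $Rights } else { 'FullControl' }
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, $r, 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Create the groups and nest them: departments -> divisions -> All-Staff.
New-SecurityGroupIfMissing $allStaff
foreach ($division in $divisions.Keys) {
    New-SecurityGroupIfMissing $division
    Add-MemberIfMissing -Group $allStaff -Member $division
    foreach ($dept in $divisions[$division]) {
        New-SecurityGroupIfMissing $dept
        Add-MemberIfMissing -Group $division -Member $dept
    }
}

# 2. Grant folder permissions to groups only, at the level matching the audience.
foreach ($division in $divisions.Keys) {
    Grant-FolderToGroup -Path "$shares\$division" -Group $division
    foreach ($dept in $divisions[$division]) {
        Grant-FolderToGroup -Path "$shares\$dept" -Group $dept
    }
}
Grant-FolderToGroup -Path "$shares\Company" -Group $allStaff -Rights 'ReadAndExecute'

# 3. Day-to-day changes touch group membership, never folder ACLs.
Add-MemberIfMissing -Group 'Accounting' -Member 'jdoe'                          # new hire
Remove-ADGroupMember -Identity 'Accounting' -Members 'asmith' -Confirm:$false   # transfer out
Add-MemberIfMissing -Group 'Sales' -Member 'asmith'                             # transfer in

# 4. Checks: nesting resolves jdoe into All-Staff (expect one object back), and
#    no folder carries an ACE for an individual user account.
Get-ADGroupMember -Identity $allStaff -Recursive | Where-Object SamAccountName -eq 'jdoe'

foreach ($folder in Get-ChildItem -Path $shares -Directory) {
    foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
        $name = $ace.IdentityReference.Value
        if ($name -like "$domain\*") {
            $sam = $name.Split('\')[1]
            if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
                Write-Warning "Direct user ACE: $name on $($folder.FullName)"
            }
        }
    }
}
```

Two design notes. Global groups can contain other global groups from the same domain, which is all a single-domain hierarchy like this one needs; in a multi-domain forest Microsoft's recommended pattern is to put users in global groups, nest those into domain local groups, and grant the folder permissions to the domain local groups. And the final loop is the check worth keeping around: an ACE naming a user rather than a group is exactly the kind of one-off that the group model is meant to eliminate, and it is the first thing to go looking for when a transferred employee still has access to the old department's folders.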
Creating Groups
You create groups using the Active Directory Users and Computers console. The default
groups appear in two of the domain's containers, Builtin and Users; groups you create
yourself can be placed in the Users container or in any organizational unit you choose.
The built-in groups, shown in Figure 17-9, are fixed: they cannot be deleted, and they
cannot be made members of other groups. The built-in groups already carry important
rights and permissions, and groups you create can be given membership in them. Because
a built-in group cannot be deleted, the way to take one out of use is to remove all of its
members, both users and groups, so that its rights no longer apply to anyone.