Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.
You should place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group. certification provider(http://www.buyitexam.com)
For global security groups, members come from only the local domain, but they can access resources in any domain.
Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.
You should place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group. certification
For domain local security groups, members can come from any domain, but they can access resources only in the local domain.
For universal security groups, members can come from any domain in the forest and they can access resources in any domain in the forest. MCSE Exam(http://www.mcse-70-291.com)
As your organization grows and changes, you might discover groups that you no longer need. Be sure to delete these groups. Deleting unnecessary groups ensures you maintain security so you do not accidentally assign permissions for accessing resources to groups you no longer need. Each group you create has a unique, nonreusable identifier called the security identifier (SID). Windows Server 2003 uses the SID to identify the group and the permissions assigned to it. When you delete a group, Windows Server 2003 does not use the SID for that group again, even if you create a new group with the same name as the group you deleted. Therefore, you cannot restore access to resources by recreating the group. MCSE(http://www.mcse-70-291.com) .
When you delete a group, you delete only the group and the permissions and rights associated with it. Deleting a group does not delete the user accounts that are members of the group.
To delete a group, complete the following steps:
1. Right-click the group, and then click Delete.
2. Click Yes in the Active Directory dialog box.
Off the Record You can use a script to determine a user's group memberships. This is helpful if you'd like to make a logon script dependent upon a user's group membership. The script Chkgrps.vbs on the Supplemental CD-ROM in the 70-294LabsChapter08 folder illustrates how you can use Microsoft Visual Basic Scripting Edition (VBScript) to list a user's group memberships. In the Troubleshooting Lab, you'll learn how to use the Ifmember executable to list group membership.
