
Security groups

This excerpt from Chapter 5 of "The definitive guide to Windows 2000 security" explains how groups are enhanced and used in Windows 2000.

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of This excerpt is from Chapter 5, "Configuring access control."

Security groups

Not unlike NT 4.0, Windows 2000 allows you to organize users and other domain objects into groups for easy administration of access permissions. Windows 2000 enhances the groups provided by NT 4.0 in three important ways:

  • Windows 2000 adds distribution groups to the native OS.
  • Windows 2000 adds new group scopes that correlate to AD implementation.
  • Windows 2000 allows group nesting.

Additional distribution groups
There are two types of groups in Windows 2000: distribution and security. A distribution group isn't a security principal and has no corresponding SID. Distribution groups cannot be used in ACLs. They exist solely for sending bulk e-mail and are mentioned here just for completeness.

A security group is a security principal and thus has a SID. Through ACLs, members of a security group can be granted access to resources. In addition, ACLs allow administrators to assign the same security permissions to large numbers of users in one operation. This ability ensures consistent security permissions across all members of a group. Using security groups to assign permissions means that access control on resources remains fairly static and easy to control and audit. Users who need access are added to or removed from the appropriate security groups as needed, and the ACLs on resources don't change very often.

You can mail-enable security groups by adding a Simple Mail Transfer Protocol (SMTP) address, thus letting security groups also function as distribution groups. Additionally, Exchange 2000 (E2K) controls access to public folders using AD security groups. The addition of distribution groups and the ability to mail-enable security groups allows AD to become the single repository for group membership across the enterprise. Unfortunately, using AD groups for e-mail distribution lists requires an AD-enabled mail server such as E2K.

Additional group scopes
There are four group scopes in Windows 2000: computer local, domain local, global, and universal.

Computer local groups -- Grant access on local computers without granting access across an entire domain. If the computer participates in a domain, the computer local group may contain user accounts and global groups from its own domain and trusted domains. The group object is stored on the local computer and isn't present in AD.

Domain local groups -- Grant access to resources in a domain. A domain local group can contain membership from universal groups, global groups, and accounts from any domain in the AD forest. If the domain is in native mode, a domain local group can also contain other domain local groups from its own domain. A domain local group can be used only to assign rights and permissions in the domain containing the group. The group object is present in the Global Catalog (GC), although the membership isn't published to the GC.

Global groups -- Combine users who share a common access profile. A global group can contain membership from user accounts from the same domain. If the domain is in native mode, global groups can also contain global groups from the same domain. Global groups can be used in any domain in a forest, and they provide a mechanism for creating sets of users from inside a domain that are available for use both in and outside the domain. If a global group isn't a member of any other global group, it can be converted to a universal group in a native-mode domain. The group object is present in the GC, although the membership isn't published to the GC.

Universal groups -- Grant access to similar groups of accounts defined in multiple domains and can be used anywhere in the forest. A universal group can contain members from any domain in a forest and can include other universal groups, global groups, and accounts from any domain in the forest. While universal groups of type distribution can be used in mixed-mode domains, universal groups of type security can be used only in native-mode domains. A universal group cannot be converted to any other group scope, and both the group object and its membership are published in the GC.

Nesting groups
The final enhancement in relation to groups is that Windows 2000 allows nesting of groups within groups. Full functionality of nesting is only available in native-mode domains, so there are some restrictions, as I've noted above, on nesting groups in a mixed-mode domain.


When attempting to create a new group in a mixed-mode domain, Windows 2000 by default configures the group as type security with domain local scope. A new group in a native-mode domain is configured by default as type security with global group scope. In addition, in mixed-mode domains, you cannot modify a group's scope after creating it.
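The scope and nesting rules above, as an added example that is not from the book: a Python model that checks each nesting edge against those rules for a native-mode or mixed-mode domain and expands nested membership into the set of users an ACL entry on the top-level group would actually reach. The Principal class, the function names, and the corp/emea forest are constructed for illustration; computer local groups are left out.

```python
# Added example: encodes the membership rules stated in the excerpt above.
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"   # "user", "domain_local", "global" or "universal"
    members: list = field(default_factory=list)

def may_contain(group, member, native_mode):
    """True if the excerpt's rules let `member` be placed in `group`."""
    same_domain = group.domain == member.domain
    if group.scope == "global":
        if member.scope == "user":
            return same_domain
        return member.scope == "global" and same_domain and native_mode
    if group.scope == "domain_local":
        if member.scope in ("user", "global", "universal"):
            return True
        return member.scope == "domain_local" and same_domain and native_mode
    if group.scope == "universal":
        # Universal groups of type security exist only in native mode.
        return native_mode and member.scope in ("user", "global", "universal")
    return False

def audit(group, native_mode, _path=()):
    """Expand nesting; return (effective user names, rule-breaking edges)."""
    users, violations = set(), []
    key = (group.domain, group.name)
    if key in _path:                      # nesting loop: stop expanding
        return users, violations
    for m in group.members:
        if not may_contain(group, m, native_mode):
            violations.append((group.name, m.name))
        if m.scope == "user":
            users.add(f"{m.domain}\\{m.name}")
        else:
            sub_users, sub_violations = audit(m, native_mode, _path + (key,))
            users |= sub_users
            violations += sub_violations
    return users, violations

# Constructed sample forest with two domains, "corp" and "emea".
alice, bob = Principal("alice", "corp"), Principal("bob", "emea")
sales_corp = Principal("Sales-Corp", "corp", "global", [alice])
sales_emea = Principal("Sales-EMEA", "emea", "global", [bob])
all_sales = Principal("AllSales", "corp", "universal", [sales_corp, sales_emea])
share_rw = Principal("Share-RW", "corp", "domain_local", [all_sales])
```

Calling `audit(share_rw, native_mode=True)` returns both users with no violations, while `native_mode=False` reports the two edges under the universal security group, which the excerpt says cannot be used in a mixed-mode domain.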



This was last published in November 2004
