Ans: Default Group Types
In Windows NT 4.0, groups can be either Global or Local; in Windows 2000 this
concept is expanded. In Windows 2000 the group types are:
(1) Domain Local
(2) Computer Local
(3) Global
(4) Universal.
A Domain Local group is one that may have members from any domain in the network.
These groups are only created on Domain Controllers, and can be used to provide
resource access throughout the domain. The Computer Local group is used to provide
access to resources on the local machine only, and cannot be created on a Domain
Controller.
A Global group is one that combines users who often share network resource use and
access needs. Global groups may contain members from the domain in which the
group was created.
Universal groups are used in a multi-domain environment where groups of users
from different domains have similar resource use and access needs. To implement
Universal groups, the network must be running in Native mode, meaning only Windows
2000 computers.
It is also possible to combine groups together, such as Global Groups in Universal
Groups. There may be a resource you are trying to control; in this case a Universal
group will work for controlling access across the network. You may also place
Universal Groups in Domain Local Groups, and control access to the resource by
placing permissions on the Domain Local Group.
These groups can be used for controlling access to resources, both allowing and
denying permissions based on your security needs. If you are trying to secure the
computer, user, and network environments, you will use Group Policies, as discussed in
the previous sections.
Group Policies Management
Two of the issues that must be discussed are the options associated with Policy
Inheritance and Overrides. The Group Policy Objects are implemented in the following
order: Local GPO, Site GPO, Domain GPO, and OU GPO. When there are multiple
GPOs assigned to an object such as a Domain, the highest GPO on the list takes
priority over the rest of the list. You can change the order of implementation on this list
by simply choosing a GPO and pressing the Up or Down button to re-order the list as
you desire. However, you may need further control than what the Up and
Down option provides you.
Policy Inheritance
Policy Inheritance is the name of the process of a user or computer inheriting the final
policy configuration from multiple policies, depending on where the object may be in
the Active Directory hierarchy and configured GPOs. To track the policies that may be
implemented as a user logs onto a computer, use the following list: (1) a Computer
Policy is enabled when the computer is first turned on, (2) a User Policy is applied
when a user logs onto the system, (3) the Local GPO is applied, (4) the Site GPO is
applied, (5) the Domain GPO is applied, and (6) the OU GPO is applied.
It is not uncommon for Sites, Domains, and OUs to have more than one GPO
configured. It is also not uncommon then for there to be conflicting settings in
locations throughout the policies.
No Override
One of the methods for you to manage a GPO implementation is through the No
Override option, and this option is available on any Site, Domain, or OU GPO. When
this option is selected, none of the policy settings in this GPO can
be overridden. In the event that more than one GPO is set to No Override, the highest
GPO takes priority.
Block Inheritance
The other choice for managing policy implementation is called Block Policy
Inheritance, and this choice is also available to any Site, Domain, or OU GPO. This
option means that any policy that is higher will not be inherited. Enabling this option will
ensure that the settings of the current GPO will be implemented and not the policies of
a higher priority policy.
The Block Inheritance and No Override options must be used with proper care; if used
with incomplete planning, they can cause serious disruptions to the overall policies that are
implemented throughout the organization.
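
The following added example (not part of the original answer) models the Site, Domain and OU ordering, list priority, No Override and Block Inheritance described above, so the winning GPO for each setting can be traced. The GPO names and settings are constructed, the Local GPO is left out of the model, and the rule that a No Override GPO still applies below a container that blocks inheritance is Windows behaviour assumed here rather than stated in the text.

```python
from dataclasses import dataclass

@dataclass
class Gpo:
    name: str
    settings: dict
    no_override: bool = False          # the "No Override" option

@dataclass
class Container:
    level: str                         # "site", "domain" or "ou"
    gpos: list                         # index 0 is the highest GPO on the list
    block_inheritance: bool = False    # the "Block Inheritance" option

def effective_policy(chain):
    """chain runs Site -> Domain -> OU; returns {setting: (value, winning GPO)}."""
    # Ordinary GPOs above the lowest blocking container are not inherited.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        ordered = list(reversed(c.gpos))   # highest on the list is written last
        if i >= start:
            normal += [g for g in ordered if not g.no_override]
        # Assumption: No Override GPOs survive blocking. Prepending makes the
        # container highest in the hierarchy the last one written.
        enforced = [g for g in ordered if g.no_override] + enforced
    result = {}
    for g in normal + enforced:            # later writes replace earlier ones
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

def sample_chain(ou_blocks):
    """Constructed GPOs and settings for the demonstration."""
    return [
        Container("site", [Gpo("Site-Baseline", {"audit_logon": "on", "lock_min": 15})]),
        Container("domain", [
            Gpo("Domain-Security", {"lock_min": 10, "usb_storage": "deny"}, no_override=True),
            Gpo("Domain-Desktop", {"lock_min": 30, "wallpaper": "corp"}),
        ]),
        Container("ou", [Gpo("Lab-Relaxed", {"lock_min": 60, "usb_storage": "allow"})],
                  block_inheritance=ou_blocks),
    ]

if __name__ == "__main__":
    for blocked in (False, True):
        print("OU blocks inheritance:", blocked)
        for key, (value, source) in sorted(effective_policy(sample_chain(blocked)).items()):
            print(f"  {key} = {value}  (from {source})")
```

With Block Inheritance set on the OU, the site-level audit setting disappears from the result while the No Override settings remain, which is the kind of gap to look for when reviewing where blocking is enabled.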