Upgrading and Repairing Networks (5th Edition)
User Groups Make Managing User Rights Easier
Granting rights to a user can be a tedious task if you have hundreds or thousands of users on your network. The easiest method for granting rights to users in an environment where you have a large user base is to create user groups consisting of users who need the same kind of access to the same resources. You can then grant rights to the groups instead of each user. Users of a group inherit the rights assigned to the group, as well as any additional rights you assign to the user. A user can be a member of more than one group, and thus inherit the rights assigned to each of the groups of which the user is a member. This is an important concept, because many users do not fit neatly into a single group .
Windows NT enables you to use two basic kinds of groups: local groups and global groups. Local groups can be local to a particular computer or can be domain local groups. Global groups are used for grouping users from one domain so that they can be managed as a unit in another domain where the administrator can place the global group into a local group created on that computer for administrative purposes. This is a very important distinction to make. You can literally "export" a global group from one computer to a local group on another computer. This capability again makes an administrator's chore easier. For users who are members of a global group, the administrator of the other computer does not have to grant access to that computer on a one-by-one basis for each user. Instead, a group of users from one computer to another can be imported as a local group, and the administrator of that computer can manage the group when making decisions about rights and permissions. Windows NT computers come with several built-in user groups, which vary depending on the role of the computer in the network. What is important to understand here is that, although NT allows a large number of specific rights to be assigned to users, you can do this on a group basis rather than for individual user accounts if you want to make user management tasks easier. |