Windows 2008 uses group

First, the type of group Active Directory and two types of groups: security group and distribution group 1, security group: has a security identity (SID), can give its authorized users access to local resources Or network resources. You can authorize access to resources as well as bulk emails. 2, the distribution group: there is no security identity, can not authorize access to resources, can only be used to send emails. (Access resources and mass email to determine) Second, the scope of the group Active Directory in the Active Directory is divided into local domain groups, global groups and universal groups according to the scope of authorization, the purpose of these groups will be introduced separately below. 1. Local domain group The local domain group represents the creation of a resource access permission purpose for the access of a certain resource. For example, there is a laser printer at the location where you can create a “laser user” local domain group and then use that printer. In the future, which user or global group needs to use the printer, adding the user or group directly to the “laser printer user” is equivalent to authorizing the printer. You can create a “public space visitor” local domain group for the “public space” folder on the server, and then grant the “public space visitor” read and write access to “public space”. 2. The global group global group represents the user account of the same user identity. The purpose is to merge user accounts with similar job responsibilities. You can only add users and groups from this domain to a global group. Users in other domains cannot be merged in multiple domains. 3. The universal group and the global group have the same function, and the purpose is to merge users according to the user's duties. Unlike a global group, it is capable of merging domain user accounts in other domains in a multi-domain environment. For example, you can add manager accounts from two domains to a common group. In a multi-domain environment, you can authorize it in any domain. Third, use the group's policy in the domain environment to add user accounts (User Acounts) to the global group (Global Group), the user accounts are combined. Access to a resource will be granted to the Domain local group. The process of authorization becomes the process of adding a Global Group to the Domain Local Group. Summary: The policy of using groups in a single domain is the A-G-DL-P policy. If there are not many user accounts in the domain, you can directly authorize users or global groups to access a resource. If there are more user accounts, it is best to use the recommended A-G-DL-P strategy for clear conditioning. The policy for using groups in a multi-domain environment is the AGU-DL-P policy, U stands for (Universal Group), adding the user account to the global group of the domain, and then adding the global group of each domain to the universal bandage, the universal group Add to the local domain group. Authorize the local group.