Creating a Hierarchy of Nested Security Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Nested groups allow you to provide company-wide or department-wide access to resources with minimal maintenance. Placing every team account group directly into a single company-wide resource group is not an effective solution because it requires the creation and maintenance of a large number of membership links. To use nested groups, administrators instead create a series of account groups that represent the managerial divisions of the company.

The top account group might be called "All Employees," and would be attached to a resource group that gives access to resources and shared directories.

The next level might contain account groups that represent major divisions of the company. Each group at this level is a member of All Employees, and is attached to a resource group giving access to shares and other resources appropriate to the division it represents.

Within a division, the next level of account groups might represent departments. Shared resources for the department might include project schedules, meeting schedules, vacation schedules, or any network information appropriate to the whole department. The department account groups are all members of the division account group.

Within a department, the management structure can be organized into security groups to any required level of specificity. These might be team account groups, and might represent leaf nodes in the organization’s hierarchical tree.

With this group hierarchy in place, you can give a new employee instant access to the resources of the team, the department, the division, and the company as a whole by placing him or her in a team account group. This system supports the principle of least access because the new employee cannot view the resources of adjacent teams, other departments, or other divisions.
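The hierarchy described above can be modelled and checked offline before it is built in the directory. The following Python example is added here and is not part of the original page; it does not call any Active Directory API. It models account-group nesting as a parent map, attaches one resource group per account group, and resolves a user's effective resource access by walking transitive membership. The group names other than "Avionics Division", the user names and the share paths are constructed for the example; they are not the page's own values.

```python
from collections import deque

# --- Constructed sample directory (not from the original page). "Avionics Division"
# is the one name the page uses; every other name and path is illustrative. ---

# Account-group nesting: member account group -> the account group that contains it.
# Each level is a member of the level above (team -> department -> division -> company).
ACCOUNT_GROUP_PARENT = {
    "Avionics Division": "All Employees",
    "Propulsion Division": "All Employees",
    "Flight Controls Dept": "Avionics Division",
    "Navigation Dept": "Avionics Division",
    "Autopilot Team": "Flight Controls Dept",
    "Sensor Team": "Flight Controls Dept",
}

# Each account group is attached to one resource group at its own level.
RESOURCE_GROUP_FOR = {
    "All Employees": "RG-Company-Shares",
    "Avionics Division": "RG-Avionics-Shares",
    "Propulsion Division": "RG-Propulsion-Shares",
    "Flight Controls Dept": "RG-FlightControls-Shares",
    "Navigation Dept": "RG-Navigation-Shares",
    "Autopilot Team": "RG-Autopilot-Project",
    "Sensor Team": "RG-Sensor-Project",
}

# Resources (shares) granted by each resource group.
RESOURCE_GRANTS = {
    "RG-Company-Shares": {r"\\fs\company"},
    "RG-Avionics-Shares": {r"\\fs\avionics"},
    "RG-Propulsion-Shares": {r"\\fs\propulsion"},
    "RG-FlightControls-Shares": {r"\\fs\flightcontrols"},
    "RG-Navigation-Shares": {r"\\fs\navigation"},
    "RG-Autopilot-Project": {r"\\fs\autopilot-project"},
    "RG-Sensor-Project": {r"\\fs\sensor-project"},
}

# A new employee is placed only in a team (leaf) account group.
USER_DIRECT_GROUPS = {
    "alice": {"Autopilot Team"},
    "bob": {"Sensor Team"},
    "carol": {"Navigation Dept"},
}


def transitive_account_groups(direct_groups):
    """Return every account group reached from the direct groups via nesting.

    Breadth-first walk up the parent chain; the `seen` set also protects
    against an accidental nesting cycle in the parent map.
    """
    seen = set()
    queue = deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        parent = ACCOUNT_GROUP_PARENT.get(group)
        if parent is not None:
            queue.append(parent)
    return seen


def effective_resources(user):
    """Resources the user can reach through all transitive account groups."""
    groups = transitive_account_groups(USER_DIRECT_GROUPS.get(user, set()))
    resources = set()
    for group in groups:
        resource_group = RESOURCE_GROUP_FOR.get(group)
        if resource_group is not None:
            resources |= RESOURCE_GRANTS.get(resource_group, set())
    return resources


def can_access(user, resource):
    return resource in effective_resources(user)


def compare_access(user_a, user_b):
    """Return (shared, only_a, only_b): what two users have in common and apart.

    Two teams in the same department should share the department, division
    and company resources but keep their own team project shares private.
    """
    a, b = effective_resources(user_a), effective_resources(user_b)
    return a & b, a - b, b - a


if __name__ == "__main__":
    for user in USER_DIRECT_GROUPS:
        print(user, sorted(effective_resources(user)))
    shared, only_alice, only_bob = compare_access("alice", "bob")
    print("shared:", sorted(shared))
    print("alice only:", sorted(only_alice), "bob only:", sorted(only_bob))
```

Running the script shows that alice (Autopilot Team) reaches the team, department, division and company shares from a single direct membership, and that alice and bob share everything above the team level but cannot see each other's team project share, which is the isolation property the text describes.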

Figure 15.4 shows an example of the nested security group hierarchy for the Avionics Division group of an organization; the vertical arrows represent group membership.

Figure 15.4   Nested Account Group Hierarchy