Background Information for Designing a Resource Authorization Strategy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you design your resource authorization strategy, it is important that you understand security group types and scope, domain and forest functional levels, group nesting, and trust relationships between domains and forests.

Security Groups

Security groups are used to combine user accounts, computer accounts, and other groups of accounts into manageable units. Rights or permissions are then assigned to the security groups, rather than to individual accounts. Security groups are classified according to scope. In the Microsoft® Windows® Server 2003 operating system, these scopes include:

  • Local

  • Domain local

  • Global

  • Universal

It is important that you understand group scopes and how these groups can be used before you design your resource authorization strategy.

For more information about group scope and group usage, see the following topics in Help and Support Center for Windows Server 2003:

For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set search options. Under Help Topics, select the Search in title only checkbox.

Domain and Forest Functional Levels

The security group options that are available depend on the domain and forest functional levels at which your organization is operating. For example, if your domain is operating at the Microsoft® Windows® 2000 mixed functional level, then you can only add global groups to local groups. However, if your domain is operating at the Windows Server 2003 functional level, you can nest global groups within other global groups, giving you much greater flexibility in managing your security groups.

If your forest is operating at the Windows Server 2003 functional level, you can also enable trusts across forests. These two-way trusts enable you to authorize users to access resources across forests. You can also enable external trusts between single domains in different forests.

For more information about domain and forest functional levels, group nesting, domain trusts, and trusts across forests, see the following topics in Help and Support Center for Windows Server 2003:

Terms and Definitions

It is important to be familiar with the following terms as you design your resource authorization strategy.

Account Group   An account group is a security group whose members are user or computer accounts, all of which require the same permissions for a resource.

Resource Group   A resource group is a security group that has been added to the access control list (ACL) of a resource and granted a specific set of access permissions.

Principle of Least Access   The principle of least access states that users must have access to the software, data, and devices required to perform their daily duties, but must not have access to local or network resources that are not required for their job tasks. This minimizes potential security risks.
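The account group / resource group pattern defined above, together with the nesting restriction by functional level described earlier, as an added Python model that is not part of the original article and not Windows code: group names, the share path and the nesting table are constructed for the example (the table covers the cases the text mentions plus universal groups, not every combination Active Directory permits), and effective permissions are derived by expanding nested membership transitively.

```python
# Nesting rules by functional level: a constructed, simplified table for this example
# covering the cases the text describes plus universal groups, not every legal combination.
NESTING_RULES = {
    "Windows 2000 mixed": {("global", "domain local")},
    "Windows Server 2003": {("global", "domain local"), ("global", "global"),
                            ("global", "universal"), ("universal", "domain local")},
}

def nesting_allowed(level, member_scope, target_scope):
    return (member_scope, target_scope) in NESTING_RULES[level]

class Directory:
    """Toy directory: groups carry a scope and members; ACLs map a resource to group grants."""
    def __init__(self, functional_level):
        self.level = functional_level
        self.groups = {}   # group name -> {"scope": ..., "members": set()}
        self.acls = {}     # resource -> {group name: set of permissions}
    def add_group(self, name, scope):
        self.groups[name] = {"scope": scope, "members": set()}
    def add_member(self, member, group):
        """Add an account or a group to a group, refusing nesting the level does not allow."""
        if member in self.groups:
            scopes = (self.groups[member]["scope"], self.groups[group]["scope"])
            if not nesting_allowed(self.level, *scopes):
                raise ValueError(f"cannot nest {scopes[0]} in {scopes[1]} at {self.level}")
        self.groups[group]["members"].add(member)
    def grant(self, resource, group, *permissions):
        self.acls.setdefault(resource, {}).setdefault(group, set()).update(permissions)
    def groups_of(self, account):
        found, pending = set(), [account]  # transitive membership, as an access check sees it
        while pending:
            current = pending.pop()
            for name, g in self.groups.items():
                if current in g["members"] and name not in found:
                    found.add(name)
                    pending.append(name)
        return found
    def effective_permissions(self, account, resource):
        member_of = self.groups_of(account)
        return set().union(*(p for g, p in self.acls.get(resource, {}).items() if g in member_of))

def agdlp_example():
    """Account group (global) -> resource group (domain local) -> ACL, as the text defines them."""
    d = Directory("Windows Server 2003")
    d.add_group("Payroll-Staff", "global")               # account group: who needs the access
    d.add_group("Payroll-Share-Modify", "domain local")  # resource group: placed on the ACL
    d.add_member("alice", "Payroll-Staff")
    d.add_member("Payroll-Staff", "Payroll-Share-Modify")
    d.grant(r"\\FS1\Payroll", "Payroll-Share-Modify", "Read", "Write")
    return d
```

Switching the directory to "Windows 2000 mixed" makes a global-in-global nesting raise, which is the restriction the functional-level section describes.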