Plan Remote Access Policy Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can manage remote access authorization by user or by group. By using the Active Directory Users and Computers snap-in, you can create groups to which specific IAS remote access policies are applied, allowing you to grant different types of remote access to different groups. The functional level of the domain determines which types of group you can use.

In Windows Server 2003 domains or Windows 2000 native-mode domains, you can use universal and global groups as follows:

  • Universal groups can include groups and accounts from any Windows Server 2003 or Windows 2000 domain in the domain tree or forest and can be granted permissions in any domain in the domain tree or forest.

  • Global groups can include groups and accounts only from the domain in which the group is defined and can be granted permissions in any domain in the forest.

In Windows Server 2003 interim domains or Windows 2000 mixed-mode domains, you can use only global groups. Domain local groups cannot be used because they are created in a single domain, are visible only in that domain, and can be assigned permissions only to resources within that domain.

For more information about remote access policies, see "Remote Access Policies" in Help and Support Center for Windows Server 2003.

For more information about functional levels, see "Domain and forest functionality" in Help and Support Center for Windows Server 2003.