From The Classroom - What’s The Scoop Behind Groups? Part 1

Microsoft will undoubtedly test your knowledge of group accounts, covering everything from group nesting to group types and group scopes. You’ll be expected to know what can be converted to what and under what circumstances, and there is no really easy way of remembering it all.

Another area you’ll need to be sharp in is group scopes. You need to be very familiar with what type of accounts each type of security group can contain. So let’s take a look at the types of security groups in Windows 2000 and Windows Server 2003.

Local groups are created to assign rights and permissions to resources on a local computer only. For example, if you create a local group on a member server, that group can only be used on that computer; you cannot use the group to assign permissions to resources on another member server. So belonging to a local group means you have permissions on that computer only. Local groups are not limited to having only local accounts as members. Once a local group is created, it can contain local user accounts, domain user accounts, computer accounts, and global groups. You cannot, however, do the reverse and add a local group to a global group. The important thing to remember about local groups is the same as for local accounts: they can only be created on client computers, member servers, or stand-alone servers. Local groups can be created using the Local Users and Groups option within the Computer Management snap-in. The Groups folder lists all the built-in local groups as well as any that you have created.

Global groups are most often used to organize user and computer accounts, sometimes based on departments or business functions. A global group can only contain members from the domain in which it was created. For example, if you create a global group called Marketing in the BAYSIDE domain, the marketing group can only contain accounts from within this domain. Once a global group is created, it can cross domains and be granted permissions to network resources located in other domains in the forest.

Domain local groups are used to grant permissions to resources within a domain. In terms of scope, they can contain accounts from any domain in the forest. The thing to remember about domain local groups is that they can only be used to assign permissions to resources within the domain in which the group is created. So let’s take a look at an example to make some sense of this and demonstrate the scope of a domain local group.

Let’s say you have four domains within a single forest: BAYSIDE, USBAYSIDE, EUBAYSIDE, and CABAYSIDE. USBAYSIDE has a customer service database that all customer service reps need access to. You create global groups in each domain for the customer service reps and create a domain local group in USBAYSIDE. To give reps access to the database, simply add the global groups to the domain local group after you’ve assigned the group the appropriate permission to the database. Now, if CABAYSIDE also has a database, you cannot use the domain local group that was created in USBAYSIDE. Another domain local group must be created within the CABAYSIDE domain.
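The four-domain scenario above can be checked mechanically. The following is an added example, not part of the original article: a small Python model of only the global and domain local rules stated here, useful for reviewing a planned nesting design before any permissions are assigned. The group names `CustomerService` and `CS-Database-Access` and the account `rep1` are constructed for illustration.

```python
from dataclasses import dataclass, field

ACCOUNTS = {"user", "computer"}

@dataclass
class Principal:
    name: str
    domain: str
    kind: str  # "user", "computer", "global" or "domain_local"
    members: list = field(default_factory=list)

def may_contain(group, member):
    """Membership rules, limited to what the article states."""
    if group.kind == "global":  # accounts from its own domain only
        return member.kind in ACCOUNTS and member.domain == group.domain
    if group.kind == "domain_local":  # accounts and global groups, forest-wide
        return member.kind in ACCOUNTS | {"global"}
    return False  # user and computer accounts are not containers

def add_member(group, member):
    if not may_contain(group, member):
        raise ValueError(f"{member.name} cannot join {group.name}")
    group.members.append(member)

def may_grant(group, resource_domain):
    """Global groups cross domains; domain local groups stay in their own."""
    return group.kind == "global" or (
        group.kind == "domain_local" and group.domain == resource_domain)

def accounts_with_access(group, resource_domain):
    """Expand nesting to the accounts one permission entry reaches."""
    if not may_grant(group, resource_domain):
        raise ValueError(f"{group.name} is not usable in {resource_domain}")
    found, stack = set(), list(group.members)
    while stack:
        p = stack.pop()
        if p.kind in ACCOUNTS:
            found.add(f"{p.domain}\\{p.name}")
        stack.extend(p.members)  # empty for accounts
    return found

def build_scenario():
    """Constructed data: one rep per domain, nested as the article describes."""
    dl = Principal("CS-Database-Access", "USBAYSIDE", "domain_local")
    for d in ("BAYSIDE", "USBAYSIDE", "EUBAYSIDE", "CABAYSIDE"):
        gg = Principal("CustomerService", d, "global")
        add_member(gg, Principal("rep1", d, "user"))
        add_member(dl, gg)
    return dl
```

Calling `accounts_with_access(build_scenario(), "USBAYSIDE")` returns the reps from all four domains, while the same call with `"CABAYSIDE"` raises, which is why CABAYSIDE needs its own domain local group.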

3 Comments

Great article, really cleared things up for me.

Thanks

Thanks for clearing up the groups.
Give me more scenarios of group implementation; it will be more useful for me.

Thanks,
banti

I've been pulling my hair out trying to understand global/local domain groups; this is the only page I have found that has explained it in plain English (and I've read a lot of pages).
Thank you.
