There are four different types of security groups that can be created in Windows 2000 and Windows Server 2003. These include: local groups, domain local groups, global groups, and universal groups. The different groups can be characterized by their scope. The scope of a group determines how it can be used in the forest and the members it can contain.

The topic of groups is likely to pop up on one of your Microsoft exams as you work towards your certification. You may be asked a question about the different types of groups, about implementing a group strategy, and so on.

One thing you should try to remember when studying this topic is AGDLP. This falls under the topic of implementing a group strategy. If you can make sense of this, you should be well on your way to answering group related questions correctly. For example, if you are presented with a question asking about the type of group strategy to implement, you will more than likely answer it correctly if you remember and follow “AGDLP.”

The recommended strategy for implementing groups is as follows (and those of you who have worked with Windows NT and Windows 2000 will surely be familiar with it).

1. Start by organizing users with common needs or common job functions into global groups.
2. Create domain local groups in each domain to grant access to shared resources.
3. Add the global groups that require access to shared resources to the appropriate domain local groups.
4. Assign the necessary permission to the domain local groups.

So this is where the AGDLP comes in. This stands for adding user Accounts to Global groups, adding the Global groups to Domain Local groups, and then granting Permissions to the Domain Local group. If you can understand this, you will be another step closer to exam success.