Windows allows the creation of groups, which simplifies the assignment of permissions to users. This video looks at how to use groups in Windows and covers the basics of role based access control, one strategy used to simplify group administration in a domain.
Each group that is created has a security identifier, or SID, associated with it. This SID is added to the access control list of the resource you are controlling access to. A group can also be created without a SID; such groups are used for distribution lists and are covered in the next video.
When you place one group inside another group, it is called nesting. Nesting also allows two or more groups to be placed in the same group, which means that administration can be divided between two or more administrators. When administration is separated like this it is often referred to as granular control, because each administrator has administrative control over only a small part of the group that contains the other groups.
Using nesting, you could create groups for the users in New York, Washington and London, then create a group called All_Users into which the group for each location is placed. Nesting can also be broken down further. For example, you could divide New York users into two groups called NY_Sales and NY_Marketing, place these two groups in NY_Users, and place NY_Users in All_Users. If you wanted a group for all sales users, you could place the sales group from each location in an All_Sales group. Notice that with nesting like this a new user only needs to be put into one group; membership of the other groups, such as All_Users and All_Sales, follows through nesting, which keeps administration simple.
Role based access control
Role based access control is a strategy of group management generally used in large enterprises, typically companies with more than 500 employees. The approach involves not adding the user or users directly to the resource. Instead, to grant access, another group is created and assigned permissions to the resource. For example, if you had a share called general, you would create two groups called general_share_modify and general_share_read. These would be assigned to the general share and given the required access.
In order to give users access to a resource, the groups containing users are added to these groups based on the roles in the organization. For example, if all sales users need modify access, the sales group would be added to general_share_modify. If the marketing group needed read access, the marketing group containing all the marketing users would be added to the group general_share_read. If a user were to change departments, for example from sales to marketing, the user's account would simply be removed from the sales group and added to the marketing group. When assigning roles to a user, or removing roles, the resource never needs to be modified.
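The general share example above, built with the ActiveDirectory module as an added example (not code from the original video). The domain name EXAMPLE, the OU path, the folder D:\Shares\general and the user jsmith are assumed values.

```powershell
# Added example: role groups hold users, resource groups hold the permission,
# so the share's ACL is written once and never touched again when people move.
Import-Module ActiveDirectory

$groupOU   = 'OU=Groups,DC=example,DC=com'   # assumed OU for the groups
$sharePath = 'D:\Shares\general'              # assumed folder behind the 'general' share
$domain    = 'EXAMPLE'                         # assumed NetBIOS domain name

# 1. Role groups (global security groups) that hold user accounts.
foreach ($role in 'Sales', 'Marketing') {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $groupOU
}

# 2. Resource groups (domain local security groups) that carry the permission.
#    Only these groups' SIDs ever appear in the folder's ACL.
foreach ($res in 'general_share_modify', 'general_share_read') {
    New-ADGroup -Name $res -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
}

# 3. Assign the resource groups to the folder once.
$acl     = Get-Acl -Path $sharePath
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\general_share_modify", 'Modify', $inherit, $none, 'Allow'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\general_share_read", 'ReadAndExecute', $inherit, $none, 'Allow'))
Set-Acl -Path $sharePath -AclObject $acl

# 4. Nest roles into resource groups: sales gets modify, marketing gets read.
Add-ADGroupMember -Identity 'general_share_modify' -Members 'Sales'
Add-ADGroupMember -Identity 'general_share_read'   -Members 'Marketing'
Add-ADGroupMember -Identity 'Sales' -Members 'jsmith'   # assumed user starts in sales

# 5. jsmith moves from sales to marketing: only role membership changes,
#    the folder ACL and the resource groups are left alone.
Remove-ADGroupMember -Identity 'Sales'     -Members 'jsmith' -Confirm:$false
Add-ADGroupMember    -Identity 'Marketing' -Members 'jsmith'

# 6. Review check: expand the nesting to list every user who can now modify
#    the share. Run this periodically to catch role groups nested by mistake.
Get-ADGroupMember -Identity 'general_share_modify' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object SamAccountName
```

The final query should no longer list jsmith, which confirms the move took effect without any change to the resource.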