Indiana University
University Information Technology Services
  
What are archived documents?
Login>>
Login

Login is for authorized groups (e.g., UITS, OVPIT, and TCC) that need access to specialized Knowledge Base documents. Otherwise, simply use the Knowledge Base without logging in.

Close

ARCHIVED: In Windows NT, what are the differences between local and global groups?

Note: For security and support reasons, UITS recommends using Windows 2000 Professional or Windows XP Professional, rather than NT Workstation 4.0, on Indiana University's network. Microsoft retired both mainstream and extended support for this version in June 2004, which means security updates are no longer being developed. For more information, see Microsoft's Windows Desktop Product Lifecycle Guidelines page at:

http://support.microsoft.com/?LN=en-us&pr=lifecycle

Local groups

On a Windows NT workstation or stand-alone server, local groups can be created to provide users with rights and permissions for resources, such as files or printers, located on that computer. Local groups can contain both individual user accounts and global groups. (Local groups cannot include other local groups.) On a Primary Domain Controller, however, local groups can be assigned resources on any domain controller in the domain. For example, if you create a local group called "Database Users" on a Primary Domain Controller, that group along with its membership will also be present on any other domain controller within the same domain.

Global groups

Global groups are group accounts on the domain level used to organize domain users. They can include only user accounts in the same domain. Global groups cannot contain local groups or other global groups and are not assigned to local resources. Assigning resources is done by placing global groups within local groups on Windows NT workstations or stand-alone servers. The benefit of using global groups is that you can, on the domain level, assign users to a global group, and add the entire group to a local group already on a local computer. In other words, an administrator can change the "Domain Users" global group (e.g., when a new hire comes in), yet that administrator will not have to reset any permissions on a local workstation or server.

In Windows NT Server, local and global groups are created using User Manager for Domains. In Windows NT Workstation, local groups are created using User Manager. Global groups cannot be created in NT Workstation.

When a Windows NT workstation or stand-alone server becomes a member of a domain, that domain's primary global groups (the Users group and the Administrators group) are automatically added to the local groups of the computer that joins the domain. For example, if Windows NT workstation FOO joins domain BAR, the global group "Domain Admins" will be added to the local group called "Administrators" on computer FOO. This is done by design, but is not necessary. Any users with administrative rights over that computer can remove any such global groups (assuming, of course, that they have adequate rights and permissions to begin with).

This is document aedz in domain all.
Last modified on November 01, 2008.

Comments/Questions/Corrections

Use this form to offer suggestions, corrections, and additions to the Knowledge Base. We welcome your input!

If you are affiliated with Indiana University and would like assistance with a specific computing problem, please use the Ask a Consultant form, or contact your campus Support Center.

Contact Information

Note: We will reply to your comment at this address. If your message concerns a problem receiving email, please enter an alternate email address.