One issue that often confronts system administrators is regulating user access to networked resources. Some examples of networked resources can include computing systems, peripherals (e.g., printers), documents, mailboxes, calendars, applications, folders, directories, files, and firewall services. Resource access regulation can be a monumental task in computer networks having thousands of users and even more resources. Even networks in a smaller organization may have many resources that can be difficult to manage access for as users needs change or as users leave or join the organization.
In general, there are two ways to grant a user access to a resource. First, a user can be granted direct access to the resource. Second, a user can be assigned to a group that has access to the particular resource. Groups can be collections of user accounts, computer accounts, and/or other group accounts. Granting access to users through groups is preferred because managing relatively few groups can be easier than managing relatively many individuals. Group access can be managed through a directory service, such as the Active Directory™ service provided by MICROSOFT.
In Active Directory, for example, three types of groups are available for granting users with access to resources. These groups include universal groups, global groups, and domain local groups. Universal groups can allow user membership across an Active Directory forest, which often includes most or all systems in an organization. Universal groups are often used by smaller organizations that have few users. Global groups, on the other hand, allow user membership from domains, which can be subunits in an organization. Domain local groups are often assigned permission to local resources, such as printers. In certain organizations, such as medium and larger organizations, group and domain local groups instead of universal groups are used to grant resource access. Typically, such access includes creating a domain local group and assigning it permission to access a resource, adding users to a global group, and then nesting (e.g., adding) this global group with the domain local group to grant those users access to the resource.