The diagram below presents an example of group hierarchy.
Six machines are registered on the management server:
1 – the international sales manager’s laptop (Windows Vista)
2 – the server that holds the corporate database and the shared document storage (Windows Server 2008)
3, 4, 5, 6 – the salesmen’s machines (Windows XP) from the “Sales department” AD organizational unit (OU).
An example of group hierarchy
The backup policy on the server has to differ from that on the workstations. The administrator creates the G1 dynamic group, which contains machines running server operating systems, and applies a backup policy to the group. Any server that is added to the network and registered on the management server will appear in this group, and the policy will be applied to it automatically.
To protect the salesmen’s workstations with a different policy, the administrator creates the G2 dynamic group using the AD OU criterion. Any change in the OU membership of a machine will be reflected in the G2 membership. The appropriate policy will be applied to the new OU members and revoked from machines deleted from the OU.
The international sales manager’s laptop is not included in the OU, but it has some of the data the sales machines have. To back up this data, the administrator has to add the laptop to G2 “by force”. This can be done by creating a static group (G3) and moving the static group into the dynamic one. The policy applied to the parent group (G2) will be applied to the child group (G3), but members of G3 are not considered members of G2, so G2’s dynamic nature remains intact.
In real life, the administrator would most likely prefer to protect the manager’s machine by applying the policy directly to the machine, without including it in any group, so this case is just an illustration of nesting different types of groups. With multiple group members, nesting of the groups comes in handy.
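The membership and inheritance rules described above can be checked with a small model. This is an added example, not the product's code or API: the class names, policy names and the `uncovered` helper are hypothetical, and the fleet is constructed from the six machines listed above.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Machine:
    name: str
    os: str
    ou: Optional[str] = None

@dataclass
class Group:
    name: str
    policy: Optional[str] = None
    criterion: Optional[Callable[[Machine], bool]] = None  # set => dynamic group
    static_members: set = field(default_factory=set)       # used by static groups
    parent: Optional["Group"] = None

    def members(self, fleet):
        """Direct members only; members of child groups are not included."""
        if self.criterion is not None:
            return {m.name for m in fleet if self.criterion(m)}
        return set(self.static_members)

def effective_policies(fleet, groups):
    """Map machine name -> policies from its groups and all ancestor groups."""
    result = {m.name: set() for m in fleet}
    for g in groups:
        node, inherited = g, set()
        while node is not None:          # walk up the nesting chain
            if node.policy:
                inherited.add(node.policy)
            node = node.parent
        for name in g.members(fleet):
            result[name] |= inherited
    return result

def uncovered(fleet, groups):
    """Machines that no backup policy reaches: the gap to audit for."""
    return sorted(n for n, p in effective_policies(fleet, groups).items() if not p)

# Constructed fleet matching the six machines described above.
FLEET = [Machine("1", "Windows Vista"), Machine("2", "Windows Server 2008")] + \
        [Machine(str(n), "Windows XP", "Sales department") for n in (3, 4, 5, 6)]

G1 = Group("G1", "server-backup", criterion=lambda m: "Server" in m.os)
G2 = Group("G2", "sales-backup", criterion=lambda m: m.ou == "Sales department")
G3 = Group("G3", static_members={"1"}, parent=G2)  # static group nested in G2
GROUPS = [G1, G2, G3]
```

Running `uncovered` after any OU or group change shows which machines have silently dropped out of backup coverage, for example a workstation moved out of the “Sales department” OU.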