Windows NT Enterprise II

 

Managing Enterprise Resources

Global Group - contains user accounts from one domain grouped together under one group account name. A global group can contain only user accounts from the domain in which it is created; it cannot contain other groups or accounts from other domains. Once created, a global group can be granted permissions and rights in its own domain, on workstations or member servers, and in domains that trust its domain.

Local Group - contains user accounts and global groups from one or more domains (its own domain and any domain it trusts) grouped together under one group account name. A local group cannot contain other local groups. It is specific to the computer on which it is created; a local group created on a domain controller is shared by all the domain controllers of that domain, because they share one directory (security) database. The usual practice is to place accounts in global groups, place global groups in the local groups of the computers or domains holding the resources, and grant permissions only to the local groups.

 

Profiles and Policies

A user profile contains all user-definable settings for the work environment of a computer running Windows NT, including display settings and network connections. All user-specific settings are saved automatically in the Profiles folder within the system root folder (%SystemRoot%\Profiles\<username>).

Ntuser.dat file - is the registry portion of the user profile. It is loaded as the HKEY_CURRENT_USER hive when the user logs on, and changes made to that hive are written back to it when the user logs off.

 

System Policy Editor - System policies let you control the user-definable settings in Windows NT and Windows 95 user profiles as well as system configuration settings. On computers running Windows NT Workstation or Windows NT Server, the contents of the user profile are taken from the user portion of the Windows NT Registry (HKEY_CURRENT_USER); computer settings come from HKEY_LOCAL_MACHINE.

Using System Policy Editor, you create a file called NTConfig.pol that contains settings for users (user profiles) and computers (logon and network access settings). To enforce a uniform policy for all network computers running Windows NT Server or Windows NT Workstation, you save this file, under exactly that name, in the Netlogon share of the PDC (%SystemRoot%\System32\Repl\Import\Scripts); the Directory Replicator service can then copy it to the BDCs so that it is found whichever controller validates the logon. Because every NT computer in the domain applies whatever it finds there at logon, write access to the Netlogon share must be restricted to administrators: anyone who can replace NTConfig.pol controls the registry settings of every user and computer in the domain.

 

Supporting Windows 95 System Policy

 

Domain Synchronization

Refers to the synchronization of the Windows NT Directory Services database (the domain account database). Synchronization occurs when the primary domain controller (PDC), which holds the only writable copy, copies its directory database to the backup domain controllers (BDCs) of the domain. The Net Logon service controls the synchronization process.

 

Full synchronization - Full synchronization occurs when the PDC sends its entire directory services database to a BDC. Full synchronization always occurs when a new BDC is brought online. It is not required for an ordinary change in PDC data, such as a password change or a new account; such changes are carried by partial synchronization.

Partial synchronization - Partial synchronization occurs when the PDC sends a BDC only the changes in the directory services database that have occurred since that BDC was last synchronized. The PDC keeps track of the synchronization level of each BDC, which allows it to control the rate of partial synchronization and to decide whether a BDC has fallen so far behind that a full synchronization is needed.
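The two modes, as an added example for these notes (not Microsoft's code). It assumes one mechanism the page does not spell out: the PDC records each change under an increasing serial number in a bounded change log, so a new BDC, or a BDC that has missed more changes than the log retains, gets a full synchronization, while any other BDC gets only the changes since its recorded level. The account records and the tiny log size are constructed for the demonstration.

```python
"""Toy model of PDC -> BDC directory-database synchronization."""


class BDC:
    def __init__(self, name):
        self.name = name
        self.database = {}


class PDC:
    def __init__(self, change_log_size=4):
        self.database = {}            # account name -> record (only writable copy)
        self.serial = 0               # serial number of the latest change
        self.change_log = []          # [(serial, account, record)], oldest first
        self.change_log_size = change_log_size   # constructed: tiny log for the demo
        self.bdc_serial = {}          # BDC name -> serial it was last synchronized to

    def change(self, account, record):
        """Apply a change on the PDC and record it in the change log."""
        self.serial += 1
        self.database[account] = record
        self.change_log.append((self.serial, account, record))
        if len(self.change_log) > self.change_log_size:
            self.change_log.pop(0)    # the oldest change is forgotten

    def synchronize(self, bdc):
        """One Net Logon synchronization step.

        Returns ('full', n) or ('partial', n), where n is the number of
        records sent to the BDC."""
        last = self.bdc_serial.get(bdc.name)
        oldest = self.change_log[0][0] if self.change_log else self.serial + 1
        if last is None or last + 1 < oldest:
            # New BDC, or it fell behind the retained change log: send everything.
            bdc.database = dict(self.database)
            result = ("full", len(self.database))
        else:
            deltas = [c for c in self.change_log if c[0] > last]
            for _, account, record in deltas:
                bdc.database[account] = record
            result = ("partial", len(deltas))
        self.bdc_serial[bdc.name] = self.serial
        return result


def run_scenario():
    """Constructed scenario; returns the synchronization results in order."""
    pdc, bdc = PDC(change_log_size=4), BDC("BDC1")
    results = [pdc.synchronize(bdc)]             # new BDC -> full (database still empty)
    pdc.change("alice", {"rid": 1001})
    pdc.change("bob", {"rid": 1002})
    results.append(pdc.synchronize(bdc))         # two changes -> partial, 2 records
    results.append(pdc.synchronize(bdc))         # nothing new -> partial, 0 records
    for i in range(6):                           # six changes exceed the log size of 4
        pdc.change(f"user{i}", {"rid": 2000 + i})
    results.append(pdc.synchronize(bdc))         # fell behind the log -> full, 8 records
    assert bdc.database == pdc.database          # BDC is current again
    return results


if __name__ == "__main__":
    for kind, count in run_scenario():
        print(f"{kind:8s} {count} record(s)")
```

The last step is the case a practitioner cares about: a BDC that is starved of partial synchronizations (for example by a ReplicationGovernor set too low, see below) does not merely lag, it eventually needs a full synchronization, and until that completes it keeps validating logons against stale account data.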

 

Adjusting the ReplicationGovernor

This is important because for each Windows NT Server 4.0 BDC, the ReplicationGovernor parameter defines:

 

Caution - Care must be taken in setting this registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ReplicationGovernor, a REG_DWORD in the range 0 to 100, default 100; it is read by the BDC's Net Logon service, so a change takes effect when that service restarts). If ReplicationGovernor is set too low, synchronization may never complete. A value of zero causes Net Logon never to synchronize, and the directory database on that BDC can become completely out of date: a BDC that no longer receives changes keeps validating logons against old account data, so disabled accounts and old passwords remain usable there. Setting the value below 25 is not recommended.

 

Trust Relationship

One-Way trust relationship - the trusting domain (the resource domain) honors accounts from the trusted domain (the account domain), so accounts in the trusted domain can be given permission to access resources in the trusting domain. The relationship is not reciprocal: accounts in the trusting domain gain nothing in the trusted domain. This is typically used in networks where user accounts must be centrally managed in one domain, but resources require distributed control.

Two-Way trust relationship - when two domains are joined by two one-way trusts, one in each direction, the result is a two-way trust relationship. Accounts and resources are administered in each domain, and accounts in either domain can be given permission to access resources in the other. Windows NT trusts are not transitive: if A trusts B and B trusts C, A does not trust C unless a separate trust is created.

 

Pass-Through Authentication

Pass-through authentication makes it possible for users to log on to the network from computers or domains in which they have no account. The domain controller receiving the logon request does not hold the account, so it passes the request through to a domain controller of the account's domain, which verifies the credentials; this requires that the receiving domain trust the account domain. With pass-through authentication, a user with an account in one domain can therefore access the entire network, including every domain that trusts the user's account domain. Once logged on, the user is known on the network as DomainName\Username, where DomainName is the domain that contains the user's account and authenticated the logon request. For example, in a large network consisting of several domains linked by trust relationships, a user can log on at a computer in Domain B and be verified by the user account database in Domain A.
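The rules from the three sections above (group scoping, one-way trust direction and pass-through authentication) in one runnable model, added for these notes and not taken from Microsoft. The domains ACCOUNTS and RESOURCES, the users, groups and passwords are constructed; the plaintext password comparison stands in for the real challenge-response exchange between the domain controllers, which the page does not describe.

```python
"""Toy model of NT 4 group scoping, one-way trusts and pass-through logon."""


class Domain:
    def __init__(self, name):
        self.name = name
        self.users = {}          # username -> password (constructed toy data)
        self.global_groups = {}  # group -> set of usernames, own domain only
        self.local_groups = {}   # group -> set of "DOMAIN\\name" members
        self.trusts = set()      # domains whose accounts this domain trusts


def split(qualified):
    """'DOMAIN\\name' -> ('DOMAIN', 'name')."""
    dom, name = qualified.split("\\", 1)
    return dom, name


class Network:
    def __init__(self, *domains):
        self.domains = {d.name: d for d in domains}

    def trust(self, trusting, trusted):
        """One-way trust: `trusting` accepts accounts authenticated by `trusted`."""
        self.domains[trusting].trusts.add(trusted)

    def add_user(self, domain, username, password):
        self.domains[domain].users[username] = password

    def add_to_global_group(self, domain, group, member):
        # A global group may contain only user accounts of its own domain.
        dom, user = split(member)
        if dom != domain or user not in self.domains[dom].users:
            raise ValueError(f"{domain}\\{group} is global: only {domain} accounts allowed")
        self.domains[domain].global_groups.setdefault(group, set()).add(user)

    def add_to_local_group(self, domain, group, member):
        # A local group may contain users and global groups from its own domain
        # or from a domain it trusts; it may not contain other local groups.
        dom, name = split(member)
        here = self.domains[domain]
        if dom != domain and dom not in here.trusts:
            raise ValueError(f"{domain} does not trust {dom}; cannot add {member}")
        source = self.domains[dom]
        if name not in source.users and name not in source.global_groups:
            raise ValueError(f"{member} is not a user or global group")
        here.local_groups.setdefault(group, set()).add(member)

    def logon(self, at, account, password):
        """Log on at a machine in domain `at` with account 'DOMAIN\\user'.
        Returns the network identity 'DOMAIN\\user', or None if refused."""
        dom, user = split(account)
        if dom != at and dom not in self.domains[at].trusts:
            return None   # no trust: the controllers of `at` will not pass it through
        # Pass-through: a controller of the account domain verifies the credentials.
        if self.domains[dom].users.get(user) != password:
            return None
        return f"{dom}\\{user}"

    def in_local_group(self, domain, group, identity):
        dom, user = split(identity)
        for member in self.domains[domain].local_groups.get(group, ()):
            if member == identity:
                return True
            mdom, mname = split(member)
            if mdom == dom and user in self.domains[mdom].global_groups.get(mname, ()):
                return True
        return False

    def can_access(self, resource_domain, account, password, local_group):
        """Access to a resource in `resource_domain` protected by `local_group`:
        the resource domain must authenticate the account (directly or by
        pass-through) and the resulting identity must map into the local group."""
        identity = self.logon(resource_domain, account, password)
        return identity is not None and self.in_local_group(resource_domain, local_group, identity)


def build_example():
    """Constructed two-domain network: RESOURCES trusts ACCOUNTS (one way only)."""
    net = Network(Domain("ACCOUNTS"), Domain("RESOURCES"))
    net.trust("RESOURCES", "ACCOUNTS")
    net.add_user("ACCOUNTS", "alice", "pw-alice")
    net.add_user("RESOURCES", "bob", "pw-bob")
    net.add_to_global_group("ACCOUNTS", "Sales", "ACCOUNTS\\alice")
    net.add_to_local_group("RESOURCES", "SalesShare", "ACCOUNTS\\Sales")
    return net


if __name__ == "__main__":
    net = build_example()
    print(net.logon("RESOURCES", "ACCOUNTS\\alice", "pw-alice"))   # ACCOUNTS\alice
    print(net.logon("ACCOUNTS", "RESOURCES\\bob", "pw-bob"))       # None: ACCOUNTS does not trust RESOURCES
    print(net.can_access("RESOURCES", "ACCOUNTS\\alice", "pw-alice", "SalesShare"))  # True
```

Note which direction fails: bob's account lives in the trusting domain, so his logon at ACCOUNTS is refused outright rather than failing on a permission check, and alice gets to the share only because the trust, the global group membership and the local group membership line up.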