Can someone explain this confusion for me? I created a global group today
to assign permissions to a resource in a different domain but it wouldn't
work, I had to use a Domain Local group for that.

Global to me means a far reaching group with more "coverage" than a Domain
Local (local to the domain) so I assumed that to permission objects outside
a domain to use Globals.

Any ideas why the naming sounds arse about face?

Re: Domain Local vs Global Groups by Lazyadmin

Lazyadmin
Mon Jan 05 15:42:03 CST 2004

Here is how I remember it.

Add users to global groups and add global groups to domain local groups.
Give perms to Domain Local groups.


"Mark Scott" <mark-scott@yonderblue.co.uk> wrote in message
news:ZEiKb.21$iI2.13@news-binary.blueyonder.co.uk...
> Can someone explain this confusion for me? I created a global group today
> to assign permissions to a resource in a different domain but it wouldn't
> work, I had to use a Domain Local group for that.
>
> Global to me means a far reaching group with more "coverage" than a Domain
> Local (local to the domain) so I assumed that to permission objects outside
> a domain to use Globals.
>
> Any ideas why the naming sounds arse about face?
>
>



Re: Domain Local vs Global Groups by Adam

Adam
Mon Jan 05 16:02:09 CST 2004

"Mark Scott" <mark-scott@yonderblue.co.uk> wrote in
news:ZEiKb.21$iI2.13@news-binary.blueyonder.co.uk:

> Can someone explain this confusion for me? I created a global
> group today to assign permissions to a resource in a different
> domain but it wouldn't work, I had to use a Domain Local group for
> that.
>
> Global to me means a far reaching group with more "coverage" than
> a Domain Local (local to the domain) so I assumed that to
> permission objects outside a domain to use Globals.
>
> Any ideas why the naming sounds arse about face?

Global Groups have global scope within a domain boundary and only
within a domain boundary.

Universal Groups extend past domain boundaries and can be used inside
(and out of) domains. This requires resources by a GC and therefore
using Universal Groups should be used sparingly according to Microsoft.

Domain Local Groups are usually used to assign permissions to groups
and or users to use a specific resource such as a printer or share.
They have scope only within that domain.

HTH,
Adam

Re: Domain Local vs Global Groups by aleinss

aleinss
Tue Jan 06 19:36:19 CST 2004

Adam Leinss <aleinss@toughguy.net> wrote in message news:<Xns9467A31E9AEA1aleinsstoughguynet@toughguy.net>...
> "Mark Scott" <mark-scott@yonderblue.co.uk> wrote in
> news:ZEiKb.21$iI2.13@news-binary.blueyonder.co.uk:
>
> > Can someone explain this confusion for me? I created a global
> > group today to assign permissions to a resource in a different
> > domain but it wouldn't work, I had to use a Domain Local group for
> > that.
> >
> > Global to me means a far reaching group with more "coverage" than
> > a Domain Local (local to the domain) so I assumed that to
> > permission objects outside a domain to use Globals.
> >
> > Any ideas why the naming sounds arse about face?
>
> Global Groups have global scope within a domain boundary and only
> within a domain boundary.
>
> Universal Groups extend past domain boundaries and can be used inside
> (and out of) domains. This requires resources by a GC and therefore
> using Universal Groups should be used sparingly according to Microsoft.
>
> Domain Local Groups are usually used to assign permissions to groups
> and or users to use a specific resource such as a printer or share.
> They have scope only within that domain.

I should clarify that Universal and Global Groups can be assigned
permissions in any domain. However, Global Groups can only contain
members from within its own domain. Domain Local Groups can only
contain members for its domain and cannot be assigned permissions in
other domains.

Adam

Re: Domain Local vs Global Groups by anonymous

anonymous
Wed Jan 07 12:36:12 CST 2004


/********************************************************
Domain Local Groups can only
contain members for its domain and cannot be assigned permissions in
other domains.
********************************************************/

I think this is not true.

The difference between groups is made by two things: membership and scope.


Group   Membership                         Scope
-----   --------------------------------   -----------
DLG     User and group from same Forest    Same domain
GG      Same Domain                        Forest
UG      User and group from same Forest    Forest

Furthermore, the use of DLG depends on the domain's mode: mixed-mode (same as WinNT domain) and native-mode (the DLG is visible; the scope is enlarged also for the member servers and workstations).

Ciao
Leone
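
The nesting pattern from Lazyadmin's reply (users into global groups, global groups into domain local groups, permissions on the domain local group) can be checked mechanically. The following is an added example, not part of any post in this thread. It models the Active Directory scope rules as Microsoft documents them for native-mode domains in a single forest, which goes beyond what the posts state. Trusts outside the forest are not modelled, and all names and domains are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "universal" or "domain_local"

def member_allowed(group, member):
    """May `member` be added to `group`? Assumed rules: native mode, one forest."""
    same = group.domain == member.domain
    if group.kind == "global":        # same-domain users and global groups only
        return same and member.kind in ("user", "global")
    if group.kind == "universal":     # anything but domain local, any domain
        return member.kind in ("user", "global", "universal")
    if group.kind == "domain_local":  # any domain; other DL groups only if local
        return member.kind != "domain_local" or same
    return False                      # a user cannot contain members

def acl_allowed(group, resource_domain):
    """May `group` be granted permissions on a resource in `resource_domain`?"""
    if group.kind == "domain_local":  # usable only inside its own domain
        return group.domain == resource_domain
    return group.kind in ("global", "universal")

def check_design(memberships, acls):
    """Return the list of scope violations in a proposed nesting/ACL plan."""
    problems = []
    for group, member in memberships:
        if not member_allowed(group, member):
            problems.append(f"{member.name} ({member.kind}, {member.domain}) cannot "
                            f"join {group.name} ({group.kind}, {group.domain})")
    for group, res_domain in acls:
        if not acl_allowed(group, res_domain):
            problems.append(f"{group.name} ({group.kind}, {group.domain}) cannot "
                            f"be granted access in {res_domain}")
    return problems

# Constructed sample: a user in domain A needs a share hosted in domain B.
alice = Principal("alice", "A.example", "user")
gg_sales = Principal("GG-Sales", "A.example", "global")
gg_b = Principal("GG-B-Staff", "B.example", "global")
dl_share = Principal("DL-Share-Read", "B.example", "domain_local")

AGDLP = check_design([(gg_sales, alice), (dl_share, gg_sales)], [(dl_share, "B.example")])
BROKEN = check_design([(gg_b, alice), (dl_share, gg_b)], [(dl_share, "A.example")])
print(AGDLP, BROKEN, sep="\n")
```

The first plan passes with no violations. The second is rejected twice: a global group cannot take a member from another domain, and a domain local group cannot be used on a resource outside its own domain.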