Hello there. I need someone to explain the differences between Domain
Local, Global and Universal Groups. I pick up concepts very quickly,
but this one just has me at a loss. I have read three separate study
guides and still cannot understand global scope.

The article I am in front of right now reads:

" ... The easier, more accurate and secure way to assign the
permissions needed would be to create a Domain Local group and assign
it the required permissions on the file shares. "

Which I completely understand. Very straightforward, if it ended
there...

" After doing this, the administrator could create a Global group and
place the 20 user accounts into that Global group. Adding the Global
group to the Domain Local group results in all 20 users inheriting the
Domain Local group's assigned permissions ... "

What? Why would you do that? Surely you would simply assign the users
to the Domain Local group, as outlined in the first paragraph. Why does
the Global group even come into play?

I really need some help on this one.

Thanks,

Luke O'Connell
luke.us@gmail.com

Re: Global Scope by Eric

Eric
Sat Jun 11 00:23:46 CDT 2005

luke.us@gmail.com wrote:
> Hello there. I need someone to explain the differences between Domain
> Local, Global and Universal Groups. I pick up concepts very quickly,
> but this one just has me at a loss. I have read three separate study
> guides and still cannot understand global scope.
>
> The article I am in front of right now reads:
>
> " ... The easier, more accurate and secure way to assign the
> permissions needed would be to create a Domain Local group and assign
> it the required permissions on the file shares. "
>
> Which I completely understand. Very straightforward, if it ended
> there...
>
> " After doing this, the administrator could create a Global group and
> place the 20 user accounts into that Global group. Adding the Global
> group to the Domain Local group results in all 20 users inheriting the
> Domain Local group's assigned permissions ... "
>
> What? Why would you do that? Surely you would simply assign the users
> to the Domain Local group, as outlined in the first paragraph. Why does
> the Global group even come into play?
>
> I really need some help on this one.
>
> Thanks,
>
> Luke O'Connell
> luke.us@gmail.com
>

This all depends on the size of your environment. As an administrator
you always want to assign permissions to groups rather than users. It is
easier to add one global group to a domain local group than to add 5000
users to a domain local group. Now it is true that you have to add the
users to the global groups, but say you have 1000 domain local groups
that need the users assigned to them; it is much easier to use global
groups rather than adding each user to each group. It is all about
organization and ease of administration.

Again, this all depends on the environment. If you have 10 - 20 users you
can just add them to the domain local group, but remember Microsoft is
targeting large networks on exam 70-290, a user range of 250 - 5000.

An easy way to help with this is to remember that domain local groups are
for assigning rights to resources, and global groups are for assigning
rights to users. You should always, whenever possible, assign rights to
groups rather than users. This makes administration much easier.

Hope this helps.

Re: Global Scope by TSH

TSH
Sat Jun 11 05:00:41 CDT 2005

On Sat, 11 Jun 2005 01:29:05 -0400, Eric Eastridge wrote:

> luke.us@gmail.com wrote:
>> Hello there. I need someone to explain the differences between Domain
>> Local, Global and Universal Groups. I pick up concepts very quickly,
>> but this one just has me at a loss. I have read three separate study
>> guides and still cannot understand global scope.
>>
>
> An easy way to help with this is to remember that domain local groups are
> for assigning rights to resources, and global groups are for assigning
> rights to users. You should always, whenever possible, assign rights to
> groups rather than users. This makes administration much easier.
>
> Hope this helps.


And on top of that, best practice is to use global groups to grant access
to resources in another domain. E.g. if users in domain B need access to
a resource in domain A, you would create a global group with users from
domain B, and then add that group to a domain local group in domain A that
has access rights to that resource ... it is a much "cleaner" solution
than to include every domain B user in the ACL (or domain local group that
has access) of that resource ...

Re: Global Scope by luke

luke
Sat Jun 11 08:41:07 CDT 2005

Thank you both so much for clearing up global scope for me. For some
reason it wouldn't quite click. Sometimes you've just got to ask,
because nothing beats plain, human responses. Thanks again.


Re: Global Scope by doctordns

doctordns
Tue Jun 14 17:49:47 CDT 2005

The way I try to describe it is to explain the group types, where they
are used and who they can contain. If you can envisage a matrix of
group names, where used and members contained - it would look something
like this:

Name         Members from     Used in
Universal    All              All
Global       Home             All
Dom Local    All              Local
Local        Local system     Local system

That is to say, a universal group can contain members from anywhere in
the forest, and can be used on any ACL in the forest. Global Groups
contain members from the domain in which they are defined, but can be
used anywhere. Domain Local Groups can contain members from any domain,
but are only used within the forest. Local users/groups are very local
(machine local).

Two other points:

1. In theory at least, you could just use Global Groups on ACLs.
However, in a multidomain forest this might result in a longer ACL
(multiple global groups). To shorten the ACL, MS recommend you nest GGs
inside a DL, and just use the DL. That way, you get SIDs for both the
GG and DL in your token, but the ACL is short (only the DL).

2. In a single domain, the main group types are effectively the same.


HTH
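To make the three answers above concrete (Eric's "global groups hold users, domain local groups hold permissions", TSH's cross-domain case, and doctordns's membership matrix plus the token/ACL point), here is a small Python model of the scope rules, added as an illustration and not code from any poster. It encodes the standard AD membership rules, which are a little more detailed than the matrix: a Global group accepts only accounts and Global groups from its own domain, a Universal group accepts anything except Domain Local groups, and a Domain Local group accepts accounts, Global and Universal groups from any domain but may only be used on ACLs in its own domain. All SIDs, domain names and group names are constructed for the example.

```python
"""Toy model of Active Directory group scopes (constructed example, not real AD).

Shows the AGDLP pattern: Accounts -> Global group -> Domain Local group -> Permission.
"""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    UNIVERSAL = "Universal"
    GLOBAL = "Global"
    DOMAIN_LOCAL = "DomainLocal"


@dataclass
class Principal:
    sid: str      # constructed SID string
    domain: str   # domain the account or group lives in


@dataclass
class Group(Principal):
    scope: Scope
    members: list = field(default_factory=list)


def can_contain(group, member):
    """Membership rule per scope (the 'Members from' column of the matrix)."""
    if group.scope is Scope.UNIVERSAL:
        # anyone in the forest, except domain local groups
        return not (isinstance(member, Group) and member.scope is Scope.DOMAIN_LOCAL)
    if group.scope is Scope.GLOBAL:
        # only accounts and global groups from the group's home domain
        same_domain = member.domain == group.domain
        return same_domain and (not isinstance(member, Group) or member.scope is Scope.GLOBAL)
    # DOMAIN_LOCAL: accounts, global and universal groups from any domain,
    # plus domain local groups from its own domain
    if isinstance(member, Group) and member.scope is Scope.DOMAIN_LOCAL:
        return member.domain == group.domain
    return True


def can_be_used_in(group, resource_domain):
    """Scope of use (the 'Used in' column): domain local groups stay in their domain."""
    if group.scope is Scope.DOMAIN_LOCAL:
        return group.domain == resource_domain
    return True


def add_member(group, member):
    """Add a member, refusing combinations the scope rules forbid."""
    if not can_contain(group, member):
        raise ValueError(f"{member.sid} cannot be a member of {group.scope.value} group {group.sid}")
    group.members.append(member)


def token_sids(user, groups):
    """Transitively expand memberships: the SIDs that end up in the user's token."""
    sids = {user.sid}
    changed = True
    while changed:
        changed = False
        for g in groups:
            if g.sid not in sids and any(m.sid in sids for m in g.members):
                sids.add(g.sid)
                changed = True
    return sids


def access_allowed(user, groups, acl):
    """The ACL is a list of SIDs granted access; allowed if any of them is in the token."""
    return bool(token_sids(user, groups) & set(acl))


def build_example():
    """Constructed scenario: users in domain B reach a file share in domain A
    through a Global group (B) nested in a Domain Local group (A)."""
    users = [Principal(sid=f"S-1-5-21-B-{1000 + i}", domain="B") for i in range(3)]
    finance_users = Group(sid="S-1-5-21-B-2001", domain="B", scope=Scope.GLOBAL)
    share_readers = Group(sid="S-1-5-21-A-3001", domain="A", scope=Scope.DOMAIN_LOCAL)
    for u in users:
        add_member(finance_users, u)          # accounts go into the global group
    add_member(share_readers, finance_users)  # global group nests into the domain local group
    acl = [share_readers.sid]                 # the share's ACL lists only the domain local group
    if not can_be_used_in(share_readers, "A"):
        raise RuntimeError("domain local group used outside its domain")
    return users, finance_users, share_readers, acl


if __name__ == "__main__":
    users, gg, dl, acl = build_example()
    for u in users:
        print(u.sid, "token:", sorted(token_sids(u, [gg, dl])), "access:", access_allowed(u, [gg, dl], acl))
```

Running it shows what doctordns describes: each user's token carries both the Global group SID and the Domain Local group SID, while the ACL on the resource contains a single entry. It also shows why the Global group cannot be skipped in TSH's cross-domain case: `can_contain` refuses to put a domain B account directly into a domain A Global group, and `can_be_used_in` refuses to use the domain A Domain Local group on a resource in domain B.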