Global Scope

Discussion in 'MCSE' started by luke.us@gmail.com, Jun 11, 2005.

  1. Guest

    Hello there. I need someone to explain the differences between Domain
    Local, Global and Universal Groups. I pick up concepts very quickly,
    but this one just has me at a loss. I have read three separate study
    guides and still cannot understand global scope.

    The article I am in front of right now reads;

    " ... The easier, more accurate and secure way to assign the
    permissions needed would be to create a Domain Local group and assign
    it the required permissions on the file shares. "

    Which I completely understand. Very straightforward, if it ended
    there...

    " After doing this, the administrator could create a Global group and
    place the 20 user accounts into that Global group. Adding the Global
    group to the Domain Local group results in all 20 users inheriting the
    Domain Local group's assigned permissions ... "

    What? Why would you do that? Surely you would simply assign the users
    to the Domain Local group, as outlined in the first paragraph. Why does
    the Global group even come into play?

    I really need some help on this one.

    Thanks,

    Luke O'Connell
     
    , Jun 11, 2005
    #1

  2. wrote:
    > Hello there. I need someone to explain the differences between Domain
    > Local, Global and Universal Groups. I pick up concepts very quickly,
    > but this one just has me at a loss. I have read three separate study
    > guides and still cannot understand global scope.
    >
    > The article I am in front of right now reads;
    >
    > " ... The easier, more accurate and secure way to assign the
    > permissions needed would be to create a Domain Local group and assign
    > it the required permissions on the file shares. "
    >
    > Which I completely understand. Very straightforward, if it ended
    > there...
    >
    > " After doing this, the administrator could create a Global group and
    > place the 20 user accounts into that Global group. Adding the Global
    > group to the Domain Local group results in all 20 users inheriting the
    > Domain Local group's assigned permissions ... "
    >
    > What? Why would you do that? Surely you would simply assign the users
    > to the Domain Local group, as outlined in the first paragraph. Why does
    > the Global group even come into play?
    >
    > I really need some help on this one.
    >
    > Thanks,
    >
    > Luke O'Connell
    >
    >


    This all depends on the size of your environment. As an administrator
    you always want to assign permissions to groups rather than users. It is
    easier to add one global group to a domain local group than adding 5000
    users to a domain local group. Now it is true that you have to add the
    users to the global groups, but say you have 1000 domain local groups
    that need the users assigned to them, it is much easier to use global
    groups rather than adding each user to each group. It is all about
    organization and ease of administration.

    Again, this all depends on the environment. If you have 10 - 20 users you
    can just add them to the domain local, but remember Microsoft is
    targeting large networks on exam 70-290, a user range of 250 - 5000.

    An easy way to help with this is to remember domain local groups are for
    assigning rights to resources, and global groups are for assigning rights
    to users. You should always, whenever possible, assign rights to groups
    rather than users. This makes administration much easier.

    Hope this helps
     
    Eric Eastridge, Jun 11, 2005
    #2

  3. TSH Guest

    On Sat, 11 Jun 2005 01:29:05 -0400, Eric Eastridge wrote:

    > wrote:
    >> Hello there. I need someone to explain the differences between Domain
    >> Local, Global and Universal Groups. I pick up concepts very quickly,
    >> but this one just has me at a loss. I have read three separate study
    >> guides and still cannot understand global scope.
    >>

    >
    > An easy way to help with this is to remember domain local groups are for
    > assigning rights to resources, and global groups are for assigning rights
    > to users. You should always, whenever possible, assign rights to groups
    > rather than users. This makes administration much easier.
    >
    > hope this helps



    And on top of that, best practice is to use global groups to grant access
    to resources in another domain. E.g. if users in domain B need access to a
    resource in domain A, you would create a global group with users from domain
    B, and then add that group to a domain local group in domain A that has
    access rights to that resource ... it is a much "cleaner" solution than to
    include every domain B user in the ACL (or domain local group that has access)
    of that resource ...
     
    TSH, Jun 11, 2005
    #3
  4. Guest

    Thank you both so much for clearing up global scope for me. For some
    reason it wouldn't quite click. Sometimes you've just got to ask,
    because nothing beats plain, human responses. Thanks again.
     
    , Jun 11, 2005
    #4
  5. Guest

    The way I try to describe it is to explain the group types, where they
    are used and who they can contain. If you can envisage a matrix of
    group names, where used and members contained - it would look something
    like this:

    Name        Members from    Use in
    Universal   All             All
    Global      Home            All
    Dom Local   All             Local
    Local       Local system    Local system

    That is to say, a universal group can contain members from anywhere in
    the forest, and can be used on any ACL in the forest. Global Groups contain
    members from the domain in which they're defined, but can be used
    anywhere. Domain Local Groups can contain members from any domain, but
    are only used within the forest. Local users/groups are very
    local (machine local).

    Two other points:

    1. In theory at least, you could just use Global Groups on ACLs.
    However in a multidomain forest, this might result in a longer ACL
    (multiple global groups). To shorten the ACL, MS recommend you nest GGs
    inside a DL, and just use the DL. That way, you get SIDs for both the
    GG and DL in your token, but the ACL is short (only the DL).

    2. In a single domain, the main group types are effectively the same.


    HTH
     
    , Jun 14, 2005
    #5
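The nesting described in posts #3 and #5, as an added example that is not part of any post in this thread: a simplified Python model of the scope rules (who a group may contain, where it may be used) and of how nested memberships end up in a user's token while the ACL stays one entry long. All names (`Principal`, `GG_B_Sales`, `DL_A_Share_Read`, domains `A` and `B`) are constructed, and the model assumes a single forest; it is not a Windows API.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"              # or "global", "domain_local", "universal"
    members: list = field(default_factory=list)

def can_contain(group, member):
    """Membership rules by scope, simplified to one forest."""
    same_domain = member.domain == group.domain
    if group.scope == "global":      # members from the home domain only
        return same_domain and member.scope in ("user", "global")
    if group.scope == "universal":   # members from any domain
        return member.scope in ("user", "global", "universal")
    # domain local: members from any domain; other DLs only from its own
    return member.scope != "domain_local" or same_domain

def add_member(group, member):
    if not can_contain(group, member):
        raise ValueError(f"{member.name} cannot join {group.name} ({group.scope})")
    group.members.append(member)

def can_grant(group, resource_domain):
    """A domain local group is valid only on ACLs in its own domain."""
    return group.scope != "domain_local" or group.domain == resource_domain

def token_groups(user, groups):
    """Every group name the user reaches directly or through nesting."""
    found, grew = set(), True
    while grew:
        grew = False
        for g in groups:
            if g.name not in found and any(
                    m is user or m.name in found for m in g.members):
                found.add(g.name)
                grew = True
    return found

def build_example():
    """Constructed data: 20 domain B users need a share in domain A."""
    users = [Principal(f"b_user{i:02d}", "B") for i in range(20)]
    gg = Principal("GG_B_Sales", "B", "global")
    dl = Principal("DL_A_Share_Read", "A", "domain_local")
    for u in users:
        add_member(gg, u)
    add_member(dl, gg)               # the only cross-domain link
    return users, [gg, dl], ["DL_A_Share_Read"]   # ACL holds one entry
```

Removing a user from `GG_B_Sales` in this model removes their path to every domain local group the global group is nested in, which is why access reviews are done on the global group rather than on each resource ACL.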