group nesting

Discussion in 'MCSE' started by David K, Dec 10, 2003.

  1. David K

    David K Guest

    I finished my first pass through the MCSA core material, and I'm going
    through the exercises and studying unclear material more deeply.
    Here's one question.

    I'm trying to grasp the way universal, global, and domain local groups
    are used. I would think that I understand it except for the nesting.

    I understand why you would want to include global groups in universal
    groups - it makes management of the global groups easier. But why
    would you include universal groups into domain local groups? I have a
    picture of the hierarchy of groups, with universal having the widest
    scope, and the idea that you would include universal groups in domain
    local groups just obliterates my picture.

    I think I just need a good example of when it would be used and what
    would happen if I didn't do it.. Can someone give me one?

    Dave
    David K, Dec 10, 2003
    #1
    1. Advertising

  2. David K

    zeze Guest

    if u have a forest structure in native mode universal group is usefull if
    u dont have frost u don t need to use universal group
    zeze, Dec 10, 2003
    #2
    1. Advertising

  3. David K

    David K Guest

    On Wed, 10 Dec 2003 17:35:57 +0200, "zeze" <>
    wrote:

    >if u have a forest structure in native mode universal group is usefull if
    >u dont have frost u don t need to use universal group


    I understand that much. My question is about the nesting of universal
    and global groups into domain local groups.

    Dave
    David K, Dec 10, 2003
    #3
  4. David K

    Dave Guest

    Adding universal groups to local groups makes management easier.

    Suppose you have multiple domains and users in each of those domains need
    access to a resource, say printer A in domain A.

    You would create global groups in each domain containing the users, put the
    global groups in the universal group ,put the universal group in a domain
    local and assign permissions to the domain local group.



    An example, to assign permissions to all members of "managers" global group
    from each domain to printer A in domain A , you could put the "managers"
    groups in a universal group, add the universal group to a domain local then
    give the domain local group permissions to printer A. This might not seem
    worth the effort initially. But assume you have 10 domains and you now need
    to assign permissions to all "managers" to another resource all you need to
    do is add the domain local group to the resources acl. If you need to
    assign permissions to more resources you begin to save a lot of effort.





    "David K" <> wrote in message
    news:...
    > On Wed, 10 Dec 2003 17:35:57 +0200, "zeze" <>
    > wrote:
    >
    > >if u have a forest structure in native mode universal group is usefull

    if
    > >u dont have frost u don t need to use universal group

    >
    > I understand that much. My question is about the nesting of universal
    > and global groups into domain local groups.
    >
    > Dave
    Dave, Dec 12, 2003
    #4
  5. David K

    David K Guest

    On Wed, 10 Dec 2003 05:41:46 GMT, David K <> wrote:

    >I finished my first pass through the MCSA core material, and I'm going
    >through the exercises and studying unclear material more deeply.
    >Here's one question.


    Funny when you read your own posts and don't realize it's you at
    first. This paragraph of mine is very unclear - I meant that I studied
    my way through the MCSA books once and am going back through the
    material again. Not a big deal, just thought I'd clear it up.

    Dave
    David K, Dec 12, 2003
    #5
  6. David K

    David K Guest

    On Fri, 12 Dec 2003 14:29:46 -0000, "Dave"
    <> wrote:

    >Adding universal groups to local groups makes management easier.
    >
    >Suppose you have multiple domains and users in each of those domains need
    >access to a resource, say printer A in domain A.
    >
    >You would create global groups in each domain containing the users, put the
    >global groups in the universal group ,put the universal group in a domain
    >local and assign permissions to the domain local group.
    >
    >An example, to assign permissions to all members of "managers" global group
    >from each domain to printer A in domain A , you could put the "managers"
    >groups in a universal group, add the universal group to a domain local then
    >give the domain local group permissions to printer A. This might not seem
    >worth the effort initially. But assume you have 10 domains and you now need
    >to assign permissions to all "managers" to another resource all you need to
    >do is add the domain local group to the resources acl. If you need to
    >assign permissions to more resources you begin to save a lot of effort.


    Interesting. Thanks for the explanation.

    So how is that more preferable than adding the universal group to an
    ACL? Since the universal group contains the global groups that need
    access, wouldn't adding the universal group in the ACL do the job? If
    there's another resource, I could just assign the universal group to
    it as well. What's wrong with this? (something is, obviously, but I'm
    not seeing it yet...)

    Dave
    (no relation)
    David K, Dec 12, 2003
    #6
  7. David K

    Dave Guest

    What you say will work OK. I think the recommended practice (which you need
    to remember for exam q's) that states add local groups to acl's of resources
    then add universal groups to local groups makes for better "housekeeping".
    There is probably a technical explanation somewhere but microsoft's
    recommnedations are assign dom local gp's to resources and depending on
    domain type place universal groups containing global groups in the dom local
    gp's.
    Maybe someone will post the technical reason.

    "David K" <> wrote in message
    news:...
    > On Fri, 12 Dec 2003 14:29:46 -0000, "Dave"
    > <> wrote:
    >
    > >Adding universal groups to local groups makes management easier.
    > >
    > >Suppose you have multiple domains and users in each of those domains need
    > >access to a resource, say printer A in domain A.
    > >
    > >You would create global groups in each domain containing the users, put

    the
    > >global groups in the universal group ,put the universal group in a domain
    > >local and assign permissions to the domain local group.
    > >
    > >An example, to assign permissions to all members of "managers" global

    group
    > >from each domain to printer A in domain A , you could put the "managers"
    > >groups in a universal group, add the universal group to a domain local

    then
    > >give the domain local group permissions to printer A. This might not

    seem
    > >worth the effort initially. But assume you have 10 domains and you now

    need
    > >to assign permissions to all "managers" to another resource all you need

    to
    > >do is add the domain local group to the resources acl. If you need to
    > >assign permissions to more resources you begin to save a lot of effort.

    >
    > Interesting. Thanks for the explanation.
    >
    > So how is that more preferable than adding the universal group to an
    > ACL? Since the universal group contains the global groups that need
    > access, wouldn't adding the universal group in the ACL do the job? If
    > there's another resource, I could just assign the universal group to
    > it as well. What's wrong with this? (something is, obviously, but I'm
    > not seeing it yet...)
    >
    > Dave
    > (no relation)
    Dave, Dec 12, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. rmcnutt
    Replies:
    1
    Views:
    11,265
    mcaissie
    Jul 13, 2004
  2. LooseLips
    Replies:
    0
    Views:
    586
    LooseLips
    Aug 3, 2003
  3. philo
    Replies:
    0
    Views:
    603
    philo
    Aug 3, 2003
  4. magnus.prem

    ds0 group and channel group

    magnus.prem, Jul 21, 2006, in forum: Hardware
    Replies:
    0
    Views:
    2,144
    magnus.prem
    Jul 21, 2006
  5. gpw

    div nesting in Firefox

    gpw, Sep 5, 2006, in forum: Firefox
    Replies:
    0
    Views:
    481
Loading...

Share This Page