Global Groups, Domain Local Groups and Universal Groups

[BigDook]

Hi all

Am trying to get my understanding right here in relation to groups. Does this sound right?


3 domains (all W2K3) all trusted etc.

Domain1
--------
Users = Fred and Bob
Share on Server1 = Share1
GlobalGroup = GG1

Domain2
--------
Users = Mary and Ted
Share on Server2 = Share2
DomainLocalGroup = DLG2

Domain3
--------
Users = Mike and Rich
Share on Server3 = Share3
UniversalGroup = UG3



GG1 can ONLY contain Fred and Bob. As they are all in the same domain, and GlobalGroups can only contain members from the domain it exists in.
GG1 can allow access to ANY share on all 3 domains, as they can allow access to resources on ANY domain.

DLG2 can contain ALL users from all 3 domains, as DomainLocalGroups can contain members from ANY domain.
DLG2 can however only allow access to Share2 as they can only allow access to resourcres on the domain it exists in.

UG3 can contain ALL users from all 3 domains, as UniversalGroups can contain members from ANY domain.
UG3 can allow access to ANY share on all 3 domains, as they can allow access to resources on ANY domain.


Sound right? Thanks

[Triton.Deep]

Yep, that is right.

Just taking it a step further, when looking at group scopes like that the tendency is to ask the question: Why not just use universal groups all the time??

Well, there are a bunch of reasons for that, here's the two I can think of off the top of my head:

• In a multi-domain forest you generally have boundaries of authorities that sometimes make it a touchy subject to give membership change control to very many admins....which leads into part II
  
• In a multi-domain forest, those boundaries of authority are all to often tied to geographic regions (Corp office to Branch office for example) which are defined by WAN links almost always.

Man, I take way to many words to say this. Sorry about that, but what I'm getting around to is that you can address both of those issues by using GlobalGroups for members, and then nesting them in Universal Groups. Doing that distributes membership managment to whomever controls the GlobalGroups according to your domain/authority breakdown AND it means less replication accross your WAN links by making your UniversalGroup membership largly static.

I hope that came out alright. In a nutshell, you should nest global groups in universal groups when you need groups of users or computers from multiple domains.

Hope that helps some.

J.

[BigDook]

Triton. Thats awesome mate, thanks. Am just trying to get my understanding right.

And to follow on from my first question, in terms of Groups and Groups

GlobalGroups can have users, computers and global groups from the SAME domain as members?

DomainLocalGroups can have users, computers, global groups and univesral groups from ANY domain as members. And also DomainLocal groups in the SAME domain as members?

UniversalGroups can have users, computers, global groups and universal groups from ANY domain as members?



If thats right, then how come you can't have domain local groups as members of universal groups in ANY domain too?



Cheers for the help mate.

[Triton.Deep]

Quote:

If thats right, then how come you can't have domain local groups as members of universal groups in ANY domain too?

Man, I wrote such a nice big post for this, lost it when I tried to install the spell check control from this page. My fault, I know better than to not save during that sort of thing.

The short answer in my opinion is that you are confusing the purpose of what each one is for.

Domainlocal is intended for granting access to someone for something else. Ideally: Globalgroup1 would be granted access to some FileShare1 using Domainlocalgroup1. Domain local groups were designed from the beginning to be the last point of contact with some resource. Printers or what have you.

Globalgroups are intended for cross domain collaborative instances and to help maintain an efficient replication topology. If you have a group of people in DomainA that need access to resource in DomainB, then you add Globalgroup1 from DomainA to DomainLocalgroup1 in DomainB.

Universal groups are intended for cross domain collaborative efforts that require users from more than one domain. If you have a group of people from DomainA and DomainB that need access to resources in DomainC, then add Globalgroup1 from DomainA & Globalgroup2 from DomainB to the domainlocal group in DomainC.

Of course, that is best practice guidance. You could just add all users to a universal group and then apply that universal group directly to the resource and blam. Done. However; that sometimes is unmanageable for the reasons I outlined in my first post.

Anyways, I hope that makes more sense. Your question fights the design of it all, domainlocal groups can't be part of universal groups because that is not there function and it is enforced in code by Microsoft.

Hope that helps,

J.

PS: Read this, espeically the parts about when to use what towards the bottom:

http://technet.microsoft.com/en-us/l...92(WS.10).aspx

[BigDook]

Ahhh heaps of thanks Triton. I've got the MS Press Books, and a MCSE In A Nutshell book too, and have read a bit about the "best practice" is to use the DLG's like that, but it's good to read it in scenarios.

Yeah, sounds like i don't need to learn how todo it in real life setups for now, rather how MS suggest you do it.


And that TechNet article is awesome, printing off as we speak.

[Tinus1959]

Quote:

Originally Posted by BigDook

Hi all

Am trying to get my understanding right here in relation to groups. Does this sound right?


3 domains (all W2K3) all trusted etc.

Domain1
--------
Users = Fred and Bob
Share on Server1 = Share1
GlobalGroup = GG1

Domain2
--------
Users = Mary and Ted
Share on Server2 = Share2
DomainLocalGroup = DLG2

Domain3
--------
Users = Mike and Rich
Share on Server3 = Share3
UniversalGroup = UG3



GG1 can ONLY contain Fred and Bob. As they are all in the same domain, and GlobalGroups can only contain members from the domain it exists in.
GG1 can allow access to ANY share on all 3 domains, as they can allow access to resources on ANY domain.

DLG2 can contain ALL users from all 3 domains, as DomainLocalGroups can contain members from ANY domain.
DLG2 can however only allow access to Share2 as they can only allow access to resourcres on the domain it exists in.

UG3 can contain ALL users from all 3 domains, as UniversalGroups can contain members from ANY domain.
UG3 can allow access to ANY share on all 3 domains, as they can allow access to resources on ANY domain.


Sound right? Thanks

I would change " can allow access" in "can be allowed access". A group does not allow anything. You grand rights to a group, so all people in that group gain these rights. For the rest it is OK.

[Tinus1959]

Quote:

Originally Posted by Triton.Deep

Yep, that is right.

Just taking it a step further, when looking at group scopes like that the tendency is to ask the question: Why not just use universal groups all the time??

Well, there are a bunch of reasons for that, here's the two I can think of off the top of my head:

• In a multi-domain forest you generally have boundaries of authorities that sometimes make it a touchy subject to give membership change control to very many admins....which leads into part II
• In a multi-domain forest, those boundaries of authority are all to often tied to geographic regions (Corp office to Branch office for example) which are defined by WAN links almost always.

Man, I take way to many words to say this. Sorry about that, but what I'm getting around to is that you can address both of those issues by using GlobalGroups for members, and then nesting them in Universal Groups. Doing that distributes membership managment to whomever controls the GlobalGroups according to your domain/authority breakdown AND it means less replication accross your WAN links by making your UniversalGroup membership largly static.

I hope that came out alright. In a nutshell, you should nest global groups in universal groups when you need groups of users or computers from multiple domains.

Hope that helps some.

J.

Most important reason NOT to use universal groups is because UG's are replicated by the Global Catalog. Because every member in a UG most be up to date in every domain in the forest. The Global Cat is the most logical place to keep track of those users. So every change in the membership of a UG as well as any change in the user itself has a direct effect of the replication to update the GC on every domain. This could result in lots of network trafic.

[Tinus1959]

Quote:

Originally Posted by BigDook

Triton. Thats awesome mate, thanks. Am just trying to get my understanding right.

And to follow on from my first question, in terms of Groups and Groups

GlobalGroups can have users, computers and global groups from the SAME domain as members?

DomainLocalGroups can have users, computers, global groups and univesral groups from ANY domain as members. And also DomainLocal groups in the SAME domain as members?

UniversalGroups can have users, computers, global groups and universal groups from ANY domain as members?



If thats right, then how come you can't have domain local groups as members of universal groups in ANY domain too?



Cheers for the help mate.

I always try to get this concept clear by using an analogy in the real world.
Let us say we have three cities with a football club in every city. The teams are the global groups. And surely we dont want a guy from LA playing in NYC . So the global group from LA has only players from LA. The field is a local resource and two teams gain the right to play on that field. The local group is connected to the field. So we have a local group with the right to play on the field on sunday between 14:00 and 16:00. On the LA field surely the NYC team can play. It makes no sence to put the field in the global group. That would be the same as moving the physical field from LA to NYC.
The unuversal group is the national team. It can contain players from different teams and may play on all fields.