Active Directory 2003 Group Scope Help!

By mldenman
Would someone PLEASE explain to me the pros vs. cons of using domain local vs. domain global scope within a Windows 2003 Active Directory domain??? I have heard many takes and read a few items as well. I am hoping someone from within the EXPERT community can give REAL WORLD advantages vs. disadvantages of the scope types. THANKS MD.

10 total posts (Page 1 of 1)

by BFilmFan In reply to Active Directory 2003 Gro ...

The real difference between a domain local and global group is that domain local groups can ONLY be used on ACLs on objects contained in the domain it is located in. This can be an issue if the resource is in another domain.

So are you planning multiple domains with user accounts all in one domain and resources in another? If so, you cannot use domain local groups.

Universal groups can appear in ACLs anywhere in the forest, and can contain other universal groups, global groups, and users from anywhere in the forest.

Thus:

If all your users and resources are all in ONE domain, then use domain local.

If your user accounts are in ONLY one domain and resources are in another, then use domain global.

If your user accounts and resources are in multiple domains, you will need a mix of Universal and Domain Global Groups.

A good overview of Active Directory groups can be found here:

http://kb.iu.edu/data/ahrl.html

by mldenman In reply to

Poster rated this answer.

by CG IT In reply to Active Directory 2003 Gro ...

BFilmfan has it. To go further, in designing groups, there is the A-G-DL-P pattern: A = Users, G = Global Groups, DL = domain local, P = permissions.

Simply put, you add users to a global group, then add that global group to the domain local group, and assign permissions on an object to the domain local group. Far less admin overhead in troubleshooting permission problems, and, as BFilmfan pointed out, it allows multi-domain access.

by mldenman In reply to

Poster rated this answer.

by mldenman In reply to Active Directory 2003 Gro ...

OK. This is what I have understood also. Now for BFilmFan and/or CG IT... in your professional opinions, is it best to use Global over Domain Local scope? I also understand these group scopes have differing effects upon replication traffic (so maybe that would be a reason)? The structure currently is 1 domain with users, groups, and resources mixed within. However, very shortly the company will be adding more domains. Thanks again!

by mldenman In reply to Active Directory 2003 Gro ...

Point value changed by question poster.

by CG IT In reply to Active Directory 2003 Gro ...

Universal Groups for multiple domains.

A-G-U-DL-P: A = users, G = Global Groups, U = universal groups, DL = domain local groups, P = permissions.

Same principle as for a single domain, except you put Global Groups into universal groups, place the universal group into the domain local group, and assign permissions to the domain local group.
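Putting BFilmFan's scope rules and CG IT's A-G-(U)-DL-P chain into a script, as an added example that is not from any poster in this thread: it uses the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 / RSAT, so it is not native to a 2003 domain controller, but it works against a 2003 functional-level domain), and every domain, OU, group, share and NetBIOS name in it is a placeholder I made up. Set `$multiDomain` to `$false` to get the plain A-G-DL-P form.

```powershell
# Added example (not from the thread): build an A-G-(U)-DL-P chain with the
# ActiveDirectory module. Needs rights to create groups in the OUs named
# below and to change the ACL on the share. All names are placeholders.
Import-Module ActiveDirectory

$accountDomain  = 'corp.example'                  # domain holding the user accounts
$resourceDomain = 'res.example'                   # domain holding the file server
$resourceNetbios = 'RES'                          # NetBIOS name of $resourceDomain
$groupOu        = 'OU=Groups,DC=corp,DC=example'   # where global/universal groups live
$resGroupOu     = 'OU=Groups,DC=res,DC=example'    # where the domain local group lives
$share          = '\\fs01.res.example\Finance'     # resource that receives the ACE
$multiDomain    = $true                            # $false for the single-domain A-G-DL-P form

# A: the user accounts, selected in their own domain.
$users = Get-ADUser -Server $accountDomain -Filter "Department -eq 'Finance'"

# G: a GLOBAL group may only contain accounts from its own domain, so it is
# created in the account domain and holds those users directly.
$g = New-ADGroup -Server $accountDomain -Name 'G-Finance-Users' -SamAccountName 'G-Finance-Users' `
        -GroupScope Global -GroupCategory Security -Path $groupOu `
        -Description 'Finance staff (role group)' -PassThru
Add-ADGroupMember -Server $accountDomain -Identity $g -Members $users

# U (optional): a UNIVERSAL group can hold global groups from any domain in the
# forest and can be referenced from any domain. Its membership is replicated
# to the global catalog, so nest global groups in it rather than individual
# users to keep replication churn down.
$memberOfDl = $g
if ($multiDomain) {
    $u = New-ADGroup -Server $accountDomain -Name 'U-Finance-Users' -SamAccountName 'U-Finance-Users' `
            -GroupScope Universal -GroupCategory Security -Path $groupOu `
            -Description 'Forest-wide Finance role (contains global groups only)' -PassThru
    Add-ADGroupMember -Server $accountDomain -Identity $u -Members $g
    $memberOfDl = $u
}

# DL: a DOMAIN LOCAL group is created in the domain that owns the resource,
# because it can only appear in ACLs within its own domain. Passing the
# ADGroup object obtained from the other domain is what lets the cross-domain
# membership resolve.
$dl = New-ADGroup -Server $resourceDomain -Name 'DL-Finance-Modify' -SamAccountName 'DL-Finance-Modify' `
        -GroupScope DomainLocal -GroupCategory Security -Path $resGroupOu `
        -Description "Modify on $share" -PassThru
Add-ADGroupMember -Server $resourceDomain -Identity $dl -Members $memberOfDl

# P: the permission is granted to the domain local group only, never to users
# or to the global group, so a later resource move or re-scoping touches one ACE.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$resourceNetbios\DL-Finance-Modify", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: confirm each layer really has the scope the pattern expects, and list
# the accounts that end up with access. A wrong scope here is exactly the
# "works in one domain, not in the other" problem described in the thread.
$layers = @(@{ Group = $g; Server = $accountDomain }, @{ Group = $dl; Server = $resourceDomain })
if ($multiDomain) { $layers += @{ Group = $u; Server = $accountDomain } }
foreach ($layer in $layers) {
    $live = Get-ADGroup -Identity $layer.Group.DistinguishedName -Server $layer.Server
    '{0,-20} scope={1}' -f $live.Name, $live.GroupScope
}
# Enumerate the global group in its own domain rather than using
# Get-ADGroupMember -Recursive on the domain local group, which does not
# reliably expand members that live in another domain.
Get-ADGroupMember -Server $accountDomain -Identity $g |
    Select-Object -ExpandProperty SamAccountName
```

The scope check at the end is the part worth keeping around after the build: run it whenever access "mysteriously" fails across a trust, since a domain local group that was created in the account domain instead of the resource domain, or a global group that someone tried to fill with accounts from another domain, shows up there immediately.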

by mldenman In reply to

Poster rated this answer.

by mldenman In reply to Active Directory 2003 Gro ...

This question was closed by the author

Chk this out

by dashydevang In reply to Active Directory 2003 Gro ...