cakirfatih


Domain Local group vs Global group

Hi,

I came across this text on MS web site about using groups in AD

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/95107162-47eb-4891-832f-0c0b15b7c858.mspx

When to use groups with domain local scope
Groups with domain local scope help you define and manage access to resources within a single domain. These groups can have as their members:

• Groups with global scope
• Groups with universal scope
• Accounts
• Other groups with domain local scope
• A mixture of any of the above

For example, to give five users access to a particular printer, you could add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you would again have to specify all five accounts in the permissions list for the new printer.

With a little planning, you can simplify this routine administrative task by creating a group with domain local scope and assigning it permission to access the printer. Put the five user accounts in a group with global scope and add this group to the group having domain local scope. When you want to give the five users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.

----------------------------

Why can't I just use a Global group with five users and assign it Printer permissions?
It says I have to add the Global group to a Domain local group and assign permissions on it.

thanks
MitchV85

You can use a global group and assign it permissions to the printer, however it is a best practice to use the A-G-DL-P model when assigning permissions. What this model means is that you put "user Accounts" into "Global groups" and then put the global groups into "Domain Local" groups and then assign permissions to that Domain Local group. This initially will take longer to set up but allows for future administration to be easier. That being said, while it is a recommended practice to use a Domain Local group to assign permissions, you should be able to use a global group just fine.

Hope this helps!

Mitch

ASKER

Would you give an example of making the administration easier? Just to comfort my heart :)

thanks
ASKER CERTIFIED SOLUTION
MitchV85
Another thing you'll be thanking yourself for is when three years from now when your company goes public and you have to comply with Sarbanes Oxley regulations regarding network security.  You will be able to say with confidence, "I can know by looking at the resource (actually, the security group that has permissions to the resource) which users have what permissions to the resource.  Here's why - because each resource has a security group for each different kind of permission.  Global Groups full of users are added to those Domain Local groups for permissions."

You (or the next admin after you're gone) will know and be in complete control of who's got what access to what resource.  It's a beautiful thing.

On the other hand, if you just apply permissions willy-nilly, after some time you'll end up with a morass of resources and permissions, and no understanding of how it all works.  You will not be able to tell any auditors or management that you are in control of this fairly basic level of security.  And that makes people cry.
Oh and after the crying is over, management will tell you that you have to get it together, and you'll decide that what you need to do is use A-G-DL-P like Mitch describes.  But that will be a long and tedious task, and the audit is in a month.  So you'll dig around online to find a tool that will scan the network and report on resources and their permissions - and you'll find one!  And it's eight thousand dollars!  And management refuses to spend any money on IT, because they view IT as a cost center, a necessary evil.  Even though it's a financial services company, where handling information is all the company does.  They'll tell you that you'll just have to do the whole thing manually (even though you point out to them that the salary they pay you over the time it will take to do it manually is way more than eight thousand dollars; they don't care about that, because your salary is already in the budget, and they're getting you pretty cheap anyway).

Now you will know what crying is.  They'll start calling you Ringo.  ("I've got blisters on my fingers!")
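To make both Mitch's A-G-DL-P description and the later auditing point ("look at the resource and know which users have what permission") concrete, here is an added PowerShell example. It is not code from any participant in this thread or from Microsoft's article. It assumes the ActiveDirectory module is available, and the domain CONTOSO (contoso.local), the OU path, the share paths and the five user names are all hypothetical placeholders. It uses shared folders instead of the thread's printers because NTFS ACLs are simpler to script; the group nesting is exactly the same.

```powershell
# Added example (not from the original thread). Hypothetical values:
# domain CONTOSO / contoso.local, OU and share paths, and the five user names.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=contoso,DC=local'
$shares = @{ 'DL-Finance-Modify' = 'D:\Shares\Finance'
             'DL-Budget-Modify'  = 'D:\Shares\Budget' }
$users  = 'alice', 'bob', 'carol', 'dave', 'erin'

# A -> G: the five accounts go into ONE global group that names the role (WHO).
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members $users

# G -> DL -> P: one domain local group per resource and permission level (WHAT),
# the global group nested into it, and the ACL granted ONLY to the DL group.
foreach ($dl in $shares.Keys) {
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity $dl -Members 'GG-Finance-Staff'

    $acl  = Get-Acl -Path $shares[$dl]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CONTOSO\$dl", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $shares[$dl] -AclObject $acl
}

# The payoff Mitch describes: a sixth person joining the team is one change to the
# global group, never a visit to each resource's permission list.
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'frank'

# The auditing payoff: answer "who can do what to this resource?" starting from the
# resource itself. Read its ACL, keep the DL-* entries, expand each one recursively
# (DL -> global groups -> users) and report one row per user and permission.
function Get-ResourceAccessReport {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Skip entries that are not resource groups (BUILTIN\Administrators, SYSTEM, ...)
        if ($ace.IdentityReference.Value -notlike '*\DL-*') { continue }

        $group  = $ace.IdentityReference.Value.Split('\')[1]
        $rights = $ace.FileSystemRights
        $type   = $ace.AccessControlType   # Allow or Deny

        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Resource   = $Path
                    Group      = $group
                    Type       = $type
                    Permission = $rights
                    User       = $_.SamAccountName
                }
            }
    }
}

Get-ResourceAccessReport -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

The report only works because every ACE on the resource names a domain local group with a predictable prefix; if users or global groups had been added directly to the permission lists over the years, the `-notlike '*\DL-*'` filter would silently drop those entries, which is exactly the "morass" the thread warns about. Extending the function to flag any ACE that does not point at a DL group is the first check an auditor would ask for.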