mvvinod

Understanding domain local, global and universal groups

Hi all,
I've read the difference several times between domain local, global and universal groups...I know we all have...but I'm still unclear about the actual differences and when to use which group.

Anyone providing me the difference between these from a security and distribution group perspective, or a link to a document that explains the difference with situations, will get the points.

Thank you all,
Vinod.
Jay_Jay70

Local security groups apply security settings locally and are used for localised administration etc.

Global security groups are your Domain Groups, which are created with the installation of AD (as you would know :) ). These groups, when operating at native mode, are able to be nested into other groups etc. within your domain environment.

Universal groups are one step higher and provide the ability of group nesting interdomain and across forests. If you have trusts configured between domains etc., you can nest a universal group in Domain A into either a universal group or a global group within Domain B. However, you cannot nest a global group from Domain A into Domain B.

I am sure there are other useful points out there about groups also, but these are some of the important ones,

Cheers mate
ASKER CERTIFIED SOLUTION
Jay_Jay70
This solution is only available to members.
mvvinod

ASKER

Great document....explains all clearly...

But I still have 2 questions...

If domain local can include users, global and univ groups from any domain and can set permission in the created domain, why in the document are they recommending global group instead of domain local? The reason for global is given that they have a single domain and don't have need for a universal group. But in that case, they don't even need a global group, right? Or am I missing something?

Also how does distribution group come into the picture of these group types ??

Thanks!
Vinod.

Hi,
Domain local groups are available only within the scope of the domain to which they belong but can have member objects from any domain across the forest.
But global groups can only have members from the same domain and are available forest wide. With Windows 2003 you can nest global groups.

So you can assign permission to a global group defined in a different domain in the current domain, but that cannot be done with the domain local group. For example, say you have two domains, a.com & b.com, and say you want to allow 500 users in b.com to print to a printer located in a.com. Then you can accomplish it in two ways:

1st - Create a domain local group in a.com, add all 500 users of b.com to this group one by one, and allow printing for the domain local group just created.
Alternatively,
2nd - Create a global group in b.com and add the groups in b.com which contain the 500 users. Then either directly allow printing for this global group in b.com on the printer, or create a domain local group in a.com, add the global group in b.com to the domain local group in a.com, and enable printing for the domain local group in a.com.

Rajat.
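
Rajat's second approach (a global group in b.com nested into a domain local group in a.com), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module and rights in both domains; the group names `GG-B-PrinterUsers`, `DL-A-Printer-Print` and `ExistingUserGroup` are hypothetical.

```powershell
# Added example: group names are hypothetical; a.com and b.com are the
# two domains used in the post above.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$resourceDomain = 'a.com'   # domain that hosts the printer
$accountDomain  = 'b.com'   # domain that holds the 500 users

# 1. Global group in b.com. A global group only accepts members
#    from its own domain, so it is created where the users live.
New-ADGroup -Name 'GG-B-PrinterUsers' -SamAccountName 'GG-B-PrinterUsers' `
    -GroupScope Global -GroupCategory Security -Server $accountDomain

# 2. Add the existing b.com group that already contains the users
#    (hypothetical name), instead of adding 500 accounts one by one.
$existing = Get-ADGroup -Identity 'ExistingUserGroup' -Server $accountDomain
Add-ADGroupMember -Identity 'GG-B-PrinterUsers' -Members $existing `
    -Server $accountDomain

# 3. Domain local group in a.com. It can only be granted permissions
#    inside a.com, but accepts members from other domains.
New-ADGroup -Name 'DL-A-Printer-Print' -SamAccountName 'DL-A-Printer-Print' `
    -GroupScope DomainLocal -GroupCategory Security -Server $resourceDomain

# 4. Cross-domain nesting. Fetch the b.com group as an object first:
#    a bare name would be looked up in a.com and not be found.
$gg = Get-ADGroup -Identity 'GG-B-PrinterUsers' -Server $accountDomain
Add-ADGroupMember -Identity 'DL-A-Printer-Print' -Members $gg `
    -Server $resourceDomain

# 5. Verify the nesting by reading the member attribute of the
#    domain local group; the b.com group's DN should be listed.
Get-ADGroup -Identity 'DL-A-Printer-Print' -Server $resourceDomain `
    -Properties member | Select-Object -ExpandProperty member
```

Print permission is then granted once to `DL-A-Printer-Print` on the printer in a.com, and later membership changes are made only in b.com.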
mvvinod

ASKER

Does anybody have any links or explanation as to the difference between groups when it comes to distribution groups?

Vinod.
Distribution groups are purely for email
mvvinod

ASKER

I understand that...But what is the difference in global, universal distribution groups etc.?

Vinod.
Same as security groups

Local Group - can contain members from any domain, can only be assigned permissions in the domain
Global Group - can only contain members from the domain, can be assigned permissions anywhere in the forest
Universal Group - can contain members from anywhere in the forest, can be assigned permissions anywhere in the forest
mvvinod

ASKER

Since it's a distribution group, where does the assign permission come into the picture from your above statement?

Vinod.
I don't quite understand your question.....
mvvinod

ASKER

In the previous post you said that "can contain members from any domain, can only be ASSIGNED PERMISSION in the domain".

How can you use the distribution group to assign permission?

Vinod.
Ah I see, I see. I honestly don't know with that, I didn't think that you could assign permissions to a dissy group. Confuses me just as much at the moment, trying to learn as I go with this Q :)
Cheers mate - sorry I couldn't make it clearer :)