Solved

Domain Environment

Posted on 2003-11-05
Last Modified: 2012-06-21
What is the advantage and disadvantage of using universal groups in a multi-domain environment?
Question by:musheer
11 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 9692051
No advantages.

BIG disadvantage of having to keep up with different types of groups.

If you want a rational environment, try Novell Directory Services. Runs atop Windoze, Linux, Solaris...and NetWare.
 
LVL 4

Expert Comment

by:Netelligen
ID: 9692098
Nice helpful answer there PsiCop.  Novell sure is kickin' some butt in market share, eh?

Anyway, musheer, as far as I understand it, a global group is specific to a domain while a universal group spans multiple domains in the active directory.  Universal Groups apply to distribution group types (vs. security groups) and allow membership from multiple domains.

Hope this helps.

Netelligen
 
LVL 6

Expert Comment

by:Casca1
ID: 9692134
Ummm, Netelligen, that's not quite right. Universal groups are not limited to the distribution scope; they are also security groups. Their primary use is to create group membership in multiple domains, where you may need to add members from several domains into 1 group, and then add that group as a security container for resources on any domain computer.
 
LVL 1

Accepted Solution

by:
zafar_ayub earned 250 total points
ID: 9692293
Hi;
A universal group is a security group and is used for assigning rights or permissions to users across the whole forest.

Advantages:
•      When you add any user to a universal group, it grants permissions across the whole forest, and the user is accessible throughout the forest (any domain controller, child domain, or DNS).
•      When you add a user to this group, it will be possible to access resources on any domain (as a member of a domain local group).

Disadvantages:
•      I think if you want to prevent a user from accessing other domains (if the user is a member of a universal group), it's quite typical.
•      From Network Neighborhood, the user is able to view the whole forest.

 
LVL 20

Expert Comment

by:ikm7176
ID: 9692894
Windows 2000 supports both types of Windows NT groups and adds e-mail functionality to these groups. A major change in Windows 2000 group design is that groups can function as either security groups (as they do in Windows NT) or distribution groups (groups that are mail-enabled). All Windows 2000 groups can function as one or both of these types, but for a group to assign users permissions to access resources, it must be a security group.

Domain Local

Domain local groups in Windows 2000 function the same as they do in Windows NT, except that in Windows 2000 you can have distribution groups as well as security groups. Groups with domain local scope have the following attributes:
• In a native-mode domain, groups can contain user accounts, global groups, and universal groups from any domain in the forest, as well as domain local groups from the same domain.
• In a mixed-mode domain, groups can contain user accounts and global groups from any domain.
• You can grant permissions to domain local groups only for objects in the domain in which the domain local group exists. You cannot grant permissions to network resources and public folders in other domains.
• You can convert a group to a universal group when it exists in a native-mode domain, provided there is not another domain local group nested inside.
• The group object is listed in the global catalog, but the group membership is not.
• Microsoft Outlook® users in other domains cannot view the full membership.
• Group membership must be retrieved on demand if expansion takes place in a remote domain.

Domain global groups limit membership to the local domain in which the group resides, but they have global scope. Global groups can be referenced in ACLs on resources in any domain. Global groups permit one level of nesting. This means you can have global groups as members of a parent global group, but only if the member global groups do not have any global groups as members. Global groups have the following attributes:
• Global groups in native-mode domains can contain user accounts from the same domain and global groups from the same domain.
• Global groups in mixed-mode domains can contain user accounts from the same domain.
• You can grant permissions to global groups for all domains in the forest, regardless of the location of the global group.
• A global group in a native-mode domain can be converted to a universal group, if it is not a member of any other global group.
• Global groups can contain only recipient objects from the same domain.
• The group object is listed in the global catalog, but the group membership is not.
• Outlook users in other domains cannot view the full membership.
• Group membership must be retrieved on demand if expansion takes place in a remote domain.

Universal Groups

Windows 2000 introduces a third group: the universal group. Universal groups behave most like Exchange 5.5 distribution lists. They have the following attributes:
• Universal groups in a native-mode domain can contain user accounts from any domain, global groups from any domain, and universal groups from any domain in the forest.
• Universal groups of the security type, called universal security groups (USGs), can be used only in native-mode domains; universal groups of the distribution type, called universal distribution groups (UDGs), can be used in mixed-mode and native-mode domains.
• You can grant permissions to universal groups for all domains in the forest, regardless of the location of the universal group.
• Universal groups cannot be converted to any other group scope.
• Outlook users in any domain can view full membership.
• Membership never needs to be retrieved from remote domain controllers.
• Membership modifications incur replication to the global catalog servers.

Note: In a single domain environment or a deployment of all Exchange servers in the same domain, you do not need to use universal groups. This is because scope and membership across domains, which universal groups provide, is not necessary in a single domain environment.

Uses for Universal Distribution Groups

Use UDGs in the same instances in which you used Exchange distribution lists in an Exchange 5.5 environment. UDGs can be used for e-mail distribution and are available on all domains and visible to all Outlook users. However, if your Exchange distribution list functioned as an ACL to a public folder, this group type is not appropriate. Only security groups can grant permissions to public folders, so you should use a security group.

Uses for Universal Security Groups

USGs are the most like existing Exchange 5.5 distribution lists that are used as ACLs for public folders. Use a USG to assign permissions to a public folder and retain membership and scope throughout the organization. Although you can create a USG only in a native-mode domain, you can use a mixed-mode membership. A USG allows members from mixed-mode domains, so you do not have to upgrade your entire environment to use USGs.
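The accepted answer and the group-scope attributes above (global membership stays in its own domain, universal membership is replicated to the global catalog, domain local groups can only be granted rights in their own domain) can be checked directly against a forest. The script below is an added example and is not code from the original thread or from any of its posters. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, a forest whose root domain is corp.example with a child domain emea.corp.example (both native mode), rights to create groups in both, and a global catalog at dc1.corp.example; every domain, host and group name is a placeholder.

```powershell
# Added example, not from the original thread. Placeholders: corp.example,
# emea.corp.example, dc1.corp.example and all group names. Requires RSAT
# ActiveDirectory and rights to create groups in both domains.
Import-Module ActiveDirectory

$Root  = 'corp.example'
$Child = 'emea.corp.example'
$GC    = 'dc1.corp.example:3268'   # port 3268 = global catalog, not the domain partition

# Universal *security* groups need a native-mode domain (mixed mode only allows
# universal distribution groups), so refuse to continue otherwise.
$mode = (Get-ADDomain -Server $Root).DomainMode
if ("$mode" -like '*Mixed*') {
    throw "Domain $Root is in mixed mode ($mode); universal security groups cannot be created here."
}

# A-G-U-DL-P: accounts go into a Global group in their own domain ...
$gRoot  = New-ADGroup -Name 'G-Finance-Root' -GroupScope Global -GroupCategory Security -Server $Root  -PassThru
$gChild = New-ADGroup -Name 'G-Finance-EMEA' -GroupScope Global -GroupCategory Security -Server $Child -PassThru

# ... the per-domain Global groups are collected in one Universal group ...
$u = New-ADGroup -Name 'U-Finance-All' -GroupScope Universal -GroupCategory Security -Server $Root -PassThru
Add-ADGroupMember -Identity $u -Members $gRoot, $gChild -Server $Root

# ... and a Domain Local group in the resource domain is what the ACL names. It may
# contain the Universal group, but it can only be granted rights inside its own domain.
$dl = New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Server $Child -PassThru
Add-ADGroupMember -Identity $dl -Members $u -Server $Child

# Nesting-rule check: a Global group may not contain a Universal group. The DC
# enforces this, so the add is expected to fail.
try {
    Add-ADGroupMember -Identity $gRoot -Members $u -Server $Root -ErrorAction Stop
    Write-Warning 'Unexpected: the DC accepted a Universal group as a member of a Global group.'
} catch {
    Write-Host "Expected rejection: $($_.Exception.Message)"
}

# The trade-off the thread is about: only the Universal group's member list is
# replicated to the global catalog, so it is readable from anywhere in the forest
# through port 3268, while the Global and Domain Local member lists are not.
foreach ($g in @($u, $gRoot, $dl)) {
    $viaGC = Get-ADGroup -Identity $g.DistinguishedName -Server $GC -Properties member
    [pscustomobject]@{
        Group       = $g.Name
        Scope       = $g.GroupScope
        MembersInGC = ($viaGC.member | Measure-Object).Count   # non-zero only for the Universal group
    }
}
```

Run it from a host that can reach a DC in each domain; the final table is the check worth keeping. MembersInGC is non-zero only for U-Finance-All, which is both the advantage (no remote-domain lookup at logon or expansion time) and the disadvantage (every membership change replicates to every global catalog, and any forest user who can query a GC can enumerate the list).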
 
LVL 34

Expert Comment

by:PsiCop
ID: 9701779
Well, Netelligen, your comment is typical of Micro$oft FUD. Here's a tip: Micro$oft LIES.

Marketshare for Directory Services? How about Ford Motor Company? United States Postal Service? The entire State Of North Carolina government?

What do YOU recommend to your clients? Whatever you think has the most marketshare, or what's going to do the job the best with the least cost and highest reliability? AD is a pathetic joke next to a mature and scalable Directory Service like eDirectory.
 
LVL 6

Expert Comment

by:Casca1
ID: 9701919
Guys!
I'm sure Netelligen didn't mean any offense.
And Bill is TRYING to tighten his stuff up, he's just trying to get his legal strategies tight first. ;-)

Seriously, I have worked with both, and although AD is good and improving, and NDS was first, and broadening their scope, they ARE compatible. Best? I would have to scratch my head and watch the fight. MS with the release of W2K3 has begun to change some things; Just watch the boot. It's starting to remind me of a Linux load. And no-one would dream of arguing the viability of the NDS structure, or its stability.

And personally, I recommend what the customer needs and can afford. 8-)
 
LVL 34

Expert Comment

by:PsiCop
ID: 9702045
Casca,

I appreciate your comments, although I honestly don't see any reason for head-scratching. AD is still, under the hood, NT 4 Domains. It's a 3-dimensional view of the same old 2-dimensional, flat address space. It has no timesync or partitioning ability. You have to reboot into special "directory repair" mode to perform repairs that NDS will do on the fly. I can add and remove NDS replicas to/from servers at will; whoops, gotta rebuild the entire AD server to make it a DC, or move from a DC to a simple member server. A Kerberos implementation that's deliberately (and for no good reason) incompatible with every other Kerberos. A tree structure chained by the neck to DNS, whether or not your organization's DNS is reflective of the best way to organize a directory service. Static inheritance and a huge database size.

And AD is available on only one platform. I can run NDS on Linux, Solaris, Tru64, OS/390, NT, 2K...I don't HAVE to have NetWare.
 
LVL 4

Expert Comment

by:Netelligen
ID: 9702239
PsiCop,

I personally have no problems with either OS or DS.

However, YOU are the one that "answered" his question with an implied "Microsoft Sucks."

My response simply stated that I didn't think your answer was very helpful and is based on the FACT that Novell is STILL losing market share overall and will probably be a waste of time to bother learning because it will probably not survive much longer given the current world economy.

So, what percentages are you thinking Microsoft and Novell have in the Server OS and/or Directory Services Marketshare?  Is it 50/50?  60/40?  I am not sure, but does Novell even have a 10% marketshare?  Do you want to talk about client?  How about the majority of the US Government?  How about every military contractor I have worked for?  How about every bank in South Africa?  Korea?  Australia?  New Zealand?  I know this from direct work experience.  By the way, if a company is NOT using Directory Services yet, but IS using Microsoft as their server OS, what DS do you think they are going to go with?

I am mostly a linux person myself, but the numbers speak for themselves after almost 20 years of competition between Microsoft and Novell.

I really don't care who is better or who is lying, that is all subjective and opinionated.

I simply want to try and answer the question given (although admittedly I was not quite correct in my answer for this one... I probably learn as much here as I help).

So, if you really hate Microsoft that much, why bother answering Microsoft questions?  And if you are trying to sell NDS, why not give a nice comment with links, stats, tips, etc to try and convince people of it instead of blowing a bunch of hot air?

Anyway, this is not my thread so I am going to stop wasting space here.

Netelligen
 
LVL 6

Expert Comment

by:Casca1
ID: 9703813
Psicop, like I said, good, Getting better, not great, and certainly not there yet. 8-)
As for the platform, that is newer, though I must admit, I doubt Bill would ever untie it from Windows...