Domain Local group vs Global group

cakirfatih used Ask the Experts™

I came across this text on the MS web site about using groups in AD:

When to use groups with domain local scope
Groups with domain local scope help you define and manage access to resources within a single domain. These groups can have as their members:

• Groups with global scope
• Groups with universal scope
• Accounts
• Other groups with domain local scope
• A mixture of any of the above

For example, to give five users access to a particular printer, you could add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you would again have to specify all five accounts in the permissions list for the new printer.

With a little planning, you can simplify this routine administrative task by creating a group with domain local scope and assigning it permission to access the printer. Put the five user accounts in a group with global scope and add this group to the group having domain local scope. When you want to give the five users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.


Why can't I just use a Global group with five users and assign it printer permissions?
It says I have to add the Global group to a Domain local group and assign permissions on it.


You can use a global group and assign it permissions to the printer; however, it is a best practice to use the A-G-DL-P model when assigning permissions. What this model means is that you put "user Accounts" into "Global groups", then put the global groups into "Domain Local" groups, and then assign permissions to that Domain Local group. This initially takes longer to set up but makes future administration easier. That being said, while it is a recommended practice to use a Domain Local group to assign permissions, you should be able to use a global group just fine.

Hope this helps!



Would you give an example of making the administration easier? Just to comfort my heart :)

A good example is if you have an accounting share and there are many different global groups that need access to this share. Rather than adding many different global groups to give the same access (let's say Read permissions) to this share, you can create one Domain Local group named "DL Accounting Read" and put all of the global groups that need read access to the share within this group. This allows you to set permissions for multiple groups through one easily managed group on the permissions and security tab of the share. This helps because you avoid the situation where a user is a member of more than one global group and one of those global groups' permissions is configured incorrectly, so you have to go through each one to figure out which. Overall it makes management much easier. Although this is a best practice, if you have a small enough environment that will not be expanding quickly, you can manage permissions through Global Groups just as effectively. But if your environment is mid-size to large, you will definitely want to put in the extra time initially, as using A-G-DL-P will make your life much easier.

I hope this helps; there are also many support articles in Microsoft's Knowledge Base that cover this as well.

Best of luck!

Another thing you'll be thanking yourself for is when, three years from now, your company goes public and you have to comply with Sarbanes-Oxley regulations regarding network security. You will be able to say with confidence, "I can know by looking at the resource (actually, the security group that has permissions to the resource) which users have what permissions to the resource. Here's why: because each resource has a security group for each different kind of permission. Global Groups full of users are added to those Domain Local groups for permissions."

You (or the next admin after you're gone) will know and be in complete control of who's got what access to what resource.  It's a beautiful thing.

On the other hand, if you just apply permissions willy-nilly, after some time you'll end up with a morass of resources and permissions, and no understanding of how it all works.  You will not be able to tell any auditors or management that you are in control of this fairly basic level of security.  And that makes people cry.

Oh and after the crying is over, management will tell you that you have to get it together, and you'll decide that what you need to do is use A-G-DL-P like Mitch describes.  But that will be a long and tedious task, and the audit is in a month.  So you'll dig around online to find a tool that will scan the network and report on resources and their permissions - and you'll find one!  And it's eight thousand dollars!  And management refuses to spend any money on IT, because they view IT as a cost center, a necessary evil.  Even though it's a financial services company, where handling information is all the company does.  They'll tell you that you'll just have to do the whole thing manually (even though you point out to them that the salary they pay you over the time it will take to do it manually is way more than eight thousand dollars; they don't care about that, because your salary is already in the budget, and they're getting you pretty cheap anyway).

Now you will know what crying is.  They'll start calling you Ringo.  ("I've got blisters on my fingers!")
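An added example, not taken from the thread or from Microsoft: a PowerShell sketch of the A-G-DL-P layout described above, followed by the "look at the resource and know who has what" report the audit argument relies on. It assumes the ActiveDirectory RSAT module, an existing set of global groups, and a share path; all names are constructed placeholders.

```powershell
# Added example, not from the thread: build an A-G-DL-P assignment for one
# folder share and then report which users hold which permission on it.
# Assumes the ActiveDirectory RSAT module; the path and group names below
# are constructed placeholders, and the global groups already exist.
Import-Module ActiveDirectory

$SharePath    = 'D:\Shares\Accounting'                  # constructed placeholder
$GlobalGroups = 'G Accounting Staff', 'G Payroll Staff'  # constructed placeholders
$DlGroup      = 'DL Accounting Read'

# G -> DL: one domain local group per resource and permission level,
# with the global groups (which hold the user Accounts) nested inside it.
if (-not (Get-ADGroup -Filter "Name -eq '$DlGroup'")) {
    New-ADGroup -Name $DlGroup -GroupScope DomainLocal -GroupCategory Security
}
foreach ($g in $GlobalGroups) {
    Add-ADGroupMember -Identity $DlGroup -Members (Get-ADGroup -Filter "Name -eq '$g'")
}

# DL -> P: the ACL on the resource names only the domain local group.
$acl  = Get-Acl -Path $SharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:USERDOMAIN\$DlGroup", 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Audit: read the resource's ACL, expand every group in it recursively, and
# emit one row per (user, permission). This is the "look at the resource and
# know who has what" check the answer above describes.
function Get-EffectiveShareAccess {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $grp  = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $grp) { continue }   # built-in SIDs and direct user ACEs are skipped here
        Get-ADGroupMember -Identity $grp -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    User       = $_.SamAccountName
                    Via        = $name
                    Permission = $ace.FileSystemRights
                    Type       = $ace.AccessControlType
                }
            }
    }
}
Get-EffectiveShareAccess -Path $SharePath | Sort-Object User | Format-Table -AutoSize
```

Run the report against a share that was permissioned "willy-nilly" and the rows with no group (or with a direct user ACE) are exactly the ones an auditor will ask about.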
