We help IT Professionals succeed at work.

Understanding domain local, global and universal groups

mvvinod
mvvinod asked
on
1,351 Views
Last Modified: 2012-06-27
Hi all,
  I've read the difference several times between domain local, global and universal groups...i know we all have...but i'm still unclear about the actual differences and when to use which group..

Anyone providing me difference between these from security and distribution group perspective or provide link to document that explains the difference with situation will get the points....

Thank you all,
Vinod.
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2006

Commented:
local security groups apply security settings locally and are used for localised administration etc

Global security groups are your Domain Groups which are created with the installation of AD (as you would know :) ) these groups when operating at native mode are able to be nested into other groups etc within your domain environment

Universal groups are one step higher and provide the ability of group nesting interdomain and forests. If you have trusts configured between domains etc, you can nest a universla group in domain a, into either a universal group or a global group within Domain B. However you cannot nest a global group from Domain A into Domain B

I am sure there are other useful points out there about groups also, but these are some of the important ones,

Cheers mate
CERTIFIED EXPERT
Top Expert 2006
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Great document....explain all clearly...

But i still have 2 questions...

If domain local can include users,global and univ groups from any domain and can set permission in the created domain, why in the document they are recommending global group instead of domain local. The reason for global is given that they have single domain and dont have need for universal group. But in that case, they dont even need global group right???? Or am i missing something ???

Also how does distribution group come into the picture of these group types ??

Thanks!
Vinod.
Hi,
Domain local groups are available only with in the scope of the domain to which they belong but can have mebmer objects from any domain across the forest.
But, Global groups can only have members from the same domain and are available forest wide. With windows 2003 you can nest global groups.

So you can assign permission to a global group defined in a different domain in the current domain bit that cannot be done with the domain local group. For example, say you have to domains a.com & b.com and say you want to allow 500 users in b.com to print to a printer locatd in a.com. then you can accomplish it in  ways

1st - create a domain local group in a.com and add one by one all 500 users of b.com to this group and allow printing for the domain local group just created.
alternatively
2nd - Create a global group in b.com and add the groups in b.com which contain the 500 users. Then either directly allow printing for this global group in b.com in the printer or create a domain local group in a.com and add the global group in b.com to the domain local group in a.com and enable printing for the domain local group in a.com

Rajat.

Author

Commented:
Does anybody have any links or explanation as to difference between groups when it comes to distribution groups ?????

Vinod.
CERTIFIED EXPERT
Top Expert 2006

Commented:
CERTIFIED EXPERT
Top Expert 2006

Commented:
Distribution groups are purely for email

Author

Commented:
I understand that...But what is the difference in global, universal distribution group etc ??

Vinod.
CERTIFIED EXPERT
Top Expert 2006

Commented:
same as security groups

Local Group - can contain members from any domain, can only be assigned permissions in the domain
Global Group - can only contain members from the domain, can be assigned permissions anywhere in the forest
Universal Group - can contain members from anywhere in the forest, can be assigned permissions anywhere in the forest

Author

Commented:
Since its a distribution group, where does the assign permission come into picture from your above statement ????

Vinod.
CERTIFIED EXPERT
Top Expert 2006

Commented:
i dont quite understand your question.....

Author

Commented:
In the previous post you said that "can contain members from any domain, can only be ASSIGNED PERMISSION in the domain".

How can you use the distribution group to assign permission ????

Vinod.
CERTIFIED EXPERT
Top Expert 2006

Commented:
ah i see i see, i honestly dont know with that, i didnt think that you could assign permissions to a dissy group, confuses me just as much at the moment, trying to learn as i go with this Q :)
CERTIFIED EXPERT
Top Expert 2006

Commented:
cheers mate - sorry i couldnt make it clearer :)

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.