• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 333
  • Last Modified:

Active Directory Groups Global/Universal

Experts,

We have quite a few groups setup in our organization.  These groups have email addresses and when we send email to the group sometimes the members get the email, but most times they don't.  The groups with the trouble seem to be security groups with a group scope of global.  We changed the groups to have a universal group scope and now the members are receiving their emails.  All the members of these groups are in the same domain, so why would that make a difference?
0
Rowdyone52
Asked:
Rowdyone52
  • 3
  • 2
1 Solution
 
aiailaCommented:
Why are you using security group with email address? Why not use distribution group?
0
 
Rowdyone52Author Commented:
Distribution Group...Not security group
0
 
f_umarCommented:
Universal
Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise.

Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely.
Global
Global groups are the primary scope of groups into which users are placed in Mixed-mode domains. Global groups can be placed only in the security descriptors of resource objects that reside in the same domain. This means that you cannot restrict access to an object based solely on user membership in a global group from another domain.

Global group membership for a user is evaluated when that user logs on to a domain. Because global group membership is domain-centric, changes in global group membership do not impose global catalog replication throughout an entire enterprise.

In a Native-mode domain, global groups can be nested within each other. This may be useful when administrators have nested organizational units, and want to delegate Organizational Unit (OU) administrative functionality in a gracefully decreasing manner down an OU tree. In this situation, a global group tree can be used as a parallel construct, for the assignment of such decreasing privileges
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Rowdyone52Author Commented:
Do you know why users of global groups wouldnt get emails, while users in Universal groups would?
0
 
f_umarCommented:
i think because Global group membership for a user is evaluated when that user logs on to a domain. Because global group membership is domain-centric, changes in global group membership do not impose global catalog replication throughout an entire enterprise.

Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise.
0
 
f_umarCommented:
thanks :-)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now