Solved

When to use Global, Universal or Domain Local security  groups

Posted on 2007-11-24
6
6,793 Views
Last Modified: 2010-01-05
Can someone please explain to me in the most simple way when do I use a
Domain Local Security Group
Universal Security Group
Global Security Group

How do I knwo when to apply which one?

Thanks :)
0
Comment
Question by:noad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Expert Comment

by:bsharath
ID: 20344815
Hi,

Here is the link which explain about these groups.
http://kb.iu.edu/data/ahrl.html
0
 
LVL 1

Author Comment

by:noad
ID: 20344844
Still dont get it, sorry looking for a simple explaination.
Can you break it down
This for this, that for that???
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20344900
local security groups apply security settings locally and are used for localised administration etc

Global security groups are your Domain Groups which are created with the installation of AD (as you would know :) ) these groups when operating at native mode are able to be nested into other groups etc within your domain environment

Universal groups are one step higher and provide the ability of group nesting interdomain and forests. If you have trusts configured between domains etc, you can nest a universla group in domain a, into either a universal group or a global group within Domain B. However you cannot nest a global group from Domain A into Domain B

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21731197.html?sfQueryTermInfo=1+domain+global+group+local+secur+univers+us+when
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 250 total points
ID: 20345256
Hi!

Use global security groups to group user (or computer) accounts with simillar characteristics, for example members of Sales department.
Use domain local security groups to define access to resources (share, NTFS, printer), for example you would create domain local group "DL ColorPrinter Print" and assign print permission to this group. Then you would put global security group Sales in "DL ColorPrinter Print" group to enable printing for sales department. If marketing department wants to use the same printer you have to create global group Marketing and put this group in "DL ColorPrinter Print" group. This strategy is called A-G-DL-P. Put accounts in global groups, global groups in domain local groups and assign permissions to domain local groups and you will assign permission only once. Everything else happens in Active Directory Users and Computers when you modify groups memberships.

Universal groups should only be used in multiple domain forest. Universal groups are used to nest global groups. Group strategy is then called A-G-U-DL-P.

HTH

Toni
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 250 total points
ID: 20345908
Toniur has given a good explanation let me see  if I can simplify it a bit:

Global Groups:
Use these to group users with similar needs within the organisation, sales people, finance people, managers etc

Domain Local Groups:
Use these to specify access to resources eg database users, Colour Printer Users.

Universal Groups
Use only in mulitiple domains to give forest wide privilages.

Put users into Global groups
Apply permissions to Domain Local Groups
Nest Global groups in Domain Local groups to assign permissions
0
 
LVL 1

Author Comment

by:noad
ID: 20346596
Thanks guy's I think I got it now!
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question