?
Solved

When to use Global, Universal or Domain Local security  groups

Posted on 2007-11-24
6
Medium Priority
?
6,811 Views
Last Modified: 2010-01-05
Can someone please explain to me in the most simple way when do I use a
Domain Local Security Group
Universal Security Group
Global Security Group

How do I knwo when to apply which one?

Thanks :)
0
Comment
Question by:noad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Expert Comment

by:bsharath
ID: 20344815
Hi,

Here is the link which explain about these groups.
http://kb.iu.edu/data/ahrl.html
0
 
LVL 1

Author Comment

by:noad
ID: 20344844
Still dont get it, sorry looking for a simple explaination.
Can you break it down
This for this, that for that???
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20344900
local security groups apply security settings locally and are used for localised administration etc

Global security groups are your Domain Groups which are created with the installation of AD (as you would know :) ) these groups when operating at native mode are able to be nested into other groups etc within your domain environment

Universal groups are one step higher and provide the ability of group nesting interdomain and forests. If you have trusts configured between domains etc, you can nest a universla group in domain a, into either a universal group or a global group within Domain B. However you cannot nest a global group from Domain A into Domain B

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21731197.html?sfQueryTermInfo=1+domain+global+group+local+secur+univers+us+when
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 1000 total points
ID: 20345256
Hi!

Use global security groups to group user (or computer) accounts with simillar characteristics, for example members of Sales department.
Use domain local security groups to define access to resources (share, NTFS, printer), for example you would create domain local group "DL ColorPrinter Print" and assign print permission to this group. Then you would put global security group Sales in "DL ColorPrinter Print" group to enable printing for sales department. If marketing department wants to use the same printer you have to create global group Marketing and put this group in "DL ColorPrinter Print" group. This strategy is called A-G-DL-P. Put accounts in global groups, global groups in domain local groups and assign permissions to domain local groups and you will assign permission only once. Everything else happens in Active Directory Users and Computers when you modify groups memberships.

Universal groups should only be used in multiple domain forest. Universal groups are used to nest global groups. Group strategy is then called A-G-U-DL-P.

HTH

Toni
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 1000 total points
ID: 20345908
Toniur has given a good explanation let me see  if I can simplify it a bit:

Global Groups:
Use these to group users with similar needs within the organisation, sales people, finance people, managers etc

Domain Local Groups:
Use these to specify access to resources eg database users, Colour Printer Users.

Universal Groups
Use only in mulitiple domains to give forest wide privilages.

Put users into Global groups
Apply permissions to Domain Local Groups
Nest Global groups in Domain Local groups to assign permissions
0
 
LVL 1

Author Comment

by:noad
ID: 20346596
Thanks guy's I think I got it now!
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question