Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

When to use Global, Universal or Domain Local security  groups

Posted on 2007-11-24
6
Medium Priority
?
6,831 Views
Last Modified: 2010-01-05
Can someone please explain to me in the most simple way when do I use a
Domain Local Security Group
Universal Security Group
Global Security Group

How do I knwo when to apply which one?

Thanks :)
0
Comment
Question by:noad
6 Comments
 
LVL 11

Expert Comment

by:bsharath
ID: 20344815
Hi,

Here is the link which explain about these groups.
http://kb.iu.edu/data/ahrl.html
0
 
LVL 1

Author Comment

by:noad
ID: 20344844
Still dont get it, sorry looking for a simple explaination.
Can you break it down
This for this, that for that???
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20344900
local security groups apply security settings locally and are used for localised administration etc

Global security groups are your Domain Groups which are created with the installation of AD (as you would know :) ) these groups when operating at native mode are able to be nested into other groups etc within your domain environment

Universal groups are one step higher and provide the ability of group nesting interdomain and forests. If you have trusts configured between domains etc, you can nest a universla group in domain a, into either a universal group or a global group within Domain B. However you cannot nest a global group from Domain A into Domain B

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21731197.html?sfQueryTermInfo=1+domain+global+group+local+secur+univers+us+when
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 1000 total points
ID: 20345256
Hi!

Use global security groups to group user (or computer) accounts with simillar characteristics, for example members of Sales department.
Use domain local security groups to define access to resources (share, NTFS, printer), for example you would create domain local group "DL ColorPrinter Print" and assign print permission to this group. Then you would put global security group Sales in "DL ColorPrinter Print" group to enable printing for sales department. If marketing department wants to use the same printer you have to create global group Marketing and put this group in "DL ColorPrinter Print" group. This strategy is called A-G-DL-P. Put accounts in global groups, global groups in domain local groups and assign permissions to domain local groups and you will assign permission only once. Everything else happens in Active Directory Users and Computers when you modify groups memberships.

Universal groups should only be used in multiple domain forest. Universal groups are used to nest global groups. Group strategy is then called A-G-U-DL-P.

HTH

Toni
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 1000 total points
ID: 20345908
Toniur has given a good explanation let me see  if I can simplify it a bit:

Global Groups:
Use these to group users with similar needs within the organisation, sales people, finance people, managers etc

Domain Local Groups:
Use these to specify access to resources eg database users, Colour Printer Users.

Universal Groups
Use only in mulitiple domains to give forest wide privilages.

Put users into Global groups
Apply permissions to Domain Local Groups
Nest Global groups in Domain Local groups to assign permissions
0
 
LVL 1

Author Comment

by:noad
ID: 20346596
Thanks guy's I think I got it now!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Screencast - Getting to Know the Pipeline

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question