Solved

When to use Global, Universal or Domain Local security groups

Posted on 2007-11-24
Last Modified: 2010-01-05
Can someone please explain to me in the most simple way when do I use a
Domain Local Security Group
Universal Security Group
Global Security Group

How do I know when to apply which one?

Thanks :)
0
Question by:noad
6 Comments
 
LVL 11

Expert Comment

by:bsharath
ID: 20344815
Hi,

Here is the link which explains these groups.
http://kb.iu.edu/data/ahrl.html
0
 
LVL 1

Author Comment

by:noad
ID: 20344844
Still don't get it, sorry, looking for a simple explanation.
Can you break it down
This for this, that for that???
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20344900
Local security groups apply security settings locally and are used for localised administration etc.

Global security groups are your Domain Groups which are created with the installation of AD (as you would know :) ). These groups, when operating at native mode, are able to be nested into other groups etc. within your domain environment.

Universal groups are one step higher and provide the ability of group nesting interdomain and forests. If you have trusts configured between domains etc., you can nest a universal group in Domain A into either a universal group or a global group within Domain B. However, you cannot nest a global group from Domain A into Domain B.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21731197.html?sfQueryTermInfo=1+domain+global+group+local+secur+univers+us+when
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 1000 total points
ID: 20345256
Hi!

Use global security groups to group user (or computer) accounts with similar characteristics, for example members of the Sales department.
Use domain local security groups to define access to resources (share, NTFS, printer). For example, you would create the domain local group "DL ColorPrinter Print" and assign print permission to this group. Then you would put the global security group Sales in the "DL ColorPrinter Print" group to enable printing for the sales department. If the marketing department wants to use the same printer, you have to create the global group Marketing and put this group in the "DL ColorPrinter Print" group. This strategy is called A-G-DL-P. Put accounts in global groups, global groups in domain local groups, and assign permissions to domain local groups, and you will assign permission only once. Everything else happens in Active Directory Users and Computers when you modify group memberships.

Universal groups should only be used in a multiple-domain forest. Universal groups are used to nest global groups. The group strategy is then called A-G-U-DL-P.

HTH

Toni
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 1000 total points
ID: 20345908
Toniur has given a good explanation, let me see if I can simplify it a bit:

Global Groups:
Use these to group users with similar needs within the organisation: sales people, finance people, managers etc.

Domain Local Groups:
Use these to specify access to resources, e.g. database users, Colour Printer Users.

Universal Groups:
Use only in multiple domains to give forest-wide privileges.

Put users into Global groups
Apply permissions to Domain Local Groups
Nest Global groups in Domain Local groups to assign permissions
0
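The A-G-DL-P pattern from the two answers above, applied to the colour-printer case and followed by a membership audit. This is an added example, not code posted by anyone in the thread. It assumes the RSAT ActiveDirectory module; the OU path and the user names are placeholders, and the `Get-AgdlpViolation` helper is hypothetical.

```powershell
# Added example: A-G-DL-P for the "DL ColorPrinter Print" case, plus a nesting audit.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=com'   # placeholder OU, adjust to your domain

# A -> G: global groups collect accounts that share a role.
New-ADGroup -Name 'Sales'     -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'Marketing' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales' -Members 'alice', 'bob'   # placeholder users

# DL: one domain local group per resource and permission.
New-ADGroup -Name 'DL ColorPrinter Print' -GroupScope DomainLocal `
            -GroupCategory Security -Path $ou

# G -> DL: nest the role groups in the resource group.
Add-ADGroupMember -Identity 'DL ColorPrinter Print' -Members 'Sales', 'Marketing'

# P: grant Print to 'DL ColorPrinter Print' once, in the printer's security
# settings. Later access changes are group membership changes only.

# Audit: list memberships that bypass the pattern (strict reading of A-G-DL-P).
function Get-AgdlpViolation {
    param([Parameter(Mandatory)][string]$SearchBase)
    foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        foreach ($m in Get-ADGroupMember -Identity $g) {
            $bad = switch ([string]$g.GroupScope) {
                # Accounts placed directly in a resource group skip the role layer.
                'DomainLocal' { $m.objectClass -ne 'group' }
                # Role groups should hold accounts, not other groups.
                'Global'      { $m.objectClass -eq 'group' }
                default       { $false }
            }
            if ($bad) {
                [pscustomobject]@{
                    Group  = $g.Name
                    Scope  = $g.GroupScope
                    Member = $m.SamAccountName
                    Class  = $m.objectClass
                }
            }
        }
    }
}

Get-AgdlpViolation -SearchBase $ou | Format-Table -AutoSize
```

An empty result means every permission under that OU is reachable only through a role group, so reviewing who can use a resource comes down to reading global group membership.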
 
LVL 1

Author Comment

by:noad
ID: 20346596
Thanks guys, I think I got it now!
0
