• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 823

What is the purpose of adding global/universal groups to domain local groups?

Hi,

I don't know if this is the right place to ask this question but I'm sure somebody could give me an answer - it is more of an enquiry than a technical problem.

Ok. I am studying for my final MCSA exam (only 70-290 left) and I almost have the whole domain local/global/universal group concept nailed, but I have a nagging question in the back of my head which makes my test questions difficult to answer without thinking I am right!

So let's say we have 1 forest, 2 domains. Each domain has a global group called 'accountants' and of course, contains the accountants for their domains. Now, there is a shared folder in each domain called 'Accounts Data' for which the accountants of both domains need full control. So, it begs the question. If you really wanted to minimise the number of groups you are using, why would you not create a universal group called accountants, then either just add all of the accountants of the domains to the one big universal group or add the two global accountants groups to the universal accountants group. You could then just add this one universal accountants group to the DACL of the shared folder, and therefore have one simple ACE on the DACL of the folder and keep things nice and tidy? (And yes, this group won't change often so there shouldn't be a lot of replication traffic generated from its changing membership.)

It seems that Microsoft would have you either add those global groups to the domain local groups in the domain or add the universal group to a domain local group in the domain and add an entry to the DACL of the shared folder for the domain local group. But it's not like the DACL can only contain ACEs of domain local groups, you can add a universal or global group to the DACL of an object (the group just needs a SID, which it gets by being a security group). Therefore, it seems like a whole load of administration work and a lot more calculation on the administrator's side to understand who has access to a file or folder when you could simply identify it by looking at the DACL and saying 'oh, the global group or the universal group has access' instead of 'oh god, I'd better figure out who belongs to that group and its groups' and calculating backwards.

And the weirdest part of it all, the test prep questions always ask you to use the minimum number of groups, yet in their MS Press book, they encourage using all of these groups as the way to do it for simplifying and breaking the network down into smaller, more manageable structures. To me, it just makes a simple process more complicated.

Or perhaps there is something I am not considering...
Asked by: sparky2156
1 Solution
 
aces4all2008 commented:
Unless they've changed things drastically the answer they are looking for is usually going to be some form of User > Domain Global > Domain Local > Resource.

They don't tell you when you are studying for the test but there are practical reasons for doing things this way and most of them center on the Global Catalog. The simple reason is that extensive use of Universal groups increases the size of the Global Catalog and the load on the Global Catalog Servers. Overuse of universal groups can have a significant impact on network performance.

For more information on the Global Catalog see:

http://technet.microsoft.com/en-us/library/cc728188.aspx
 
smashpmk712 commented:
Okay, say you have contoso.com, you also have ny.contoso.com and LA.Contoso.com. Now you have an Accountants OU in both the NY and LA domains. You also have shared "Accountants" folders in both NY and LA. The theory is that if you have a domain global accts group in both domains and they are a part of a domain universal group then you have the flexibility to add the accts domain global groups in either domain to a shared folder individually, or you can add both of the domain global groups to a domain universal group and add the entire accts staff to a folder.

This is handy because if later on down the line you add a shared folder in the LA office that only LA accts need access to then all you have to do is add the domain global group to the share. However if you hired a new employee in LA you would only have to add him to the one group and he would have membership to all respective places.

As for your question about adding both domain global groups to the folders that all accts need access to: if you add an office ... let's say denver.contoso.com. Now Denver has an accounting department. All you have to do is make a domain global group and add it to the domain universal group and all is right.... Make sense?
 
Americom commented:
To grant permission on the shared folder, you can only grant it to a user account, a global or universal group from the local domain, or a domain local group from the local domain.
You don't want to use individual user accounts as it's high maintenance. Since you cannot grant to a global or universal group from a foreign domain, you are left with only the Domain Local group. This group will be used to grant permission in a multiple domain environment.

Depending on how the business is structured and the history of their domain environment, there is no one solution that fits all.
But in general, you organize users in the domain by global group in its domain by the helpdesk supporting that domain. Then you add these global groups to either the universal group or directly to the Domain Local group. Of course if there are specific resources that only need to be managed by the helpdesk of one particular domain, then you can add users from both domains to this Universal group. If there is already a global group consisting of those users you would add the global group instead of users. Even if there's no global group created, you should still create the global group. There are Universal groups that for security reasons are restricted and managed specifically by an admin in a particular domain, and this Universal group should not add global groups from the other domain as this creates a security hole where an admin on the other domain can add users to their global group which is added in the universal group...
 
LauraEHunterMVP commented:
The business reason for it stems from an assumption of a multi-domain forest, which in the early days of Active Directory was what MS assumed everyone should deploy. By doing AGUDLP group nesting, you're only ever changing the membership of the global group, which doesn't replicate beyond the domain boundary and thus saves on replication traffic.

If you're in a single-domain forest in your "real-world" implementation, you're going to make everything a global group or a universal group. Learn the AGUDLP way to pass the test, then go do it for real in a way that makes sense - it's what everyone else does. :-)
 
sparky2156 (Author) commented:
Hi, thank you for all of your responses.

So let's get this right, I can only add a global/universal group to the DACL of a resource if that global or universal group exists in the same domain as the resource?

Also, as for what smashpmk712 said, it makes sense to use these global/universal groups in this respect, however I have always been under the impression that if I made a universal group in a domain in the forest, I could use that group in any other domain in the forest due to their domain-wide scope (but from what Americom has said, it seems that it can hold any group from any domain in the forest, but not actually be used in any domain in the forest, rather it can only be used in the domain in which it resides).

And if this is the case, it explains why I would add universal or global groups from one domain to a domain local or global group in a different domain. Up until now, I have always thought that universal groups had universal scope in terms of being applied to resources, as mentioned above.

Could one of you please clarify this for me?

Also, LauraEHunterMVP, you raise a very valid point - there is no substitute for doing the job in real life and it always works out differently in practice. It's great to hear that from an MVP!
 
LauraEHunterMVP commented:
It goes like this:

Domain Local groups can contain users/groups from anywhere in the local forest or any trusted forest, but can only be used to secure resources from the same domain that the group resides in because the group does not "exist" outside of that domain.

Global groups can contain users/groups only from within the same domain, but can be used to secure resources in any domain in the local forest or any trusting forest.

Universal groups can contain users/groups from anywhere, and can secure resources anywhere. This flexibility comes at the potential expense of replication overhead in a multi-domain environment, since changes to universal group membership are replicated to the global catalog.
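The scope rules Laura lays out (what each group scope may contain, and where it may be used to secure a resource) can be written down as a small checker and run against a proposed design before anyone touches the directory. The Python below is an added example for this thread, not code from any of the posters or from Microsoft. The domain names ny.contoso.com and la.contoso.com come from smashpmk712's scenario; the users, group names and the externally trusted domain fabrikam.com are constructed for the example. Beyond what Laura states, it encodes the standard Active Directory nesting rules as assumptions: global groups hold only users and global groups from their own domain, universal groups hold members from anywhere in the forest but not from external trusts, and domain local groups also accept members from trusted domains but only nest other domain local groups from their own domain. It validates an AGDLP layout for sparky2156's two-domain 'Accounts Data' case and then flags a design that breaks the rules.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed forest for the example: contoso.com with the two child domains from the thread.
FOREST = {"contoso.com", "ny.contoso.com", "la.contoso.com"}
# Constructed domain reachable only over an external trust (not part of the forest).
TRUSTED = {"fabrikam.com"}


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "universal" or "domainlocal"


def nesting_error(group: Principal, member: Principal) -> Optional[str]:
    """Return None if `member` may be nested in `group`, else the rule that forbids it."""
    same = group.domain == member.domain
    who = f"{member.kind} '{member.name}' ({member.domain}) in {group.kind} '{group.name}' ({group.domain})"
    if group.kind == "global":
        # Assumed rule: global groups accept only users/global groups from their own domain.
        if member.kind not in ("user", "global") or not same:
            return f"global groups hold only users/global groups from their own domain: {who}"
    elif group.kind == "universal":
        # Assumed rule: universal groups accept users/global/universal groups from the forest only.
        if member.kind == "domainlocal" or member.domain not in FOREST:
            return f"universal groups hold users/global/universal groups from this forest only: {who}"
    elif group.kind == "domainlocal":
        # Laura's rule: anything from the forest or a trusted domain; other domain local
        # groups (assumed) only from the same domain.
        if member.kind == "domainlocal" and not same:
            return f"domain local groups nest other domain local groups only from their own domain: {who}"
        if member.domain not in FOREST | TRUSTED:
            return f"member comes from an untrusted domain: {who}"
    else:
        return f"'{group.name}' is a {group.kind}, not a group"
    return None


def ace_error(group: Principal, resource_domain: str) -> Optional[str]:
    """Return None if `group` may appear on an ACL of a resource in `resource_domain`."""
    # Laura's rule: a domain local group does not exist outside its own domain;
    # global and universal groups can secure resources in any domain of the forest
    # or any trusting domain.
    if group.kind == "domainlocal" and group.domain != resource_domain:
        return (f"domain local '{group.name}' does not exist outside {group.domain}; "
                f"it cannot secure a resource in {resource_domain}")
    return None


def check_design(nesting: List[Tuple[Principal, Principal]],
                 aces: List[Tuple[Principal, str]]) -> List[str]:
    """Collect every rule violation in a (group, member) nesting plan and a (group, domain) ACE plan."""
    errors = []
    for group, member in nesting:
        err = nesting_error(group, member)
        if err:
            errors.append(err)
    for group, resource_domain in aces:
        err = ace_error(group, resource_domain)
        if err:
            errors.append(err)
    return errors


# Constructed principals for sparky2156's scenario.
ny_user = Principal("jdoe", "ny.contoso.com", "user")
la_user = Principal("asmith", "la.contoso.com", "user")
ny_acct = Principal("NY Accountants", "ny.contoso.com", "global")
la_acct = Principal("LA Accountants", "la.contoso.com", "global")
all_acct = Principal("All Accountants", "contoso.com", "universal")
ny_share_dl = Principal("NY Accounts Data - Full Control", "ny.contoso.com", "domainlocal")
la_share_dl = Principal("LA Accounts Data - Full Control", "la.contoso.com", "domainlocal")

# AGDLP: Accounts -> Global -> (Universal) -> Domain Local -> Permission on the share.
AGDLP_NESTING = [
    (ny_acct, ny_user), (la_acct, la_user),
    (all_acct, ny_acct), (all_acct, la_acct),
    (ny_share_dl, all_acct), (la_share_dl, all_acct),
]
AGDLP_ACES = [(ny_share_dl, "ny.contoso.com"), (la_share_dl, "la.contoso.com")]

# Broken design: a foreign user in a global group, and NY's domain local group on the LA share.
BAD_NESTING = [(ny_acct, la_user)]
BAD_ACES = [(ny_share_dl, "la.contoso.com")]

if __name__ == "__main__":
    print("AGDLP design:", check_design(AGDLP_NESTING, AGDLP_ACES) or "no violations")
    for problem in check_design(BAD_NESTING, BAD_ACES):
        print("VIOLATION:", problem)
```

Adding a Denver domain to the AGDLP plan, as smashpmk712 describes, is one new global group and one new `(all_acct, denver_acct)` nesting edge; the two domain local groups and the share DACLs stay untouched, which is the point of the pattern.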
 
Americom commented:
Sparky2156, I need to make some corrections regarding my comments above:
Laura is correct on the Global and Universal groups that can secure resources in any domain in the local forest or any trusting forest regardless of the type of trust, forest or external.

It's just that you SHOULD NOT grant permission to a shared resource to a global group from a foreign domain or to a Universal group. As Laura indicated, each time you change the membership of a Universal group, you are creating replication overhead. So, you need to avoid having a Universal group that you are constantly moving users or global groups in/out of. Department staff do not change as frequently and it may not be that bad to use a universal group. But for shares that are accessed by multiple departments or all users across domains, you definitely would want to control membership by global group and if needed add them to a Universal Group. But you should still grant permission by Domain Local group instead of Universal group, especially for shares that need to grant access to multiple departments and therefore could involve multiple global and universal groups. Another reason is that you should not grant permission to a Global group from a different domain to shared resources.

The key to managing your shared resources, particularly on a large file server, is that you want to grant access by group and not by user. Even better, by fewer groups rather than more groups. Here's the reason why: if you have a shared folder consisting of hundreds of thousands of sub-folders and millions of files, each time you adjust the NTFS permission, you are making a status change on those folders and files. This adjustment can take you hours to get through and it could mess up your incremental or differential daily backup!
 
sparky2156 (Author) commented:
Good answer