I don't know if this is the right place to ask this question, but I'm sure somebody could give me an answer. It is more of an enquiry than a technical problem.
OK. I am studying for my final MCSA exam (only 70-290 left) and I almost have the whole domain local/global/universal group concept nailed, but I have a nagging question in the back of my head which makes my test questions difficult to answer without thinking I am right!
So let's say we have 1 forest, 2 domains. Each domain has a global group called 'Accountants' and of course contains the accountants for their domains. Now, there is a shared folder in each domain called 'Accounts Data' for which the accountants of both domains need full control. So, it begs the question: if you really wanted to minimise the number of groups you are using, why would you not create a universal group called Accountants, then either just add all of the accountants of the domains to the one big universal group or add the two global Accountants groups to the universal Accountants group? You could then just add this one universal Accountants group to the DACL of the shared folder, and therefore have one simple ACE on the DACL of the folder and keep things nice and tidy? (And yes, this group won't change often, so there shouldn't be a lot of replication traffic generated from its changing membership.)
It seems that Microsoft would have you either add those global groups to the domain local groups in the domain, or add the universal group to a domain local group in the domain and add an entry to the DACL of the shared folder for the domain local group. But it's not like the DACL can only contain ACEs of domain local groups; you can add a universal or global group to the DACL of an object (the group just needs a SID, which it gets by being a security group). Therefore, it seems like a whole load of administration work and a lot more calculation on the administrator's side to understand who has access to a file or folder, when you could simply identify it by looking at the DACL and saying 'oh, the global group or the universal group has access' instead of 'oh god, I'd better figure out who belongs to that group and its groups' and calculating backwards.
And the weirdest part of it all: the test prep questions always ask you to use the minimum amount of groups, yet in their MS Press book they encourage using all of these groups as the way to do it for simplifying and breaking the network down into smaller, more manageable structures. To me, it just makes a simple process more complicated.
Or perhaps there is something I am not considering...
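The following PowerShell is an added example and is not part of the original post or any answer to it. It builds the "one universal group" design the poster describes (two global groups nested into one universal group, one ACE on the share) and then performs the "calculating backwards" step that an administrator or auditor has to do regardless of group scope: expanding every group ACE on the folder down to the user accounts that actually hold the right. All names are assumptions: a forest with domains corp.example and emea.example, a global group 'Accountants' in each, a universal group 'Accountants-All' created in corp.example, and a share at D:\Shares\Accounts Data on a server in corp.example. The helper function Get-EffectiveGroupAccess is hypothetical; the ActiveDirectory cmdlets and the .NET FileSystemAccessRule type are real.

```powershell
# Added example, not from the original post. Assumed names: corp.example / emea.example,
# global groups 'Accountants' in each domain, universal group 'Accountants-All',
# share path D:\Shares\Accounts Data. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$share = 'D:\Shares\Accounts Data'

# 1. Universal security group that will carry the single ACE (placed in the forest root here; arbitrary).
$universal = New-ADGroup -Name 'Accountants-All' -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example' -PassThru

# 2. Nest each domain's global group rather than individual users. A global group can only
#    hold members from its own domain, but a universal group may contain global groups from
#    any domain in the forest, so each domain keeps managing its own accountants.
$globals = @(
    (Get-ADGroup -Identity 'Accountants' -Server 'corp.example'),
    (Get-ADGroup -Identity 'Accountants' -Server 'emea.example')
)
Add-ADGroupMember -Identity $universal -Members $globals

# 3. One ACE on the folder's DACL, granted to the universal group's SID (resolved from its name).
#    Set-Acl needs WRITE_DAC or ownership on the folder.
$acl  = Get-Acl -Path $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CORP\Accountants-All',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. The audit step: for each non-built-in group ACE on the folder, expand nested membership
#    (including the global groups nested inside the universal group) to the real user accounts.
#    This is the "who actually has access" calculation the poster is worried about.
function Get-EffectiveGroupAccess {
    param([Parameter(Mandatory)][string]$Path)

    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -notmatch '^(NT AUTHORITY|BUILTIN)\\' } |
        ForEach-Object {
            $id   = $_.IdentityReference.Value          # e.g. CORP\Accountants-All
            $name = $id.Split('\')[-1]
            try {
                # -Recursive walks nested groups; only user objects are reported
                $users = Get-ADGroupMember -Identity $name -Recursive |
                    Where-Object { $_.objectClass -eq 'user' } |
                    Select-Object -ExpandProperty SamAccountName
            } catch {
                # Identity is a user, a foreign principal, or a group this DC cannot expand
                $users = @("<unresolved: $id>")
            }
            [pscustomobject]@{
                Identity = $id
                Rights   = $_.FileSystemRights
                Type     = $_.AccessControlType
                Users    = ($users -join ', ')
            }
        }
}

Get-EffectiveGroupAccess -Path $share | Format-Table -AutoSize
```

Two practical caveats when running the audit part: Get-ADGroupMember -Recursive sometimes cannot expand members that live in another domain from the DC it is talking to, so for a forest-wide group it is safer to query each nested global group against its own domain with -Server (as the group creation step does), and a group that carries an ACE directly on the folder is only one line in the output, but a group nested several levels deep still has to be unwound before you know which accounts can touch the data.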