What is the purpose of adding global/universal groups to domain local groups?

Posted on 2009-02-20
Last Modified: 2012-05-06

I don't know if this is the right place to ask this question but I'm sure somebody could give me an answer - it is more of an enquiry than a technical problem.

Ok. I am studying for my final MCSA exam (only 70-290 left) and I almost have the whole domain local/global/universal group concept nailed, but I have a nagging question in the back of my head which makes my test questions difficult to answer without thinking I am right!

So let's say we have 1 forest, 2 domains. Each domain has a global group called 'accountants' and of course, contains the accountants for their domains. Now, there is a shared folder in each domain called 'Accounts Data' of which the accountants of both domains need full control. So, it begs the question. If you really wanted to minimise the number of groups you are using, why would you not create a universal group called accountants, then either just add all of the accountants of the domains to the one big universal group or add the two global accountants groups to the universal accountants group. You could then just add this one universal accountants group to the DACL of the shared folder, and therefore have one simple ACE on the DACL of the folder and keep things nice and tidy? (And yes, this group won't change often so there shouldn't be a lot of replication traffic generated from its changing membership.)

It seems that Microsoft would have you either add those global groups to the domain local groups in the domain or add the universal group to a domain local group in the domain and add an entry to the DACL of the shared folder for the domain local group. But it's not like the DACL can only contain ACEs of domain local groups; you can add a universal or global group to the DACL of an object (the group just needs a SID, which it gets by being a security group). Therefore, it seems like a whole load of administration work and a lot more calculation on the administrator's side to understand who has access to a file or folder when you could simply identify it by looking at the DACL and saying 'oh, the global group or the universal group has access' instead of 'oh god, I better figure out who belongs to that group and its group' and calculating backwards.

And the weirdest part of it all, the test prep questions always ask you to use the minimum number of groups, yet in their MS Press book, they encourage using all of these groups as the way to do it for simplifying and breaking the network down into smaller, more manageable structures. To me, it just makes a simple process more complicated.

Or perhaps there is something I am not considering . . . .

Question by: sparky2156
    LVL 6

    Expert Comment

    Unless they've changed things drastically the answer they are looking for is usually going to be some form of User > Domain Global > Domain Local > Resource.

    They don't tell you when you are studying for the test but there are practical reasons for doing things this way and most of them center on the Global Catalog. The simple reason is that extensive use of Universal groups increases the size of the Global Catalog and the load on the Global Catalog Servers. Overuse of universal groups can have a significant impact on network performance.

    For more information on the Global Catalog see:
    LVL 3

    Expert Comment

    Okay, say you have, you also have and now you have an Accountants OU in both the NY and LA domains. You also have shared "Accountants" folders in both NY and LA. The theory is that if you have a domain global accts group in both domains and they are part of a domain universal group then you have the flexibility to add the Accts domain global groups in either domain to a shared folder individually, or you can add both of the domain global groups to a domain universal group and add the entire accts staff to a folder. This is handy because if later on down the line you add a shared folder in the LA office that only LA accts need access to then all you have to do is add the domain global group to the share. However if you hired a new employee in LA you would only have to add him to the one group and he would have membership to all respective places. As for your question about adding both domain global groups to the folders that all accts need access to: if you add an office ... let's say now Denver has an accounting department. All you have to do is make a domain global group and add it to the domain universal group and all is right.... Make sense?
    LVL 18

    Expert Comment

    To grant permission on the shared folder, you can only grant a user account, a global or universal group from the local domain, or a domain local group from the local domain.
    You don't want to use individual user accounts as it's high maintenance. Since you cannot grant a global or universal group from a foreign domain, you are left with only the Domain Local group. This group will be used to grant permission in a multiple domain environment.

    Depending on how the business is structured and the history of their domain environment, there is no one solution that fits all.
    But in general, you organize users in the domain by global group in its domain, by the helpdesk supporting that domain. Then you add these global groups to either the universal group or directly to the Domain Local group. Of course if there are specific resources only used by, or needing to be managed by, the helpdesk of one particular domain, then you can add users from both domains to this Universal group. If there is already a global group consisting of those users you would add the global group instead of users. Even if there's no global group created, you should still create the global group. There are Universal groups that for security reasons are restricted and managed specifically by an admin in a particular domain, and this Universal group should not add global groups from the other domain as this creates a security hole where an admin on the other domain can add users to their global group which is added in the universal group. ..
    LVL 30

    Expert Comment

    The business reason for it stems from an assumption of a multi-domain forest, which in the early days of Active Directory was what MS assumed everyone should deploy. By doing AGUDLP group nesting, you're only ever changing the membership of the global group, which doesn't replicate beyond the domain boundary and thus saves on replication traffic.

    If you're in a single-domain forest in your "real-world" implementation, you're going to make everything a global group or a universal group. Learn the AGUDLP way to pass the test, then go do it for real in a way that makes sense - it's what everyone else does. :-)
    LVL 3

    Author Comment

    Hi, thank you for all of your responses.

    So let's get this right, I can only add a global/universal group to the DACL of a resource if that global or universal group exists in the same domain as the resource?

    Also, as for what smashpmk712 said, it makes sense to use these global/universal groups in this respect, however I have always been under the impression that if I made a universal group in a domain in the forest, I could use that group in any other domain in the forest due to their domain-wide scope (but from what Americom has said, it seems that it can hold any group from any domain in the forest, but not actually be used in any domain in the forest, rather it can only be used in the domain in which it resides).

    And if this is the case, it explains why I would add universal or global groups from one domain to a domain local or global group in a different domain. Up until now, I have always thought that universal groups had universal scope in terms of being applied to resources, as mentioned above.

    Could one of you please clarify this for me?

    Also, LauraEHunterMVP, you raise a very valid point - there is no substitute for doing the job in real life and it always works out differently in practice. It's great to hear that from an MVP!
    LVL 30

    Expert Comment

    It goes like this:

    Domain Local groups can contain users/groups from anywhere in the local forest or any trusted forest, but can only be used to secure resources from the same domain that the group resides in because the group does not "exist" outside of that domain.

    Global groups can contain users/groups only from within the same domain, but can be used to secure resources in any domain in the local forest or any trusting forest.

    Universal groups can contain users/groups from anywhere, and can secure resources anywhere. This flexibility comes at the potential expense of replication overhead in a multi-domain environment, since changes to universal group membership are replicated to the global catalog.
    LVL 18

    Accepted Solution

    Sparky2156, I need to make some corrections regarding my comments above:
    Laura is correct on the Global and Universal groups that can secure resources in any domain in the local forest or any trusting forest regardless of the type of trust, forest or external.

    It's just that you SHOULD NOT grant permission to a shared resource to a global group from a foreign domain or to a Universal group. As Laura indicated, each time you change the membership of a Universal group, you are creating replication overhead. So, you need to avoid having a Universal group that you are constantly moving users or global groups in/out of. Department staff do not change as frequently, and it may not be that bad to use a universal group. But for shares that are accessed by multiple departments or all users across domains, you definitely would want to control membership by global group and if needed add them to a Universal Group. But you should still grant permission by Domain Local group instead of Universal group, especially for shares that need to grant access to multiple departments and therefore could involve multiple global and universal groups. Another reason is that you should not grant permission to a Global group from a different domain to shared resources. The key to managing your shared resources, particularly on a large file server, is that you want to grant access by group and not by user. Even better by fewer groups than more groups. Here's the reason why: if you have a shared folder consisting of hundreds of thousands of sub-folders and millions of files, each time you adjust the NTFS permission, you are making a status change on those folders and files. This adjustment can take you hours to get through and it could mess up your incremental or differential daily backup!
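The AGUDLP chain the answers above describe (accounts into a Global group per domain, Global groups nested into one Domain Local group in the resource's domain, that Domain Local group as the only ACE on the folder), written out for the NY/LA Accountants scenario as an added example. This is not code from the thread or from Microsoft; the domain names ny.example.com and la.example.com (NetBIOS NY and LA), the OU=Groups containers, the user names jsmith and mjones, the share path D:\Shares\AccountsData and the availability of the RSAT ActiveDirectory module are all constructed assumptions.

```powershell
# Added example, not from the thread: AGUDLP for the NY/LA Accountants scenario.
# Constructed assumptions: two domains in one forest, ny.example.com (NetBIOS NY)
# and la.example.com (NetBIOS LA); the share sits on a NY file server at
# D:\Shares\AccountsData; users jsmith (NY) and mjones (LA) and the OU=Groups
# containers already exist; the RSAT ActiveDirectory module is installed; the
# caller can create groups in both domains and change the folder's DACL.
Import-Module ActiveDirectory

$nyDomain  = 'ny.example.com'
$laDomain  = 'la.example.com'
$sharePath = 'D:\Shares\AccountsData'   # local path on the NY file server

# A -> G: accounts go into a Global group in their own domain. A Global group can
# only hold principals from its own domain, so each domain's helpdesk owns one.
$nyAccts = New-ADGroup -Server $nyDomain -Name 'Accountants-NY' `
    -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=ny,DC=example,DC=com' -PassThru
$laAccts = New-ADGroup -Server $laDomain -Name 'Accountants-LA' `
    -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=la,DC=example,DC=com' -PassThru

Add-ADGroupMember -Server $nyDomain -Identity $nyAccts -Members 'jsmith'
Add-ADGroupMember -Server $laDomain -Identity $laAccts -Members 'mjones'

# G -> DL: one Domain Local group in the resource's domain (NY) represents the
# permission itself. It may contain groups from any domain in the forest, so the
# LA Global group goes in as a member (AD stores it as a foreign security principal).
$aclGroup = New-ADGroup -Server $nyDomain -Name 'ACL-AccountsData-Modify' `
    -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=ny,DC=example,DC=com' -PassThru
Add-ADGroupMember -Server $nyDomain -Identity $aclGroup -Members $nyAccts, $laAccts

# DL -> P: the Domain Local group is the only ACE added to the folder's DACL.
# Later joiners and leavers are handled in the Global groups (no Global Catalog
# replication), and the DACL on the folder tree is never rewritten for them.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'NY\ACL-AccountsData-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# When a Denver domain is added later, only its Global group is created and
# nested; the folder DACL stays as it is (hypothetical domain dv.example.com):
# $dvAccts = New-ADGroup -Server 'dv.example.com' -Name 'Accountants-DV' -GroupScope Global `
#     -GroupCategory Security -Path 'OU=Groups,DC=dv,DC=example,DC=com' -PassThru
# Add-ADGroupMember -Server $nyDomain -Identity $aclGroup -Members $dvAccts

# "Who actually has Modify here?" is answered from the one ACE by expanding the
# Domain Local group, rather than calculating backwards by hand.
Get-ADGroupMember -Server $nyDomain -Identity $aclGroup -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

Two practical notes. The recursive expansion at the end is where the cross-domain nesting shows up as an operational cost: when a Domain Local group holds groups from another domain, `Get-ADGroupMember -Recursive` may return the foreign security principal or fail to expand it, so the LA branch is resolved by running the same query against la.example.com for `Accountants-LA`. And the script follows the AGUDLP answer expected on the exam; as Laura's comment notes, a Global group from NY could be placed on the DACL directly, but then every resource in the forest that grants the accountants access would need editing when Denver joins, which is exactly the rewrite of a large folder tree that Americom warns about.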
    LVL 3

    Author Closing Comment

    Good answer
