Domain Local groups v Global Groups

Running AD 2008, one domain.

We have a finance application and we need to assign permissions to an object. For the people we want to assign these permissions to, there is already a Domain Local group set up, DLGroup1, which we can use.

The vendor is saying to a Global group though, which means we either need to create a separate Global group containing these exact users, or modify DLGroup1 to become a Global group.

Some questions -

1. What is the impact of changing DLGroup1 from a Domain Local to a Global group?

2. From what I understand, Global groups should be placed in Domain Local groups, and the permissions actually given to the Domain Local groups. Is there any reason why the vendor should say the permissions should be set to the Global group?

3. Re. the point above, what's the reason for having Global groups in a Domain Local group and setting the permissions for the Domain Local group?

Premkumar Yogeswaran (Sr. Analyst - System Administrator) Commented:

For permissions, it is mostly recommended to create a Domain Local (DL) group and assign permissions to that group.
Then, if you need to grant access to users or groups, create a Global group and add it to the DL group.
Now you can add users to the Global group.

1. There won't be any impact on changing the DL group to a Global group.

One main problem that occurs is: you cannot add universal groups to a Domain Local group.

2. If the vendor says permissions need to be applied to a Global group, then you need to add the Global group directly to the application and grant access.

3. As I said above, if we place the local group on the application end, we can add universal groups and global groups to the DL group.

Please let me know if you have more questions.


I want to clarify something - so don't accept this as an answer.

Use your Domain Local group to assign permissions to the application.
Create a new Global group and add your users to it.
Nest the new Global group into the Domain Local group (global group is a member of local group).

This is the correct way to do this.
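
The three steps in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is available (RSAT, with Active Directory Web Services or the AD Management Gateway on a domain controller); `GG-Finance-App` and the OU path are hypothetical names, and `DLGroup1` is the group from the question.

```powershell
# Added example: assumes the ActiveDirectory module and rights to manage groups.
Import-Module ActiveDirectory

$dlGroup = 'DLGroup1'                        # existing Domain Local group (from the question)
$ggName  = 'GG-Finance-App'                  # hypothetical Global group name
$ggPath  = 'OU=Groups,DC=example,DC=com'     # hypothetical OU; adjust to your domain

# Confirm the resource group really is Domain Local before changing anything.
$dl = Get-ADGroup -Identity $dlGroup
if ($dl.GroupScope -ne 'DomainLocal') {
    throw "$dlGroup has scope $($dl.GroupScope); expected DomainLocal."
}

# Capture the user accounts that are currently direct members of the DL group.
$directUsers = @(Get-ADGroupMember -Identity $dlGroup |
    Where-Object { $_.objectClass -eq 'user' })

# Create the Global security group only if it does not already exist.
$gg = Get-ADGroup -Filter "Name -eq '$ggName'"
if (-not $gg) {
    $gg = New-ADGroup -Name $ggName -SamAccountName $ggName `
        -GroupScope Global -GroupCategory Security -Path $ggPath -PassThru
}

# Add only the users who are not yet in the Global group, so a re-run is safe.
$existing = @(Get-ADGroupMember -Identity $gg |
    Select-Object -ExpandProperty distinguishedName)
$toAdd = @($directUsers | Where-Object { $existing -notcontains $_.distinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $gg -Members $toAdd
}

# Nest the Global group into the Domain Local group (skip if already nested).
$nested = Get-ADGroupMember -Identity $dlGroup |
    Where-Object { $_.distinguishedName -eq $gg.DistinguishedName }
if (-not $nested) {
    Add-ADGroupMember -Identity $dlGroup -Members $gg
}

# Optional cleanup, not stated in the reply: preview removal of the direct
# user memberships. Drop -WhatIf once the nested access has been verified.
if ($directUsers.Count -gt 0) {
    Remove-ADGroupMember -Identity $dlGroup -Members $directUsers -WhatIf
}

# Verify: direct members of the DL group, then effective (recursive) members.
Get-ADGroupMember -Identity $dlGroup | Select-Object Name, objectClass
Get-ADGroupMember -Identity $dlGroup -Recursive | Select-Object Name, SamAccountName
```

The permission entry on the application object stays on `DLGroup1` throughout; only group membership changes.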

Joe_Budden (Author) Commented:
Thanks guys.

What's the reason we assign permissions to Domain Local groups though? There must be a reason for this?

And, given our problem, is there any issue with converting a Domain Local to a Global group?

Because it's best practice to assign permissions to resources contained on a server to a group that is local to the server. Membership of this group is what changes, but not permissions given to it. If you need to change the permission level for the local group then there is no replication required since it remains local to the box.

No, there is no issue, however Global groups now become caught up in any change to membership globally - whereas a local group doesn't change at all.
