Joe_Budden
asked on
Domain Local groups v Global Groups
Running AD 2008, one domain.
We have a finance application and we need to assign permissions to an object. For the people we want to assign these permissions to, there is already a Domain Local group set up, DLGroup1, which we can use.
The vendor is saying to a Global group though, which means we either need to create a separate Global group containing these exact users, or modify DLGroup1 to become a Global group.
Some questions -
1. What is the impact of changing DLGroup1 from a Domain Local to a Global group?
2. From what I understand, Global groups should be placed in Domain Local groups, and the permissions actually given to the Domain Local groups, is there any reason why the vendor should say the permissions should be set to the Global group?
3. Re. the point above, what's the reason for having Global groups in a Domain Local group and setting the permissions for the Domain Local group?
ASKER
Thanks guys.
What's the reason we assign permissions to Domain Local groups though? There must be a reason for this?
And, given our problem, is there any issue with converting a Domain Local to a Global group?
Because it's best practice to assign permissions to resources contained on a server to a group that is local to the server. Membership of this group is what changes, but not permissions given to it. If you need to change the permission level for the local group then there is no replication required since it remains local to the box.
No, there is no issue, however Global groups now become caught up in any change to membership globally - whereas a local group doesn't change at all.
Use your Domain Local group to assign permissions to the application.
Create a new Global group and add your users to it.
Nest the new Global group into the Domain Local group (global group is a member of local group).
This is the correct way to do this.
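The nesting steps in the answer above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is available (on a 2008 domain that means 2008 R2 tools or the AD Management Gateway Service); `GG_FinanceApp_Users` and the OU path are hypothetical placeholders, and only `DLGroup1` comes from the question.

```powershell
# Added example: nest a new Global group inside the existing Domain Local group.
# Assumptions: ActiveDirectory module present; group name and OU path below are hypothetical.
Import-Module ActiveDirectory

$dlName = 'DLGroup1'                          # Domain Local group from the question
$ggName = 'GG_FinanceApp_Users'               # hypothetical Global group name
$ouPath = 'OU=Groups,DC=example,DC=com'       # placeholder OU, replace with your own

# Refuse to continue if the permission-holding group is not Domain Local.
$dl = Get-ADGroup -Identity $dlName
if ($dl.GroupScope -ne 'DomainLocal') {
    throw "$dlName has scope $($dl.GroupScope); expected DomainLocal."
}

# User accounts that currently sit directly in the Domain Local group.
$directUsers = @(Get-ADGroupMember -Identity $dl |
    Where-Object { $_.objectClass -eq 'user' })

# Create the Global group only if it does not exist yet.
$gg = Get-ADGroup -Filter "SamAccountName -eq '$ggName'"
if (-not $gg) {
    $gg = New-ADGroup -Name $ggName -SamAccountName $ggName `
        -GroupScope Global -GroupCategory Security -Path $ouPath -PassThru
}

# Add only users who are not already members (Add-ADGroupMember errors on duplicates).
$ggMembers = @(Get-ADGroupMember -Identity $gg | ForEach-Object { $_.distinguishedName })
$toAdd = @($directUsers | Where-Object { $ggMembers -notcontains $_.distinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $gg -Members $toAdd
}

# Nest the Global group into the Domain Local group if it is not nested already.
$dlMembers = @(Get-ADGroupMember -Identity $dl | ForEach-Object { $_.distinguishedName })
if ($dlMembers -notcontains $gg.DistinguishedName) {
    Add-ADGroupMember -Identity $dl -Members $gg
}

# Verify: every original user must still resolve through the nesting.
$viaNesting = @(Get-ADGroupMember -Identity $gg -Recursive |
    ForEach-Object { $_.distinguishedName })
$lost = @($directUsers | Where-Object { $viaNesting -notcontains $_.distinguishedName })
if ($lost.Count -gt 0) {
    Write-Warning ("Not covered by {0}: {1}" -f $ggName, ($lost.SamAccountName -join ', '))
} else {
    Write-Output "$($directUsers.Count) direct user(s) in $dlName are now also covered via $ggName."
}
```

The script leaves the existing direct memberships in `DLGroup1` untouched; removing them once access through the nested group is confirmed is a separate, manual decision.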