Domain Local groups v Global Groups

Running AD 2008, one domain.

We have a finance application and we need to assign permissions to an object. For the people we want to assign these permissions to, there is already a Domain Local group set up, DLGroup1, which we can use.

The vendor is saying to a Global group though, which means we either need to create a seperate Global group containing these exact users, or modify DLGroup1 to become a Global group.

Some questions -

1. What is the impact of changing DLGroup1 from a Domain Local to a Global group?

2. From what I understand, Global groups should be placed in Domain Local groups, and the permissions actually given to the Domain Local groups, is there anyway why the vendor should say the permissions should be set to the Global group?

3. Re. the point above, what's the reason for having Global groups in a Domain Local group and setting the permissions for the Domain Local group?
Who is Participating?
Premkumar YogeswaranAnalyst II - System AdministratorCommented:

For permission, mostly recommended to create Domain Local DL group and assign permission to that group.
Then if you need to grant access to users or group, create a global group and add to DL group.
Now you can add users to the Global group.

1. There wont be any impact on changing DL group to Global group

One main prob occurs is: you cannot add universal groups to Domain local group.

2. If the vendor says permission need to apply to Global group, then you need to add global group directly to the application and grant access.

3. as i said above, if we place local group on application end, we can add universal group and global group to DL group.

Please let me know if you have more questions.

I want to clarify something - so don't accept this as an answer.

Use your Domain Local group to assign permissions to the application.
Create a new Global group and add your users to it.
Nest the new Global group into the Domain Local group (global group is a member of local group).

This is the correct way to do this.

Joe_BuddenAuthor Commented:
Thanks guys.

What's the reason we assign permissions to Domain Local groups though? There must be a reason for this?

And, given our problem, is there any issue with converting a Domain Local to a Global group?
Because it's best practice to assign permissions to resources contained on a server to a group that is local to the server.  Membership of this group is what changes, but not permissions given to it.  If you need to change the permission level for the local group then there is no replication required since it remains local to the box.

No, there is no issue, however Global groups now become caught up in any change to membership globally - whereas a local group doesn't change at all.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.