Joe_Budden


Domain Local groups v Global Groups

Running AD 2008, one domain.

We have a finance application and we need to assign permissions to an object. For the people we want to assign these permissions to, there is already a Domain Local group set up, DLGroup1, which we can use.

The vendor is saying to a Global group though, which means we either need to create a separate Global group containing these exact users, or modify DLGroup1 to become a Global group.

Some questions -

1. What is the impact of changing DLGroup1 from a Domain Local to a Global group?

2. From what I understand, Global groups should be placed in Domain Local groups, and the permissions actually given to the Domain Local groups, is there anyway why the vendor should say the permissions should be set to the Global group?

3. Re. the point above, what's the reason for having Global groups in a Domain Local group and setting the permissions for the Domain Local group?
ASKER CERTIFIED SOLUTION
Premkumar Yogeswaran
I want to clarify something - so don't accept this as an answer.

Use your Domain Local group to assign permissions to the application.
Create a new Global group and add your users to it.
Nest the new Global group into the Domain Local group (global group is a member of local group).

This is the correct way to do this.
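
The three steps above, scripted as an added example (not part of the original post). It assumes the ActiveDirectory PowerShell module is available; the Global group name and OU path are hypothetical, and only `DLGroup1` comes from the question.

```powershell
# Added example. $ggName and $ouPath are hypothetical placeholders.
Import-Module ActiveDirectory

$dlName = 'DLGroup1'                      # existing Domain Local group (from the question)
$ggName = 'GG-Finance-Users'              # hypothetical new Global group
$ouPath = 'OU=Groups,DC=example,DC=com'   # hypothetical OU for the new group

$dl = Get-ADGroup -Identity $dlName
if ($dl.GroupScope -ne 'DomainLocal') { throw "$dlName is not a Domain Local group" }

# Users that currently sit directly in the Domain Local group.
$users = @(Get-ADGroupMember -Identity $dl | Where-Object { $_.objectClass -eq 'user' })

# Step 1: create the Global security group if it does not exist yet.
$gg = Get-ADGroup -Filter "SamAccountName -eq '$ggName'"
if (-not $gg) {
    $gg = New-ADGroup -Name $ggName -SamAccountName $ggName -GroupScope Global `
                      -GroupCategory Security -Path $ouPath -PassThru
}

# Step 2: add the users to the Global group, skipping any already present.
$inGg    = @(Get-ADGroupMember -Identity $gg | ForEach-Object { $_.SID.Value })
$missing = @($users | Where-Object { $inGg -notcontains $_.SID.Value })
if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $gg -Members $missing }

# Step 3: nest the Global group inside the Domain Local group (if not already nested).
$direct = @(Get-ADGroupMember -Identity $dl | ForEach-Object { $_.SID.Value })
if ($direct -notcontains $gg.SID.Value) { Add-ADGroupMember -Identity $dl -Members $gg }

# Check: every original user must still resolve through the nesting.
$effective = @(Get-ADGroupMember -Identity $dl -Recursive | ForEach-Object { $_.SID.Value })
$lost = @($users | Where-Object { $effective -notcontains $_.SID.Value })
if ($lost.Count -gt 0) { throw "Not reachable via nesting: $($lost.SamAccountName -join ', ')" }

# Optional cleanup (an assumption, not a step from the post): drop the direct user
# memberships so access flows only through the Global group. -WhatIf previews the change.
if ($users.Count -gt 0) {
    Remove-ADGroupMember -Identity $dl -Members $users -Confirm:$false -WhatIf
}
```

The permissions already granted to `DLGroup1` on the application are not touched; only group membership changes.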

Joe_Budden

ASKER

Thanks guys.

What's the reason we assign permissions to Domain Local groups though? There must be a reason for this?

And, given our problem, is there any issue with converting a Domain Local to a Global group?

Because it's best practice to assign permissions to resources contained on a server to a group that is local to the server. Membership of this group is what changes, but not permissions given to it. If you need to change the permission level for the local group then there is no replication required since it remains local to the box.

No, there is no issue, however Global groups now become caught up in any change to membership globally - whereas a local group doesn't change at all.