Solved

When do we need to use local, global and universal group permission?

Posted on 2011-09-07
Last Modified: 2012-06-27
Can someone explain basically when we need to use local, global and universal group permission?

Thank you.
Question by:SAM2009
5 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 400 total points
ID: 36499364
What is your domain/forest structure (single domain or multiple domains)?
 

There is the standard AGLP/UGLY but those don't always apply.
http://adisfun.blogspot.com/2009/04/ugly-aglp-what-are-they.html

Thanks

Mike
0
 
LVL 7

Assisted Solution

by:dsnegi_25dec
dsnegi_25dec earned 400 total points
ID: 36499456
Universal Group: can contain users and groups (global and universal) from any domain in the forest.  Universal groups do not care about trust.  Universal groups can be a member of domain local groups or other universal groups but NOT global groups.

Global Group: can contain users, computers and groups from same domain but NOT universal groups.  Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

Domain Local Group: Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. Can be a member of any domain local group in the same domain.

The short answer is that domain local groups are the only groups that can have members from outside the forest.  And use global groups if you have trust, universal groups if you don't care about trust.

0
 
LVL 1

Author Comment

by:SAM2009
ID: 36499771
Then when should we need trust and when should we use universal group without trust?
0
 
LVL 24

Accepted Solution

by:Sandeshdubey
Sandeshdubey earned 1200 total points
ID: 36500643
Use global security groups to group user (or computer) accounts with similar characteristics, for example members of Sales department.

Use domain local security groups to define access to resources (share, NTFS, printer). For example, you would create domain local group "DL ColorPrinter Print" and assign print permission to this group. Then you would put global security group Sales in "DL ColorPrinter Print" group to enable printing for sales department. If marketing department wants to use the same printer, you have to create global group Marketing and put this group in "DL ColorPrinter Print" group. This strategy is called A-G-DL-P. Put accounts in global groups, global groups in domain local groups and assign permissions to domain local groups, and you will assign permission only once. Everything else happens in Active Directory Users and Computers when you modify group memberships.

Universal groups should only be used in a multiple-domain forest. Universal groups are used to nest global groups. Group strategy is then called A-G-U-DL-P.

In short, below are the details:
Global Groups:
Use these to group users with similar needs within the organisation, sales people, finance people, managers etc

Domain Local Groups:
Use these to specify access to resources, e.g. database users, Colour Printer Users.

Universal Groups
Use only in multiple domains to give forest-wide privileges.

0
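
The A-G-DL-P printer setup described in the accepted answer, as an added PowerShell example that is not part of the original thread, followed by an audit for accounts placed directly in domain local groups. It assumes the RSAT ActiveDirectory module; the OU path, the user `jdoe` and the function name `Get-DirectAccountsInDomainLocalGroups` are placeholders chosen for illustration.

```powershell
# Added example: A-G-DL-P with the ActiveDirectory module (RSAT).
# Assumptions: $ou and the account 'jdoe' are placeholders; adjust to your domain.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=com'   # placeholder OU

# G: global groups collect accounts that share a role.
$sales     = New-ADGroup -Name 'Sales' -GroupScope Global `
                 -GroupCategory Security -Path $ou -PassThru
$marketing = New-ADGroup -Name 'Marketing' -GroupScope Global `
                 -GroupCategory Security -Path $ou -PassThru

# DL: one domain local group per resource and access level.
$dlPrint = New-ADGroup -Name 'DL ColorPrinter Print' -GroupScope DomainLocal `
               -GroupCategory Security -Path $ou -PassThru

# A -> G: accounts go into global groups only.
Add-ADGroupMember -Identity $sales -Members 'jdoe'   # placeholder account

# G -> DL: global groups are nested into the resource group.
Add-ADGroupMember -Identity $dlPrint -Members $sales, $marketing

# P: grant Print on the printer to 'DL ColorPrinter Print' once, in the
# printer's security settings (not scripted here).

# Audit: report user or computer accounts that are direct members of a
# domain local group, i.e. access granted without going through a global group.
function Get-DirectAccountsInDomainLocalGroups {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADGroup -Filter "GroupScope -eq 'DomainLocal'" `
                -SearchBase $SearchBase -Properties Members |
        ForEach-Object {
            $group = $_
            foreach ($dn in $group.Members) {
                $member = Get-ADObject -Identity $dn
                if ($member.ObjectClass -in 'user', 'computer') {
                    [pscustomobject]@{
                        Group  = $group.Name
                        Member = $member.Name
                        Class  = $member.ObjectClass
                    }
                }
            }
        }
}

Get-DirectAccountsInDomainLocalGroups -SearchBase $ou
```

An empty result from the audit means every account under that OU reaches its resource permissions through a global group, so access reviews can be done on role membership alone.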
 
LVL 1

Author Closing Comment

by:SAM2009
ID: 36505533
Many thanks!
0
