Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

In Active Directory why would you not assign resource permissions to Global Groups as opposed to Local Groups

Posted on 2014-03-23
1
Medium Priority
?
664 Views
Last Modified: 2014-04-08
Is there a specific reason why Global Groups should not be used to assign permissions to resources?

Also what performance implications are there for using Global groups everywhere as opposed to a combination of Domain Local and Global Groups?

What levels of nesting is permitted for the different security group types?
0
Comment
Question by:elchermans
1 Comment
 
LVL 39

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39949634
Domain local groups are local to domain and can be assigned permissions to only local domain resources, you can't assign domain local groups permissions to resources in another domain.
However they can contains other domain local groups from same domain, users, global groups and universal groups from same domain and another domains as well
What you can't do, you can't add domain local groups from another domain to domain local groups in your domain
That is why it is recommended to give permissions to domain local groups on local resources and nest all required groups, users from its same domain \ another domain in side them

In contrast, global groups can contains users only from his own domain, global groups from his own domain, but you cannot nest global groups from another domain.
Also you can't nest domain local groups and universal groups from same domain \ another domain inside global groups

However you can assign global groups permissions to resources in another domain directly
But again then you can't manage group membership of that global groups with simplicity means if you are also having users and groups from your domain, you need to add them separately

That is why MS recommends that assign domain local groups permissions to resources initially in same domain and nest users, global, universal groups from its own domain\ another domain for easy management which helps you to streamline security \ permissions model for resources

Lastly universal groups can contains users, global groups and universal groups from its own domain and another domains, what you can't do, you can't add domain local groups to universal groups
Also you setup universal groups on resources rarely as universal groups are replicated with Global catalog which increases GC replication traffic specially no of universal groups are high
Also in order to work with universal groups you have to have windows 2000 native domain functional level within all domains

Mahesh.
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question