In Active Directory, why would you not assign resource permissions to Global Groups as opposed to Local Groups?

Posted on 2014-03-23
Last Modified: 2014-04-08
Is there a specific reason why Global Groups should not be used to assign permissions to resources?

Also, what performance implications are there for using Global groups everywhere as opposed to a combination of Domain Local and Global Groups?

What levels of nesting are permitted for the different security group types?
Question by:elchermans
Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39949634
Domain local groups are local to the domain and can be assigned permissions only to local domain resources; you can't assign domain local groups permissions to resources in another domain.
However, they can contain other domain local groups from the same domain, and users, global groups and universal groups from the same domain and other domains as well.
What you can't do: you can't add domain local groups from another domain to domain local groups in your domain.
That is why it is recommended to give permissions to domain local groups on local resources and nest all required groups and users from the same domain \ another domain inside them.

In contrast, global groups can contain only users from their own domain and global groups from their own domain; you cannot nest global groups from another domain.
Also, you can't nest domain local groups and universal groups from the same domain \ another domain inside global groups.

However, you can assign global groups permissions to resources in another domain directly.
But then again, you can't manage the group membership of those global groups simply; that is, if you also have users and groups from your domain, you need to add them separately.

That is why MS recommends that you initially assign domain local groups permissions to resources in the same domain and nest users, global and universal groups from its own domain \ another domain for easy management, which helps you streamline the security \ permissions model for resources.

Lastly, universal groups can contain users, global groups and universal groups from their own domain and other domains; what you can't do is add domain local groups to universal groups.
Also, you rarely set up universal groups on resources, as universal groups are replicated with the Global Catalog, which increases GC replication traffic, especially if the number of universal groups is high.
Also, in order to work with universal groups you have to have the Windows 2000 native domain functional level within all domains.

Mahesh.
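
The scope rules in the accepted answer can be checked mechanically. The following is an added example, not part of the original answer: a small Python model of those nesting rules that audits a two-domain layout for illegal nestings and for ACL entries that skip the domain local layer, then expands who actually ends up with access. All user, group and domain names are constructed for illustration.

```python
from collections import namedtuple

# kind is one of: "user", "global", "universal", "domain_local"
Principal = namedtuple("Principal", "name domain kind")

def can_nest(member, container):
    """May `member` be added to group `container`, per the scope rules in the answer?"""
    same_domain = member.domain == container.domain
    if container.kind == "domain_local":  # anything, but domain local only from its own domain
        return member.kind != "domain_local" or same_domain
    if container.kind == "global":  # users and global groups of its own domain only
        return member.kind in ("user", "global") and same_domain
    if container.kind == "universal":  # any domain, but never domain local groups
        return member.kind in ("user", "global", "universal")
    return False  # a user cannot contain members

def audit(memberships, acl_entries):
    """Flag illegal nestings, illegal ACL entries, and grants that bypass domain local groups."""
    findings = []
    for member, container in memberships:
        if not can_nest(member, container):
            findings.append(("invalid-nesting", member.name, container.name))
    for group, resource_domain in acl_entries:
        if group.kind == "domain_local" and group.domain != resource_domain:
            findings.append(("invalid-acl", group.name, resource_domain))
        elif group.kind != "domain_local":  # allowed, but not the recommended model
            findings.append(("direct-grant", group.name, resource_domain))
    return findings

def effective_users(group, memberships, seen=None):
    """Expand nested membership to the user names that inherit the group's access."""
    seen = set() if seen is None else seen
    users = set()
    for member, container in memberships:
        if container == group and member not in seen:
            seen.add(member)
            if member.kind == "user":
                users.add(member.name)
            else:
                users |= effective_users(member, memberships, seen)
    return users

# Constructed sample: domain A holds the file share, domain B holds some of the users.
alice, bob = Principal("alice", "A", "user"), Principal("bob", "B", "user")
gg_a = Principal("GG_A_Finance", "A", "global")
gg_b = Principal("GG_B_Finance", "B", "global")
dl_a = Principal("DL_A_Share_RW", "A", "domain_local")
SAMPLE_MEMBERSHIPS = [(alice, gg_a), (bob, gg_b), (gg_a, dl_a), (gg_b, dl_a), (gg_b, gg_a)]
SAMPLE_ACL = [(dl_a, "A"), (gg_b, "A"), (dl_a, "B")]
```

Running `audit(SAMPLE_MEMBERSHIPS, SAMPLE_ACL)` reports the cross-domain global-in-global nesting, the global group granted directly on the share, and the domain local group placed on a resource outside its domain.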