  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 673

In Active Directory, why would you not assign resource permissions to Global Groups as opposed to Local Groups?

Is there a specific reason why Global Groups should not be used to assign permissions to resources?

Also, what performance implications are there for using Global groups everywhere as opposed to a combination of Domain Local and Global Groups?

What levels of nesting are permitted for the different security group types?
Asked by: elchermans

1 Solution
 
Mahesh (Architect) commented:
Domain local groups are local to the domain and can be assigned permissions only to local domain resources; you can't assign domain local groups permissions to resources in another domain.
However, they can contain other domain local groups from the same domain, as well as users, global groups and universal groups from the same domain and from other domains.
What you can't do is add domain local groups from another domain to domain local groups in your domain.
That is why it is recommended to give permissions on local resources to domain local groups and nest all required groups and users from the same domain or another domain inside them.

In contrast, global groups can contain only users from their own domain and global groups from their own domain; you cannot nest global groups from another domain.
Also, you can't nest domain local groups or universal groups from the same domain or another domain inside global groups.

However, you can assign global groups permissions to resources in another domain directly.
But then you can't manage the membership of those global groups as simply: if you also have users and groups from your domain, you need to add them separately.

That is why MS recommends that you initially assign permissions on resources to domain local groups in the same domain and nest users, global groups and universal groups from the same domain or another domain inside them for easy management, which helps you streamline the security and permissions model for resources.

Lastly, universal groups can contain users, global groups and universal groups from their own domain and from other domains. What you can't do is add domain local groups to universal groups.
Also, you rarely set up universal groups on resources, because universal groups are replicated with the Global Catalog, which increases GC replication traffic, especially when the number of universal groups is high.
Also, in order to work with universal groups you have to have the Windows 2000 native domain functional level within all domains.

Mahesh.
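
As an added example (not part of the original answer), one way to check a folder against the model described above, where resource permissions are granted to domain local groups only. It assumes the RSAT ActiveDirectory PowerShell module and a constructed share path; the function name is hypothetical, and lookups cover the current domain only.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Hypothetical helper: report the AD group scope behind each explicit ACE on a path.
function Get-AclGroupScopeReport {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IsInherited) { continue }      # only ACEs set directly on this object

        $scope = 'NotFoundInCurrentDomain'      # SYSTEM, other-domain or machine-local trustees
        $kind  = 'unknown'
        try {
            # Resolve by SID so the lookup does not depend on the name format in the ACE.
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
            if ($obj) {
                $kind = $obj.ObjectClass
                if ($kind -eq 'group') {
                    # GroupScope is DomainLocal, Global or Universal
                    $scope = (Get-ADGroup -Identity $sid).GroupScope
                } else {
                    $scope = 'n/a'              # a user or computer named directly in the ACL
                }
            }
        } catch {
            $scope = 'Unresolvable'             # orphaned SID or failed lookup
        }

        [pscustomobject]@{
            Trustee      = $ace.IdentityReference.Value
            Kind         = $kind
            Scope        = "$scope"
            Rights       = $ace.FileSystemRights
            # The model in the answer: ACEs name domain local groups only.
            FollowsModel = ($kind -eq 'group' -and "$scope" -eq 'DomainLocal')
        }
    }
}

# Constructed example path: list the trustees that do not fit the model.
Get-AclGroupScopeReport -Path '\\fileserver.example\share\Finance' |
    Where-Object { -not $_.FollowsModel } |
    Format-Table -AutoSize
```

Trustees reported as `NotFoundInCurrentDomain` need a manual look, since they may be built-in identities, machine-local groups, or groups from another domain.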