In Active Directory why would you not assign resource permissions to Global Groups as opposed to Local Groups

Posted on 2014-03-23
654 Views
Last Modified: 2014-04-08
Is there a specific reason why Global Groups should not be used to assign permissions to resources?

Also, what performance implications are there for using Global Groups everywhere as opposed to a combination of Domain Local and Global Groups?

What levels of nesting are permitted for the different security group types?
Question by:elchermans
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39949634
Domain local groups are local to the domain and can be assigned permissions only to resources in the local domain; you can't assign domain local groups permissions to resources in another domain.
However, they can contain other domain local groups from the same domain, and users, global groups and universal groups from the same domain and from other domains as well.
What you can't do is add domain local groups from another domain to domain local groups in your domain.
That is why it is recommended to give permissions to domain local groups on local resources and nest all required groups and users from the same domain \ another domain inside them.

In contrast, global groups can contain only users from their own domain and global groups from their own domain; you cannot nest global groups from another domain.
Also, you can't nest domain local groups or universal groups from the same domain \ another domain inside global groups.

However, you can assign global groups permissions to resources in another domain directly.
But then again you can't manage the membership of those global groups with simplicity, meaning if you also have users and groups from your domain, you need to add them separately.

That is why MS recommends assigning domain local groups permissions to resources in the same domain initially and nesting users, global and universal groups from its own domain \ another domain for easy management, which helps you streamline the security \ permissions model for resources.

Lastly, universal groups can contain users, global groups and universal groups from their own domain and other domains; what you can't do is add domain local groups to universal groups.
Also, you rarely set up universal groups on resources, as universal groups are replicated with the Global Catalog, which increases GC replication traffic, especially when the number of universal groups is high.
Also, in order to work with universal groups you have to have the Windows 2000 native domain functional level in all domains.

Mahesh.
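The scope, membership and assignment rules from the question and the answer above, encoded as a small Python model so the AGDLP pattern (accounts into global groups, global groups into a domain local group, the domain local group on the ACL) can be checked before it is built in a real forest. This is an added example, not code from the original thread or from Microsoft; the forest layout, domain names, user names and group names are constructed for illustration, and the checker models only the rules stated in the answer.

```python
from dataclasses import dataclass, field

USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "User", "DomainLocal", "Global", "Universal"


@dataclass
class Principal:
    """A user or security group; groups carry their direct members."""
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)

    def __str__(self) -> str:
        return f"{self.domain}\\{self.name} ({self.scope})"


def can_contain(container: Principal, member: Principal) -> bool:
    """Membership rules from the answer, keyed on the container's scope."""
    same_domain = container.domain == member.domain
    if container.scope == DOMAIN_LOCAL:
        # Users, global and universal groups from any domain; domain local
        # groups only from the same domain.
        return member.scope != DOMAIN_LOCAL or same_domain
    if container.scope == GLOBAL:
        # Only users and global groups, and only from its own domain.
        return same_domain and member.scope in (USER, GLOBAL)
    if container.scope == UNIVERSAL:
        # Users, global and universal groups from any domain; never domain local.
        return member.scope != DOMAIN_LOCAL
    return False  # a user has no members


def can_assign(group: Principal, resource_domain: str) -> bool:
    """Whether the group may appear in an ACL on a resource in resource_domain."""
    if group.scope == DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.scope in (GLOBAL, UNIVERSAL)


def nesting_violations(group: Principal) -> list:
    """Depth-first walk of the membership tree; returns human-readable violations."""
    problems, stack, seen = [], [group], set()
    while stack:
        current = stack.pop()
        if id(current) in seen:  # guards against circular nesting
            continue
        seen.add(id(current))
        for member in current.members:
            if not can_contain(current, member):
                problems.append(f"{current} cannot contain {member}")
            stack.append(member)
    return problems


def agdlp_check(acl_group: Principal, resource_domain: str) -> list:
    """Combine the assignment check and the nesting checks for one ACL entry."""
    problems = []
    if not can_assign(acl_group, resource_domain):
        problems.append(f"{acl_group} cannot be assigned permissions in {resource_domain}")
    return problems + nesting_violations(acl_group)


def demo():
    # Constructed two-domain forest: corp.example and sub.corp.example.
    alice = Principal("alice", "corp.example", USER)
    bob = Principal("bob", "sub.corp.example", USER)
    g_corp = Principal("Finance", "corp.example", GLOBAL, [alice])
    g_sub = Principal("Finance", "sub.corp.example", GLOBAL, [bob])
    u_all = Principal("AllFinance", "corp.example", UNIVERSAL, [g_corp, g_sub])
    dl_sub = Principal("Share-RW", "sub.corp.example", DOMAIN_LOCAL, [g_sub])

    # Recommended pattern: a domain local group in the resource's own domain
    # holding global groups, a universal group and users from both domains.
    dl_good = Principal("FinanceShare-RW", "corp.example", DOMAIN_LOCAL, [g_corp, g_sub, bob, u_all])
    good = agdlp_check(dl_good, "corp.example")

    # Two mistakes: a domain local group from the other domain nested inside,
    # and the domain local group placed on a resource in the other domain.
    dl_bad = Principal("FinanceShare-RO", "corp.example", DOMAIN_LOCAL, [dl_sub])
    bad = agdlp_check(dl_bad, "sub.corp.example")

    # A global group cannot hold a universal group or a user from another domain.
    g_bad = Principal("Payroll", "corp.example", GLOBAL, [u_all, bob])
    bad_global = nesting_violations(g_bad)
    return good, bad, bad_global


if __name__ == "__main__":
    for label, result in zip(("good", "bad", "bad_global"), demo()):
        print(label, result or "OK")
```

The good case returns no violations; the bad cases each return two, which is the point of the answer: as long as the ACL holds a domain local group from the resource's own domain, every user and global group from any domain can be nested underneath it, whereas putting global groups straight on the ACL or nesting across scopes trips one of the rules.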