Solved

In Active Directory, why would you not assign resource permissions to Global Groups as opposed to Local Groups?

Posted on 2014-03-23
Last Modified: 2014-04-08
Is there a specific reason why Global Groups should not be used to assign permissions to resources?

Also what performance implications are there for using Global groups everywhere as opposed to a combination of Domain Local and Global Groups?

What levels of nesting are permitted for the different security group types?
Question by:elchermans
1 Comment
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39949634
Domain local groups are local to the domain and can be assigned permissions only to resources in the local domain; you can't assign domain local groups permissions to resources in another domain.
However, they can contain other domain local groups from the same domain, as well as users, global groups and universal groups from the same domain and from other domains.
What you can't do is add domain local groups from another domain to domain local groups in your domain.
That is why it is recommended to give permissions on local resources to domain local groups and nest all required groups and users from the same domain or another domain inside them.

In contrast, global groups can contain only users from their own domain and global groups from their own domain; you cannot nest global groups from another domain.
Also, you can't nest domain local groups or universal groups from the same domain or another domain inside global groups.

However, you can assign global groups permissions to resources in another domain directly.
But then you can't manage the membership of those global groups simply; that is, if you also have users and groups from your domain, you need to add them separately.

That is why MS recommends that you initially assign permissions on resources to domain local groups in the same domain and nest users, global groups and universal groups from its own domain or another domain for easy management, which helps you streamline the security/permissions model for resources.

Lastly, universal groups can contain users, global groups and universal groups from their own domain and other domains. What you can't do is add domain local groups to universal groups.
Also, you rarely set up universal groups on resources, as universal groups are replicated with the Global Catalog, which increases GC replication traffic, especially when the number of universal groups is high.
Also, in order to work with universal groups you have to have the Windows 2000 native domain functional level within all domains.

Mahesh.
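
The model recommended in the answer above, sketched in PowerShell with the ActiveDirectory module. This is an added example, not part of Mahesh's answer; the domain names, NetBIOS name, OU path, group names and folder path are all hypothetical.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
# Hypothetical names throughout: corp.example / sales.example domains,
# NetBIOS name CORP, the OU path, the group names and the folder path.
Import-Module ActiveDirectory

$resourceDomain = 'corp.example'     # domain that hosts the file server
$accountDomain  = 'sales.example'    # another domain that holds some of the users
$groupOu        = 'OU=Groups,DC=corp,DC=example'
$folder         = 'D:\Shares\Finance'

# 1. Domain local group in the resource's own domain; only this group goes on the ACL.
$dl = New-ADGroup -Name 'DL_Finance_Modify' -GroupScope DomainLocal `
        -GroupCategory Security -Path $groupOu -Server $resourceDomain -PassThru

# 2. Nest global groups from the same domain and from the other domain inside it.
#    A member from another domain has to be fetched from that domain first.
$localGg  = Get-ADGroup -Identity 'GG_Finance_Staff'  -Server $resourceDomain
$remoteGg = Get-ADGroup -Identity 'GG_Sales_Analysts' -Server $accountDomain
Add-ADGroupMember -Identity $dl -Members $localGg, $remoteGg -Server $resourceDomain

# 3. Grant the permission once, to the domain local group.
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "CORP\$($dl.SamAccountName)", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Review: list explicit ACL entries that are not domain local groups
#    (direct grants to users, global groups or universal groups).
#    Well-known principals such as SYSTEM are listed too and can be ignored.
(Get-Acl -Path $folder).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $grp = Get-ADGroup -Filter "SID -eq '$sid'" -Server $resourceDomain
    if (-not $grp -or $grp.GroupScope -ne 'DomainLocal') {
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Scope    = if ($grp) { $grp.GroupScope } else { 'not a group in the resource domain' }
            Rights   = $_.FileSystemRights
        }
    }
}
```

After this, access to the folder is changed by editing the membership of the global groups or of `DL_Finance_Modify`, not by editing the ACL again.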