AD Groups, Domain Local, Global and Universal help? WTF

Afternoon peeps,

I have been Googling all morning today and still cannot get my head around the AD group types: Domain Local, Global and Universal.

I know some of you will refer me to the TechNet pages, but I have browsed TechNet and still can't get an understanding.

Is there a post, thread, article, diagram or webpage someone can point me to that will explain these groups in a simple way? Or if someone can provide me with simple examples for each group?

Responses will be appreciated.

Thanks

Comments

  • Tom239 (Posts: 33, Member)
    A Universal group is basically a group that can contain users, groups and computers but can also include multiple domains. So exampledomain.microsoft.co.uk and exampledomain2.microsoft.co.uk could both be in a universal group if they are under the same forest.

    A global group again contains groups, users and computers but is contained in one domain. So exampledomain.microsoft.co.uk and exampledomain2.microsoft.co.uk would both be in separate global groups. There are also trusting domains that someone else can tell you about, as I don't know.

    A domain local group is a combination of both, as well as other domain local groups.

    Again, I could be wrong; someone higher up feel free to correct me lol
  • Beany (Posts: 177, Member)
    cyberguypr wrote: »

    Smart, does seem easier than some of the stuff I've seen or read. Will need to go through it thoroughly. Thanks
  • pandiculator (Posts: 42, Member)
    This TechNet (yes, I know, sorry) article has one of the better explanations. I include it in case you've not come across that one.

    The following is summarised from the 70-640 MS Press Training Kit:

    The group's scope defines three characteristics:

    Replication: Where is the group defined and to what systems is it replicated?
    Membership: What can the group contain as members? Can the group include security principals from trusted domains?
    Availability: Where can the group be used? Can the group be added to other groups? Can the group be added to an Access Control List (ACL)?

    With those characteristics in mind you can get a better understanding of the different group scopes.

    Domain Local Groups
    Replication: Defined in the domain naming context. Replicated to all domain controllers in the domain.
    Membership: Can contain users, computers, global groups and domain local groups from the same domain. Can contain users, computers and global groups from any domain in the forest or any trusted domain. Can contain universal groups defined in any domain in the forest.
    Availability: Can be added to ACLs on any resource on any domain member. Can be a member of other domain local groups.

    Global Groups
    Replication: Defined in the domain naming context. Replicated to all domain controllers in the domain.
    Membership: Can contain users, computers and other global groups from the same domain.
    Availability: Available to all domain members, other domains in the forest and all trusting external domains. Can be a member of any domain local or universal group in the forest. Can be added to ACLs in the domain, forest or trusting domains.

    Universal Groups
    Replication: Defined in a single domain in the forest but replicated to the global catalog.
    Membership: Can contain users, computers, global groups and other universal groups from any domain in the forest.
    Availability: Can be a member of a universal group or domain local group anywhere in the forest. Can be added to ACLs anywhere in the forest.

    If this hasn't helped, or has confused things more, please let me know and I'll try and break it down with some examples.
  • Beany (Posts: 177, Member)
    pandiculator wrote: »

    Many thanks for this, helped a little. Can you please provide me with examples?

    Appreciate the response
  • pandiculator (Posts: 42, Member)
    The best practice for group nesting is AGDA: Account -> Global Group -> Domain Local Group -> Access Control List

    Accounts are added to global groups, global groups are added to domain local groups, domain local groups are added to access control lists.

    Let's start with a single domain: contoso.com

    Sally and Bob are managers in the sales team at Contoso. They need Modify access on the Sales Reports folder.
    Bruce and Tara work in the sales team at Contoso and they need read only access to the Sales Reports folder.

    We use global groups to define roles.
    Sally and Bob are managers so it would make sense to create a global group called Sales Managers.
    Bruce and Tara are not managers, so we'll put them in a global group called Sales Users.

    We use domain local groups to define rules.
    We have two levels of access that are required, so we create two domain local groups: Sales Reports - Read Only and Sales Reports - Modify.

    We add the Sales Managers global group to the Sales Reports - Modify domain local group.
    We add the Sales Users global group to the Sales Reports - Read Only domain local group.

    Finally, we edit the folder permissions (the access control list) on the Sales Reports folder and grant Sales Reports - Read Only read-only access and Sales Reports - Modify modify access.


    So, where do Universal groups fit into this?
    In the AGDA nesting, universal groups slot in between global groups and domain local groups (AGUDA).

    Let's say that there's a North American branch of Contoso that is a child domain in our forest. Now we have two domains, contoso.com and na.contoso.com

    Mary and Beth are sales managers for Contoso North America and they need Modify access on the Sales Reports folder on the file server in the contoso.com domain.

    We cannot add Mary and Beth to the Sales Managers group we created in contoso.com because global groups can only contain security principals from the same domain. However, we can create a global group called Sales Managers in the na.contoso.com domain.

    Now you can see that we have defined the sales managers role in both domains but Mary, Beth, Sally and Bob all do the same job, just on different sides of the planet.

    We can define their role across the whole forest by creating a universal group, we'll call it Contoso Sales Managers.

    To the universal group we add the Sales Managers global group from the contoso.com domain and we add the Sales Managers global group from the na.contoso.com domain.

    Finally, we add the Contoso Sales Managers universal group to the domain local group Sales Reports - Modify.
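The two posts above (the scope summary with its replication/membership/availability rules, and the Contoso walkthrough) can be checked by modelling them. The following is an added example, not code from the thread or from Microsoft: it encodes the membership rule for each scope as a small validator, builds the contoso.com / na.contoso.com scenario with the same group names, and resolves each user's effective access on the Sales Reports folder through the nesting. The `Principal`, `Forest` and `build_contoso` names and the sample users are constructed for the illustration; cross-forest (external) trusts are deliberately left out.

```python
from dataclasses import dataclass
from typing import Optional

# Group scopes covered in the thread.
DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "DomainLocal", "Global", "Universal"


@dataclass(frozen=True)
class Principal:
    """A user/computer (scope None) or a group (scope set). Constructed type, not an AD API."""
    name: str
    domain: str
    scope: Optional[str] = None


class Forest:
    """A single forest; every domain here trusts the others. External trusts are not modelled."""

    def __init__(self, domains):
        self.domains = set(domains)
        self.members = {}   # group -> set of direct members
        self.acls = {}      # resource -> {domain local group: access level}

    def group(self, name, domain, scope):
        g = Principal(name, domain, scope)
        self.members.setdefault(g, set())
        return g

    def can_contain(self, group, member):
        """Membership rules per scope, as summarised in the thread:
        Global       - users, computers, global groups from the SAME domain only.
        Universal    - users, computers, global and universal groups from ANY forest domain.
        Domain Local - users, computers, global and universal groups from any forest domain,
                       plus domain local groups from the same domain."""
        same_domain = group.domain == member.domain
        if group.scope == GLOBAL:
            return same_domain and member.scope in (None, GLOBAL)
        if group.scope == UNIVERSAL:
            return member.scope in (None, GLOBAL, UNIVERSAL)
        if group.scope == DOMAIN_LOCAL:
            if member.scope == DOMAIN_LOCAL:
                return same_domain
            return member.scope in (None, GLOBAL, UNIVERSAL)
        return False

    def add_member(self, group, member):
        if {group.domain, member.domain} - self.domains:
            raise ValueError("principal is outside this forest")
        if not self.can_contain(group, member):
            raise ValueError(f"{group.scope} group '{group.name}' in {group.domain} "
                             f"cannot contain '{member.name}' from {member.domain}")
        self.members[group].add(member)

    def grant(self, resource, group, access):
        # AGDLP: the ACL entry names a domain local group, never a user or global group.
        if group.scope != DOMAIN_LOCAL:
            raise ValueError("grant access to a domain local group, not " + str(group.scope))
        self.acls.setdefault(resource, {})[group] = access

    def groups_of(self, principal):
        """All groups a principal belongs to through nesting (what ends up in its token)."""
        found, todo = set(), [principal]
        while todo:
            p = todo.pop()
            for g, direct in self.members.items():
                if p in direct and g not in found:
                    found.add(g)
                    todo.append(g)
        return found

    def effective_access(self, resource, principal):
        acl = self.acls.get(resource, {})
        return {acl[g] for g in self.groups_of(principal) if g in acl}


def build_contoso():
    """The two-domain Contoso scenario from the thread, nested AGUDLP-style."""
    f = Forest(["contoso.com", "na.contoso.com"])
    people = {n: Principal(n, "contoso.com") for n in ("Sally", "Bob", "Bruce", "Tara")}
    people.update({n: Principal(n, "na.contoso.com") for n in ("Mary", "Beth")})

    sales_mgrs = f.group("Sales Managers", "contoso.com", GLOBAL)           # role, contoso.com
    sales_users = f.group("Sales Users", "contoso.com", GLOBAL)             # role, contoso.com
    na_sales_mgrs = f.group("Sales Managers", "na.contoso.com", GLOBAL)     # role, na.contoso.com
    all_mgrs = f.group("Contoso Sales Managers", "contoso.com", UNIVERSAL)  # forest-wide role
    reports_ro = f.group("Sales Reports - Read Only", "contoso.com", DOMAIN_LOCAL)  # rule
    reports_mod = f.group("Sales Reports - Modify", "contoso.com", DOMAIN_LOCAL)    # rule

    for n in ("Sally", "Bob"):
        f.add_member(sales_mgrs, people[n])
    for n in ("Bruce", "Tara"):
        f.add_member(sales_users, people[n])
    for n in ("Mary", "Beth"):
        f.add_member(na_sales_mgrs, people[n])
    f.add_member(all_mgrs, sales_mgrs)       # global groups from both domains ...
    f.add_member(all_mgrs, na_sales_mgrs)    # ... nest into the universal group
    f.add_member(reports_mod, all_mgrs)      # universal -> domain local
    f.add_member(reports_ro, sales_users)    # global -> domain local
    f.grant("Sales Reports", reports_mod, "Modify")
    f.grant("Sales Reports", reports_ro, "Read")
    return f, people, {"sales_mgrs": sales_mgrs, "na_sales_mgrs": na_sales_mgrs,
                       "reports_mod": reports_mod}


if __name__ == "__main__":
    forest, people, groups = build_contoso()
    for name, p in people.items():
        print(name, forest.effective_access("Sales Reports", p))
    # The step the thread says you cannot take: a contoso.com global group holding Mary.
    print("contoso.com Sales Managers can contain Mary?",
          forest.can_contain(groups["sales_mgrs"], people["Mary"]))
```

Running it prints Modify for Sally, Bob, Mary and Beth, Read for Bruce and Tara, and False for the attempt to put Mary into the contoso.com global group, which is exactly why the universal group is needed. In a real forest the same nesting is done with the ActiveDirectory module (`New-ADGroup -GroupScope Global|Universal|DomainLocal`, then `Add-ADGroupMember`), and the only name that should ever appear on the folder's ACL is the domain local group.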
  • Beany (Posts: 177, Member)
    pandiculator wrote: »

    Superb post. Definitely understand groups better.