Study Notes / Group Administration Question

mzgavc Member Posts: 75
In the study notes the preferred method to use the group scopes is...

1. Create a domain local group for the sales department, and assign it permissions to the printer.

This I understand, that's normal.

2. Create a global group and add all of the users to the global group.... then nest the global group in the domain local group.

This... I'm not too sure of..... but I'll try to understand.


Is the reason that we've assigned a domain local group for the printer so that we can add other groups to it afterwards, and just keeps the administrative level down?

Or is there another reason that I'm totally missing as to why we've created a group for the printer, and not just assigned the users in the sales department to the group with the proper permissions...

Comments

  • kujayhawk93 Member Posts: 355
    mzgavc wrote:
    Is the reason that we've assigned a domain local group for the printer so that we can add other groups to it afterwards, and just keeps the administrative level down?
    From what I understand, that sounds right. It also allows you to control other access permissions for those users by adding their global groups to other domain local groups, without having to individually assign permissions for each user.
  • sprkymrk Member Posts: 4,884
    Well, it might work just fine in a number of different ways (namely in a single forest/single domain environment), but for best practices that is the recommended way by Microsoft, and here is why:

    Domain Local Groups can contain members from Global Groups of the same or trusted domains, Universal Groups from the same or trusted forest, and other Domain Local Groups from the same domain. However, Global Groups can only contain other Global Groups from the same domain, so if you were to only create a Global Group for the sharing of the Printer resource you would not be able to include users outside of your domain. Thus in the example we might imagine that the Sales Department itself might span several domains within the Forest, so anyone from the Sales Department in another domain (maybe a Sales VP from the Corporate.bigcompany.com domain is at the dallas.corporate.bigcompany.com domain) would not be able to use Printer1 if we did not use a Domain Local Group for resource sharing.

    To further explain, MS recommends the following:

    Assign Users with common job responsibilities to global groups.
    Here we can say that every domain would create their own Global Group "Sales" and add their sales users to it.

    Create a Domain Local Group for sharing resources.
    As per the example, we create the "SalesPrinters" DL Group and assign the permissions to allow "Print" or whatever.

    Add Global Groups that require access to the resource to the DL group.
    Here is the meat of your question - we can add global groups from any domain that is trusted, including (as in my example) the Corporate.bigcompany.com domain, even though we might be in the dallas.corporate.bigcompany.com domain, or the chicago.Corporate.bigcompany.com, or even the training.dallas.corporate.bigcompany.com domain, etc. We couldn't do that if we had only used a global group for sharing that printer.

    Sorry for the long explanation, but I hope it was helpful! :)
    All things are possible, only believe.
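
The nesting rules described in the reply above, as an added example that is not part of the original thread: a small Python model showing that the SalesPrinters domain local group accepts Sales global groups from both domains, while a global group rejects an out-of-domain member. It assumes all domains sit in one forest and trust each other, leaves out universal groups, and uses hypothetical account names.

```python
# Added illustration: a toy model of the group-scope nesting rules from the post.
# Assumption: every domain is in one forest and trusts the others.
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"            # "user", "global" or "domain_local"
    members: list = field(default_factory=list)

def can_contain(group, member):
    """Nesting rules as described in the post (universal groups left out)."""
    same_domain = group.domain == member.domain
    if group.scope == "global":
        # Global groups: accounts and global groups from their own domain only.
        return same_domain and member.scope in ("user", "global")
    if group.scope == "domain_local":
        # Domain local groups: accounts and global groups from any trusted
        # domain, other domain local groups only from the same domain.
        return member.scope in ("user", "global") or same_domain
    return False

def add_member(group, member):
    if not can_contain(group, member):
        raise ValueError(f"{group.scope} group {group.domain}\\{group.name} "
                         f"cannot contain {member.domain}\\{member.name}")
    group.members.append(member)

def effective_users(group):
    """Flatten nested membership into the set of user accounts."""
    users = set()
    for m in group.members:
        users |= {f"{m.domain}\\{m.name}"} if m.scope == "user" else effective_users(m)
    return users

def build_agdlp():
    """Constructed sample: one Sales global group per domain, one DL group for the printer."""
    corp, dallas = "corporate.bigcompany.com", "dallas.corporate.bigcompany.com"
    vp = Principal("sales_vp", corp)            # hypothetical account names
    rep = Principal("sales_rep", dallas)
    corp_sales = Principal("Sales", corp, "global")
    dallas_sales = Principal("Sales", dallas, "global")
    add_member(corp_sales, vp)
    add_member(dallas_sales, rep)
    printers = Principal("SalesPrinters", dallas, "domain_local")
    add_member(printers, corp_sales)            # cross-domain nesting is allowed
    add_member(printers, dallas_sales)
    return printers, dallas_sales, vp
```

Calling `add_member(dallas_sales, vp)` on the returned objects raises `ValueError`, which is the case where sharing the printer through a global group alone would leave the Sales VP out.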
  • mzgavc Member Posts: 75
    It does answer the question, thank you for your responses.

    Technically the gist of my question stemmed from the lack of knowledge which involved the 3 scopes.

    Thanks a bunch for elaborating :)


    PS. It even says right in the MSPRESS book that it's the preferred method ;)