Domain Local Vs Global Groups

ITBarbarian Member Posts: 13
I know that Microsoft recommends AGDLP for User/Group assignment, but what is the real world advantage to Domain Local?

Why not create just Global Groups and assign them to resources?

Comments

  • royal Member Posts: 3,352
    It's for organizational purposes and to reduce your Total Cost of Ownership. Let's say your organization is structured as follows:

    Sales
    Marketing
    Executives

    Let's say you wanted to assign Sales users to Sales printers, Marketing users to Marketing printers, and Executives to Executive printers.

    Now let's say you have 10 printers for Sales people, 10 printers for Marketing people, and 10 printers for Executives.

    Now according to your inquiry, we would have to add the Executives Global Group to every single Sales printer, the Marketing Global Group to every single Marketing printer, and the Executives Global Group to every single Executives printer.

    Let's say a person from the Executive team gets demoted to the sales team. Now here comes the tediousness. You have to go to every single Executives printer and remove them. Now you have to go to every single sales printer and add them. This requires you to make 20 modifications. Very inefficient in terms of Total Cost of Ownership (TCO).

    Now let's say we use the AGDLP method.

    Instead, we take all 10 sales printers and add them to a Sales domain local group, 10 marketing printers and add them to a marketing domain local group, and all 10 executive printers and add them to an executives domain local group. You then only have to add the sales global group to the domain local sales printer group (1 modification) and all your sales members in that sales global group have instant access to all those printers.

    So let's say now someone gets demoted from the executive to the sales team. Since we're using the AGDLP method, instead of having to make 20 modifications, you just remove them from the executive global group and place that user in the sales global group (2 modifications instead of 20). Now that former executive who is now a sales team member automatically has access to every single sales printer.

    So by using the AGDLP method, you just reduced your TCO dramatically. You now can make 2 modifications whereas previously, you would have to make 20 modifications.

    This help?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    ITBarbarian wrote:
    I know that Microsoft recommends AGDLP for User/Group assignment, but what is the real world advantage to Domain Local?

    Why not create just Global Groups and assign them to resources?

    If your forest consists of only a single domain, there really wouldn't be any reason not to just use global groups. Domain Local groups allow you to nest global groups and accounts from other domains as well as universal groups. A global group can only contain members and global groups from the same domain. That's the biggest difference.

    royal wrote:
    Let's say a person from the Executive team gets demoted to the sales team. Now here comes the tediousness. You have to go to every single Executives printer and remove them. Now you have to go to every single sales printer and add them. This requires you to make 20 modifications. Very inefficient in terms of Total Cost of Ownership (TCO).
    Actually you would just remove that user's account from the Executives Global Group and add it to the Sales Global Group and you're done.
    royal wrote:
    Now let's say we use the AGDLP method.

    Instead, we take all 10 sales printers and add them to a Sales domain local group, 10 marketing printers and add them to a marketing domain local group, and all 10 executive printers and add them to an executives domain local group.
    I'm not sure what you mean here, royal. You can't add Printers to groups. An OU yes, but not a security group.
    All things are possible, only believe.
  • royal Member Posts: 3,352
    Sorry, I didn't mean adding a printer to a domain local group. I meant adding a domain local group to the ACL of a specific printer. And to just put it short, you'll use domain local groups for permission management, and you'll use global groups for user management. If you want a specific global group to have permissions to an object, you can just nest them into that domain local group and now that global group has access to those objects. If you use a domain local group, you can add groups from other domains, whereas if you assigned permissions to a global group, you can't nest global groups from other domains into the global group for permission access. If you used domain local groups for permissions, you can nest global groups from other domains into that domain local group for permission access.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    royal wrote:
    Sorry, I didn't mean adding a printer to a domain local group. I meant adding a domain local group to the ACL of a specific printer.
    That's what I thought. Just because I knew you knew...
    royal wrote:
    And to just put it short, you'll use domain local groups for permission management, and you'll use global groups for user management. If you want a specific global group to have permissions to an object, you can just nest them into that domain local group and now that global group has access to those objects. If you use a domain local group, you can add groups from other domains, whereas if you assigned permissions to a global group, you can't nest global groups from other domains into the global group for permission access. If you used domain local groups for permissions, you can nest global groups from other domains into that domain local group for permission access.
    Which goes right back to my comment: if you only have a single domain in your forest there really isn't much advantage to using DL groups. However, FOR THE EXAM, Microsoft recommends the AGDLP method, and correct answers will reflect that.
    All things are possible, only believe.
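Royal's AGDLP walk-through (global groups for people, a domain local group on the printer ACLs, two group changes for a demotion) and sprkymrk's point about group scope, as an added PowerShell example that is not from this thread. It assumes the ActiveDirectory and PrintManagement modules, an OU of OU=Groups,DC=corp,DC=example, printers named Sales-*, a user jdoe, and a trusted domain partner.example; all of these are placeholders.

```powershell
Import-Module ActiveDirectory
Import-Module PrintManagement

$ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the new groups

# A -> G: accounts go into global groups that describe who people are
foreach ($team in 'Sales', 'Marketing', 'Executives') {
    New-ADGroup -Name "G-$team" -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity 'G-Executives' -Members 'jdoe'   # jdoe is an assumed user

# DL: one domain local group per resource set, named after the permission it grants
New-ADGroup -Name 'DL-SalesPrinters-Print' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the global group once; every current and future Sales member gets the access
Add-ADGroupMember -Identity 'DL-SalesPrinters-Print' -Members 'G-Sales'

# DL -> P: put the domain local group on each printer ACL exactly once.
# Get-Printer -Full exposes the security descriptor as SDDL; "SWRC" is the Print right,
# and the new ACE is inserted at the start of the DACL, after any DACL flags.
$sid = (Get-ADGroup -Identity 'DL-SalesPrinters-Print').SID.Value
foreach ($printer in Get-Printer -Name 'Sales-*' -Full) {
    $sddl = $printer.PermissionSDDL -replace 'D:((?:P|AI|AR)*)', "D:`$1(A;;SWRC;;;$sid)"
    Set-Printer -Name $printer.Name -PermissionSDDL $sddl
}

# Demotion from Executives to Sales: two group changes, no printer ACL is touched
Remove-ADGroupMember -Identity 'G-Executives' -Members 'jdoe' -Confirm:$false
Add-ADGroupMember    -Identity 'G-Sales'      -Members 'jdoe'

# Check: the effective principals behind the single printer ACE now include jdoe
Get-ADGroupMember -Identity 'DL-SalesPrinters-Print' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# sprkymrk's scope rule: a global group only accepts members from its own domain, so a
# group from the assumed trusted domain partner.example can be nested in the DL group,
# while the same Add-ADGroupMember call against G-Sales is rejected.
$partner = Get-ADGroup -Identity 'G-Contractors' -Server 'partner.example'
Add-ADGroupMember -Identity 'DL-SalesPrinters-Print' -Members $partner
```

Review the -Recursive membership listing after each change; it is the quickest way to see who actually holds the printer permission once nesting is involved.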