Domain Local Vs Global Groups
ITBarbarian (Member, 13 posts)
I know that microsoft recommends AGDLP for User/Group assignment, but what is the real world advantage to Domain Local?
Why not create just Global Groups and assign them to resources?
Comments
royal (Member, 3,352 posts)
It's for organizational purposes and to reduce your Total Cost of Ownership. Let's say your organization is structured as follows:
Sales
Marketing
Executives
Let's say you wanted to assign Sales users to Sales printers, Marketing users to Marketing printers, and Executives to Executive printers.
Now let's say you have 10 printers for Sales people, 10 printers for Marketing people, and 10 printers for Executives.
Now according to your inquiry, we would have to add the Executives Global Group to every single Sales printer, the Marketing Global Group to every single Marketing printer, and the Executives Global Group to every single Executives printer.
Let's say a person from the Executive team gets demoted to the sales team. Now here comes the tediousness. You have to go to every single Executives printer and remove them. Now you have to go to every single sales printer and add them. This requires you to make 20 modifications. Very inefficient in terms of Total Cost of Ownership (TCO).
Now let's say we use the AGDLP method.
Instead, we take all 10 sales printers and add them to a Sales domain local group, 10 marketing printers and add them to a marketing domain local group, and all 10 executive printers and add them to an executives domain local group. You then only have to add the sales global group to the domain local sales printer group (1 modification) and all your sales members in that sales global group have instant access to all those printers.
So let's say now someone gets demoted from the executive to the sales team. Since we're using the AGDLP method, instead of having to make 20 modifications, you just remove them from the executive global group and place that user in the sales global group (2 modifications instead of 20). Now that former executive who is now a sales team member automatically has access to every single sales printer.
So by using the AGDLP method, you just reduced your TCO dramatically. You now can make 2 modifications whereas previously, you would have to make 20 modifications.
This help?
“For success, attitude is equally as important as ability.” - Harry F. Banks
sprkymrk (Member, 4,884 posts)
ITBarbarian wrote: I know that microsoft recommends AGDLP for User/Group assignment, but what is the real world advantage to Domain Local? Why not create just Global Groups and assign them to resources?
If your forest consists of only a single domain, there really wouldn't be any reason not to just use global groups. Domain Local groups allow you to nest global groups and accounts from other domains as well as universal groups. A global group can only contain members and global groups from the same domain. That's the biggest difference.
royal wrote: Let's say a person from the Executive team gets demoted to the sales team. Now here comes the tediousness. You have to go to every single Executives printer and remove them. Now you have to go to every single sales printer and add them. This requires you to make 20 modifications. Very inefficient in terms of Total Cost of Ownership (TCO).
royal wrote: Now let's say we use the AGDLP method. Instead, we take all 10 sales printers and add them to a Sales domain local group, 10 marketing printers and add them to a marketing domain local group, and all 10 executive printers and add them to an executives domain local group.
All things are possible, only believe.
royal (Member, 3,352 posts)
Sorry, I didn't mean adding a printer to a domain local group. I meant adding a domain local group to the ACL of a specific printer. And to just put it short, you'll use domain local groups for permission management, and you'll use global groups for user management. If you want a specific global group to have permissions to an object, you can just nest them into that domain local group and now that global group has access to those objects. If you use a domain local group, you can add groups from other domains, whereas if you assigned permissions to a global group, you can't nest global groups from other domains into the global group for permission access. If you used domain local groups for permissions, you can nest global groups from other domains into that domain local group for permission access.
“For success, attitude is equally as important as ability.” - Harry F. Banks
sprkymrk (Member, 4,884 posts)
royal wrote: Sorry, I didn't mean adding a printer to a domain local group. I meant adding a domain local group to the ACL of a specific printer.
royal wrote: And to just put it short, you'll use domain local groups for permission management, and you'll use global groups for user management. If you want a specific global group to have permissions to an object, you can just nest them into that domain local group and now that global group has access to those objects. If you use a domain local group, you can add groups from other domains, whereas if you assigned permissions to a global group, you can't nest global groups from other domains into the global group for permission access. If you used domain local groups for permissions, you can nest global groups from other domains into that domain local group for permission access.
All things are possible, only believe.
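The AGDLP layout royal describes (accounts in global groups, global groups nested in a domain local group, the domain local group alone on the resource ACL) and the "demotion" scenario, as an added PowerShell example that is not from any poster in this thread. It uses a shared folder in place of the printers, and the domain name, OU path, group names, share path and account are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and rights
# to create groups and change the ACL. All names below are placeholders.
Import-Module ActiveDirectory

$ou       = 'OU=Groups,DC=corp,DC=example'   # placeholder OU for the groups
$resource = 'D:\Shares\SalesPrinters'         # placeholder resource, stands in for the 10 printers

# A -> G: accounts belong in global groups (user management)
New-ADGroup -Name 'G-Sales'      -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'G-Executives' -GroupScope Global -GroupCategory Security -Path $ou

# DL: one domain local group per resource set (permission management)
New-ADGroup -Name 'DL-SalesPrinters-Use' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# P: the permission is granted once per resource, to the domain local group only
$acl  = Get-Acl -Path $resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CORP\DL-SalesPrinters-Use', 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# G -> DL nesting: a single change gives every member of G-Sales access to every resource
Add-ADGroupMember -Identity 'DL-SalesPrinters-Use' -Members 'G-Sales'

# sprkymrk's cross-domain point: a global group from another domain can be nested into the
# domain local group by passing the group object fetched from that domain (placeholder domain)
# Add-ADGroupMember -Identity 'DL-SalesPrinters-Use' `
#     -Members (Get-ADGroup -Identity 'G-PartnerSales' -Server 'partner.example')

# The demotion from the thread: two membership changes, no ACL is touched
$user = 'jdoe'   # placeholder account
Remove-ADGroupMember -Identity 'G-Executives' -Members $user -Confirm:$false
Add-ADGroupMember    -Identity 'G-Sales'      -Members $user

# Check that the pattern is being kept: warn if a global group or user sits on the ACL directly
(Get-Acl -Path $resource).Access |
    Where-Object { $_.IdentityReference -notlike 'CORP\DL-*' -and
                   $_.IdentityReference -notlike 'BUILTIN\*' -and
                   $_.IdentityReference -notlike 'NT AUTHORITY\*' } |
    ForEach-Object { Write-Warning "Non-domain-local principal on ACL: $($_.IdentityReference)" }
```

The final check is the practical test of the thread's advice: when only DL-* groups appear on resource ACLs, every join, move and departure is a group-membership change and never an ACL edit.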