I dunno why but I just can't get my head around security groups. I work in a single AD domain environment (only 1 site) with a small number of users so I've never had to worry about security groups too much in the past.
Anyhow, I managed to get through the 70-290 & 70-291 exams but was uncomfortable when a security group question popped up; thankfully there weren't many of them in my previous exams. I'm now studying for 70-294 and starting to feel a little worried as security groups are covered more in this exam. I've been through the CBT & TestOut videos twice and read a couple of internet articles on security groups but I'm still a little unsure when/why to use them.
Below is my current understanding of security groups... it's most likely to be wrong so please correct me.
domain local groups
Basically I would create a DLGroup in a domain to grant permissions to a resource in the same domain. I could then add accounts or groups from any trusted domain to the DLGroup?
global groups
I would use global groups to consolidate users or computers into a single group (i.e. I could add all the sales user accounts to a global group named SalesUsers. I could then add the SalesUsers global group to something like a DLGroup which grants permissions to a Sales file share).
universal groups
I'm not sure why I would want to create a universal group? From what I've read/watched so far they seem to be a big 'No No' as they cause replication traffic and are difficult to manage. Any suggestions/examples of when/why to use a universal group would be appreciated.

Also, if anyone can point me to a site which gives a clear explanation, that would be great... is it just me or are the Microsoft explanations poor!
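
The nesting described in the post (accounts into the SalesUsers global group, that global group into a domain local group, permissions granted only to the domain local group), as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module is available; the OU, folder path, domain local group name and user names are hypothetical.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) and an admin session
# on a domain-joined machine. All values below except 'SalesUsers' are hypothetical.
Import-Module ActiveDirectory

$ou         = 'OU=Groups,DC=example,DC=test'   # hypothetical OU
$sharePath  = 'D:\Shares\Sales'                # hypothetical folder behind the Sales share
$dlGroup    = 'DL_SalesShare_Modify'           # hypothetical name: resource + access level
$salesUsers = 'asmith', 'bjones'               # constructed sample accounts

# 1. Global group: collects the sales accounts from this domain.
New-ADGroup -Name 'SalesUsers' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'SalesUsers' -Members $salesUsers

# 2. Domain local group: exists only to carry one permission on one resource.
New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 3. Nest the global group inside the domain local group.
Add-ADGroupMember -Identity $dlGroup -Members 'SalesUsers'

# 4. Grant the permission to the domain local group, never to users directly.
$domain = (Get-ADDomain).NetBIOSName
$acl    = Get-Acl -Path $sharePath
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
              "$domain\$dlGroup",                 # identity
              'Modify',                           # rights
              'ContainerInherit,ObjectInherit',   # apply to subfolders and files
              'None',                             # propagation flags
              'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 5. Review: who ends up with access, and through which group.
Get-ADGroupMember -Identity $dlGroup -Recursive | Select-Object Name, objectClass
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -like "*$dlGroup" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Auditing access to the folder then means reading the membership of one domain local group, and removing a user's access means removing the account from SalesUsers without touching the ACL.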