Security Groups - Still a little confusing!
preecy
Member Posts: 66 ■■□□□□□□□□
i dunno why but i just cant get my head around security groups. i work in a single AD domain enviroment (only 1 site) with a small number of users so ive never had to worry about security groups too much in the past.
any how, i managed to get through the 70-290 & 70-291 exams but was uncomfortable when a security group question popped up, thankfully there wasnt many of them in my previous exams. im now studying for 70-294 and starting to feel a little worried as security groups are cover more in this exam. i've been through the cbt & testout videos twice and read a couple of internet article on security groups but im still a little unsure when/why to use them.
below is my current understaing of security groups... there most likely to be wrong so please correct me.
domain local groups
basically i would create a DLGroup in a domain to grant permissions to a resource in the same domain. i could then add accounts or groups from any trusted domain to the DLGroup?
global groups
i would use global groups to consulidate users or computers into a single group (ie: i could add all the sales user accounts to a global group named SalesUsers. i could then add the SalesUsers global group to something like a DLGroup which grants permissions to a Sales file share.
universal groups
im note sure why i would want to create a universal group? from what ive read/watched so far they seem to be a big 'No No' as they cause replication traffic and are difficult to manage. any suggestions/examples when/why to use a universal group would appreciated
also, if anyone can point me to a site which gives a clear explanation would be great... is it just me or are the microsoft explanations poor!
any how, i managed to get through the 70-290 & 70-291 exams but was uncomfortable when a security group question popped up, thankfully there wasnt many of them in my previous exams. im now studying for 70-294 and starting to feel a little worried as security groups are cover more in this exam. i've been through the cbt & testout videos twice and read a couple of internet article on security groups but im still a little unsure when/why to use them.
below is my current understaing of security groups... there most likely to be wrong so please correct me.
domain local groups
basically i would create a DLGroup in a domain to grant permissions to a resource in the same domain. i could then add accounts or groups from any trusted domain to the DLGroup?
global groups
i would use global groups to consulidate users or computers into a single group (ie: i could add all the sales user accounts to a global group named SalesUsers. i could then add the SalesUsers global group to something like a DLGroup which grants permissions to a Sales file share.
universal groups
im note sure why i would want to create a universal group? from what ive read/watched so far they seem to be a big 'No No' as they cause replication traffic and are difficult to manage. any suggestions/examples when/why to use a universal group would appreciated
also, if anyone can point me to a site which gives a clear explanation would be great... is it just me or are the microsoft explanations poor!
next up SharePoint... what's that all about!
Comments
-
Mishra Member Posts: 2,468 ■■■■□□□□□□When creating distribution groups in AD you need to make them universal so everyone in the domain may use them.
If you have multiple domains and have a group that needs to give users from all domains access to file permissions across domains (like you have multiple file servers but you need a group that is for QA because QA has to use all the file servers) then create universal groups.
Really segregated groups only applies when you have big domains from about 20,000+. -
preecy Member Posts: 66 ■■□□□□□□□□thanks for your responce MishraMishra wrote:When creating distribution groups in AD you need to make them universal so everyone in the domain may use them.
do you mean everyone in the forest would see a universal distribution group? otherwise im still confused?Mishra wrote:If you have multiple domains and have a group that needs to give users from all domains access to file permissions across domains then create universal groups.
couldnt i create a DLGroup with the relavent permissions in the domain where the share or resource resides. then simply add global groups from each of the domains to the DLGroup? or am i missing something?
thanks for your feed backnext up SharePoint... what's that all about! -
Mishra Member Posts: 2,468 ■■■■□□□□□□preecy wrote:thanks for your responce MishraMishra wrote:When creating distribution groups in AD you need to make them universal so everyone in the domain may use them.
do you mean everyone in the forest would see a universal distribution group? otherwise im still confused?Mishra wrote:If you have multiple domains and have a group that needs to give users from all domains access to file permissions across domains then create universal groups.
couldnt i create a DLGroup with the relavent permissions in the domain where the share or resource resides. then simply add global groups from each of the domains to the DLGroup? or am i missing something?
thanks for your feed back
This is the correct method to apply permissions most of the time. The reason for universal groups is if you want to add multiple global groups to a universal group then apply that universal group to a domain local to execute file permissions. Thus the reason for only using universal groups when you have multiple domains.