Group Scopes

Dracula28

This my only real weakness, whenever I start to look at resources that explain the difference between group scopes, I get a headache. I just can't get the difference between them. This is what I get:

Domain Local - Can contain users and groups from any domain, but can only be assigned permissions on the domain they were created.

Global - Can contain only users and groups from the domain they were created in, but can be members of Domain Local groups, to get access to resources in other domains.

Universal - Only avaialable as security groups, if the domain is not running in Win 2000 mixed (are they available in Win 2k3 interim?). Can contain users and groups from any domain, and can be assigned permissions in any domain.

Am I getting this right, or am I way out there? I might fail, just because I cant get the difference between group scopes.

dynamik

Remembering the differences between all the DFLs and FFLs has been the greatest thorn in my side throughout my studies.

This should help you out. It helps to have everything in a neat little table like that. It can be hard to keep track of everything while just reading about it in paragraph form.

snadam

Dracula28 wrote:

This my only real weakness, whenever I start to look at resources that explain the difference between group scopes, I get a headache. I just can't get the difference between them. This is what I get:

Domain Local - Can contain users and groups from any domain, but can only be assigned permissions on the domain they were created.

Global - Can contain only users and groups from the domain they were created in, but can be members of Domain Local groups, to get access to resources in other domains.

Universal - Only avaialable as security groups, if the domain is not running in Win 2000 mixed (are they available in Win 2k3 interim?). Can contain users and groups from any domain, and can be assigned permissions in any domain.

Am I getting this right, or am I way out there? I might fail, just because I cant get the difference between group scopes.

hey,

It was really confusing for me at first too. have a look at the technotes available on this very site. They helped me out. I also found that repetition helps with this portion of studying. Once you can quote what each group scope is and which way you can nest them, you should be good.

Managing groups technotes

Vogon Poet

Wow, that's a lot of verbiage to remember.

A-G-U-L-P

(Accounts -> Global -> Universal -> Domain Local <- Permissions)

(Accounts = user accounts)
(I know, Domain Local should be DL, but then it would be AGUDLP)

If this is confusing, reread the info on nesting. That's what they want you to know.

Dracula28

Thanks for the replies guys. I'll have a loook at those links. I guess if I do as snadam suggests, I might be able to keep track of what differentiates the various group scopes.

Vogon Poet, with A-G-U-L-P, are you suggesting that the permissions are always only assigned to the Domain Local scope groups?

Btw, Can Universal security groups, be created in WinServer2k3 Interim functional level? I seem to have read somewhere that suggested that. But according to the training kit, they can only be created in native and WinServer 2003 functional level, not mixed and interim (which includes NT4 DCs).

famosbrown

Dracula28 wrote:

Thanks for the replies guys. I'll have a loook at those links. I guess if I do as snadam suggests, I might be able to keep track of what differentiates the various group scopes.

Vogon Poet, with A-G-U-L-P, are you suggesting that the permissions are always only assigned to the Domain Local scope groups?

Btw, Can Universal security groups, be created in WinServer2k3 Interim functional level? I seem to have read somewhere that suggested that. But according to the training kit, they can only be created in native and WinServer 2003 functional level, not mixed and interim (which includes NT4 DCs).

Universal Groups can be created in 2000 native, 2003, and 2003 Interim. In 2000 mixed, you can only create Universal Distro Groups.


EDIT: This is documented in the link Dynamik posted as well.

Vogon Poet

Dracula28 wrote:

Vogon Poet, with A-G-U-L-P, are you suggesting that the permissions are always only assigned to the Domain Local scope groups?

Yes. MS recommends that you assign permissions to Domain Local groups, put user accounts in Global groups, and then nest the Global groups in the Domain Local groups.
(If you had a complicated organization, you could put Global groups in Universals, and then apply Universals to Domain Locals) It's more of a pain to set up, but if your organization is large and might go through any drastic changes, it makes things more modular and easier to change.
Do you have to do it this way? No.
Do most people do it this way? No, not that I can tell.

Mostly the test wants to know if you know where to set the scope in ADUC, and that you know that you can only change Global to DL (& vice versa) if you first convert it to Universal.

royal

I might be preaching to the choir, but make sure you guys learn this properly. I've seen too many environments become so disorganized cause of improper user/group/permission designs. And the best material I found for learning group scopes was the Windows Help File itself.

dynamik

royal wrote:

I might be preaching to the choir, but make sure you guys learn this properly. I've seen too many environments become so disorganized cause of proper user/group/permission designs. And the best material I found for learning group scopes was the Windows Help File itself.

Even if you are, I hear repetition is important. I wouldn't worry too much about it

Dracula28

Thanks for the input guys, really appreciate it.

Dracula28

famosbrown wrote:

Dracula28 wrote:

Btw, Can Universal security groups, be created in WinServer2k3 Interim functional level? I seem to have read somewhere that suggested that. But according to the training kit, they can only be created in native and WinServer 2003 functional level, not mixed and interim (which includes NT4 DCs).

Universal Groups can be created in 2000 native, 2003, and 2003 Interim. In 2000 mixed, you can only create Universal Distro Groups.


EDIT: This is documented in the link Dynamik posted as well.

I keep on reading this, and it seems like there are only really restrictions if the domain functional level is win 2000 mixed, which is kind of weird, as interim also includes a NT 4 domain controller.

Can anyone elaborate on why its like that?

Btw, are universal groups the only scope that can contain computer accounts? According to the excellent technotes on this site, computer accounts are only mentioned in the paragraph about Universal groups.

Dracula28

Sorry to bump this thread, but I've booked the exam for Thursday, and am really curious about the above questions.

Mishra

Dracula28 wrote:

famosbrown wrote:

Dracula28 wrote:

Btw, Can Universal security groups, be created in WinServer2k3 Interim functional level? I seem to have read somewhere that suggested that. But according to the training kit, they can only be created in native and WinServer 2003 functional level, not mixed and interim (which includes NT4 DCs).

Universal Groups can be created in 2000 native, 2003, and 2003 Interim. In 2000 mixed, you can only create Universal Distro Groups.


EDIT: This is documented in the link Dynamik posted as well.

I keep on reading this, and it seems like there are only really restrictions if the domain functional level is win 2000 mixed, which is kind of weird, as interim also includes a NT 4 domain controller.

Can anyone elaborate on why its like that?

Btw, are universal groups the only scope that can contain computer accounts? According to the excellent technotes on this site, computer accounts are only mentioned in the paragraph about Universal groups.

2000 mixed is the only level that cannot contain universal security groups.

I can't completely elaborate on WHY it is like that.. But this paragraph might help a bit.

"Windows 2000 Sever native mode eliminates the restrictions imposed by Windows NT compatibility. Unlike mixed mode, native mode supports universal groups, nested groups, conversion between security and distribution groups, and SID history (to allow migration of security principals from one domain to another). Moving to native mode disables NT domain controller emulation, however, removing the capability for replication with Windows NT domain controllers. In addition, Windows clients earlier than Windows 2000 must use the add-on Active Directory client software to enable interaction with the Active Directory.
"
Computer objects can be added to any groups just the same as user objects.

Pash

royal wrote:

I might be preaching to the choir, but make sure you guys learn this properly. I've seen too many environments become so disorganized cause of improper user/group/permission designs. And the best material I found for learning group scopes was the Windows Help File itself.

Quoted for the truth!

Best implementation ive seen is very well done, GG names have a good naming convention so you dont lose track of purpose of that group. Helps so much.