Group Policy Q
mr2nut (Member, Posts: 269):
If you only have one domain (with or without multiple sites), and membership doesn't change frequently, do you simply put users in a domain local group for permissions, or would you still put users in global groups and nest them in the domain local group? I'm looking for the MS response and not the real-world way, 2 compleeeeetely different things most of the time.
Comments
-
UncleCid (Member, Posts: 66):
Don't quote me, but I'm pretty sure that you want to use Domain Local Groups only for nesting.
-
astorrs (Member, Posts: 3,139):
mr2nut wrote:
> If you only have one domain (with or without multiple sites), and membership doesn't change frequently, do you simply put users in a domain local group for permissions, or would you still put users in global groups and nest them in the domain local group? I'm looking for the MS response and not the real-world way, 2 compleeeeetely different things most of the time.

The real world would just use Global or Universal groups (if all DCs are GCs) for everything.
-
mr2nut (Member, Posts: 269):
Fair does. So you can never put users straight into domain local groups; always put them in globals or universals and then nest these in domain local groups.
-
Mishra (Member, Posts: 2,468):
mr2nut wrote:
> Fair does. So you can never put users straight into domain local groups; always put them in globals or universals and then nest these in domain local groups.

You CAN put users into domain local groups, but they can only be in the domain that those groups belong to.
Basically, domain local groups can be used for permissions on all domains but only have users from the domain they reside in.
Global groups are flipped. They can be used for permissions only on the domain they reside in but can have users from all domains.
You said "can never", so I'm just making sure you know that you can, but it isn't the recommended way.
-
mr2nut (Member, Posts: 269):
Mishra wrote:
> mr2nut wrote:
> > Fair does. So you can never put users straight into domain local groups; always put them in globals or universals and then nest these in domain local groups.
>
> You CAN put users into domain local groups, but they can only be in the domain that those groups belong to.
> Basically, domain local groups can be used for permissions on all domains but only have users from the domain they reside in.
> Global groups are flipped. They can be used for permissions only on the domain they reside in but can have users from all domains.
> You said "can never", so I'm just making sure you know that you can, but it isn't the recommended way.

You sure you got that the right way around?
domain local = users from any domain, but permissions only for the domain it is created in
global group = users only from the domain it is created in, but permissions to any domain in the forest.
-
mr2nut (Member, Posts: 269):
I MAY be doing this wrong. I have just figured out that I can add global groups to universal groups, and then if I go to the 'member of' tab on the universal group, I can make the universal group a member of the domain local group in the other domain.
I'll try to put what I can do a bit more simply...
a) put users in global groups
b) make global groups members of the universal group
c) make the universal group a member of the domain local group
Are these the steps required to put users into universal groups, or should I only have to right-click the universal group, properties, then click the 'members' tab (NOT 'member of') and select users from any domain within the trust?
-
aordal (Member, Posts: 372):
Here's the deal. You can add members to any of those groups, and you can assign permissions to any of those groups. However, there are reasons you don't. For a single domain environment you would never use Universal groups, period. The reason you want to assign permissions to Domain Local groups and then add Global groups to Domain Local groups is for auditing purposes. You can also add Universal groups from any domain into a Domain Local group, but for a single domain you aren't really worried about this... except for unexpected future growth.
Also, the reason you don't add members to Universal groups is because it eats up more space on your GC. Every time a member is added/removed it has to update the GC with all the members. Whereas if you just add Global groups to Universal groups, your GC is smaller and the GC is only updated when groups join/leave the Universal group, not when members are added/removed from the Global groups which are members of the Universal group.
There will be a time, not if - it will happen, when somebody asks you, "Who all has access to these folders on this server?" And if you are assigning permissions directly to users or to global groups, then you have to go through every folder and find out who's assigned. However, if you are assigning Read/Write etc. to a Domain Local group and then adding members/groups to the Domain Local group, you can easily print out a list. It's better to make a Security Group for 1 user than it is to directly assign permissions to someone on the resource.
Wow, I typed a lot. Anyway, I hope that helps.
-
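The A-G-DL-P layout aordal describes, written out as an added example (not code from this thread) for a single-domain forest using the RSAT ActiveDirectory module; the group names, OU path, folder path, CORP domain and the two account names are placeholders, and the final command answers the "who has access to this folder?" audit question by walking the group tree rather than the folder ACLs.

```powershell
# Added example, not from the thread: the A-G-DL-P pattern aordal describes,
# using the RSAT ActiveDirectory module (assumed to be installed on the admin box).
# Group names, the OU, the folder, the CORP domain and the accounts are placeholders.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=corp,DC=example'   # placeholder OU for security groups
$folder = 'D:\Shares\Finance'               # placeholder resource

# A -> G: accounts go into a Global group named after the role, not the resource
New-ADGroup -Name 'Role-Finance-Analysts' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Finance-Analysts' -Members 'alice', 'bob'   # placeholder users

# DL: the Domain Local group is named after the resource and the access level it grants
New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the role group in the resource group (the "nest globals in domain locals" step)
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'Role-Finance-Analysts'

# DL -> P: the folder's ACE points only at the Domain Local group, never at a user or a role group
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'CORP\ACL-Finance-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# The audit question "who has access to this folder?" is now a walk of one group tree
# (-Recursive expands nested groups down to the user objects) instead of a crawl over
# every folder's ACL.
Get-ADGroupMember -Identity 'ACL-Finance-Modify' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object SamAccountName, DistinguishedName
```

Granting a new person access is then a single Add-ADGroupMember on the role group, and removing them is the matching Remove-ADGroupMember, with the folder ACL untouched either way.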
mr2nut (Member, Posts: 269):
aordal wrote:
> Here's the deal. You can add members to any of those groups, and you can assign permissions to any of those groups. However, there are reasons you don't. For a single domain environment you would never use Universal groups, period. The reason you want to assign permissions to Domain Local groups and then add Global groups to Domain Local groups is for auditing purposes. You can also add Universal groups from any domain into a Domain Local group, but for a single domain you aren't really worried about this... except for unexpected future growth.
> Also, the reason you don't add members to Universal groups is because it eats up more space on your GC. Every time a member is added/removed it has to update the GC with all the members. Whereas if you just add Global groups to Universal groups, your GC is smaller and the GC is only updated when groups join/leave the Universal group, not when members are added/removed from the Global groups which are members of the Universal group.
> There will be a time, not if - it will happen, when somebody asks you, "Who all has access to these folders on this server?" And if you are assigning permissions directly to users or to global groups, then you have to go through every folder and find out who's assigned. However, if you are assigning Read/Write etc. to a Domain Local group and then adding members/groups to the Domain Local group, you can easily print out a list. It's better to make a Security Group for 1 user than it is to directly assign permissions to someone on the resource.
> Wow, I typed a lot. Anyway, I hope that helps.

You typed a lot, yeah, but that's the kind of response that's worth waiting for on forums! Great stuff, cheers mate.
I now fully understand that the reason I couldn't get the universal groups working was because I was doing it wrong. I was simply trying to go to the members tab and literally add users from multiple domains into it.
Now what I need to do is just create global groups in each domain, add the users to the global groups, nest the global groups into the universal group, and then nest the universal group in the domain local group that has all the permissions assigned to it.
I have just tried this now. I have one universal group in domain1 called 'universal test'. If I go to the members tab on this group, it won't let me add anything from the other domain, only the domain I created it in. If I go to the 'member of' tab of either of the two global groups, it sees both domains, but when I search for the 'universal test' group it doesn't show up. However, I can nest global groups in domain local groups fine.
I thought it was to do with the forest functional level at first, but BOTH servers are 2003 and the domain and forest levels are 2003.
-
UncleCid (Member, Posts: 66):
My instructor pretty much told me in class what aordal said. The use of nesting is mainly for organization and auditing. When multiple servers have multiple System Admins it can get confusing without the proper use of group nesting.
I was under the impression you use universal groups for cross-forest trusts, sites, and any time you have users that need functions in multiple or many domains in your forest, since they are stored in the Global Catalog.
It should be noted that you are going to want your universal groups to be static, so your changes do not slow down your network when replicating. Also, I think universal groups are helpful when facilitating searches, but I'm not sure.
Your domain local groups are like your "standard" permissions and user rights that you will want per domain. It's easier to keep track of what's going on when you have your security/GPO setup with these local groups because you can locate problems faster. And they can't be put into other groups, so it's like they "stay put."
Not to mention, if you are going to be having "foreign" accounts that come and go, it's 1000 times easier to just drop a group, filled with the users, in a domain local group for a month and pull it out of that domain local group with all the right permissions and settings still in place for the next time. Pulling and putting users from one place to another and worrying about settings can get confusing.
I wonder how much group nesting for large companies can be a headache, especially when someone before you screwed it up.
edit: Aww, I posted too late.
-
Mishra (Member, Posts: 2,468):
mr2nut wrote:
> Mishra wrote:
> > mr2nut wrote:
> > > Fair does. So you can never put users straight into domain local groups; always put them in globals or universals and then nest these in domain local groups.
> >
> > You CAN put users into domain local groups, but they can only be in the domain that those groups belong to.
> > Basically, domain local groups can be used for permissions on all domains but only have users from the domain they reside in.
> > Global groups are flipped. They can be used for permissions only on the domain they reside in but can have users from all domains.
> > You said "can never", so I'm just making sure you know that you can, but it isn't the recommended way.
>
> You sure you got that the right way around?
> domain local = users from any domain, but permissions only for the domain it is created in
> global group = users only from the domain it is created in, but permissions to any domain in the forest.

Yeah, sorry, I meant the other way around. Sometimes I rush posts if I am at work. Sorry.
I just wanted to say that you CAN put users in those groups...
-
mr2nut (Member, Posts: 269):
Mishra wrote:
> mr2nut wrote:
> > Mishra wrote:
> > > mr2nut wrote:
> > > > Fair does. So you can never put users straight into domain local groups; always put them in globals or universals and then nest these in domain local groups.
> > >
> > > You CAN put users into domain local groups, but they can only be in the domain that those groups belong to.
> > > Basically, domain local groups can be used for permissions on all domains but only have users from the domain they reside in.
> > > Global groups are flipped. They can be used for permissions only on the domain they reside in but can have users from all domains.
> > > You said "can never", so I'm just making sure you know that you can, but it isn't the recommended way.
> >
> > You sure you got that the right way around?
> > domain local = users from any domain, but permissions only for the domain it is created in
> > global group = users only from the domain it is created in, but permissions to any domain in the forest.
>
> Yeah, sorry, I meant the other way around. Sometimes I rush posts if I am at work. Sorry.
> I just wanted to say that you CAN put users in those groups...

lol, it's ok, just testing me were you, hey? At least it keeps me on my toes and thinking.
So basically, MS would never recommend you put members directly in a domain local group, but always put members in globals and nest them in domain locals, right?
-
aordal (Member, Posts: 372):
Yep. Initially it sucks to set up, because every time someone wants access to a share you have to do a search in AD for a group (this is where group naming consistency comes in handy), and if it's not there you have to create a new group and give it permissions.
But in the long run, it'll save you tons of time with auditing and assigning permissions to resources that already have groups assigned.