Universal or Global Groups?

slideoff

I just passed the 70-290 exam today with score of 814... to be honest I was going into it thinking I was going to fail bad but could not reschedule it last night.

I still don't know when to use universal groups. I figure Universal would be good to use in forests with non related domain names.. Here is a scenario that I am making up that will help me understand this, let me know what you think:

In the domain forest techexams.net there are 2 domains, domain1.techexams.net and domain2.techexams.net.

Each domain has a global group created which all of their developers. They are named domain1-developers-global and domain2-developers-global which names are respective to each domain they belong to.

Each domain has 10 servers. Each server has a developers folder that is shared to a domain local group called developers-local-share.

All developers need to have access to the developers folder on all servers in both domains. How can you configure this with the least administrative effort?

---

Well I figure I would just add domain1-developers-global and domain2-developers-global to the domain local group developers-local-share... Am I right? Why would I take the extra step to add the 2 domain global groups to a universal group, and then the universal group to the domain local group?

94jedi

I don't think you can add them directly because they come from different domains.

Someone please correct me if I'm wrong. Otherwise, there would be no need for the Univ. group.

NetAdmin2436

You would use a universal group if you want groups from different domains in the forest to be members of the same group. It's basically for administration and simplicity when dealing with very large networks. Global groups can only contain members from same domain. Young Jedi is right

Group scope: Active Directory

slideoff

Thanks guys for clearing that up for me. I guess in the real world I'd probably be lazy and just add the 2 global groups without nesting them in a universal group if its just two domains, but I guess that wouldn't be the Microsoft way, or the proper way if other domains were added in the future.

jojopramos

If I may add... another thing is that you will use universal group to minimize replication through sites specially in windows 2003 forest functional level where only changes happens on the global groups nested to universal will occur. (most especially when sites have low bandwidth connection)

User accounts - Global Groups - Universal Group - Domain Local - Access to Resources.....

jojopramos

Another thing guys.... you should have 2 separate Domain Local for each domain domain1.techexams.net and domain2.techexams.net...

From Microsoft:

Global Group:Members can come only from local domain
Members can access resources in any domain
Domain Local:Members can com from any domain
Members access resources only in local domain (assign permission to gain access to resources that are located only in the same domain where you create the Domain Local group... )

syndrax

I was wondering about Global and Universal groups as well. I'm currently using MeasureUp as well as the MS Press book and came across the following question. Is the answer they give correct? Because I would think that you would have to use a Universal group to give access to the share if the users come from different domains?

You are the network administrator of bdctrain.com. The environment consists of a forest root domain and two child domains called us.bcdtrain.com and eu.bcdtrain.com. One of the file servers in the us.bcdtrain.com domain hosts a shared folder called Software. You create the following groups:

Group Domain Group Type

Developers bcdtrain.com global security
US_Developers us.bcdtrain.com global security
EU_Developers eu.bcdtrain.com global security
BCD_Developers bcdtrain.com global distribution
Developers_Data us.bcdtrain.com domain local

All three global security groups have been added to Developers _Data. This group has been assigned Change share permission for Software.

Your company has recently acquired a new company called fi-print.com. A new root domain and one child domain have been added to the existing forest to accommodate the new company.

The Fi-print.com domain has a group of users that requires access to the Software share.

What should you do?
Add the users to Developers.
Add the user accounts to BCD_Developers. Add BCD_Developers to Developers_Data.
Add the user accounts from fi-print.com to Developers_Data.
Create a universal group called FI_Developers. Add the user accounts and all global groups. Add FI_Developers to Developers_Data.
Create a global group called FI_Developers. Add the user accounts. Add the group to Developers_Data.




Question 2 Explanation:
You should create a new global group in the fi-print.com domain that contains all user accounts belonging to the developers department. This global group should then be added to the domain local group called Developers_Data.

You cannot add the user accounts from fi-print.com to the Developers group. This is a global security group and therefore can only contain user accounts from the domain in which the group was created.

You can add the user accounts from fi-print.com to Developers_Data. However, it is recommended that user accounts be organized into global groups instead of adding individual user accounts to domain local groups.

Creating a universal group is not necessary.

BCD_Developers is a distribution group used for sending e-mail messages, not for assigning permissions.