Question on Group Scopes...
yapchien Member Posts: 3 ■□□□□□□□□□
In a MS Book I read it says converting a group scope from universal to domain local has no restriction at all as long as it is in native mode. But what if the universal group is a member of another universal group ? Then after the conversion a domain local group become a member of the universal group ? This doesn't make sense right since domain local group can only be a member of the domain local group in the same domain ? I hope someone actually understand my question and could reply me and tell me if my thinking is right or wrong. Thanks in advance.
I don't have a W2k3 domain right now because my electricity failed and it somehow corrupted my registry and I hadn't yet got my recovery disks made. If I still had it I would try out your scenerio for real. I ordered my 180-day evaluation version of W2k3 Server from M$. Do you have a domain set up so that you could try what you're asking?
Hope this takes care of your question. Best of luck on the exam!
Yeah, that is what I wrote. And did that for a reason of course. MS also says that there are no restrictions when it comes to converting a Univeral group to DL. But, I see your problem. I have to startup my Win2k3 lab, and will let you know the test results in a couple of minutes. But I think Janmike is right, I think it will popup a message saying it can't be done because the group is a member of another universal group.
Uno Windows 2003 Server with ADS. Two Universal security groups: test1 and test2. Test1 is a member of Test2.
Result of attempt to convert Test1 to Domain Local:
Although MS says....
...I am going to rewrite that line in our TechNotes, as obviously the MS documentation is incomplete and wrong; there are restrictions.
I apologize if that line in my TechNotes caused the initial confusion, I think it is the only combination I didn't actual test, as I did test changing group scopes extensively for the TechNotes as well as one of our Windows 2003 practice questions.
It looks like Microsoft did not try this combination either and I think that has a lot to do with common practice and the huge difference in functionality of a universal and a domain local group. The MS recommended way is to group users together in a global group, add that global group to a universal group and than assign the universal group to a domain local group. Because domain local groups are meant to assign permissions to, and universal groups are meant for grouping global groups and users from different domains, you would not likely encounter a situtation from the above test setup.