The point in Domain local groups

Orion82698

I know 2000 pretty well, but I'm use to administering groups in NT 4.0 when it comes to group. I have been reading that you use the "A G DL P" when creating groups. I understand that you add the users to the global group, but what is the point in adding a global to a DL other than adding for a service. And, does this mean a global group in one domain can administer a service list backups on another domain. Anyone want to clear this up?

Thanks,

Chris

Orion82698

Anyone? Let me know if you don't understand my writing.

Thanks,

Chris

Webmaster

The method you describe ensures that you can keep things managable. People with similar job functions, typically need similar permissions, and can span multiple domains. That's why you group them together in global group.

Resources such as printers and shared folders, are represented by domain local groups, which permissions are assigned to. When you need to give permissions to someone or a group of people you can add the global group to the local domain group and if necessary add users with deny permissions to make an exception.

The following link is for 2003 but gives a good overview of the types of groups and how to use them:
www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ADgroups_3groupscopes.asp

I hope this helps!

Johan

hhisgett

Very good Link Johan! That helped me clear some confusion up on the same topic.

allylaurente

Domain Local Groups
Domain local security groups are most often used to assign permissions to resources. A domain local group has the following characteristics:

Open membership. You can add members from any domain.
Access to resources in one domain. You can use a domain local group to grant permissions to access resources located only in the same domain where you create the domain local group.

Hope this will help

Orion82698

Cool. Thanks guys! So, really... You wouldn't add a Domain Local group to a share, you would use the Global group for that?

Thanks,

Orion82698

Also, I have a question about this.

"For example, to give five users access to a particular printer, you could add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you would again have to specify all five accounts in the permissions list for the new printer." -Microsoft

Why wouldn't you just want to add a global group to the printer with the correct users that need access?, or give the printer "Everyone" = print (Unless you don't want everyone printing to it), but why not just the global? Wouldn't this give the users access as well? Forgive the stupidity, I'm just not understanding the point in the Domain local group.

hhisgett

You would add the required accounts to the global group and assign the group permissions to that printer. There is no need to assign individual accounts to a resource such as a printer.

Orion82698

Exactly. That's what I'm saying. Why not just create a global group, add the users to the global, then add the global to the printer and assign the permissions. Why create a Domain local, and add the global group to that domain local?

hhisgett

You "can" do that and that is how I normally have performed this same operation in the past. However, that was in a single AD domain.

This is how I understand how Global and Domain Local groups are used:

Domain Local Groups -> you assign permissions to resources with these. Global Groups should only exist here, no user accounts. Domain Local groups can contain members or groups from any domain.

Global Groups -> you add user/computer accounts to these and add them to domain local groups. You will manage user account access to those resources here. I see, while managing a single AD domain, using global groups for assigning permissions to resources not being a big issue. However, when you manage more that one AD domain, the act of placing Global Groups into Domain Local Groups become more relevant from an administration point of view. Global groups contain only local domain members. So if you have members from a trusted domain outside of your local domain that need access to resources in your local domain, a global group HAS to be created in the trusted domain that contains those members and that group will be able to be assigned to the domain local group granting those member access.


Make sense? Others that read this, please correct me if I am wrong. Again, this is how I understand this.

Orion82698

Ahhhhhhh! ok. I gotcha. So you would only use a domain local to grant access to someone or another group in a different domain. You would only use global groups if you are in the same domain. But, if you are planing to scale, you would build the domain local for the future.

I understand! Thanks for clearing that up

hhisgett

Glad I could help!