A Good way to Remember Group Nesting

AndreL Member Posts: 55
Since group nesting and group membership can be so confusing, I thought of a better way of remembering this stuff. Instead of memorizing what you can do, remember what you can't, because there are fewer can'ts than cans.
Like this...

Universal groups can't be in mixed mode domain levels
Universal can't have GG as members if they are nested in another GG
Universal can't have DL as members if they are nested in another DL
(I also think that applies to converting)
GG to DL can't happen without first converting to universal, then to DL.

GG can't have members outside its domain
DL can't have permissions outside its domain
DL can't have DL from outside its domain

DL can't be seen outside its own domain

Group Nesting Can't be done in Mixed mode

Groups can't contain more than 5,000 members

Please correct me if I'm wrong on any points; also post if I missed any can'ts with group scope abilities.

Comments

  • Devilsbane Member Posts: 4,214
    AndreL wrote: »
    Universal groups can't be in mixed mode or inter mode domain levels
    Universal can't have GG as members if they are nested in another GG

    Which mode is which, you ask?

    2000 Mixed. Everything (It's mixed) NT, 2000, 2003
    2000 Native. 2000 is in the title, so that must be part of it, and 2003 is in all of them
    2003 interim. 2003 is involved, and 2000 is in 2000 native, so this must be 2k3 and NT
    2003 Only 2003

    Universal groups (and various other items) aren't available in any of the functional levels that involve NT. Once I sit down on Saturday I am going to jot that little table down, just for easy and quick reference.

    Also keep in mind that the functional level is dependent on DCs. You can use 2003 DFL and still use a Windows 2000 file or web server.

    Thanks AndreL, I will print this off and include it with my notes.
    Decide what to be and go be it.
  • Devilsbane Member Posts: 4,214
    I also have in my notes that a global can be a member of another global when in the same domain.
    Decide what to be and go be it.
  • AndreL Member Posts: 55
    Thank you, I'll change my notes (post).
  • RobertKaucher Member Posts: 4,299
    Good posts guys! I would like to suggest a book that has a very good explanation of why the AGULP method is a best practice and why it should be used and a good explanation of some odd stuff with NTFS permissions:

    Amazon.com: Professional Windows Desktop and Server Hardening (Programmer to Programmer) (9780764599903): Roger A.…
  • Devilsbane Member Posts: 4,214
    If you can only remember one of the restrictions, it seems that not being able to nest a universal inside of a GG is the big one to remember. Probably because it is the method that everyone wants to use.

    http://ptgmedia.pearsoncmg.com/images/0789736489/samplechapter/0789736489ch3.pdf
    Sample chapter 3 from a book. I don't know what book, but it does seem to be good. Table 3-1 looks like a good summary.
    Decide what to be and go be it.
  • earweed Member Posts: 5,192
    It looks like an exam cram book. I've found those to be very helpful. I have the exam cram books for the 70-640/642 and they explain things in a different way than the MS Press books.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • RobertKaucher Member Posts: 4,299
    Amazon.com: MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server…

    I can tell from the ISBN and from having shopped a few pixels in my time. Sorry, I know - stupid meme.
  • Devilsbane Member Posts: 4,214
    "If the domain functionality level of your domain is Windows 2000 mixed or Windows Server 2003 interim, [AKA you have Windows NT DC's] you cannot change a group’s scope. Universal groups are not available at that domain functionality level, and you cannot change a group’s scope from domain local to global, or vice versa.

    If the domain functionality level is Windows 2000 native or Windows Server 2003, [NO NT DC's] you can change a group’s scope, but only if the group is not a member of another group and has no group members that would be illegal for groups of the new scope."

    An excerpt from the chapter 3 PDF that I liked. I added in the information in the []'s.
    Decide what to be and go be it.
  • Devilsbane Member Posts: 4,214
    Typo in Table 1? It says that both universals and globals can be granted access to resources in "any domain in the forest and any domain in any other forest that trusts the local domain."

    Is that right?
    Decide what to be and go be it.
  • Devilsbane Member Posts: 4,214
    Devilsbane wrote: »
    I also have in my notes that a global can be a member of another global when in the same domain.

    I see why our notes differ. GGs can only contain other GGs when in 2000 Native or 2003 DFL. (When NT DCs are not involved)

    Darn you Microsoft!!!
    Decide what to be and go be it.
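Pulling together the opening post's can'ts, the functional-level breakdown, the scope-change excerpt and the GG-in-GG correction above, here is an added example (not from any poster, and not Microsoft's code) that encodes those rules as a small checker. The rule tables are my reading of the thread plus the Windows Server 2003 group-scope documentation, and `can_add_member` and `can_convert` are hypothetical helper names.

```python
# Added example: the group-scope rules from this thread as a table-driven
# checker. The tables are an assumption distilled from the thread and docs.

# Member kinds each container scope may hold, per domain functional level (DFL)
# tier. Entry = (member kind, domain rule): "same" = only from the container's
# own domain, "any" = any domain in the forest; "account" = user or computer.
NATIVE_RULES = {  # Windows 2000 native / Windows Server 2003 DFL: no NT 4 DCs
    "global": {("account", "same"), ("global", "same")},
    "domainlocal": {("account", "any"), ("global", "any"),
                    ("universal", "any"), ("domainlocal", "same")},
    "universal": {("account", "any"), ("global", "any"), ("universal", "any")},
}
MIXED_RULES = {  # Windows 2000 mixed / 2003 interim: NT 4 DCs still allowed
    "global": {("account", "same")},
    "domainlocal": {("account", "any"), ("global", "any")},
    # no "universal" key on purpose: that scope is unavailable at these levels
}

def rules_for(dfl):
    return MIXED_RULES if dfl in ("mixed", "interim") else NATIVE_RULES

def can_add_member(container_scope, container_domain, member_kind, member_domain, dfl):
    """Return (ok, reason) for adding one member to a group of the given scope."""
    allowed = rules_for(dfl).get(container_scope)
    if allowed is None:
        return False, f"{container_scope} groups are unavailable at {dfl} DFL"
    for kind, domain_rule in allowed:
        if kind == member_kind and (domain_rule == "any" or member_domain == container_domain):
            return True, "ok"
    return False, f"{container_scope} in {container_domain} cannot hold {member_kind} from {member_domain}"

def _check(ok, reason):
    return (True, "ok") if ok else (False, reason)

def can_convert(old_scope, new_scope, dfl, member_of_global=False,
                holds_domainlocal=False, holds_universal=False):
    """Scope change: blocked entirely while NT DCs are allowed; otherwise only the
    transitions through 'universal' exist, each with one membership precondition."""
    if dfl in ("mixed", "interim"):
        return False, "scope cannot change at mixed/interim DFL"
    if (old_scope, new_scope) == ("global", "universal"):
        return _check(not member_of_global, "group is nested in another global")
    if (old_scope, new_scope) == ("domainlocal", "universal"):
        return _check(not holds_domainlocal, "group contains a domain local group")
    if (old_scope, new_scope) == ("universal", "global"):
        return _check(not holds_universal, "group contains a universal group")
    if (old_scope, new_scope) == ("universal", "domainlocal"):
        return True, "ok"
    return False, f"{old_scope}->{new_scope}: convert to universal first"
```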
  • Devilsbane Member Posts: 4,214
    Does anyone actually remember and use this? Or is it just something that you cram for the test and then forget afterwards? Then just look it up on the rare occasion that you are implementing new groups?

    I suppose it isn't too hard, because if you are using the 2003 DFL (and in 2010, I don't know why you wouldn't be) you can safely forget about all of the restrictions imposed by mixed and interim.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    Devilsbane wrote: »
    Does anyone actually remember and use this? Or is it just something that you cram for the test and then forget afterwards? Then just look it up on the rare occasion that you are implementing new groups?

    I suppose it isn't too hard, because if you are using the 2003 DFL (and in 2010, I don't know why you wouldn't be) you can safely forget about all of the restrictions imposed by mixed and interim.

    This is just something you study for the test. In the real world you can always look it up if you need to, but if previous admins have stuck to AGULP it almost does not matter.
  • AndreL Member Posts: 55
    With AGP, I have an MS book that says the disadvantage to them is that performance degrades because GGs are not cached. What does that mean?

    Also it says "DL's should not be used to assign permission to ADog in a forest with more than one domain because DL's cannot be evaluated in other domains." And right above it, the book talks about AGDLP and AGUDLP. And when describing them: "and then grant permissions to the DL grp."
    Now I'm guessing that you don't just give permission to a DL grp and let it sit there (ADLP); you use the AGDLP or AGUDLP strategies.
    This is just something you study for the test. In the real world you can always look it up if you need to, but if previous admins have stuck to AGULP it almost does not matter.

    With that, ... aren't you supposed to use U grps sparingly because it helps reduce replication between domains? Also I remember something about universal grps and GCs; I think you can only convert them to DL or GG on a GC. Am I right about that?
  • Devilsbane Member Posts: 4,214
    AndreL wrote: »

    With that, ... aren't you supposed to use U grps sparingly because it helps reduce replication between domains? Also I remember something about universal grps and GCs; I think you can only convert them to DL or GG on a GC. Am I right about that?

    Any change to the membership of a universal causes immediate replication. So if you have users as members, every time you hire or fire someone, you just caused replication to all of your DCs.

    If you add some global groups to them, you are free to change the members of the globals without causing replication. If you would add a new global, or remove an existing global, then you will be causing that replication to occur.

    That is why universals would ideally only hold groups that are going to rarely change.
    Decide what to be and go be it.