Help with Group Memberships
Amir21
Registered Users Posts: 9 ■□□□□□□□□□
I'm a little confused about which type of group scope can be a member of another with regard to domain local, global, and universal group scopes. Has anyone come up with a handy way of memorizing it? Thanks.
Comments
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Domain local groups are used to grant permissions within just the "local" domain. They can contain accounts and groups from any domain. Use domain local groups to assign rights and delegate access to printers, file shares, and other resources. They cannot be joined to groups in other domains, and hence are restricted to the "local" domain.
Global groups are used to grant permissions within any domain. They can only contain accounts and groups from the same domain. However, global groups can be joined to domain local groups in any domain. Hence, they are available "globally".
Universal groups are available "universally": they can take any universal and global groups or accounts from any domain, and can join universal or domain local groups in any domain.
So, you join your users and/or computer accounts to global groups. You join your global groups to your domain local groups, regardless of how many domains you have. You assign NTFS ACLs, printer ACLs, and SMB share ACLs to your domain local groups.
Alternatively, you assign users to your Universal groups and assign the groups to your resources. Universal groups simplify management since you don't need to worry about group members.
In practice, a good access control design doesn't necessarily involve assigning your user groups directly to your resources. As a result, Universal Groups aren't necessarily desirable as a way to reduce the quantity of groups. That said, that is outside the scope of any MCTS or MCITP exams.
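The layering ptilsen describes (accounts into global groups, global groups into domain local groups, ACLs on the domain local groups) is easy to state and easy to drift away from over the years. The script below is an added example, not code from the thread, that audits a domain for the two most common departures from it: domain local groups holding user or computer accounts directly, and global groups that have members but are nested nowhere (which usually means they were put straight onto a resource ACL). It needs the ActiveDirectory RSAT module; the domain name is a placeholder.

```powershell
# Added example (not from the original thread): audit a domain for departures
# from the users -> global -> domain local -> ACL layering described above.
# Requires the ActiveDirectory module (RSAT). $Domain is a placeholder.
Import-Module ActiveDirectory
$Domain = 'a.corp.example'   # placeholder; any DC or the domain DNS name

function Get-AgdlpFindings {
    param([Parameter(Mandatory)][string]$Server)

    $findings = New-Object System.Collections.Generic.List[object]
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    # Port 3268 is the global catalog; it resolves objects from every domain in
    # the forest, which plain LDAP against one DC will not do for foreign members.
    $gc = "${Server}:3268"

    # 1. Domain local groups should contain groups, not accounts.
    #    Built-in groups such as Administrators legitimately hold accounts, so
    #    groups marked isCriticalSystemObject are skipped.
    $domainLocal = Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' `
        -Properties member, isCriticalSystemObject -Server $Server |
        Where-Object { -not $_.isCriticalSystemObject }
    foreach ($g in $domainLocal) {
        foreach ($dn in $g.member) {
            $m = Get-ADObject -Identity $dn -Properties objectClass -Server $gc -ErrorAction SilentlyContinue
            if ($m -and $m.ObjectClass -in @('user', 'computer')) {
                $findings.Add([pscustomobject]@{
                    Group = $g.Name
                    Scope = 'DomainLocal'
                    Issue = "$($m.ObjectClass) $($m.Name) is a direct member; nest it through a global group instead"
                })
            }
        }
    }

    # 2. Global groups that have members but no memberOf are either unused or
    #    placed directly on resource ACLs. memberOf is read via the GC so that
    #    nesting into universal groups in other domains is counted.
    $global = Get-ADGroup -Filter 'GroupScope -eq "Global"' -SearchBase $domainDn `
        -Properties member, memberOf -Server $gc
    foreach ($g in $global) {
        if ($g.member -and -not $g.memberOf) {
            $findings.Add([pscustomobject]@{
                Group = $g.Name
                Scope = 'Global'
                Issue = 'has members but is not nested in any domain local or universal group; check for direct ACL use'
            })
        }
    }
    return $findings
}

Get-AgdlpFindings -Server $Domain | Format-Table -AutoSize
```

A global group that is a direct ACE on a file server will not show up in AD at all; the second check only tells you where to look. Pair it with a scan of the share ACLs (Get-Acl on the share roots) if you need proof rather than a hint.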
Amir21 Registered Users Posts: 9 ■□□□□□□□□□
So I can make global groups part of universal groups and also make global groups part of domain local groups to which I'm assigning permissions. Do I have that right?
Domain Local -- Assign permissions to resources
Global Groups -- Assign Roles
Universal Groups -- ???
Would it make sense to use Universal groups to "group" Global groups across the forest?
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Amir21 wrote:
So I can make global groups part of universal groups and also make global groups part of domain local groups to which I'm assigning permissions. Do I have that right?
Domain Local -- Assign permissions to resources
Global Groups -- Assign Roles
Universal Groups -- ???
Would it make sense to use Universal groups to "group" Global groups across the forest?
Take the following example:
Say you assign ten users in domain A to global group Outbound Sales and ten users in domain B to global group Inbound Sales. You then assign global groups Outbound Sales and Inbound Sales to universal group Sales. You assign universal group Sales directly to resources.
Without universal groups, you instead must assign those global groups to domain local groups for each domain in which they need resources. If you have 50 domain local groups across 50 domains in which there are resources to which you want to assign Sales, this means adding both the Inbound and Outbound Sales groups to each of those 50 groups, for 100 group membership changes. If you use Universal Groups, this number is only 50, and you can even assign the Sales group directly and circumvent the domain local group (as I said, you don't necessarily want to do this, for many reasons). If it were three groups instead of two, you're now talking about 150 changes. Four is 200, and so on. Universal groups consolidate this and keep the number at 50 across the entire forest.
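The Sales arrangement in the example above, built end to end with the ActiveDirectory and SmbShare modules, as an added example that is not part of the original post. Domain names, OU paths and the share path are placeholders; it is meant to be run from a management host with RSAT and rights in both domains, and the resource lives on a member server in domain B. It keeps the domain local layer rather than putting the universal group straight on the ACL.

```powershell
# Added example (not from the original thread). Placeholders: domain names,
# OUs and share path. Run on a domain B member server that will host the share,
# with rights to create groups in both domains.
Import-Module ActiveDirectory

$DomainA   = 'a.corp.example'                       # placeholder
$DomainB   = 'b.corp.example'                       # placeholder
$OuA       = 'OU=Groups,DC=a,DC=corp,DC=example'    # placeholder
$OuB       = 'OU=Groups,DC=b,DC=corp,DC=example'    # placeholder
$SharePath = 'D:\Shares\SalesReports'               # placeholder, local to this server

# A: accounts go into global groups in their own domain. A global group only
# accepts members from the same domain, so each domain gets its own.
$outbound = New-ADGroup -Name 'Outbound Sales' -GroupScope Global -Path $OuA -Server $DomainA -PassThru
$inbound  = New-ADGroup -Name 'Inbound Sales'  -GroupScope Global -Path $OuB -Server $DomainB -PassThru
Add-ADGroupMember -Identity $outbound -Server $DomainA `
    -Members (Get-ADUser -Filter 'Department -eq "Outbound Sales"' -Server $DomainA)
Add-ADGroupMember -Identity $inbound -Server $DomainB `
    -Members (Get-ADUser -Filter 'Department -eq "Inbound Sales"' -Server $DomainB)

# (U): one universal group collects the global groups from both domains.
# Writing the member attribute by DN avoids the identity resolution problems
# Add-ADGroupMember can have with objects from another domain.
$sales = New-ADGroup -Name 'Sales' -GroupScope Universal -Path $OuA -Server $DomainA -PassThru
Set-ADGroup -Identity $sales -Server $DomainA `
    -Add @{ member = @($outbound.DistinguishedName, $inbound.DistinguishedName) }

# DL: the domain local group in the resource's domain is what the ACL names.
# Adding Sales here is the single membership change per resource domain that
# the post counts; the Inbound/Outbound groups never touch this group.
$dl = New-ADGroup -Name 'ACL_SalesReports_Modify' -GroupScope DomainLocal -Path $OuB -Server $DomainB -PassThru
Set-ADGroup -Identity $dl -Server $DomainB -Add @{ member = $sales.DistinguishedName }

# P: permissions. NTFS Modify with inheritance for the domain local group, then
# Change on the share so the NTFS ACL is the effective limit.
$netbiosB  = (Get-ADDomain -Server $DomainB).NetBIOSName
$principal = "$netbiosB\$($dl.SamAccountName)"
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl
New-SmbShare -Name 'SalesReports' -Path $SharePath -ChangeAccess $principal

# Check from the resource side: expand the nesting to see who actually gets in.
# Get-ADGroupMember -Recursive can error on members from other domains; if it
# does, resolve each level with Get-ADObject against the global catalog instead.
Get-ADGroupMember -Identity $dl -Recursive -Server $DomainB |
    Select-Object Name, objectClass, distinguishedName
```

Note that universal group membership is replicated to every global catalog in the forest and is evaluated at logon; a Kerberos ticket issued before a user was added to Outbound Sales will not carry the Sales SID until the user logs on again, so test with a fresh logon rather than concluding the nesting is wrong.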