Help understanding Group Scopes
xkaijinx
Hi all, I am very confused on understanding each of the group scopes: Global, Domain local, and Universal
My current understanding is...
Global - Can only use user/group accounts from the same domain, yet these can access resources throughout all domains in the forest
Domain Local - Can only use user accounts from same domain, but can use groups from any domain in the forest. Can only use resources in the same domain it exists
Universal - Can use user/group accounts from any domain in the forest, can use resources from anywhere in the forest.
Just still feel hazy on this, any tips much appreciated!
Comments
jmritenour
Almost - domain local can include accounts as well as groups from any domain in the forest.
It sounds overcomplicated, but best design is to place accounts into global groups in their respective domain, then place the global groups from the different domains into a domain local group in the domain the resource resides. That way, you are keeping accounts in a group that is native to their domain, and only granting access to resources from a group that is native to its domain.
Universal groups, when used, should be placed in between the global and domain local group.
More info, as well as scenarios for the various scopes can be found at
Group scope: Active Directory
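The scope rules discussed in this thread, written as a small checker (an added example, not part of the original posts). It models membership and permission rules for a native-mode forest, including the standard rule that a domain local group can also hold domain local groups from its own domain; the domains, users and group names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"  # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

def can_contain(group, member):
    """True if member may join group under the scope rules."""
    same = group.domain == member.domain
    if group.scope == "global":        # accounts and global groups, same domain only
        return same and member.scope in ("user", "global")
    if group.scope == "universal":     # accounts, global and universal groups, any domain
        return member.scope in ("user", "global", "universal")
    if group.scope == "domain_local":  # any domain, except other domain local groups
        return same or member.scope != "domain_local"
    return False                       # user accounts hold no members

def can_secure(group, resource_domain):
    """Domain local groups only grant access to resources in their own domain."""
    return group.scope != "domain_local" or group.domain == resource_domain

def violations(group):
    """List every nested membership that breaks a scope rule."""
    found = []
    for m in group.members:
        if not can_contain(group, m):
            found.append(f"{m.domain}\\{m.name} ({m.scope}) in "
                         f"{group.domain}\\{group.name} ({group.scope})")
        found += violations(m)
    return found

def effective_users(group):
    """Flatten the nesting to the accounts that end up holding the permission."""
    users = set()
    for m in group.members:
        users |= {f"{m.domain}\\{m.name}"} if m.scope == "user" else effective_users(m)
    return users

# Constructed sample: two account domains, the shared resource lives in EAST.
alice, bob = Principal("alice", "EAST"), Principal("bob", "WEST")
gg_east = Principal("GG_Sales", "EAST", "global", [alice])
gg_west = Principal("GG_Sales", "WEST", "global", [bob])
dl_share = Principal("DL_Share_Read", "EAST", "domain_local", [gg_east, gg_west])
# Same goal done wrong: a WEST account placed directly in an EAST global group.
gg_bad = Principal("GG_Sales", "EAST", "global", [alice, bob])

if __name__ == "__main__":
    print(violations(dl_share), sorted(effective_users(dl_share)))
    print(violations(gg_bad), can_secure(dl_share, "WEST"))
```

The accounts-to-global-to-domain-local chain passes with both users resolved, while the shortcut of adding the WEST account to the EAST global group is reported as a violation.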