Options
Help Understanding Group
DJohnsonRose
Member Posts: 55 ■■□□□□□□□□
Hi TE,
I am trying to study for the 70-640 but I can't seem to grasp the concept of different group scopes. I am confused
Is someone here able to give an explanation of the difference in scopes, where they are replicated, when they might be used, the important of this, a real world scenario & possibly a diagram?
Nested groups really confuses me also.
Thanks in advance for your help
I am trying to study for the 70-640 but I can't seem to grasp the concept of different group scopes. I am confused
Is someone here able to give an explanation of the difference in scopes, where they are replicated, when they might be used, the important of this, a real world scenario & possibly a diagram?
Nested groups really confuses me also.
Thanks in advance for your help
Comments
-
Optionslsud00d
Member Posts: 1,571
I know it can be confusing but one of the ways I memorize things is by knowing the differences between them. These questions will require you to understand the differences more than the similarities.
Domain Local- You can add members from any domain in your forest but you can give them access to the resources which are available only in the domain where you create this DL.
Global- You can add members only from the domain where you create this DL, and this DL can be given acess to any resources in any other domains in the forest.
For ex, you have Domain A and B. Your users in domain A , need to access a resource in Domain B. How to accomplish this?
From your domain A ,create a Global DL--- create a Domain Local DL in domain B. Add the Domain 'A's Global DL as a member to the Domain B's Domain Local Group.. Give access to the resource in Domain B. It's done..
Universal- Add members from any domain, access resources in any domain of the forest.
https://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/58543e21-1a66-4844-aba0-d37740e2248b
Group scope
Group can include as members…
Group can be assigned permissions in…
Group scope can be converted to…
Universal- Accounts from any domain within the forest in which this Universal Group resides
- Global groups from any domain within the forest in which this Universal Group resides
- Universal groups from any domain within the forest in which this Universal Group resides
Any domain or forest- Domain local
- Global (as long as no other universal groups exist as members)
Global- Accounts from the same domain as the parent global group
- Global groups from the same domain as the parent global group
Member permissions can be assigned in any domain
Universal (as long as it is not a member of any other global groups)
Domain local- Accounts from any domain
- Global groups from any domain
- Universal groups from any domain
- Domain local groups but only from the same domain as the parent domain local group
Member permissions can be assigned only within the same domain as the parent domain local group
Universal (as long as no other domain local groups exist as members)
-
OptionsDJohnsonRose
Member Posts: 55 ■■□□□□□□□□
So for arguments sake. If I have a forest with BWM.COM and UK.BMW.COM & US.BMW.COM as child domains in one tree and AUDI.COM and the same child domains in another tree. If I create a DL group in UK.BMW.COM, I am able to add users from anywhere including UK.AUDI.COM to this DL but it only grants them access to resources in UK.BMW.COM?
Also am I right in saying that a global group is essentially a domain local group in reverse? -
Optionslsud00d
Member Posts: 1,571
DJohnsonRose wrote: »So for arguments sake. If I have a forest with BWM.COM and UK.BMW.COM & US.BMW.COM as child domains in one tree and AUDI.COM and the same child domains in another tree. If I create a DL group in UK.BMW.COM, I am able to add users from anywhere including UK.AUDI.COM to this DL but it only grants them access to resources in UK.BMW.COM?
Also am I right in saying that a global group is essentially a domain local group in reverse?
Yes, and you can say in a sense that global groups are domain local groups, backwards. -
OptionsDJohnsonRose
Member Posts: 55 ■■□□□□□□□□
Thank you, thanks to you I now understand.
Can you give a scenario where someone would use nested groups? -
OptionsGDL-LC
Member Posts: 25 ■□□□□□□□□□
DJohnsonRose wrote: »Thank you, thanks to you I now understand.
Can you give a scenario where someone would use nested groups?
Build in group for remote server logon.
Group for Helpdesk staff
Add Helpdesk to the remote server logon granting the entire helpdesk group, remote access.
-think that's right.
One we use at work is:
Group of mechanics for just South west
Group of mechanics for just South east
Group for all mechanics in the south - containing the two groups above. -
OptionsDJohnsonRose
Member Posts: 55 ■■□□□□□□□□
Im reading that some people place DL's in GG's and some in UG's? What would then happen?
-
Optionscruwl
Member Posts: 341 ■■□□□□□□□□
There was an acronym in the MS press 2008 R2 book to help remember the order. But i cant think of it.
Got to love google, this is from wikipidia:
AGDLP (an abbreviation of "account, global, domain local, permission") briefly summarizes Microsoft's recommendations for implementing role based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP (for "account, global, universal, domain local, permission") and AGLP (for "account, global, local, permission") summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.
