Help Understanding Group

DJohnsonRose Member Posts: 55
Hi TE,

I am trying to study for the 70-640 but I can't seem to grasp the concept of different group scopes. I am confused.

Is someone here able to give an explanation of the difference in scopes, where they are replicated, when they might be used, the importance of this, a real world scenario & possibly a diagram?

Nested groups really confuse me also.

Thanks in advance for your help

Comments

  • lsud00d Member Posts: 1,571
    I know it can be confusing but one of the ways I memorize things is by knowing the differences between them. These questions will require you to understand the differences more than the similarities.

    Domain Local- You can add members from any domain in your forest but you can give them access to the resources which are available only in the domain where you create this DL.

    Global- You can add members only from the domain where you create this DL, and this DL can be given access to any resources in any other domains in the forest.
    For ex, you have Domain A and B. Your users in domain A , need to access a resource in Domain B. How to accomplish this?
    From your domain A ,create a Global DL--- create a Domain Local DL in domain B. Add the Domain 'A's Global DL as a member to the Domain B's Domain Local Group.. Give access to the resource in Domain B. It's done..
    Universal- Add members from any domain, access resources in any domain of the forest.

    https://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/58543e21-1a66-4844-aba0-d37740e2248b




    Group scope: Universal
      Can include as members:
        • Accounts from any domain within the forest in which this Universal Group resides
        • Global groups from any domain within the forest in which this Universal Group resides
        • Universal groups from any domain within the forest in which this Universal Group resides
      Can be assigned permissions in: any domain or forest
      Can be converted to:
        • Domain local
        • Global (as long as no other universal groups exist as members)

    Group scope: Global
      Can include as members:
        • Accounts from the same domain as the parent global group
        • Global groups from the same domain as the parent global group
      Can be assigned permissions in: any domain (member permissions can be assigned in any domain)
      Can be converted to:
        • Universal (as long as it is not a member of any other global groups)

    Group scope: Domain local
      Can include as members:
        • Accounts from any domain
        • Global groups from any domain
        • Universal groups from any domain
        • Domain local groups, but only from the same domain as the parent domain local group
      Can be assigned permissions in: only the same domain as the parent domain local group
      Can be converted to:
        • Universal (as long as no other domain local groups exist as members)

  • DJohnsonRose Member Posts: 55
    So for argument's sake. If I have a forest with BMW.COM and UK.BMW.COM & US.BMW.COM as child domains in one tree and AUDI.COM and the same child domains in another tree. If I create a DL group in UK.BMW.COM, I am able to add users from anywhere including UK.AUDI.COM to this DL but it only grants them access to resources in UK.BMW.COM?

    Also am I right in saying that a global group is essentially a domain local group in reverse?
  • lsud00d Member Posts: 1,571
    So for argument's sake. If I have a forest with BMW.COM and UK.BMW.COM & US.BMW.COM as child domains in one tree and AUDI.COM and the same child domains in another tree. If I create a DL group in UK.BMW.COM, I am able to add users from anywhere including UK.AUDI.COM to this DL but it only grants them access to resources in UK.BMW.COM?

    Also am I right in saying that a global group is essentially a domain local group in reverse?

    Yes, and you can say in a sense that global groups are domain local groups, backwards.
  • DJohnsonRose Member Posts: 55
    Thank you, thanks to you I now understand.

    Can you give a scenario where someone would use nested groups?
  • GDL-LC Member Posts: 25
    Thank you, thanks to you I now understand.

    Can you give a scenario where someone would use nested groups?

    Built-in group for remote server logon.
    Group for Helpdesk staff

    Add Helpdesk to the remote server logon group, granting the entire helpdesk group remote access.

    -think that's right.


    One we use at work is:

    Group of mechanics for just South west
    Group of mechanics for just South east
    Group for all mechanics in the south - containing the two groups above.
  • DJohnsonRose Member Posts: 55
    I'm reading that some people place DL's in GG's and some in UG's? What would then happen?
  • cruwl Member Posts: 341
    There was an acronym in the MS Press 2008 R2 book to help remember the order. But I can't think of it.

    Got to love Google, this is from Wikipedia:

    AGDLP (an abbreviation of "account, global, domain local, permission") briefly summarizes Microsoft's recommendations for implementing role based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP (for "account, global, universal, domain local, permission") and AGLP (for "account, global, local, permission") summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.
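The scope table from lsud00d's reply and the AGDLP nesting order quoted above, as an added example that is not part of the thread: a small model that checks which memberships each scope allows (it also answers the "DL's in GG's" question: a global group cannot contain a domain local group), where a group can hold permissions, and how nested membership flattens to accounts. The domain names are the poster's hypothetical BMW.COM forest; nothing here talks to a real directory.

```python
# Added example (not code from the forum thread): a model of the group-scope
# membership rules in the table above and of AGDLP nesting. Hypothetical domains.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Principal:
    name: str
    domain: str
    scope: Optional[str] = None          # None = user/computer account
    members: List["Principal"] = field(default_factory=list)

def can_be_member(group: Principal, member: Principal) -> bool:
    """Membership rules per scope (all domains are in one forest)."""
    same_domain = group.domain == member.domain
    if group.scope == "global":        # accounts and global groups, own domain only
        return member.scope in (None, "global") and same_domain
    if group.scope == "universal":     # accounts, global and universal groups, any domain
        return member.scope in (None, "global", "universal")
    if group.scope == "domain_local":  # as universal, plus domain local groups of the same domain
        return member.scope in (None, "global", "universal") or (
            member.scope == "domain_local" and same_domain)
    return False                       # accounts have no members

def add_member(group: Principal, member: Principal) -> None:
    if not can_be_member(group, member):
        raise ValueError(f"{member.scope or 'account'} {member.name} cannot join "
                         f"{group.scope} group {group.name}@{group.domain}")
    group.members.append(member)

def can_hold_permission(group: Principal, resource_domain: str) -> bool:
    """Domain local groups grant access only in their own domain; others forest-wide."""
    return group.scope != "domain_local" or group.domain == resource_domain

def effective_accounts(group: Principal) -> set:
    """Flatten nested membership down to account@domain (what a resource ACL sees)."""
    out = set()
    for m in group.members:
        out |= {f"{m.name}@{m.domain}"} if m.scope is None else effective_accounts(m)
    return out

def agdlp_demo() -> Principal:
    """Account -> Global (UK.BMW.COM) -> Domain Local (US.BMW.COM) -> Permission."""
    alice = Principal("alice", "UK.BMW.COM")
    mechanics_uk = Principal("Mechanics-UK", "UK.BMW.COM", "global")
    share_readers = Principal("Share-Readers", "US.BMW.COM", "domain_local")
    add_member(mechanics_uk, alice)            # A -> G
    add_member(share_readers, mechanics_uk)    # G -> DL; the share's ACL lists Share-Readers
    return share_readers
```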