Question on Group Scopes...

yapchien Member Posts: 3
In an MS book I read, it says converting a group scope from universal to domain local has no restriction at all as long as it is in native mode. But what if the universal group is a member of another universal group? Then after the conversion a domain local group becomes a member of the universal group? This doesn't make sense, right, since a domain local group can only be a member of a domain local group in the same domain? I hope someone actually understands my question and could reply to me and tell me if my thinking is right or wrong. Thanks in advance.

Comments

  • yapchien Member Posts: 3
    From your notes, it says "A universal group can be changed to a domain local group at any time." What if the universal group is a member of another universal group? Then is it still possible to change it to a domain local group, since a domain local group cannot be a member of a universal group?
  • yapchien Member Posts: 3
    Ermm... can anyone help me out? I am taking the 70-290 exam in about a week or two's time.
  • janmike Member Posts: 3,076
    Lots of questions on groups around here! But, this seems to be a matter of reason to me. If a DL group can't nest in a U group, then there's no way that W2k3 Server is going to let you put one there--whether it's by direct placement or by creating a scope change. It just won't happen.

    I don't have a W2k3 domain right now because my electricity failed and it somehow corrupted my registry and I hadn't yet got my recovery disks made. If I still had it I would try out your scenario for real. I ordered my 180-day evaluation version of W2k3 Server from M$. Do you have a domain set up so that you could try what you're asking?

    Hope this takes care of your question. Best of luck on the exam!
    "It doesn't matter, it's in the past!"--Rafiki
  • Webmaster Admin Posts: 10,292
    yapchien wrote:
    From your notes, it says "A universal group can be changed to a domain local group at any time."
    I'm sorry, I forgot about this post.

    Yeah, that is what I wrote. And did that for a reason of course. MS also says that there are no restrictions when it comes to converting a Universal group to DL. But, I see your problem. I have to start up my Win2k3 lab, and will let you know the test results in a couple of minutes. But I think Janmike is right, I think it will pop up a message saying it can't be done because the group is a member of another universal group.

    brb...
  • Webmaster Admin Posts: 10,292
    Test setup:
    One Windows 2003 Server with ADS. Two Universal security groups: test1 and test2. Test1 is a member of Test2.

    Result of attempt to convert Test1 to Domain Local:
    [Screenshot: ad_uni-dl_conv.gif]

    Although MS says....
    Groups can be converted to domain local scope. Groups can be converted to global scope, as long as no other universal groups exists as members.
    and
    - Global to universal. This is only allowed if the group you want to change is not a member of another global scope group.
    - Domain local to universal. This is only allowed if the group you want to change does not have another domain local group as a member.
    - Universal to global. This is only allowed if the group you want to change does not have another universal group as a member.
    - Universal to domain local. No restrictions for this operation.

    Both from:
    www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ADgroups_3groupscopes.asp

    ...I am going to rewrite that line in our TechNotes, as obviously the MS documentation is incomplete and wrong; there are restrictions.

    I apologize if that line in my TechNotes caused the initial confusion. I think it is the only combination I didn't actually test, as I did test changing group scopes extensively for the TechNotes as well as one of our Windows 2003 practice questions.

    It looks like Microsoft did not try this combination either and I think that has a lot to do with common practice and the huge difference in functionality of a universal and a domain local group. The MS recommended way is to group users together in a global group, add that global group to a universal group and then assign the universal group to a domain local group. Because domain local groups are meant to assign permissions to, and universal groups are meant for grouping global groups and users from different domains, you would not likely encounter a situation from the above test setup.
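
The scope-change rules quoted in the thread, together with the restriction Webmaster's lab test turned up, modelled as an added example (not part of the original posts and not Microsoft's code). The `Group` class and the `nest` and `blockers` helpers are hypothetical names, and the Test1/Test2 groups are constructed to mirror the test setup above.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    scope: str  # "global", "universal" or "domain_local"
    # Groups this group belongs to, and groups nested inside it.
    member_of: list = field(default_factory=list, repr=False, compare=False)
    members: list = field(default_factory=list, repr=False, compare=False)

def nest(child, parent):
    """Make `child` a member of `parent`."""
    child.member_of.append(parent)
    parent.members.append(child)

# (current scope, target scope) -> (side to inspect, scope that blocks the change)
RULES = {
    ("global", "universal"): ("member_of", "global"),
    ("domain_local", "universal"): ("members", "domain_local"),
    ("universal", "global"): ("members", "universal"),
    # Documented as "no restrictions"; the test in the thread shows otherwise.
    ("universal", "domain_local"): ("member_of", "universal"),
}

def blockers(group, target):
    """Return the names of groups that prevent changing `group` to `target`."""
    rule = RULES.get((group.scope, target))
    if rule is None:
        raise ValueError(f"{group.scope} -> {target} is not covered by the quoted rules")
    side, blocking_scope = rule
    return [g.name for g in getattr(group, side) if g.scope == blocking_scope]

if __name__ == "__main__":
    # Constructed sample: two universal groups, Test1 nested in Test2.
    test1 = Group("Test1", "universal")
    test2 = Group("Test2", "universal")
    nest(test1, test2)
    for grp, target in [(test1, "domain_local"), (test2, "domain_local"), (test2, "global")]:
        found = blockers(grp, target)
        verdict = "blocked by " + ", ".join(found) if found else "allowed"
        print(f"{grp.name}: universal -> {target}: {verdict}")
```

An empty list from `blockers` means none of the modelled restrictions apply to that conversion.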