Group Type, Group Scope

Lee HLee H Member Posts: 1,135
Hi

Can anyone explain Group Type, Group Scope Universal group and Security group, i have read what it means but i still dont completely understand, can anyone give examples of when and why you would use each of them.

Thanks

Lee H
.

Comments

  • Silver BulletSilver Bullet Member Posts: 676 ■■■□□□□□□□
    This is My Unserstanding of them.

    Group Types are either Security or Distribution. Distribution groups are limited to communication (Exchange). Security Groups are used to provide access resources such as shared folders, printer etc...

    Group Scopes consist of Domain Local, Global and Universal.

    Since oyu have read the definitions of the groups I will not list them and will explain their function in a scenario instead. (The Best I Can)

    Let's say you have a shared folder on your server and you need to provide a group of users access to this folder. First you create the share blah blah blah... then you would create a Domain Local Security Group and Assign the permissions to that group. Then you would create a Global Security Group and add the users that need to access that share to this Global Group and make that Global Group a part of the Domain Local Group that you assigned the permissions to. So, where does the Universal Group come into play you ask? Well, let's say that you have another Global Group in another Forest that needs access to this share as well. In this case you can create a Universal Security Group. Then, make the 2 Global Groups that need access to that share a Member Of the newly created Universal group. After that, make the Universal Group a Member of the Domain Local Group that has the persmissions to access the share.

    This is probably not going to make sense to anyone that reads it. none the less, I hope it helps.
  • evanderburgevanderburg Member Posts: 229 ■■■□□□□□□□
    First off, there are security groups and distribution groups. Distribution groups are only used for messaging. All other groups are security groups. Local groups are used to assign permissions to resources located on a local machine. Global groups can contain accounts from anywhere within the domain. Universal groups can contain accounts from anywhere in the forest.

    Here is a situation. A folder called "Files"is shared on the PC Comp1. Read and write permissions are assigned to the "Access" local group on Comp1.

    The company has 3 domains for different regions. There is the domain NA.Company.com in North America, SA.Company.com in South America, and EU.Company.com in Europe. There is a global group in each of these domains called Sales that contains all the salespeople in that respective domain. All domains are part of the forest Company.com. The company would like all salespeople in the entire organization to have access to the Files folder on Comp1. In order to do this, The Sales groups from NA.Company.com, SA.Company.com, and EU.Company.com are put in a Universal group called AllSales. The AllSales group is then put into the local group Access on Comp1. Permissions are inherited by child folders of the parent folder so all salespeople in each domain have read and write permissions to the Files folder because they are members of the Sales group which is a member of the AllSales group which is a member of the Access group which has read and write permissions.

    [Files Share]
    Access Local Group (R&W) => AllSales Universal Group => Sales Global Group => Individual Salesperson.
    "You can never know everything and part of what you know is always wrong. Perhaps even the most important part. A portion of wisdom lies in knowing that. A portion of courage lies in going on anyway. " - Lan, Winter's Heart by Robert Jordan
  • Lee HLee H Member Posts: 1,135
    Hi

    I am getting real close to fully understanding this, am i right in saying On the local domain you have a domain local group with permissions to say Work folder, all users on local domain are in this domain local group, you then make a global group to which you add the domain local group, you then create a universal group to which you add te global group. Does that make any sense

    Thanks

    Lee H
    .
  • Silver BulletSilver Bullet Member Posts: 676 ■■■□□□□□□□
    Not quite but almost.

    You are going to use the Domain Local Group to assign permissions to a folder or printer or some resource that your users need. This Group is not going to contain any users.(Unless you are in a real small environment). The Members of this Group are going to have the Global Groups as it's Members.

    The Global Group is going to contain users that have similar/same needs for accessing the resource. This group will be a "Member Of" the Domain Local Group and will have Users as it's "Members".

    The Universal Group is going to organize your Global Groups that have similar/same needs for accessing the resource. This group is going to be a "Member Of" the Domain Local Group and will have Global Groups as it's "Members".

    Does that help.
  • Lee HLee H Member Posts: 1,135
    Hi

    Thanks for your reply, please tell me this is right or i will smash my head with a shovel

    You only add global groups to your domain local groups to give other domains in the tree access to resources in your local domain

    You only add global groups to universal grous to give other domains in the forest access to resources in your local domain

    Please persavere i am self studying and have no tutoring from anyone

    Thanks

    Lee H
    .
Sign In or Register to comment.