
Global & Local Domain Group 4

Status
Not open for further replies.

Skittle

I am trying to understand when to use Local Domain Groups and when to use Global Groups. I'm a little confused about them so would appreciate a little guidance.

Example
-------

If I have a single domain and I want to group 20 users together so that permissions can be allocated to a share.

Question 1)
Am I correct that I could create a Global Group (GG1) with my 20 users OR a Local Domain Group (LDG1) with my 20 users. Either group could then be assigned to the share with a set of permissions?

Question 2)
If I am correct, when would you use a Global Group instead of a Local Domain Group?

Question 3)
A similar question to question 2.
Would you only use a Global Group when you want the group to be visible outside of the domain to another domain?







Dazed and confused
(N+, MCAD .NET)
 
Domain Local groups--- users can be from any domain (including users from other trusted domains). Domain Local Groups can only be used on ACLs in that particular domain. So a reason to use a group like this would be that you have a share in your domain that you want to allow another Trusted company's employees to access. You can then create a Domain Local group that will include the Trusted Company's accounts and change the access-list on that share to allow the Trusted company employees to have read access.

Domain Global Groups-- users can only be from your local domain. Domain Global groups can be used on ACLs in other domains within a forest. So you would create a domain global group if you wanted accounts from your domain to have access to a share that lives in another domain within your forest.

 
The known acronym to use when it comes to security groups is A > G > U > DL > P

Accounts go into global groups which go into Universal groups which go into Domain Local groups and that's where permissions are set.

It's done for ease of manageability. You want to have accounts from each domain in their own global group. Not only that but you can only have accounts from the domain from which the domain local group was defined. After this is done you would want to take each of those global groups and populate them inside a universal group (not applicable if your environment has Win NT)
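The nesting described above, applied to the single-domain scenario from the question, as an added example that is not part of the original posts. It skips the Universal step because only one domain is involved; GG1, LDG1 and D1 are the names used in the thread, while the OU, share name, folder path and user names are assumptions.

```powershell
# Added example (not from the thread): A > G > DL > P in a single domain.
# Assumes the ActiveDirectory (RSAT) and SmbShare modules, run on the file server.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=d1,DC=example'   # hypothetical OU for the groups
$shareName = 'Projects'                     # hypothetical existing SMB share
$sharePath = 'D:\Shares\Projects'           # hypothetical folder behind the share
$users     = 'user01', 'user02', 'user03'   # hypothetical sAMAccountNames

# A -> G: accounts go into a global group (members must come from this domain)
New-ADGroup -Name 'GG1' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG1' -Members $users

# G -> DL: the global group is nested in a domain local group
New-ADGroup -Name 'LDG1' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'LDG1' -Members 'GG1'

# DL -> P: permissions are granted only to the domain local group
Grant-SmbShareAccess -Name $shareName -AccountName 'D1\LDG1' -AccessRight Read -Force

# Matching NTFS permission on the folder, inherited by files and subfolders
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'D1\LDG1', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Review 1: effective users who reach the share through the nesting
Get-ADGroupMember -Identity 'LDG1' -Recursive |
    Select-Object SamAccountName, distinguishedName

# Review 2: flag accounts added directly to the domain local group,
# which bypasses the G layer and makes access harder to audit
Get-ADGroupMember -Identity 'LDG1' |
    Where-Object { $_.objectClass -ne 'group' } |
    Select-Object SamAccountName, objectClass
```

If another trusted domain later needs access to the same share, its own global group can be added to LDG1 without touching the ACL.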
 
Thanks for the info.

I think I get it. It's a question of visibility.

A global group can be used outside of its domain.
Consider a global group called GG1 defined in my domain D1 and a second domain (D2) which needs to allocate a share to my D1 list of users.

To do this, the D2 domain would either have to allocate the permissions to the share by adding each individual user from D1 OR could do it via GG1 from D1. The GG1 is clearly the better option.

However in a single domain environment it doesn't really matter whether you use a Global Group or a Local Domain Group...I think.



Dazed and confused
(N+, MCAD .NET)
 
swabs,

Great definition - 1 star for you!

Benjamin
 
Can somebody confirm my previous posting is correct - just to convince me I have understood this properly?

Thanks



Dazed and confused
(N+, MCAD .NET)
 
Excellent!!

Thanks dude.

Dazed and confused
(N+, MCAD .NET)
 