Global Group


tejal

Hi...

I have a problem with the global group after joining a child domain..
I can manage child domain users from the parent domain, but I
have a problem when I add a child domain user to a parent
domain global group.. and the same on the other side, meaning I can
not add a user from the parent domain to a child domain global
group...

It is only on global groups; all other groups are fine..

If you could please let me know.

Tejal
 

Laura E. Hunter \(MVP\)

This is by design. Global groups can only contain objects from the same
domain that the group is located in.

If you have a resource in DomainB, and you need to grant access to users in
both DomainA and DomainB, best practices would be to do the following:

Create a global group in DomainA. Add the users from DomainA to this group.

Create a global group in DomainB. Add the users from DomainB to this group.

Create a Domain Local group in DomainA. Add the Global Groups from DomainA
and DomainB to this Domain Local group.

Assign permissions to the resource to the Domain Local group.

http://www.microsoft.com/resources/.../proddocs/en-us/sag_ADgroups_3groupscopes.asp
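The A-G-DL-P layout described above, as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module, a parent domain corp.example holding the share and a child domain child.corp.example; domain names, OU paths, group names, the department filter and the share path are constructed placeholders.

```powershell
# Added example: A-G-DL-P for a share in DomainA (parent), granting
# users from DomainA and DomainB (child). All names below are assumed.
Import-Module ActiveDirectory

$domA  = 'corp.example'                            # resource domain (assumed)
$domB  = 'child.corp.example'                      # child domain (assumed)
$ouA   = 'OU=Groups,DC=corp,DC=example'            # assumed OU in DomainA
$ouB   = 'OU=Groups,DC=child,DC=corp,DC=example'   # assumed OU in DomainB
$share = 'D:\Shares\Projects'                      # resource in DomainA (assumed)

# 1. One Global group per domain. A global group may only contain principals
#    from its own domain, so each domain's users go into that domain's group.
New-ADGroup -Name 'GG-Projects-A' -GroupScope Global -GroupCategory Security -Path $ouA -Server $domA
New-ADGroup -Name 'GG-Projects-B' -GroupScope Global -GroupCategory Security -Path $ouB -Server $domB

$usersA = Get-ADUser -Filter 'Department -eq "Projects"' -Server $domA
$usersB = Get-ADUser -Filter 'Department -eq "Projects"' -Server $domB
Add-ADGroupMember -Identity 'GG-Projects-A' -Members $usersA -Server $domA
Add-ADGroupMember -Identity 'GG-Projects-B' -Members $usersB -Server $domB

# 2. A Domain Local group in the resource domain that nests both global groups.
#    Fetch the foreign group with -Server so the object carries its own domain's
#    DN; a bare name does not resolve across the domain boundary.
New-ADGroup -Name 'DL-Projects-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouA -Server $domA
$ggA = Get-ADGroup -Identity 'GG-Projects-A' -Server $domA
$ggB = Get-ADGroup -Identity 'GG-Projects-B' -Server $domB
Add-ADGroupMember -Identity 'DL-Projects-Modify' -Members $ggA, $ggB -Server $domA

# 3. Grant the resource permission to the Domain Local group only,
#    never to users or to the global groups directly.
$netbiosA = (Get-ADDomain -Server $domA).NetBIOSName
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$netbiosA\DL-Projects-Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
)
$acl = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. Verify the chain: the DL group's direct members should be the two global
#    groups (listed by DN, which also shows which domain each lives in), and
#    the share ACL should reference only the DL group.
(Get-ADGroup -Identity 'DL-Projects-Modify' -Properties member -Server $domA).member
(Get-Acl -Path $share).Access | Where-Object IdentityReference -like "*DL-Projects-Modify"
```

Adding a DomainB user straight into GG-Projects-A fails with a scope error, which is the behaviour the original poster ran into.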
 

Simon Geary

Assuming the domains were in native mode it would be better to add the
global groups from each domain to a universal group and assign the
permissions to the universal group. Microsoft seem to have changed their
mind about the A-G-DL-P permissions model and don't recommend you assign
permissions directly to a domain local group.
 

Joe Richards [MVP]

> Microsoft seem to have changed their
> mind about
> ...
> don't recommend you assign
> permissions directly to a domain local group.

I would say that is incorrect.

If you can use domain local groups for permissioning things, then you are free
and it is recommended to use them. The times when you can't use DLGs is when you
are using them to grant access in Active Directory on the non-domain partitions
(such as the config partition or app partitions) or denying access to anything
in AD. The issue is that either of those incidents could cause a problem if you
hit a DC that isn't the DC of the domain the group exists in.

In those cases mentioned, you need to use a global group or a Universal group.
Depending on your AD Architecture and placement of GCs and configuration of
your DCs, the universal group strategy may or may not work for you.


I do agree that there is a drift away from assigning users to global groups and
global groups to local groups. That was always, even in NT4, rather tedious,
overburdening, and plain and simple worked horribly in a multi-master,
multi-resource (multi-multi) environment. You will note that any multidomain AD
forest is by default a multi-multi environment. In that type of environment,
generous use of Domain Local Groups (barring the caveats above, which generally
indicate design issues) tends to be far easier to manage.

joe