Group Scope - Which one?

When I create a new object group in my Active Directory under Group Scope, what is the difference between

Domain Local
Global
Universal

We don't have multiple domains
 
Jesse_James said:
When I create a new object group in my Active Directory under Group Scope,
what is the difference between:

It is a complicated discussion, but there are two MAIN differences
in Security Group distinctions:

1) Visibility (where a group can be seen)
2) Containment (what a group can contain)

It also varies a bit from Mixed to Native mode.
Domain Local

Visible only within the same domain, but can basically contain
every other kind of group or user.

Global

Visible on all TRUSTING domains and all machines of the
same domain.

Can contain items ONLY from the same domain.
(No group containment except in native mode, where
group nesting can allow a Global to contain a Global, which contains another, etc.)

Universal

Visible throughout the trusting domains.
Can contain anything except Local groups.
We don't have multiple domains

It simplifies some of the above....

Think of it this way:

Global group is a "group of users"
(Domain) Local group is granting permission to a "group of resources"

That is the biggest distinction that most admins could NOT tell you.

Put users in Globals, grant permissions through the Locals. Place the
Globals
in the locals as needed.
 
Jesse_James said:
My users can see Security or Distribution Groups in Global Address List?
Is that what you mean?

Not really but it's related.

I was referring to the Security groups for Permission and
rights assignment but it applies to addressing also.
 
There are best practices set up using these groups, as well as rules for which groups can
contain others. For the most part just ignore Universal groups if you are
in a single domain; their value has two functions, one for multiple domains, the
other for authentication with Global Catalogs.

Use Global Catalogs to group your users and use Domain Local to provide
access to resources. For example:

You have a share named contracts that you want to provide access to Halle
Berry and Yogi Bear. You create a global group named G_Hollywood and you
make Halle and Yogi members of this global group. Then create a Domain
Local group named DL_contract. Browse to the share and go to the security
tab and provide the Share and NTFS permissions to the DL_contract group.
Finally make the G_Hollywood group a member of the DL_contract group. Once
Yogi and Halle log off and log back on they will have access to the
resource.

Group users in Global groups and provide access via Domain Local Groups.


Paul Bergson MCT, MCSE, CNE, CNA, CCA
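Paul's G_Hollywood / DL_contract walkthrough above, written out as PowerShell. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, an OU `OU=Groups,DC=example,DC=com`, a domain NetBIOS name `EXAMPLE`, a folder `D:\Shares\Contracts`, and two sample accounts `hberry` and `ybear`, all constructed for the example.

```powershell
# Added example (not from the thread): Paul's AGDLP pattern in PowerShell.
# Assumed values: OU, domain name, share path and sample users below.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=example,DC=com'   # assumed OU for the new groups
$sharePath = 'D:\Shares\Contracts'            # assumed folder backing the share
$users     = 'hberry', 'ybear'                # constructed sample accounts

# 1. Global group holds the people ("group of users")
New-ADGroup -Name 'G_Hollywood' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G_Hollywood' -Members $users

# 2. Domain Local group is the only principal the resource's ACL will reference
#    ("granting permission to a group of resources")
New-ADGroup -Name 'DL_Contract' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 3. Nest the Global group inside the Domain Local group
Add-ADGroupMember -Identity 'DL_Contract' -Members 'G_Hollywood'

# 4. Grant share and NTFS permissions to the Domain Local group only
New-SmbShare -Name 'Contracts' -Path $sharePath -ChangeAccess 'EXAMPLE\DL_Contract'

$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'EXAMPLE\DL_Contract', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: the folder ACL should name DL_Contract, never individual users or G_Hollywood
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -like 'EXAMPLE\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

As the post notes, Halle and Yogi only pick up the new group SIDs in their token after logging off and back on; `whoami /groups` on their workstation confirms whether DL_Contract is present.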


Jesse_James said:
When I create a new object group in my Active Directory under Group Scope,
what is the difference between:
 
Paul,

Nice to see that someone else names groups similarly to the way I do. I
typically name my Local Security Groups LSG_Hollywood and my Global
Security Groups GSG_Hollywood and my Universal Security Groups
USG_Hollywood. The Distribution Groups would be LDG_xxx, GDG_xxx and
UDG_xxx respectively. I have found this to be extremely useful as you can
1) tell immediately what type of group this is and 2) have the same name
(Hollywood in my example) for multiple groups....

Cary
 
Paul,

Thanks for the feedback. I understand what you mean in the set-up, but the only thing I want to ask you is:

Why not only make Halle Berry and Yogi Bear members of the G_Hollywood Global Group and give that group access to the contract share?

I'll explain my scenario for you.

We have one main folder called "Group_Shares" and that is shared for Change access to everyone. Within this folder we have a folder for each department, i.e. "Admin, Marketing, Payroll, Accounts, etc.", on which we don't change the share permissions but do change the NTFS permissions for that specific department.

We then create Global Groups, i.e. "Admin, Marketing, Payroll, Accounts, etc.", and make the users of those departments members of those groups.

We then take the Global groups and give them NTFS permissions as I've explained above, so that they can access only their departments' folders.

Thanks for any feedback.
 
Agreed

ptwilliams said:
One way of looking at this is an example of delegating control within a
large enterprise. (There are other reasons, but I find this one way of
explaining helpful.)
For example, your admins are (as we all are) overworked and underpaid.
Therefore you decide to grant a set of users the ability to reset
passwords, modify group ownership, etc. Mundane stuff. The less technical
the better. Now, you grant access to a resource based on a domain local
group. If the marketing manager wants access to the accounting folders,
this group can simply add the marketing manager to the domain local group
that has access to the resource, instead of having to have access to the
server which holds the files and add the marketing manager(s) to the DACL.
By doing this, this team doesn't require as many rights across servers in
your domain, which keeps the security guys happy...
 
So what do you do with Security Groups that are also used as DL's? GDSG_Hollywood?

:o)
 
In active directory you have:

1. Two group types

Distribution Group
Groups that have a SID but it is not placed in the security token
Security Group
Groups that have a SID and it is placed in the security token.

Distribution Groups can be used for permissioning objects and other SD type
securable resources. Distribution groups can not. However Distribution groups
could be used to secure items in custom applications that look up the user's
memberships. Say Websphere for instance could use Distribution Groups for roles
or securing access as it doesn't look at nor care about the security token.


2. Three group scopes

Universal Group
o Can use it in any domain of the forest.
o Can have a member from any domain in the forest.

Global Group
o Can use it in any domain of the forest.
o Can only have members from domain it exists in.

Domain Local Group
o Can only use the domain it exists in.
o Can have a member from any domain in the forest.



When working with permissions, you need to be very careful with using Denies
with Domain Local Groups and Universal Groups as there are times when they are
not in the security token and something you have specifically denied access to
can be unsecured.

When working with grants you don't have to be as worried but you should still be
concerned because people may not get access to something that they should. IMHO
that is much better than the first case.


In a single domain forest you can use any of the three group scopes pretty much
interchangeably. As you add more domains, you have to be careful. I generally
don't recommend global groups for anything; they are, IMO, for legacy support of
the old trust models, specifically the single-master, multi-resource model.
All AD forests are a Multi-Master, Multi-Resource model. This means that
security principals from any domain can be added to resources on any other
domain. To properly manage that you should use Universal Groups or Domain Local
Groups and permission the resource directly with the group (Uni or DLG).

If you have a very distributed environment with a smaller percentage of GCs you
should try to stick with Domain Local Groups because a GC is not required for
inclusion of the group into the security tokens on objects you are trying to
access. If you are permissioning things like the config container objects
though, you should use Universal groups.

joe
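Joe's warning about Deny ACEs on Domain Local and Universal groups is the kind of thing worth auditing for. The following added example (not from the thread) walks a folder tree and reports every Deny entry whose trustee is a Domain Local or Universal group; it assumes the RSAT ActiveDirectory module and a constructed root path `D:\Shares`.

```powershell
# Added example (not from the thread): find Deny ACEs that rely on a Domain Local
# or Universal group, i.e. the ACEs that silently stop applying when that group's
# SID is missing from a token (joe's caveat). Root path is a constructed value.
Import-Module ActiveDirectory

$root = 'D:\Shares'   # assumed root of the folder tree to audit

function Get-RiskyDenyAces {
    param([string]$Path)

    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_.FullName
            (Get-Acl -Path $folder).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object {
                    # Strip the DOMAIN\ prefix to get the group's sAMAccountName
                    $name = ($_.IdentityReference.Value -split '\\')[-1]
                    $grp  = Get-ADGroup -Filter "SamAccountName -eq '$name'" `
                                        -ErrorAction SilentlyContinue
                    # Only Domain Local and Universal scopes are at risk here
                    if ($grp -and $grp.GroupScope -in 'DomainLocal', 'Universal') {
                        [pscustomobject]@{
                            Path   = $folder
                            Group  = $grp.SamAccountName
                            Scope  = $grp.GroupScope
                            Rights = $_.FileSystemRights
                        }
                    }
                }
        }
}

Get-RiskyDenyAces -Path $root | Format-Table -AutoSize
```

Each reported row is a Deny that only holds while the group's SID is actually present in the requesting user's token; `whoami /groups` on the client shows what that token really contains.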
 
Joe,

I *typically* try to stay away from that where possible. But, I guess that
I would use something like what you suggested.

Cary
 
Yeah.

A good example would be something used to permission things inside of Exchange,
such as permissioning calendars or other MAPI Role type items.

Of course someone could always mail enable something like Domain Admins to send
emails to them as well but I would expect that that would normally be a lesser
case. However, I expect that may pick up with people wanting to force auditing
of group memberships and access more often. If you have something permissioned
with a certain group, it would be nice and easy to tear through the ACL and pull
out the groups and generate emails to those groups to tell people to verify
accesses on a regular basis.
 