<snip>
Ok, I'll give it a shot, hope this clears things up
You create Global
groups to organize users based on a *common need* of theirs - for
example, all users from Accounting that need to print to LaserJet1. In
this case the common need is *printing*, it may also be accessing a
specific share. Global groups serve as a bus for the users - you *pack*
them in a common object (vehicle) so they are easy to *transport* and to
*manipulate* as a whole. That's why they have *global* scope - you can
use them throughout your forest but they can contain only members from
their own forest.
Domain Local, on the other hand, are used for defining access to
resources. Since resources reside in the domain, these groups are
*locked* inside their domain - they can contain members from anywhere in
the forest. The idea behind this, as actually is with local groups, is
to define the permissions at the resource only once and never go there
again, if possible - just close the link between "permission" and
"user" by putting Globals into DLs.
Often, especially in large organizations, it happens that a group of
users must have the same permissions to a resource as another group. In
my example, consider that Sales should also print to LaserJet1. If you
granted Accounting permissions directly on the print queue, you'd have
to go again and repeat this for Sales. Moreover, you might not even have
any permissions on this printer because you've just been delegated
permissions in AD to create and manage groups, so someone else has to do
the permissions part for you. Now imagine you have played a lot to grant
special NTFS permissions to, say, 50 files. Would you like to do this
again manually for Sales? Probably not.
And if you extrapolate this example to a large enterprise with hundreds
of users, groups and resources, things start getting pretty complicated.
That's what I meant by "most flexible in the long run" - even if now you
don't see the benefit of AGDLP, just take the time to create the DLs and
in the coming months and years it will pay off, that's guaranteed.
I hope I managed to shed some light on the AGDLP matter (it certainly
turned out longish). Feel free to ask further if you still don't feel
convinced.
P.S.: The only exception to this strategy is permissions in AD - you
should always use Global or Universal groups there.
HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
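The AGDLP layering described in the post, written out as an added PowerShell example (not the poster's own code): the domain name, OU path, share path and account names are placeholders, and it assumes the RSAT ActiveDirectory module on a machine that can reach the domain and the file server.

```powershell
# Added example of AGDLP: Accounts -> Global groups -> Domain Local groups -> Permissions.
# Placeholders: domain CORP / corp.example, OU path, share path, sample user names.
Import-Module ActiveDirectory

$groupOU   = 'OU=Groups,DC=corp,DC=example'   # placeholder OU that holds the groups
$sharePath = 'D:\Shares\Finance'             # placeholder folder on the file server

# A -> G: collect accounts into Global groups by their common need (role).
New-ADGroup -Name 'Accounting-Users' -GroupScope Global -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'Sales-Users'      -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'Accounting-Users' -Members 'alice', 'bob'   # constructed sample accounts
Add-ADGroupMember -Identity 'Sales-Users'      -Members 'carol'          # constructed sample account

# DL: one Domain Local group per resource and permission level, named after the resource.
New-ADGroup -Name 'Finance-Share-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# P: the permission is set on the resource exactly once, for the Domain Local group.
# (OI)(CI) makes the entry inherit to files and subfolders; M = Modify.
icacls $sharePath /grant 'CORP\Finance-Share-Modify:(OI)(CI)M'

# G -> DL: link users to the permission by nesting the Global group in the DL group.
Add-ADGroupMember -Identity 'Finance-Share-Modify' -Members 'Accounting-Users'

# Later, when Sales needs the same access, only the nesting changes; the ACL is untouched.
Add-ADGroupMember -Identity 'Finance-Share-Modify' -Members 'Sales-Users'

# Check: Domain Local groups should contain only groups, never user accounts directly.
# Direct user members are the shortcut that AGDLP is meant to avoid, so report them.
function Test-AgdlpNesting {
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -SearchBase $groupOU | ForEach-Object {
        $directUsers = Get-ADGroupMember -Identity $_ | Where-Object { $_.objectClass -eq 'user' }
        [pscustomobject]@{
            Group       = $_.Name
            DirectUsers = ($directUsers | Select-Object -ExpandProperty SamAccountName) -join ','
            Compliant   = ($directUsers.Count -eq 0)
        }
    }
}
Test-AgdlpNesting | Format-Table -AutoSize
```

Run the icacls line on the file server itself (or against a UNC path) with an account that holds Full Control on the folder; the AD lines need only delegated rights on the Groups OU, which is the separation of duties the post describes.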