Win2003's Global vs Local domain groups...


Simon Begin

I know best practice says to use Global groups & Local domain groups,
associate users with the global group, associate the resource with the Local
domain group, then associate the 2 groups together.

I'm from a Novell environment, where "best practices" don't exist. We used
to understand how it works, then choose what's best for us.

Back to my 2003 AD groups, nobody could tell me WHY to use BOTH groups,
instead of using only Local domain groups (even a teacher of a 2003 AD
course). We have 1 tree and 1 domain, <1000 users. We will someday have
other foreign 2003 AD trees, and will need to link with them for some
applications.

Do we really need to make 2 groups, when it works very well with 1?
 

aaron

It is best to put the users into global groups then local groups then assign
the permission to the local groups. The reason is because you can't add
users from other domains into domain local groups. If you want to add users
from different domains they have to go in global groups. Just think UGLY:
users > global groups > local groups > you assign permissions here

hth,
aaron
 

Oli Restorick

It's mainly useful where you are providing access to a resource to lots of
global groups. In the same way you group users with global groups, you can
group resources with local groups.
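
The nesting chain described in the replies above (users > global groups > local groups > permissions), as an added example that is not part of the original thread: a small in-memory model that resolves who ends up with which right on a resource and through which group chain, and tolerates a nesting loop. Every group, user and share name in it is constructed for illustration, and it does not query a real directory.

```python
# Constructed sample directory: every name below is hypothetical.
MEMBERS = {
    # global groups collect users by role
    "GG_Accounting": {"alice", "bob"},
    "GG_Auditors": {"carol"},
    # domain local groups collect whoever needs one permission on one resource
    "DL_Finance_Share_Modify": {"GG_Accounting"},
    "DL_Finance_Share_Read": {"GG_Auditors", "GG_Accounting"},
}
# Permissions are granted only to the domain local groups.
ACL = {
    r"\\fs01\finance": {"DL_Finance_Share_Modify": "Modify",
                        "DL_Finance_Share_Read": "Read"},
}

def expand(group, path=()):
    """Yield (user, group chain) for every user reachable through nesting."""
    if group in path:          # nesting loop: stop instead of recursing forever
        return
    path = path + (group,)
    for member in sorted(MEMBERS.get(group, ())):
        if member in MEMBERS:  # the member is itself a group, so descend
            yield from expand(member, path)
        else:
            yield member, path

def effective_access(resource):
    """Map user -> list of (right, group chain) explaining each grant."""
    result = {}
    for dl_group, right in ACL[resource].items():
        for user, path in expand(dl_group):
            result.setdefault(user, []).append((right, " <- ".join(path)))
    return result

def report(resource):
    """One line per grant, sorted by user, for an access review."""
    lines = []
    for user, grants in sorted(effective_access(resource).items()):
        for right, chain in grants:
            lines.append(f"{user}: {right} via {chain}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(r"\\fs01\finance")))
```
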
 

Simon Begin

It's important to me: either I use Local+Global groups, and I double my 500
groups in AD up to 1000 groups (aaarg!), or I only use Local domain
groups and make administration MUCH simpler, including debugging time.

OK, I have to use Global groups if I have multiple domains. So in my
understanding, I have only 1 domain. I could use only Local domain groups,
but will need to create Global groups for (and only for) giving rights to
users in other domains. Thus when it happens (another trusted domain) I
simply add 2 or 3 Global groups to give them access (= 503 groups instead of
1000)...

In short I still don't know WHY to use both groups every time?
 
