Global Groups vs Universal Groups vs Domain Local - Differences in brief?

  • Wednesday, July 01, 2009 1:31 PM, FuzzyReets
    Hi folks.  I'm working on my 70-640 test prep and I'm running into the differences in the different types of groups and I'm getting a little confused.  I've always just used universal groups and never had any problems and was wondering why use something like a global group instead of a universal group.  Also, what is the point of the domain local group?  I've never used it and I'm having a hard time, based on what I've read, telling the differences.  Thanks.

Answers

  • Wednesday, July 01, 2009 1:50 PM, Syed Khairuddin [Answer]
    A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.

    A global group is a group that can be used in its own domain, in member servers and workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions, and the global group can become a member of local groups. However, a global group can contain user accounts only from its own domain.

    A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.
     
    Please also see this http://support.microsoft.com/kb/231273

    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
    http://technetfaqs.wordpress.com
  • Wednesday, July 01, 2009 1:47 PM, Meinolf Weber [MVP-DS] [Answer]
    Hello,

    Check here for the different group scopes:
    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
  • Wednesday, July 01, 2009 2:06 PM, Marcin Policht [MVP] [Answer]
    In addition to the information provided by Syed and Meinolf, you might want to also keep in mind the following (addressing more specifically the questions you asked):
    - universal group membership is replicated to all Global Catalogs (i.e. it has forest-wide replication scope). This can be beneficial (since it provides an efficient way to retrieve group members), but it has its drawbacks (it increases the volume of replication traffic).
    - domain local groups do not have any limitations regarding their membership, i.e. they can contain accounts from the same domain/forest or from any trusted domain/forest. This does not apply to domain global groups (they can contain only accounts from the same domain) or universal groups (they can contain only accounts from the same forest).

    hth
    Marcin

All Replies


  • Thursday, November 05, 2009 7:52 AM, Fridden
    Hi,
    I am wondering about the use of Universal groups in Server 2008.

    We have one tree and one domain and don't foresee any additional domains or trees or federation or anything in the near future (even though one can never be sure ;-).

    We have learned that best practice is to put users in a global group, then put the global groups in a domain local group, and finally to use the DL group to assign permissions to folders in the filesystem.

    Now, why can't we just skip the extra DL groups and use universal groups all the way? That is, put the user into a universal group and then use that group to assign permissions in the filesystem (or in the AD as well)? We have a lot of groups and it would be nice if we didn't have to use that extra layer of DL groups.

    What could be bad about this strategy in a 2008 environment? Is there a performance issue? Could it come back and bite us if we add an additional domain? Does it impact administration delegation of groups or something?

    Thanks for any insight you can provide in this matter!

    Best regards
    Fredrik Lindberg 
    Just a simple hacker
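    The AGDLP chain Fredrik describes (accounts in a global group, the global group in a domain local group, the permission granted to the domain local group), written out as an added example with the RSAT ActiveDirectory module; this is not code from any poster. The group names, OU path, folder path and user name are constructed placeholders, and the script assumes rights to create groups in that OU and to change the folder's DACL.

```powershell
# Added example: AGDLP for one file share (not code from the thread).
# Assumes the RSAT ActiveDirectory module; all names and paths are placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=corp,DC=example'   # placeholder OU
$folder  = 'D:\Shares\Finance'               # placeholder folder
$netbios = (Get-ADDomain).NetBIOSName

# A -> G: the global group models the role; its members come from this domain only.
$roleGroup = New-ADGroup -Name 'Role-Finance-Analysts' -GroupScope Global `
    -GroupCategory Security -Path $ou -PassThru

# G -> DL: the domain local group names the resource and the access level.
# It is the only principal that will ever appear in the folder's DACL.
$aclGroup = New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $ou -PassThru

# Guard: nest only in the direction the scopes allow (Global into DomainLocal).
if ($roleGroup.GroupScope -ne 'Global' -or $aclGroup.GroupScope -ne 'DomainLocal') {
    throw 'Unexpected group scope; refusing to nest.'
}
Add-ADGroupMember -Identity $aclGroup -Members $roleGroup

# DL -> P: one ACE for the domain local group, inherited by subfolders and files.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$netbios\$($aclGroup.SamAccountName)",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Day-to-day change: people move in and out of the role group only;
# the folder's DACL is never touched again.
Add-ADGroupMember -Identity $roleGroup -Members 'jdoe'   # placeholder user
```

    The split keeps permission changes out of the DACL and in group membership, which is auditable from the directory (group membership change events) rather than by re-reading ACLs on every folder.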
  • Saturday, November 07, 2009 8:55 PM, Meinolf Weber [MVP-DS]
    Hello,

    Universal groups make sense if you have multiple domains in the forest; for a single-domain forest, working with global and local groups is really enough.

    In large environments you also have to keep in mind that replication of each change has to be done to every GC before you should change settings again. Also, logon over slow/bad WAN links can be unsuccessful when no GC can be located.

    Distribution groups you can only use with e-mail applications, and they cannot be listed in discretionary access control lists (DACLs) because they are not security-enabled. If you need a group for controlling access to shared resources, you need to create a security group.

    http://technet.microsoft.com/en-us/library/dd861330.aspx
    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
  • Wednesday, November 11, 2009 10:06 AM, Fridden
    Hi, and thanks for your response.

    Still, I am not sure why we should follow the recommended use of global groups put into a domain local group that is finally used for assigning permissions to, e.g., a filesystem object.

    If I don't use the domain local group, and instead use either universal or global groups directly to assign permissions to a folder, what are the disadvantages?
    You are pointing out that changes to a universal group have to be replicated to every GC before changing it again, and that the GC needs to be located during logon (and if you can't reach the GC, isn't that always a bad thing?), so that is one such disadvantage. Since we don't have any slow links or multiple domains, it wouldn't affect us very much.

    Could there be any other reason why you should always use a domain local group to give permission in the filesystem and then populate that group with Global/Universal groups?

    Thanks again for your response!
    Best regards
    Fredrik Lindberg
    Just a simple hacker