Universal Security Groups

  • Wednesday, November 19, 2008 8:24 PM  DustyKeys

    I am a student pursuing MCSE Server 2003 Certification, and I am confused about when to use Universal Security Groups versus Global Security Groups in cross domain scenarios.  (AGLP vs. AGULP)

    I know that when the domain/forest functional level does not support Universal groups they are not available and AGLP would prevail.  But I get mixed messages about the appropriate use of Universal groups.

    I have seen references to the impact of Universal groups on Global Catalog Servers and to slow (56 kbps) WAN links between domains, but nothing definitive.

    Is it ever inappropriate to use Universal groups when the functional level does support them?

Answers

  • Friday, November 21, 2008 7:48 AM  Joson Zhou, MSFT, Moderator  (Answer)

    Hi,

    In addition, here are some good articles for your reference:

    Group scope
    http://technet.microsoft.com/en-us/library/cc755692.aspx

    Group Type and Scope Usage in Windows
    http://support.microsoft.com/kb/231273

    Universal Group

    Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise.

    Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely.

    Global Group

    Global groups are the primary scope of groups into which users are placed in Mixed-mode domains. Global groups can be placed only in the security descriptors of resource objects that reside in the same domain. This means that you cannot restrict access to an object based solely on user membership in a global group from another domain.

    Global group membership for a user is evaluated when that user logs on to a domain. Because global group membership is domain-centric, changes in global group membership do not impose global catalog replication throughout an entire enterprise.

    In a Native-mode domain, global groups can be nested within each other. This may be useful when administrators have nested organizational units, and want to delegate Organizational Unit (OU) administrative functionality in a gracefully decreasing manner down an OU tree. In this situation, a global group tree can be used as a parallel construct, for the assignment of such decreasing privileges.

    Hope the information is helpful.
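A check for the replication caveat in the answer above, added here as an example and not taken from the KB article or the thread: it lists the forest's universal security groups through the global catalog and flags those that hold user accounts directly, because those are the groups whose routine membership changes replicate to every GC server. It assumes the ActiveDirectory PowerShell module, rights to read group membership via the GC, and a forest whose root domain can be reached on port 3268; the function name and the verdict wording are made up for this example.

```powershell
# Added example, not from the thread or the linked KB article.
# Reports universal security groups that contain users directly (AGULP violation).
Import-Module ActiveDirectory

function Get-UniversalGroupReport {
    param(
        # Assumed: the forest root domain answers GC queries on 3268.
        [string]$Server = (Get-ADForest).RootDomain
    )
    $gc = "$($Server):3268"   # global catalog port, so every domain's universal groups are returned

    Get-ADGroup -Filter 'GroupScope -eq "Universal" -and GroupCategory -eq "Security"' `
                -Server $gc -Properties member, whenChanged |
      ForEach-Object {
        # 'member' holds distinguished names; resolve each one's class from the GC.
        $members = foreach ($dn in $_.member) {
            Get-ADObject -Identity $dn -Server $gc -Properties objectClass
        }
        $directUsers = @($members | Where-Object objectClass -eq 'user')

        [pscustomobject]@{
            Group       = $_.DistinguishedName
            MemberCount = @($members).Count
            DirectUsers = $directUsers.Count
            # whenChanged is maintained per DC and is only an approximation of churn.
            LastChanged = $_.whenChanged
            Verdict     = if ($directUsers.Count -gt 0) {
                              'holds users directly: move them into a global group'
                          } else {
                              'ok: members are groups only'
                          }
        }
      }
}

# Usage: worst offenders first.
Get-UniversalGroupReport | Sort-Object DirectUsers -Descending | Format-Table -AutoSize
```

Groups reported with DirectUsers greater than zero are the ones where each hire or transfer rewrites the universal group's member attribute, which is exactly the GC-wide replication the KB text warns about over WAN links; moving those users into a global group in their own domain and nesting that group instead confines the churn to that domain.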

All Replies

  • Thursday, November 20, 2008 8:37 AM  The Masterplan

    Hi,

    The members of a global group must all belong to the same domain.  If you want to create a group containing users from multiple domains, you must create a universal group. Universal groups can contain accounts, global groups, and other universal groups.
    There can also be replication drawbacks if universal groups are used, because universal groups and all of their members are listed in the global catalog. So, replication traffic will occur whenever the members of a universal group change.  Global groups are listed in the global catalog but their members are not and so replication traffic will not occur when the members of a global group change.


    Have a nice day! The Masterplan - MCSE,MCITP-EA http://winmasterplan.blogspot.com

  • Sunday, November 23, 2008 10:15 PM  DustyKeys

    Thank you both for your replies.  It is still not clear to me based on conflicting information presented in the two links:

    1.) (From the knowledgebase link)

    "Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely."


    2.) (From the technet library link)

    "When to use groups with universal scope
    Use groups with universal scope to consolidate groups that span domains. To do this, add the accounts to groups with global scope, and then nest these groups within groups that have universal scope. When you use this strategy, any membership changes in the groups that have global scope do not affect the groups with universal scope.

    For example, in a network with two domains, Europe and United States create a group that has global scope called GLAccounting in each domain, create a group with universal scope called UAccounting that has as its members the two GLAccounting groups, UnitedStates\GLAccounting and Europe\GLAccounting. The UAccounting group can then be used anywhere in the enterprise. Any changes in the membership of the individual GLAccounting groups will not cause replication of the UAccounting group."

  • Monday, November 24, 2008 7:52 AM  The Masterplan

    Hi,

    As it says in the first link, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely, a statement that is also found in the technet library link, where the UAccounting universal group has two GLAccounting global groups (and the members of this universal group will change very rarely, because those groups are assigned to two big geographic regions). When you add users, you add them to the specific global groups, not to the universal group, so "any changes in the membership of the individual GLAccounting groups will not cause replication of the UAccounting group".
    Hope I was clear!

    Have a nice day! The Masterplan - MCSE,MCITP-EA http://winmasterplan.blogspot.com
  • Tuesday, December 02, 2008 11:44 PM  DustyKeys

    That was my understanding based on Microsoft's best practice of AGULP (i.e. not AULP):

    Accounts --> Global Security Groups --> Universal Security Groups --> Domain Local Security Groups --> Permissions.

    Thanks.
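The AGULP chain DustyKeys lists above, built around the GLAccounting/UAccounting example quoted from the TechNet article two posts earlier, as added PowerShell (ActiveDirectory module) that is not part of this thread or of Microsoft's articles. The child domain names europe.contoso.com and unitedstates.contoso.com, the Accounting department filter, the DL_Accounting_Modify group name, and the share path are assumptions; it must run with rights to create groups in each domain and to change the ACL on the file server.

```powershell
# Added example, not from the thread. Builds A -> G -> U -> DL -> P for two domains.
Import-Module ActiveDirectory

$domains = @{
    'Europe'       = 'europe.contoso.com'        # assumed child domain
    'UnitedStates' = 'unitedstates.contoso.com'  # assumed child domain
}
$resourceDomain = 'unitedstates.contoso.com'     # assumed: domain that holds the file server
$sharePath      = 'D:\Shares\Accounting'          # assumed: local path on that file server

# A -> G: one global group per domain, holding only that domain's own users.
foreach ($name in $domains.Keys) {
    $dc = $domains[$name]
    $ou = (Get-ADDomain -Server $dc).UsersContainer
    New-ADGroup -Name 'GLAccounting' -GroupScope Global -GroupCategory Security `
        -Path $ou -Server $dc -ErrorAction Stop
    # Users go into the global group, never straight into the universal group, so
    # day-to-day membership churn stays inside this domain and off the GC.
    $users = Get-ADUser -Filter 'Department -eq "Accounting"' -Server $dc
    if ($users) { Add-ADGroupMember -Identity 'GLAccounting' -Members $users -Server $dc }
}

# G -> U: one universal group in the forest root whose members are the global groups.
# Its 'member' attribute only changes when a domain is added or removed, so the
# GC-wide replication the KB article warns about happens rarely.
$forestRoot = (Get-ADForest).RootDomain
New-ADGroup -Name 'UAccounting' -GroupScope Universal -GroupCategory Security `
    -Path (Get-ADDomain -Server $forestRoot).UsersContainer -Server $forestRoot -ErrorAction Stop
$globalGroups = foreach ($dc in $domains.Values) {
    # Fetch each group from its own domain so the cross-domain member resolves by SID.
    Get-ADGroup -Identity 'GLAccounting' -Server $dc
}
Add-ADGroupMember -Identity 'UAccounting' -Members $globalGroups -Server $forestRoot

# U -> DL: a domain local group in the resource domain receives the universal group.
New-ADGroup -Name 'DL_Accounting_Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path (Get-ADDomain -Server $resourceDomain).UsersContainer -Server $resourceDomain -ErrorAction Stop
Add-ADGroupMember -Identity 'DL_Accounting_Modify' `
    -Members (Get-ADGroup -Identity 'UAccounting' -Server $forestRoot) -Server $resourceDomain

# DL -> P: the permission is granted to the domain local group only (run on the file server).
$netbios = (Get-ADDomain -Server $resourceDomain).NetBIOSName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\DL_Accounting_Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $sharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl
```

With this layout a new accountant in Europe is added to Europe\GLAccounting by a Europe admin; UAccounting, DL_Accounting_Modify and the ACL are untouched, which is the point of nesting global groups into the universal group rather than adding users to it directly.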
  • Thursday, December 11, 2008 5:52 AM  Gandalf the Wise


    There are some other considerations to take into account, like external trusts to domains in other forests.  You should also read the Universal Group Limitations KB article at NetworkAdminKB.com

    http://networkadminkb.com/kb/Knowledge%20Base/Universal%20Group%20Limitations.aspx