Global Groups vs Universal Groups vs Domain Local - Differences in brief?

    Question

  • Hi folks.  I'm working on my 70-640 test prep and I'm running into the differences in the different types of groups and I'm getting a little confused.  I've always just used universal groups and never had any problems and was wondering why use something like a global group instead of a universal group.  Also, what is the point of the domain local group?  I've never used it and I'm having a hard time based on what I've read in telling the differences.  Thanks.
    Wednesday, July 01, 2009 1:31 PM

Answers

  • universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.

    global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.

    domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.
     
    Please also see this http://support.microsoft.com/kb/231273

    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
    http://technetfaqs.wordpress.com
    Wednesday, July 01, 2009 1:50 PM
  • In addition to information provided by Syed and Meinolf, you might want to also keep in mind the following (addressing more specifically the questions you asked):
    - universal group membership is replicated to all Global Catalogs (i.e. it has forest-wide replication scope). This can be beneficial (since it provides an efficient way to retrieve group members) - but has its drawbacks (it increases the volume of replication traffic).
    - domain local groups do not have any limitations regarding their membership - i.e. they can contain accounts from the same domain/forest or any trusted domain/forest. This does not apply to domain global groups (they can contain only accounts from the same domain) or universal groups (they can contain only accounts from the same forest).

    hth
    Marcin

    Wednesday, July 01, 2009 2:06 PM
  • Hello,

    check here the different group scopes:
    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, July 01, 2009 1:47 PM

All replies

  • Hi,
    I am wondering about the use of Universal groups in Server 2008.

    We have one tree and one domain and don't foresee any additional domains or trees or federation or anything in the nearby future (even though one can never be sure ;-).

    We have learned that best practice is to put users in a global group and then put the global groups in a domain local group and finally to use the DL group to assign permission to folders in the filesystem.

    Now, why can't we just skip the extra DL groups and use Universal groups all the way? That is, put the user into a universal group and then use that group to assign permissions in the filesystem (or in the AD as well)? We have a lot of groups and it would be nice if we didn't have to use that extra layer of DL groups.

    What could be bad about this strategy in a 2008 environment? Is there a performance issue? Could it come back and bite us if we add an additional domain? Does it impact administration delegation of groups or something?

    Thanks for any insight you can provide in this matter!

    Best regards
    Fredrik Lindberg 
    Just a simple hacker
    Thursday, November 05, 2009 7:52 AM
  • Hello,

    universal groups make sense if you have multiple domains in the forest, for a single forest domain, working with global and local groups is really enough.

    In large environments you also have to keep in mind that replication of each change has to be done to any GC before you should change settings again. Also logon over slow/bad WAN links can be unsuccessful when no GC can be located.

    Distribution groups you can only use with e-mail applications and they cannot be listed in discretionary access control lists (DACLs), because they are not security enabled. If you need a group for controlling access to shared resources, you need to create a security group.

    http://technet.microsoft.com/en-us/library/dd861330.aspx
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Saturday, November 07, 2009 8:55 PM
  • Hi, and thanks for your response.

    Still I am not sure why we should use the recommended use of Global Groups put into a Domain Local group that finally is used for assigning permission to e.g. filesystem objects.

    If I don't use the Domain local group, and instead use either Universal or Global groups directly to assign permissions to a folder, what are the disadvantages?
    You are pointing out that changes to a universal group have to be replicated to any GC before changing it again, and that the GC needs to be located during logon (and if you can't reach the GC isn't that always a bad thing?), so that is one such disadvantage. Since we don't have any slow links or multiple domains it wouldn't affect us very much.

    Could there be any other reason why you should always use a domain local group to give permission in the filesystem and then populate that group with Global/Universal groups?

    Thanks again for your response!
    Best regards
    Fredrik Lindberg
    Just a simple hacker
    Wednesday, November 11, 2009 10:06 AM
  • Hi all,

    Sorry for the bump but I have exactly the same question as Fridden. Why do we still bother using Domain Local groups when Global groups can be assigned to filesystem objects? Is it a hangover from NT4.0?

    Wal.
    • Edited by Wallive Thursday, February 11, 2010 1:09 AM Clarification
    Thursday, February 11, 2010 1:08 AM
  • Hi All !

    I am working on exactly this problem these days and cannot find any other. Clarification would be really a very good thing!!

    BTW, I found this in technet:

    Because a domain local group is associated with an access token built when a member of that group authenticates to a resource in that domain, unnecessary network traffic (carrying of membership information) is avoided. (If, instead, you assigned a global group permission to access the printer, the global group can end up in a user's token anywhere in the forest, causing unnecessary network traffic.)

    But it is not explained [this was from here:
    http://technet.microsoft.com/en-us/library/bb727067.aspx ]

    I even cannot see when to use either of these groups. In our company, we have only one domain for the whole world [with several DCs per country].

    Regards,
    scamb
    Tuesday, February 23, 2010 4:34 PM
  • I wish someone had more info on this.  My questions are:

     

    1. Why is it not a good idea to use a Global group to assign permissions?

    2. Can I add users directly to a Domain Local Group and use it to assign permissions? My users and resources are in the same domain.

    Wednesday, August 04, 2010 1:59 PM
  • I tend to name Global groups to describe a business function, and Domain Local groups to describe a resource.  It just helps to keep it clearer in my head.

    There's nothing to stop you adding users directly to Domain Local groups in a single domain setup, but problems may arise if there are ever changes to your organisation that require the introduction of additional domains.

    Best practice isn't always about the current infrastructure, it's there to avoid potential problems later on.

    Best wishes,
    Bod.

    • Edited by Wayne Joyce Monday, August 09, 2010 9:18 AM typo
    Monday, August 09, 2010 9:10 AM
  • In a single domain forest, most folks use global groups for both assigning of permissions and grouping of users & computers.  So in our situation we only use domain global groups.  So there is no problem assigning permissions to global groups.

     

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, August 09, 2010 12:22 PM
  • Hi all,

    This is indeed a fall-back to the NT4 "best-practice" way of doing things - who remembers UGLAP? Users added to Domain Global Group added to Domain Local group Assigned Permissions [on object]?

    With Windows 2000 and AD came the advent of the Universal Group, and the mnemonic UUGALP: Users added to Domain Universal Group, added to Domain Global Group, added to Domain Local group, Assigned Permissions [on object]?

    Don't forget - all of this is predicated on the principle of multidomain forests - the largest scenario. However, in most instances this just does not happen as only global or multi-site enterprise entities will use that sort of model - and not always then!!

    Don't get too hung up on the UGLAP part - as long as you use Domain Local at the object level the rest can often be forestalled.

    Adrian


    Wednesday, November 27, 2013 12:38 PM
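The role-into-resource nesting the replies above describe (users in a Global group, the Global group in a Domain Local group, the Domain Local group in the DACL), written out in PowerShell as an added example; it is not from any poster in this thread. It assumes the ActiveDirectory module, a domain NetBIOS name CORP, the OU path, share path and account names below (all placeholders), and an existing folder D:\Shares\Finance.

```powershell
# Added example: AGDLP with the ActiveDirectory module. Names are placeholders.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the new groups

# 1. Global group describes WHO: a business role. Members come from this domain only.
New-ADGroup -Name 'Role-Finance-Staff' -SamAccountName 'Role-Finance-Staff' `
    -GroupScope Global -GroupCategory Security -Path $ou `
    -Description 'Finance department staff (role)'

# 2. Domain Local group describes WHAT: one level of access to one resource.
New-ADGroup -Name 'ACL-FinanceShare-Modify' -SamAccountName 'ACL-FinanceShare-Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $ou `
    -Description 'Modify rights on D:\Shares\Finance (resource)'

# 3. Nest: the role goes into the resource group; users only ever go into the role group.
Add-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Members 'Role-Finance-Staff'
Add-ADGroupMember -Identity 'Role-Finance-Staff' -Members 'jdoe'

# 4. The ACE on the folder names ONLY the Domain Local group; roles never appear in a DACL.
$path = 'D:\Shares\Finance'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\ACL-FinanceShare-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 5. Audit check: report any domain group in the DACL whose scope is not DomainLocal,
#    i.e. a Global or Universal group granted directly, bypassing the pattern.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -like 'CORP\*' } |
    ForEach-Object {
        $sam = $_.IdentityReference.Value.Split('\')[1]
        $g = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if ($g -and $g.GroupScope -ne 'DomainLocal') {
            "$($g.Name) ($($g.GroupScope)) is granted directly on $path"
        }
    }
```

If a second domain is ever added, only step 3 changes: the other domain's Global groups are nested into the same Domain Local group, and the DACL is untouched.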
  • In addition to what others have already replied, the different group scopes take up different amounts of space in a user's token depending on the following.

    1. Domain Local Groups always take up 40 bytes
    2. Universal Groups take up 40 bytes if the groups are from _another_ domain than the user resides in; if the Universal Group and the user reside in the same domain it takes up 8 bytes in the token.
    3. Global Groups always take up 8 bytes in the token.
    4. If any of the groups have sIDHistory they take up an additional 40 bytes per sIDHistory entry.

    Domain Local Groups are more or less a must over forest trusts.


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 27, 2013 1:05 PM
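The per-scope byte counts in the reply above, applied as a small estimator in PowerShell; this is an added example, not code from the thread. It works on group records constructed inline (Scope, Domain, SidHistoryCount), so it runs without a domain; the same shape can be built from Get-ADGroup output if you want to check a real user.

```powershell
# Added example: estimate the group-SID part of a token from the per-scope sizes above.
function Get-TokenGroupBytes {
    param(
        [Parameter(Mandatory)][string]   $UserDomain,   # domain the user account resides in
        [Parameter(Mandatory)][object[]] $Groups        # records with Scope, Domain, SidHistoryCount
    )
    $total = 0
    foreach ($g in $Groups) {
        $sameDomain = ($g.Domain -eq $UserDomain)
        $bytes = switch ($g.Scope) {
            'DomainLocal' { 40 }                                   # always 40
            'Global'      { 8 }                                    # always 8
            'Universal'   { if ($sameDomain) { 8 } else { 40 } }   # 8 at home, 40 from elsewhere
            default       { throw "unknown group scope '$($g.Scope)'" }
        }
        # every sIDHistory entry on the group is one more 40-byte SID in the token
        $bytes += 40 * [int]$g.SidHistoryCount
        $total += $bytes
    }
    return $total
}

# Constructed sample: a CORP user in a mix of scopes, one group migrated with sIDHistory.
$sample = @(
    [pscustomobject]@{ Scope = 'Global';      Domain = 'CORP';    SidHistoryCount = 0 }
    [pscustomobject]@{ Scope = 'DomainLocal'; Domain = 'CORP';    SidHistoryCount = 0 }
    [pscustomobject]@{ Scope = 'Universal';   Domain = 'CORP';    SidHistoryCount = 0 }
    [pscustomobject]@{ Scope = 'Universal';   Domain = 'PARTNER'; SidHistoryCount = 0 }
    [pscustomobject]@{ Scope = 'Global';      Domain = 'CORP';    SidHistoryCount = 2 }
)
Get-TokenGroupBytes -UserDomain 'CORP' -Groups $sample
```

Microsoft's published token-size estimate adds a fixed overhead on top of this per-group sum, so treat the result as the part of the budget that group design controls.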