LG GG or UG groups

    Question

  • I hope someone can break a tie here for us talking about groups. I grew up on: the folder gets an LG, LG into GG (with user accounts), and then GG into UG if you need the UG. My partner grew up with GG directly to the folder with user accounts and it has worked for him with no problems. So my question to everyone is: why am I creating all these LG accounts if it works without it? Also, I am seeing a lot of SG as names of groups; is that a Domain Local group or a Global Group or both, because they are both security groups? Please let me know how you use these in your environment.


    Thanks

    Friday, June 15, 2012 8:16 PM

Answers

All replies

  • Normally, you don't use universal groups because universal group membership is replicated to all the DCs (GCs) in the forest, whereas for GG, only the group name is replicated. Consider: you have 1000 users as members of a universal group; then adding/modifying the group scope will invite a change to be replicated to all the DCs with the GC role in the forest, and this way it can invite more traffic, hence it's recommended to use a GG instead of universal.

    You should always follow AGDULP (Accounts, Global, Universal, Domain Local, Permissions) method for assigning permission & it is known as best practices.

    If you use GG in UG, then there will be less traffic while replication since GG will have members in it not, so only GG will be replicated.

    You need to understand the scope of the groups why we need DLG,GG or UG.

    Active Directory group scope

    http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx

    http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Saturday, June 16, 2012 6:46 AM
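
An added example (not part of any reply in this thread): a PowerShell check that reports, for each explicit entry on a folder's ACL, whether the trustee is an account or a group and, for groups, its category and scope, which is how to tell what a group named "SG" actually is. It assumes the RSAT ActiveDirectory module, a single domain, and a placeholder path; the function name is hypothetical.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumption)

function Get-FolderAclGroupScope {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IsInherited) { continue }          # report only entries set on this folder
        $row = [ordered]@{
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Class    = 'not found in this domain'
            Category = $null
            Scope    = $null
            Note     = 'well-known, local, or foreign principal; not evaluated'
        }
        $obj = $null
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            # Only domain-issued SIDs are looked up; BUILTIN and NT AUTHORITY are skipped
            if ($sid -like 'S-1-5-21-*') { $obj = Get-ADObject -Filter "objectSid -eq '$sid'" }
        } catch { $obj = $null }                    # unresolvable name or lookup failure

        if ($obj -and $obj.ObjectClass -eq 'group') {
            $g = Get-ADGroup -Identity $sid
            $row.Class    = 'group'
            $row.Category = $g.GroupCategory        # Security or Distribution
            $row.Scope    = $g.GroupScope           # DomainLocal, Global or Universal
            if ($g.GroupScope -eq 'DomainLocal') {
                # AGDLP expects the DL group to contain groups, not accounts
                $direct = @(Get-ADGroupMember -Identity $sid |
                            Where-Object { $_.objectClass -ne 'group' })
                $row.Note = if ($direct.Count) {
                    "DL group on ACL, but $($direct.Count) account(s) are direct members"
                } else { 'DL group on ACL, members are groups (AGDLP)' }
            } else {
                $row.Note = "$($g.GroupScope) group directly on ACL (no DL layer)"
            }
        } elseif ($obj) {
            $row.Class = $obj.ObjectClass
            $row.Note  = 'account directly on ACL (no group layer)'
        }
        [pscustomobject]$row
    }
}

# Constructed placeholder path; replace with a share in your environment.
Get-FolderAclGroupScope -Path '\\fileserver\share\Finance' | Format-Table -AutoSize
```

The Category column shows that "security group" describes the group's category only; Scope is a separate attribute, so an "SG" can be Domain Local, Global or Universal.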
  • Hello,

    We haven't used Universal groups until now; we don't have a multi-domain environment, where I see the most options to work with them. And Awinish already gave you the information about the way you should handle them.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, June 17, 2012 2:46 PM