can we add universal group into global group

    Question

  • Can we add a universal group into a global group?

    (The global group is a member of the universal group.)

    Is it possible?


    AliahMurfy
    Wednesday, March 16, 2011 3:08 PM

Answers

  • Universal groups cannot be members of global groups. Only global groups can be members of other global groups.

    Universal groups can be members of other universal groups or local domain groups.

    For more information, refer to this Microsoft article.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

     

    • Proposed as answer by Meinolf WeberMVP Wednesday, March 16, 2011 6:08 PM
    • Marked as answer by Aliah Murfy Thursday, March 17, 2011 9:09 AM
    Wednesday, March 16, 2011 3:21 PM
  • Hello AliahMurfy,

    As everyone said, no, you can't. A good guideline was posted by MrX and Mike Kiline (same article).

    Basically, you need to follow the AGUDLP guideline (Add users to a global group, add the global group to a Universal, add the Universal to a Domain Local Group, add the Domain Local Group to the resource, then provide permissions for the Domain Local Group to access the resource).

    This can be expanded to AGGUUDLDLP, which means you can nest Global groups into other Global Groups, nest Universal Groups into other Universal Groups, and nest Domain Local groups into other Domain Local Groups, but you can't go backwards, meaning that you can't add universals into a Global. Matter of fact, the system won't even give you the option to add the groups trying it the other way.

    Here's a depiction of what I use in class when teaching group nesting:

    • Scenario: One forest, three domains.
    • Domain and Forest Levels are at the latest levels.
    • The Accountants in each of their own domains need Full Control to the accounting database in only their domain.
    • The Accountants in all domains in the forest need Read Only to the other accounting databases in the other domains.

    How would you do this?

    • In each domain, create two Domain Local Groups, one with Read Only permissions, and the other with Full Control Permissions, and add both groups to the accounting database in the domain.
    • In each domain, create a Global Accounting Group.
    • Add the users in each domain to their respective global group.
    • Add the Global Accounting Group in each domain to their respective Domain Local Group that has been given Full Control to the database.
    • Create one Universal Accounting Group.
    • Add the Global Accounting Group from each domain to the Universal Accounting Group.
    • Add the Universal Accounting Group to the Domain Local Accounting Group that has been given Read Only to the accounting databases.

     

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Meinolf WeberMVP Wednesday, March 16, 2011 6:08 PM
    • Edited by Ace Fekay [MCT]MVP Thursday, March 17, 2011 2:58 AM - Corrected mistake - "This can be expanded to ADDUUDLDLP..." where I should have said, "This can be expanded to AGGUUDLDLP..."
    • Marked as answer by Aliah Murfy Thursday, March 17, 2011 9:09 AM
    Wednesday, March 16, 2011 4:28 PM
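The nesting rules and the three-domain accounting scenario from the post above, as an added example that is not part of the original thread or of any Microsoft tooling. It is a Python model, not real directory calls: the domain names A/B/C, the group names and the `Directory` class are hypothetical, and the same-domain limits on Global and Domain Local nesting come from Microsoft's documented group scope rules rather than from the thread.

```python
# Container scope -> allowed member scope -> must the member be in the same domain?
ALLOWED = {
    "Global":      {"User": True,  "Global": True},
    "Universal":   {"User": False, "Global": False, "Universal": False},
    "DomainLocal": {"User": False, "Global": False, "Universal": False, "DomainLocal": True},
}

class Directory:
    def __init__(self):
        self.objs, self.members = {}, {}   # name -> (scope, domain); name -> member names

    def create(self, name, scope, domain):
        self.objs[name], self.members[name] = (scope, domain), set()

    def add_member(self, group, member):
        (g_scope, g_dom), (m_scope, m_dom) = self.objs[group], self.objs[member]
        rule = ALLOWED[g_scope]
        if m_scope not in rule:            # e.g. Universal into Global: going "backwards"
            raise ValueError(f"{m_scope} cannot be a member of {g_scope}")
        if rule[m_scope] and m_dom != g_dom:
            raise ValueError(f"{g_scope} only accepts {m_scope} from its own domain")
        self.members[group].add(member)

    def is_member(self, group, name):      # transitive (nested) membership
        return any(m == name or self.is_member(m, name) for m in self.members[group])

def build_scenario(domains=("A", "B", "C")):   # constructed domain names
    d = Directory()
    d.create("U-Accounting", "Universal", domains[0])         # one Universal group
    for dom in domains:
        d.create(f"{dom}-user", "User", dom)
        d.create(f"{dom}-G-Accounting", "Global", dom)
        d.create(f"{dom}-DL-Full", "DomainLocal", dom)        # Full Control on the DB
        d.create(f"{dom}-DL-Read", "DomainLocal", dom)        # Read Only on the DB
        d.add_member(f"{dom}-G-Accounting", f"{dom}-user")    # A -> G
        d.add_member(f"{dom}-DL-Full", f"{dom}-G-Accounting") # G -> DL (own domain)
        d.add_member("U-Accounting", f"{dom}-G-Accounting")   # G -> U
        d.add_member(f"{dom}-DL-Read", "U-Accounting")        # U -> DL
    return d

def access(d, user, dom):
    # Strongest right the user holds on the accounting database in domain `dom`.
    for right, grp in (("Full Control", f"{dom}-DL-Full"), ("Read Only", f"{dom}-DL-Read")):
        if d.is_member(grp, user):
            return right
    return "None"
```

`access(build_scenario(), "A-user", "B")` resolves through the Universal group to Read Only, while `add_member("A-G-Accounting", "U-Accounting")` raises, matching the "can't go backwards" rule.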
  • No,

    Global groups can be nested into Universal groups but you can't nest a universal into a global group

     

    Good table to review here:

     

    http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

    Group Scope

     

    Thanks

    Mike


    http://adisfun.blogspot.com
    http://twitter.com/mekline
    • Proposed as answer by Meinolf WeberMVP Wednesday, March 16, 2011 6:08 PM
    • Marked as answer by Aliah Murfy Thursday, March 17, 2011 9:09 AM
    Wednesday, March 16, 2011 3:21 PM
  • As others rightly said, a UG can't be a member of a Global group, but vice versa is possible.

    http://www.tech-faq.com/understanding-group-types-and-scopes.html

    The recommendation is AGDLP (Assign member to Global, Global to Universal or domain local)

    http://microsys.unity.ncsu.edu/documentation/ITD-Active-Directory-Environment/Groups-Permissions.php

     

    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Aliah Murfy Thursday, March 17, 2011 9:09 AM
    Wednesday, March 16, 2011 4:04 PM
    Moderator
  • Thanks, Santhosh!

    Oops, I had to edit my post. I mistakenly wrote, "This can be expanded to ADDUUDLDLP..." where I should have said, "This can be expanded to AGGUUDLDLP..."

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Aliah Murfy Thursday, March 17, 2011 9:09 AM
    Thursday, March 17, 2011 2:57 AM

All replies

  • If you provide more information on what you are trying to accomplish, you'll most likely be provided with some recommendations.
    Visit: anITKB.com, an IT Knowledge Base.
    Wednesday, March 16, 2011 3:26 PM
  • Nice Ace!
    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Wednesday, March 16, 2011 7:27 PM
  • Ace, you make this so easy to understand - nice!
    Thursday, January 17, 2013 8:37 PM
  • I'm glad to hear you've found it helpful!

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, January 17, 2013 10:18 PM