I hope someone can break a tie here for us talking about Groups. I grew up on the folder get a LG, LG into GG(with user accounts) and then GG into UG if you need the UG. My partner grew up with GG directly to the folder with user accounts and it has worked for hime with no problems. So my question to everyone is Why am I creating all these LG accounts if it works without it? Also I am seeing alot of SG as names of groups and is that a Domain Local group or a Global Group or both becasue they are both security groups? Please let me know how you use these in your environment.
Normalyy, you don use iniversal group becasue universal group membership is replicated to all the dC's(GC) in the forest where as for GG, only group name is replicated. Consider, you got 1000 users as a member of universal group, then adding/modifying the group scope will invite change to be replicated to all the DC's with GC role in the forest & this way it can invite more traffic, hence its recommended to use GG group instead of universal.
You should always follow AGDULP (Accounts, Global, Universal, Domain Local, Permissions) method for assigning permission & it is known as best practices.
If you use GG in UG, then there will be less trafic while replication since GG will have members in it not, so only GG will be replicated.
You need to understand the scope of the groups why we need DLG,GG or UG.
Active Directory group scope
Awinish Vishwakarma - MVP - Directory ServicesMy Blog: awinish.wordpress.com Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
we don't use Universal groups until now, we have not a multi domain environment, where i see the most option to work with them. And Awinish already gave you the information about the way you should handle them.
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.