Global Groups vs Universal Groups vs Domain Local - Differences in brief?

Question
-
Hi folks. I'm working on my 70-640 test prep and I'm running into the differences in the different types of groups and I'm getting a little confused. I've always just used universal groups and never had any problems and was wondering why use something like a global group instead of a universal group. Also, what is the point of the domain local group? I've never used it and I'm having a hard time, based on what I've read, telling the differences. Thanks.
Wednesday, July 1, 2009 1:31 PM
Answers
-
A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.
A global group is a group that can be used in its own domain, on member servers and workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions, and the global group can become a member of local groups. However, a global group can contain only user accounts from its own domain.
A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions only on resources that reside in the same domain where the domain local group is located.
Please also see this http://support.microsoft.com/kb/231273
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
http://technetfaqs.wordpress.com
- Marked as answer by Joson Zhou, Friday, July 3, 2009 6:00 AM
Wednesday, July 1, 2009 1:50 PM
-
In addition to information provided by Syed and Meinolf, you might want to also keep in mind the following (addressing more specifically the questions you asked):
- universal group membership is replicated to all Global Catalogs (i.e. it has forest-wide replication scope). This can be beneficial (since it provides efficient way to retrieve group members) - but has its drawbacks (it increases volume of replication traffic).
- domain local groups do not have any limitations regarding their membership - i.e. they can contain accounts from the same domain/forest or any trusted domain/forest. This does not apply to domain global groups (they can contain only accounts from the same domain) or universal groups (they can contain only accounts from the same forest).
hth
Marcin
- Marked as answer by Joson Zhou, Friday, July 3, 2009 6:00 AM
Wednesday, July 1, 2009 2:06 PM
-
Hello,
check here the different group scopes:
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Joson Zhou, Friday, July 3, 2009 6:00 AM
Wednesday, July 1, 2009 1:47 PM
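As an added example that is not part of any post in this thread: the three scopes described above, wired together the way the replies recommend (accounts in a global group, the global group in a domain local group, only the domain local group on the ACL), using the RSAT ActiveDirectory module in PowerShell. The OU, group names, user name and folder path are assumptions chosen for the example.

```powershell
# Added example, not from the thread: build the Account -> Global -> Domain Local -> Permission
# chain described in the answers above with the RSAT ActiveDirectory module.
# Assumed names (not from the thread): OU "OU=Groups,DC=corp,DC=example,DC=com",
# user "alice", folder "D:\Shares\Finance". Run as a user allowed to create groups in that OU
# and to change the ACL on the folder.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=corp,DC=example,DC=com'
$share = 'D:\Shares\Finance'

# A -> G: a global group names a business role. It may only hold accounts (and global groups)
# from its own domain, but it can be granted rights anywhere in the forest or in trusting domains.
$role = New-ADGroup -Name 'Role-Finance-Analysts' -SamAccountName 'Role-Finance-Analysts' `
    -GroupScope Global -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $role -Members 'alice'

# G -> DL: a domain local group names a resource and the right on it. It may hold global and
# universal groups from any domain in the forest, so the chain keeps working if a second domain
# is ever added; only the ACL side is tied to this domain.
$res = New-ADGroup -Name 'Res-Finance-Share-Modify' -SamAccountName 'Res-Finance-Share-Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $res -Members $role

# DL -> P: only the domain local group is written into the ACL. Granting a new role access later
# is a group-membership change, not an ACL edit on the file system.
$domain = (Get-ADDomain).NetBIOSName
$acl    = Get-Acl -Path $share
$rule   = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$($res.SamAccountName)",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Checks: the user is a direct member of the role group only, the resource group contains the
# role group rather than individual accounts, and the ACL names the resource group.
Get-ADPrincipalGroupMembership -Identity 'alice' | Select-Object Name, GroupScope
Get-ADGroupMember -Identity $res | Select-Object Name, objectClass
(Get-Acl -Path $share).Access |
    Where-Object IdentityReference -like "*\$($res.SamAccountName)" |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The naming split (Role-* for global groups, Res-* for domain local groups) is the convention one of the later replies uses; it makes the direction of nesting visible in the group list and is not something the directory enforces.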
All replies
-
Hi,
I am wondering about the use of Universal groups in Server 2008.
We have one tree and one domain and don't foresee any additional domains or trees or federation or anything in the near future (even though one can never be sure ;-).
We have learned that best practice is to put users in a global group and then put the global groups in a domain local group and finally to use the DL group to assign permission to folders in the filesystem.
Now, why can't we just skip the extra DL groups and use Universal groups all the way. That is put the user into a universal group and then use that group to assign permissions in the filesystem (or in the AD as well)? We have a lot of groups and would be nice if we didn't have to use that extra layer of DL groups.
What could be bad about this strategy in a 2008 environment? Is there a performance issue? Could it come back and bite us if we add an additional domain? Does it impact administration delegation of groups or something?
Thanks for any insight you can provide in this matter!
Best regards
Fredrik Lindberg
Just a simple hacker
Thursday, November 5, 2009 7:52 AM
-
Hello,
universal groups make sense if you have multiple domains in the forest, for a single forest domain, working with global and local groups is really enough.
In large environments you have also to keep in mind that replication of each change has to be done to any GC before you should change settings again. Also logon over slow/bad WAN links can be unsuccessful when no GC can be located.
Distribution groups you can only use with e-mail applications and they cannot be listed in discretionary access control lists (DACLs), because they are not security enabled. If you need a group for controlling access to shared resources, you need to create a security group.
http://technet.microsoft.com/en-us/library/dd861330.aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
Saturday, November 7, 2009 8:55 PM
-
Hi, and thanks for your response.
Still, I am not sure why we should follow the recommended use of Global Groups put into a Domain Local group that is finally used for assigning permissions to e.g. a filesystem object.
If I don't use the Domain local group, and instead use either Universal or Global groups directly to assign permissions to a folder, what are the disadvantages?
You are pointing out that changes to a universal group have to be replicated to any GC before changing it again, and that the GC needs to be located during logon (and if you can't reach the GC isn't that always a bad thing?), so that is one such disadvantage. Since we don't have any slow links or multiple domains it wouldn't affect us very much.
Could there be any other reason why you should always use a domain local group to give permission in the filesystem and then populate that group with Global/Universal groups?
Thanks again for your response!
Best regards
Fredrik Lindberg
Just a simple hacker
Wednesday, November 11, 2009 10:06 AM
-
Hi all,
Sorry for the bump but I have exactly the same question as Fridden. Why do we still bother using Domain Local groups when Global groups can be assigned to filesystem objects? Is it a hangover from NT4.0?
Wal.
- Edited by Wallive, Thursday, February 11, 2010 1:09 AM (Clarification)
Thursday, February 11, 2010 1:08 AM
-
Hi All !
I am working on exactly this problem these days and cannot find any other. Clarification would really be a very good thing!!
BTW, I found this in technet:
Because a domain local group is associated with an access token built when a member of that group authenticates to a resource in that domain, unnecessary network traffic (carrying of membership information) is avoided . (If, instead, you assigned a global group permission to access the printer, the global group can end up in a user's token anywhere in the forest , causing unnecessary network traffic.)
But it is not explained [this was from here: http://technet.microsoft.com/en-us/library/bb727067.aspx ]
I cannot even see when to use either of these groups. In our company, we have only one domain for the whole world [with several DCs per country].
Regards,
scamb
Tuesday, February 23, 2010 4:34 PM
-
I tend to name Global groups to describe a business function, and Domain Local groups to describe a resource. It just helps to keep it clearer in my head.
There's nothing to stop you adding users directly to Domain Local groups in a single domain setup, but problems may arise if there are ever changes to your organisation that require the introduction of additional domains.
Best practice isn't always about the current infrastructure, it's there to avoid potential problems later on.
Best wishes,
Bod.
- Edited by Wayne Joyce, Monday, August 9, 2010 9:18 AM (typo)
Monday, August 9, 2010 9:10 AM
-
In a single domain forest, most folks use global groups for both assigning of permissions and grouping of users & computers. So in our situation we only use domain global groups. So there is no problem assigning permissions to global groups.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
Monday, August 9, 2010 12:22 PM
-
Hi all,
This is indeed a fall-back to the NT4 "best-practice" way of doing things - who remembers UGLAP? Users added to Domain Global Group added to Domain Local group Assigned Permissions [on object]?
With Windows 2000 and AD came the advent of the Universal Group, and the mnemonic UUGALP: Users added to Domain Universal Group, added to Domain Global Group, added to Domain Local group, Assigned Permissions [on object]?
Don't forget - all of this is predicated on the principle of multidomain forests - the largest scenario. However, in most instances this just does not happen, as only global or multi-site enterprise entities will use that sort of model - and not always then!!
Don't get too hung up on the UGLAP part - as long as you use Domain Local at the object level the rest can often be forestalled.
Adrian
- Edited by Adrian Jordan, Wednesday, November 27, 2013 12:39 PM
Wednesday, November 27, 2013 12:38 PM
-
In addition to what others have already replied, the different group scopes take up different amounts of space in a user's token, depending on the following:
- Domain Local Groups always take up 40 bytes
- Universal Groups take up 40 bytes if the group is from _another_ domain than the one the user resides in; if the Universal Group and the user reside in the same domain it takes up 8 bytes in the token.
- Global Groups always take up 8 bytes in the token.
- If any of the groups have sIDHistory they take up an additional 40 bytes per sIDHistory entry.
Domain Local Groups are more or less a must over forest trusts.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
Wednesday, November 27, 2013 1:05 PM
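Added example, not from the post above: turning those per-scope entry sizes into an estimate of a user's token. The 1200-byte base and the split into 40-byte and 8-byte entries are Microsoft's published token-size formula (KB 327825), which matches the sizes the post lists. The user name, the sample membership list and the reachability of a global catalog are assumptions.

```powershell
# Added example, not from the post above: estimate a user's access-token size from the per-scope
# entry sizes listed in the post. The constants are Microsoft's token-size formula (KB 327825):
#   TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups from another domain + sIDHistory entries
#   s = global groups + universal groups from the user's own domain
# Assumptions: RSAT ActiveDirectory module; user "alice" and the sample membership list are made up;
# the DC answering for the user is in the user's own domain, so tokenGroups includes that domain's
# domain local groups (it never includes domain local groups of other domains).
Import-Module ActiveDirectory

function Get-TokenSizeEstimate {
    # Pure calculation, so it can be run without a directory. Each entry is a hashtable:
    # @{ Scope = 'Global'|'Universal'|'DomainLocal'; SameDomain = $bool; SidHistoryCount = $n }
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Groups,
        [int] $UserSidHistoryCount = 0,
        [int] $MaxTokenSize = 48000   # default from Windows Server 2012 on; 12000 on earlier versions
    )
    $d = $UserSidHistoryCount          # 40-byte entries
    $s = 0                             # 8-byte entries
    foreach ($g in $Groups) {
        switch ($g.Scope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($g.SameDomain) { $s++ } else { $d++ } }
        }
        $d += [int]$g.SidHistoryCount  # each sIDHistory entry on a group adds 40 bytes
    }
    $bytes = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        FortyByteEntries = $d
        EightByteEntries = $s
        EstimatedBytes   = $bytes
        OverMaxTokenSize = ($bytes -gt $MaxTokenSize)
    }
}

function Get-ADUserTokenSizeEstimate {
    param([Parameter(Mandatory)] [string] $Identity)
    $user          = Get-ADUser -Identity $Identity -Properties tokenGroups, sIDHistory
    $userDomainSid = $user.SID.AccountDomainSid.Value
    # Resolve SIDs against a global catalog so that universal groups from other domains resolve too;
    # groupType (which gives GroupScope) and sIDHistory are both in the partial attribute set.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $groups = foreach ($sid in $user.tokenGroups) {
        # Well-known SIDs (Authenticated Users, Everyone, ...) have no group object and are skipped,
        # so the estimate is slightly low for them.
        $grp = $null
        try { $grp = Get-ADGroup -Identity $sid.Value -Server "${gc}:3268" -Properties GroupScope, sIDHistory -ErrorAction Stop }
        catch { }
        if ($grp) {
            @{
                Scope           = $grp.GroupScope.ToString()
                SameDomain      = ($null -ne $sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $userDomainSid)
                SidHistoryCount = ($grp.sIDHistory | Measure-Object).Count
            }
        }
    }
    Get-TokenSizeEstimate -Groups @($groups) -UserSidHistoryCount ($user.sIDHistory | Measure-Object).Count
}

# Offline run on a constructed membership list (not real data): ten global groups, three domain local
# groups and two universal groups from another domain.
$sample = @(1..10 | ForEach-Object { @{ Scope = 'Global';      SameDomain = $true;  SidHistoryCount = 0 } }) +
          @(1..3  | ForEach-Object { @{ Scope = 'DomainLocal'; SameDomain = $true;  SidHistoryCount = 0 } }) +
          @(1..2  | ForEach-Object { @{ Scope = 'Universal';   SameDomain = $false; SidHistoryCount = 0 } })
Get-TokenSizeEstimate -Groups $sample

# Live run against the directory:
Get-ADUserTokenSizeEstimate -Identity 'alice'
```

The number that matters is the comparison against MaxTokenSize (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters), since a token that exceeds it breaks Kerberos logon rather than degrading it; the estimate also makes visible that nesting the same account through many domain local groups costs five times what the same count of global groups does.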
-
Group Scope Differences are clearly explained here. Please go through the link below.
Differences are explained clearly
- Edited by Vijaya Reddy PR, Monday, July 31, 2017 1:11 PM
Monday, July 31, 2017 1:10 PM
-
We just have the one domain, but I've had to set a load of security groups as Universal because for some weird reason the decision was made over at MS to only allow Universal security groups to be mail enabled.
We needed to do that to about 4 security groups. Those groups need to be members of other groups, which in some cases need to be members of further groups still.
As you can't make a universal group a member of a global or domain group, and you can't make a global a member of a domain group, as soon as you need one Universal group everything above it in the membership tree needs to be made Universal as well.
Completely daft.
I'm just glad we're as small as we are; it must turn into a right headache for anyone for whom making everything Universal generates prohibitive amounts of replication traffic.
Monday, November 20, 2017 3:27 PM
-
universal groups (they can contain only accounts from the same forest). ..... I am not sure this is 100 percent based on the simple fact that if you have a hybrid configuration - on premise and 365 you need to change the group from global to universal for it control sharepoint 365 sites. ....
Thoughts .....
New information, changes your outlook ....
Thursday, November 29, 2018 6:06 PM
-
"As you can't make a universal group a member of a global or domain group, and you can't make a global a member of a domain group, as soon as you need one Universal group everything above it in the membership tree needs to be made Universal as well."
This is just wrong. A local domain group can contain universal, global and local domain groups, so yes, you can make a universal group a member of a local domain group, and yes, you can make a global group a member of a local domain group.
Your mistake is in making your security groups email enabled. This is what distribution groups are for. Since a universal group can contain both universal and global groups, you could have created a universal distribution group and added your global security groups to that.
Thursday, September 26, 2019 4:21 PM
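Added example, not from either of the last two posts: the containment rules the two posts disagree about, written as a pre-flight check that can gate Add-ADGroupMember, followed by the arrangement the last reply suggests (global security groups nested inside a universal distribution group). Group names, the OU and the domain names are assumptions; mail-enabling the distribution group is an Exchange step (Enable-DistributionGroup) assumed to be available and not shown.

```powershell
# Added example, not from the thread: encode which group scope may contain which member, so that a
# planned nesting fails in the script (with a reason) instead of in the directory.
# Domain names, OU and group names below are assumptions.
Import-Module ActiveDirectory

function Test-ADGroupNesting {
    param(
        [Parameter(Mandatory)] [ValidateSet('Global','Universal','DomainLocal')] [string] $ContainerScope,
        [Parameter(Mandatory)] [string] $ContainerDomain,
        # Scope of the would-be member, or 'Account' for a user/computer object
        [Parameter(Mandatory)] [ValidateSet('Global','Universal','DomainLocal','Account')] [string] $MemberScope,
        [Parameter(Mandatory)] [string] $MemberDomain,
        [bool] $MemberInSameForest = $true
    )
    $sameDomain = ($ContainerDomain -eq $MemberDomain)
    $allowed = switch ($ContainerScope) {
        # Global: accounts and global groups from its own domain only.
        'Global'      { $sameDomain -and ($MemberScope -in 'Account','Global') }
        # Universal: accounts, global and universal groups from any domain in the forest.
        'Universal'   { $MemberInSameForest -and ($MemberScope -in 'Account','Global','Universal') }
        # Domain local: accounts, global and universal groups from any trusted domain,
        # plus domain local groups from its own domain only.
        'DomainLocal' { ($MemberScope -in 'Account','Global','Universal') -or
                        ($MemberScope -eq 'DomainLocal' -and $sameDomain) }
    }
    [pscustomobject]@{
        Container = "${ContainerScope} in ${ContainerDomain}"
        Member    = "${MemberScope} in ${MemberDomain}"
        Allowed   = [bool]$allowed
    }
}

# The nestings argued over in the last two posts, plus two cross-domain ones ('corp' and 'eu'
# are made-up domain names in the same forest).
$cases = @(
    @{ ContainerScope = 'DomainLocal'; ContainerDomain = 'corp'; MemberScope = 'Universal';   MemberDomain = 'corp' },
    @{ ContainerScope = 'DomainLocal'; ContainerDomain = 'corp'; MemberScope = 'Global';      MemberDomain = 'corp' },
    @{ ContainerScope = 'Global';      ContainerDomain = 'corp'; MemberScope = 'Universal';   MemberDomain = 'corp' },
    @{ ContainerScope = 'Global';      ContainerDomain = 'corp'; MemberScope = 'Account';     MemberDomain = 'eu'   },
    @{ ContainerScope = 'Universal';   ContainerDomain = 'corp'; MemberScope = 'Global';      MemberDomain = 'eu'   },
    @{ ContainerScope = 'DomainLocal'; ContainerDomain = 'corp'; MemberScope = 'DomainLocal'; MemberDomain = 'eu'   }
)
foreach ($c in $cases) { Test-ADGroupNesting @c } | Format-Table -AutoSize

# The arrangement the last reply suggests: security groups stay global, and a universal
# distribution group (the scope Exchange can mail-enable) holds them. Each nesting is checked first.
$ou     = 'OU=Groups,DC=corp,DC=example,DC=com'
$domain = (Get-ADDomain).DNSRoot
$list   = New-ADGroup -Name 'DL-Finance-All' -SamAccountName 'DL-Finance-All' `
    -GroupScope Universal -GroupCategory Distribution -Path $ou -PassThru
foreach ($name in 'Role-Finance-Analysts', 'Role-Finance-Managers') {
    $sec   = Get-ADGroup -Identity $name -Properties GroupScope
    $check = Test-ADGroupNesting -ContainerScope Universal -ContainerDomain $domain `
                                 -MemberScope $sec.GroupScope.ToString() -MemberDomain $domain
    if (-not $check.Allowed) { throw "Cannot nest $($check.Member) in $($check.Container)" }
    Add-ADGroupMember -Identity $list -Members $sec
}
# Mail-enabling 'DL-Finance-All' is done afterwards in Exchange (Enable-DistributionGroup), not here.
```

In the table, the two domain-local cases from the same domain and the universal-holds-global case are the allowed ones; a global group cannot hold a universal group or an account from another domain, and a domain local group cannot hold a domain local group from another domain. If a scope does have to change, Set-ADGroup -GroupScope only converts global to universal, universal to global, universal to domain local and domain local to universal (a global group must pass through universal to become domain local), and the directory refuses the conversion while the group's current memberships would break the rules above: a global group that is itself a member of another global group cannot become universal, and a domain local group that contains another domain local group cannot become universal.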