Microsoft
Software
Hardware
Network
Question : Domain Local group vs Global group
Hi,
I came accross this text on MS web site about using groups in AD
http://www.microsoft.com/t
echnet/pro
dtechnol/
w
indowsserv
er2003/lib
rary/Serve
rHelp/9510
7162-47eb-
4891-832f-
0c0b15b7c8
58.mspx
When to use groups with domain local scope
Groups with domain local scope help you define and manage access to resources within a single domain. These groups can have as their members:
Groups with global scope
Groups with universal scope
Accounts
Other groups with domain local scope
A mixture of any of the above
For example, to give five users access to a particular printer, you could add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you would again have to specify all five accounts in the permissions list for the new printer.
With a little planning, you can simplify this routine administrative task by creating a group with domain local scope and assigning it permission to access the printer. Put the five user accounts in a group with global scope and add this group to the group having domain local scope. When you want to give the five users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.
--------------------------
--
Why can't i just use a Gloabal group with five users and assign it Printer permissions.
It says i have to add the Global group to Domain local group and assign permissions on it.
thanks
Answer : Domain Local group vs Global group
Certainly.
A good example is if you have an accounting share and there are many different global groups that need access to this share. Rather than adding many different global groups to give the same access (lets say Read permissions) to this share you can create one Domain Local group named "DL Accounting Read" and put all of the global groups that need read access to the share within this group. This allows for setting permissions for multiple groups though one easily managed group on the permissions and security tab of the share. This helps because you can then avoid the situation of where a user is a member of more than one global group and one of those global groups permissions are configured incorrectly you have to go through each one to figure out which. Overall it makes management much easier. Although this is a best practice, if you have a small enough environment that will not be expanding quickly you can manage permissions through Global Groups just as effectively. But if your environment is mid-size to large you will definately want to put in the extra time initially as using A-G-DL-P will make your life much easier.
I hope this helps, there are also many support articles in Microsofts Knowledge Base that will cover this as well.
Best of luck!
Mitch
Random Solutions
Can we put 255.255.255.255 as the subnet mask ?
When Browsing to <a rel="nofollow" href="https://localhost/owa" target="_blank">https://localhost/owa</a> on an Exchange 2K7 server, I receive Service Unavailable.
Windows and Gigabit network utilization.
Barracuda Load Balancer Issue
Cannot Browse Computers in My Network Places
Procurve 2824 vlans and subnets problem
When using BLOCKED SCRIPT nUser.MapNetworkDrive "I:", "\\Server\Share", how do you make the drive persistant?
Wireless Connection Drops in Windows XP - Event IDs 8033 & 4202
detail about JRA Recordings in Weblogic
What is G-Mode?