Question : Domain Local group vs Global group
Hi,
I came across this text on the MS web site about using groups in AD
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/95107162-47eb-4891-832f-0c0b15b7c858.mspx
When to use groups with domain local scope
Groups with domain local scope help you define and manage access to resources within a single domain. These groups can have as their members:
- Groups with global scope
- Groups with universal scope
- Accounts
- Other groups with domain local scope
- A mixture of any of the above
For example, to give five users access to a particular printer, you could add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you would again have to specify all five accounts in the permissions list for the new printer.
With a little planning, you can simplify this routine administrative task by creating a group with domain local scope and assigning it permission to access the printer. Put the five user accounts in a group with global scope and add this group to the group having domain local scope. When you want to give the five users access to a new printer, assign the group with domain local scope permission to access the new printer. All members of the group with global scope automatically receive access to the new printer.
----------------------------
Why can't I just use a Global group with five users and assign it printer permissions? It says I have to add the Global group to a Domain Local group and assign permissions on it.
thanks
Answer : Domain Local group vs Global group
Certainly. A good example is if you have an accounting share and there are many different global groups that need access to this share. Rather than adding many different global groups to give the same access (let's say Read permissions) to this share, you can create one Domain Local group named "DL Accounting Read" and put all of the global groups that need read access to the share within this group. This allows for setting permissions for multiple groups through one easily managed group on the permissions and security tab of the share. This helps because you can then avoid the situation where a user is a member of more than one global group, one of those global groups' permissions is configured incorrectly, and you have to go through each one to figure out which. Overall it makes management much easier.
Although this is a best practice, if you have a small enough environment that will not be expanding quickly, you can manage permissions through Global Groups just as effectively. But if your environment is mid-size to large, you will definitely want to put in the extra time initially, as using A-G-DL-P will make your life much easier.
I hope this helps. There are also many support articles in Microsoft's Knowledge Base that will cover this as well.
Best of luck! Mitch
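The A-G-DL-P layout described in the answer, as an added PowerShell example that is not part of the original post. Apart from "DL Accounting Read", every name (OU, domain, share, folder, global groups, accounts) is a hypothetical placeholder; it assumes the ActiveDirectory and SmbShare modules and an existing share.

```powershell
# Added example: A-G-DL-P for an accounting share.
# Every name except "DL Accounting Read" is a hypothetical placeholder.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=example,DC=com'   # hypothetical OU for the groups
$domain    = 'EXAMPLE'                       # hypothetical NetBIOS domain name
$shareName = 'Accounting'                    # hypothetical existing SMB share
$sharePath = 'D:\Shares\Accounting'          # hypothetical folder behind the share

# A -> G: accounts go into global groups that describe a role.
$roles = @{
    'G Accounting Clerks'   = 'alice', 'bob' # hypothetical accounts
    'G Accounting Auditors' = 'carol'
}
foreach ($name in $roles.Keys) {
    New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
        -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity $name -Members $roles[$name]
}

# G -> DL: one domain local group per resource and access level.
$dl = 'DL Accounting Read'
New-ADGroup -Name $dl -SamAccountName $dl -GroupScope DomainLocal `
    -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $dl -Members @($roles.Keys)

# DL -> P: the resource carries one entry, for the domain local group only.
Grant-SmbShareAccess -Name $shareName -AccountName "$domain\$dl" `
    -AccessRight Read -Force

$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$dl", 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Audit: which global groups feed the DL group, and which accounts
# end up with read access through the nesting.
Get-ADGroupMember -Identity $dl | Select-Object Name, objectClass
Get-ADGroupMember -Identity $dl -Recursive | Select-Object SamAccountName
```

Granting the same read access to another role later means one `Add-ADGroupMember` call against "DL Accounting Read"; the share and folder ACLs are not touched.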