AD group scope- AGDLP?

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by theotherone, Jan 22, 2007.

  1. theotherone

    theotherone Bit Poster

    Hey all

    Anybody else had problems understanding the differences between AD security groups, i.e. universal, domain local and global?

    Specifically- why not just have one group scope that can do everything?

    Currently studying for the 70-290


    Thanks.
     
    Certifications: A+,N+,S+,P+,70-290, MCDST
    WIP: 70-291,Convergence+,Linux+,70-270
  2. Sparky

    Sparky Zettabyte Poster Moderator

    That's what a universal group is for.

    If you have ever been the admin of a network with over 6000 users with multiple domains you will be glad of having limitations on what some security groups can do. 8)

    Also you need to consider old NT domains...
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Yeah, I struggled with them too, and learn them because they will come up in the exam.. If you are using the MS Press book, look for another source, because no matter how many times I read them I couldn't understand it!

    Try This

    OR this
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  4. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    That would take away the power of Sys Admins to restrict access to resources to certain groups of people.

    It is recommended that resources (shares, printers etc) are assigned permissions in a domain local group.

    Users should be a member of one or more global groups, which are then added to the domain local group to be granted the resource permissions. This way you do not need to set up users individually with permissions, and it makes an admin's life easier if a person leaves or a new person joins the organisation. You only need to say add Joe to the Sales Global Group and he will be granted access to the same resources as all the other sales people.

    Managers may need access to other resources which sales people are not privy to, hence you could have a managers global group and add that to the domain local group which contains the more private resources.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
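
The accounts, global group, domain local group, permission chain described in the post above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is installed; the OU, domain name, group names, account name and share paths are hypothetical. The function at the end goes one step beyond the post and lists user accounts placed directly in domain local groups, which is the usual way the model erodes over time.

```powershell
# Added example, not from the thread. Every name and path below is hypothetical.
Import-Module ActiveDirectory

$groupsOu = 'OU=Groups,DC=example,DC=com'

# G: global groups collect accounts by role.
New-ADGroup -Name 'GG-Sales'    -GroupScope Global -GroupCategory Security -Path $groupsOu
New-ADGroup -Name 'GG-Managers' -GroupScope Global -GroupCategory Security -Path $groupsOu

# DL: domain local groups, one per resource and access level.
New-ADGroup -Name 'DL-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu
New-ADGroup -Name 'DL-MgmtShare-Modify'  -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu

# A -> G: a joiner or leaver is a single membership change on the role group.
Add-ADGroupMember -Identity 'GG-Sales' -Members 'joe'

# G -> DL: role groups are nested into the resource groups.
Add-ADGroupMember -Identity 'DL-SalesShare-Modify' -Members 'GG-Sales'
Add-ADGroupMember -Identity 'DL-MgmtShare-Modify'  -Members 'GG-Managers'

# DL -> P: only domain local groups appear on the resource ACLs.
icacls 'D:\Shares\Sales'      /grant 'EXAMPLE\DL-SalesShare-Modify:(OI)(CI)M'
icacls 'D:\Shares\Management' /grant 'EXAMPLE\DL-MgmtShare-Modify:(OI)(CI)M'

# Audit: report user accounts that are direct members of a domain local group,
# i.e. access that was granted without going through a global (role) group.
function Get-DirectUserInDomainLocalGroup {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -SearchBase $SearchBase |
        ForEach-Object {
            $dl = $_
            Get-ADGroupMember -Identity $dl |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object @{ Name = 'DomainLocalGroup'; Expression = { $dl.Name } },
                              SamAccountName
        }
}

Get-DirectUserInDomainLocalGroup -SearchBase $groupsOu
```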
  5. theotherone

    theotherone Bit Poster


    Yeah I've got the MS Press book.
    Glad it's not just me then!
     
    Certifications: A+,N+,S+,P+,70-290, MCDST
    WIP: 70-291,Convergence+,Linux+,70-270
  6. zimbo
    Honorary Member

    zimbo Petabyte Poster

    You might want to invest in a few reference books and this should be one of them.. it's what helped me with this section
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
