1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Group Scope and Nesting

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by Rover977, Nov 18, 2007.

Click here to banish ads and support Certforums by becoming a Premium Member
  1. Rover977

    Rover977 Byte Poster

    Re study for 70-290, I have a quick question re nesting of Active Directory groups of different scope which I wonder if anyone can help with. Its maybe a bit of an obscure question, but it would help me understand the different types of group scope (I'm finding the Microsoft self-paced training guide a bit confusing on this topic).

    Basically what I am wondering is what happens if a global group is nested inside a domain local group. The domain local group allows access only to resources in its local domain, but a global group allows access to resources from any domain in the forest. So is the global group restricted by this membership of the domain local group, ie to the domain local group's local domain only, so that the global group members can no longer access resources from other domains ?

    Cheers for any info.
    Certifications: A+, Network+, Cisco CCNA
    WIP: Maths
  2. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    You use domain local groups for the local resources.. shares printers etc in the doman.

    you add to that groups that contain users.. so that those groups can access the local resources.

    for example, you add to the domain local group, a global group that contains the users that are allowed access to the local domain resources.
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  3. vlb

    vlb Byte Poster

    to answer your question mate.... being part of a domain local group doesnt restrict any global group permissions.

    unless of course their is deny permissions lol.
    Certifications: MCDST, MCP 70-294
  4. Rover977

    Rover977 Byte Poster

    OK, I have got confused with regards to what I have read re domain local groups, namely that "members can access resources only in local domain" (page 8-5 MS Self-Paced book for 70-294).

    That's of course unless these members happen to be nested inside a global group - but nobody said that!

    This is an example of the VIVO principle in computing, ie. vagueness in vagueness out - a vague description leads to a vague understanding!

    Cheers anyway for the replies.
    Certifications: A+, Network+, Cisco CCNA
    WIP: Maths

Share This Page