Types of Groups!...HELP!!

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Good morning all, not posted in a while, well finally I am getting round to sitting my 70-290 on Tuesday morning, after much gnashing of teeth and not wanting to study (partner pregnant also!)

I have a question and I need it explained before my head explodes and it probably seems really easy....

Its about Groups, Universal, Global and Domain Local.

Now, I get Universal, can only be used in Win 2000 Native mode, so thats fine.

But its the cross over between Global and Domain Local. I have asked some of the Sys Admin guys in here to explain it and they just look back at me and say "use global, use global"

Not helping!

So, I am reaching out the olive branch and asking for someone to explain to me in simple terms, when I should use a gloval group and when I should use a domain local group as I have a feeling I will get asked at least one question on the exam about this.

Thanks all.

Sven

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Global Groups allow resources within its own domain to be assigned against it. So only users within that Domain can be a member of Global

Local Groups allow resources from any domain to be assigned against it.

The idea is that you assign a resource against a local group (IE a directory access permission), then create a global group in every domain that requires access to that resource. These global groups are all then added as members of the local group.

That is, of course, best practise. In reality, quite a lot of companies simply add members directly into the local group.

 

Cheers! I think I get what your saying.

If you have 2 domains, say users in Domain A need access to a resource in Domain B, then your first create a Global Group in Domain A, add the members, then link the global group to your Domain Local Group in Domain B? (I Hope!!)

Though like you say, in reality this probably doesnt happen.

Regards

Sven

 

Thats exactly how it should be used.

The place where I used to work used the groups in that manner. It almost doubles the amount of objects in the domain, but to be honest its easier to manage. Best practice is to have the global groups all called the same name, regardless of where they are housed. But at the very least you should really have a consistent naming convention for them

 

Brilliant!

Makes sense now...doesnt help when you ask your senior IT guys and they just start waffling..!!

cheers

Exam looms ever close, Tuesday at 12pm...wish me luck, things i think will come up lots are SUS, Group Policy and Permissions.

Not my strong points

 

There is a bit more to this.
A local group can only "act on" (have permissions for) a local resource. The membership of a local group can be of any domain.
A global group (normally) gets its permissions from the local group, but can only contain members of its own domain.
A universal group "hovers" above the domains as a sort of mothership. It can hold members of all domains and can by "linked" to local groups in every domain.
Also be aware that there are Domain local groups and Local groups. The latter are on all machines not being DC's.

From here it seems like Universal is the answer to all problems.
The problem with universal groups is that they are "refreshed" using the Global Catalog server, so it could implement a lot of replication traffic.

Hope this does not make things to complex.

 

there is a great video about this (and many more) here.

Boyce

 

thanks guys, all of this has been really helpful.
I will watch the video when I get home tonight, doing nothing but studying all wknd and hoping that my partner does not go into labour 2 weeks early!...tho not a bad way to avoid an exam

 

Good luck.
Have a relax and will be ok !

 

hello everyone, i passed..!!!!!!!!!!!!!!!!!!

not an easy exam at all, sat and sweated for 3hrs before hitting on the "finish" button...scored 785...and i'll gladly take it everytime!

45 q's in total, things that came up, wsus, permissions, remote desktop and backups were the main subjects covered, plus 6 or so simulatations, i struggled with 3 of them, just got myself into a bit of a state...

however, a pass is a pass.

Now I can just look fwd to being a daddy for the first time!

I may have a small drink tonight to celebrate, but my head hurts and im tired!!!

Plan to work towards 70-291 in due course once i have forgotten the pain of studying for this one!