|
Home > Archive > microsoft.public.cert.exams.mcse > June 2002 > GROUPS QUESTION: ?
GROUPS QUESTION: ?
|
|
| TEKGALAHAD 2002-06-22, 6:49 pm |
| Active Dir supports 3 types of groups:
DOMAIN LOCAL GROUP:
GLOBAL GROUP:
UNIVERSAL GROUP:
I'm having trouble understanding the purpose of each group and the
logic or reason of why they are set up. There must be some simple way
to explain this...
thanks,
tekgalahad@yahoo.com
| |
|
| Global groups are in a single domain
Domain Local are in a domain on the Domain controller.
Universal groups can span across many domains.
You add someone to a group in their OU which would be a global group and
then add them to the domain local. If you need users from other domains
then add them to a Universal Group so they can cross domains.
Remember: AGDLP
Add the user to a Group
Add the Group to the Domain Local Group
Assign Permissions
"TEKGALAHAD" <tekgalahad@yahoo.com> wrote in message
news:69ca4f15.0205291311.e857921@posting.google.com...
> Active Dir supports 3 types of groups:
> DOMAIN LOCAL GROUP:
> GLOBAL GROUP:
> UNIVERSAL GROUP:
> im having trouble understanding the purpose of each group and the
> logic or reason of why they are set up. There must be some simple way
> to explain this...
> thanks,
> tekgalahad@yahoo.com
| |
| Ben Smith [MS] 2002-06-22, 6:49 pm |
| In article <69ca4f15.0205291311.e857921@posting.google.com>,
tekgalahad@yahoo.com says...
> Active Dir supports 3 types of groups:
> DOMAIN LOCAL GROUP:
> GLOBAL GROUP:
> UNIVERSAL GROUP:
> im having trouble understanding the purpose of each group and the
> logic or reason of why they are set up. There must be some simple way
> to explain this...
> thanks,
> tekgalahad@yahoo.com
>
A good question. You can use the groups to create a role based security
model for assigning permissions.
Create global groups based on job function (I.e. All_Sales_Managers)
Create domain local groups based on security access requirements (I.e.
SALES_DATA_READ)
Place accounts into global groups and global groups into domain local
groups.
In an environment that has job functions spread across domains you can
also use Universal Groups and place global groups from each domain in
the Universal Groups and add the Universal groups to the domain local
groups. (I.e. create a Universal group called All_Managers and add the
global groups domain1\All_Sales_Managers, domain2\All_HR_Managers, etc..
to the group.)
The idea here is that:
* Security is applied close to the resource, not close to the security
principal.
* Security will scale as users, resources and domains are added
* Security is based on role, not individuals
* Security is modular
--
Ben Smith
Microsoft Training and Certification
Are you secure? http://www.microsoft.com/security
This posting is provided “AS IS” with no warranties, and confers no
rights.
| |
|
| Nice explanation Ben.
>-----Original Message-----
>In article <69ca4f15.0205291311.e857921@posting.google.com>,
>tekgalahad@yahoo.com says...
>> Active Dir supports 3 types of groups:
>> DOMAIN LOCAL GROUP:
>> GLOBAL GROUP:
>> UNIVERSAL GROUP:
>> im having trouble understanding the purpose of each group and the
>> logic or reason of why they are set up. There must be some simple way
>> to explain this...
>> thanks,
>> tekgalahad@yahoo.com
>>
>
>A good question. You can use the groups to create a role based security
>model for assigning permissions.
>
>Create global groups based on job function (I.e. All_Sales_Managers)
>Create domain local groups based on security access requirements (I.e.
>SALES_DATA_READ)
>
>Place accounts into global groups and global groups into domain local
>groups.
>
>In an environment that has job functions spread across domains you can
>also use Universal Groups and place global groups from each domain in
>the Universal Groups and add the Universal groups to the domain local
>groups. (I.e. create a Universal group called All_Managers and and the
>global groups domain1\All_Sales_Managers, domain2\All_HR_Managers, etc..
>to the group.
>
>The idea here is that:
>* Security is applied close to the resource, not close to the security
>principle.
>
>* Security will scale as users, resources and domains are added
>
>* Security is based on role, not individuals
>
>* Security is modular
>
>--
>Ben Smith
>Microsoft Training and Certification
>Are you secure? http://www.microsoft.com/security
>
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
| |
| Bruce Walker 2002-06-22, 6:49 pm |
|
"TEKGALAHAD" <tekgalahad@yahoo.com> wrote in message
news:69ca4f15.0205291311.e857921@posting.google.com...
> Active Dir supports 3 types of groups:
> DOMAIN LOCAL GROUP:
> GLOBAL GROUP:
> UNIVERSAL GROUP:
> im having trouble understanding the purpose of each group and the
> logic or reason of why they are set up. There must be some simple way
> to explain this...
> thanks,
> tekgalahad@yahoo.com
groups can get UGLY
----> Users go into Global groups
-----> Global Groups go into domain Local groups
----> domain Local groups get assigned Your resources
::shares ; files; devices ; printers
I always have trouble with Microsoft and logic in the same thought.
**** when I go, I want to go like my grandfather,
I want to leave peaceful, quiet, gentle,
Not like the other screaming people in the car...
| |
|
| Seems to me that this is the same way MS intended NT 4 groups to be used.
The difference being what used to be called "local groups" are now called
"Domain Local Groups"
Right?, Wrong?
-Fred
"Bruce Walker" <rbwalker1@mindspring.com> wrote in message
news:ad4umb$k2g$1@slb6.atl.mindspring.net...
>
> "TEKGALAHAD" <tekgalahad@yahoo.com> wrote in message
> news:69ca4f15.0205291311.e857921@posting.google.com...
> > Active Dir supports 3 types of groups:
> > DOMAIN LOCAL GROUP:
> > GLOBAL GROUP:
> > UNIVERSAL GROUP:
> > im having trouble understanding the purpose of each group and the
> > logic or reason of why they are set up. There must be some simple way
> > to explain this...
> > thanks,
> > tekgalahad@yahoo.com
>
> groups can get UGLY
> ----> Users go into Global groups
> -----> Global Groups go into domain Local groups
> ----> domain Local groups get assigned Your resources
>
> ::shares ; files; devices ; printers
>
> I always have trouble with Microsoft and logic in the same thought.
>
>
> **** when I go, I want to go like my grandfather,
> I want to leave peaceful, quiet, gentle,
> Not like the other screaming people in the car...
>
>
| |
|
|
"FS" <spam@spamme.com> wrote in message
news:ELvJ8.29917$wj7.10606570@twister.socal.rr.com...
> Seems to me that this is the same way MS intended NT 4 groups to be used.
> The difference being what used be called "local groups" are now called
> "Domain Local Groups"
>
> Right?, Wrong?
Right, except you did not have Universal groups in NT4
Cheers
Mike
| |
|
|
"Bruce Walker" <rbwalker1@mindspring.com> wrote in message
news:ad4umb$k2g$1@slb6.atl.mindspring.net...
> groups can get UGLY
> ----> Users go into Global groups
> -----> Global Groups go into domain Local groups
> ----> domain Local groups get assigned Your resources
>
> ::shares ; files; devices ; printers
The exact acronym we were taught on my boot camp :-)
I will just add one little point which does not seem to have been
mentioned.
Universal groups are stored on catalogue servers (GC) and can be
very slow, this can also lead to problems if a GC is not available
when you login. By default, you will only have one GC per forest
although one can obviously add more, ideally at least one per site.
Cheers
Mike
| |
| Bruce Walker 2002-06-22, 6:49 pm |
| You are correct, I am due the adjustment
this acronym needs to account for Universal Groups
I was trying to keep it simple,
Groups are no longer simple.
We need to account for Universals. Good shot, Mike !
"Mike" <no@spam.com> wrote in message news:uvAje2BCCHA.2440@tkmsftngp05...
>
> "Bruce Walker" <rbwalker1@mindspring.com> wrote in message
> news:ad4umb$k2g$1@slb6.atl.mindspring.net...
>
> > groups can get UGLY
> > ----> Users go into Global groups
> > -----> Global Groups go into domain Local groups
> > ----> domain Local groups get assigned Your resources
> >
> > ::shares ; files; devices ; printers
>
> The exact acronym we were taught on my boot camp :-)
>
> I will just add one little point which does not seemed to have been
> mentioned.
>
> Universal groups are stored on catalogue servers (GC) and can be
> very slow, this can also lead to problems if a GC is not available
> when you login. By default, you will only have one GC per forest
> although one can obviously add more, ideally at least one per site.
>
> Cheers
> Mike
>
>
| |
| Daniel Wilson 2002-06-22, 6:49 pm |
| To add one point, Universal Groups are available only in Native Mode, not
Mixed Mode.
--
Daniel Wilson, BSCS, MCSE
CompuSoft Solutions and The Worthwhile Company
www.worthwhile.com
Your complete e-business solution partners.
Phone: 864-233-9029 Fax: 509-757-5264
"Ben Smith [MS]" <bensmi@microsoft.com> wrote in message
news:MPG.175ef83cb5f0944498990e@msnews.microsoft.com...
> In article <69ca4f15.0205291311.e857921@posting.google.com>,
> tekgalahad@yahoo.com says...
> > Active Dir supports 3 types of groups:
> > DOMAIN LOCAL GROUP:
> > GLOBAL GROUP:
> > UNIVERSAL GROUP:
> > im having trouble understanding the purpose of each group and the
> > logic or reason of why they are set up. There must be some simple way
> > to explain this...
> > thanks,
> > tekgalahad@yahoo.com
> >
>
>
> A good question. You can use the groups to create a role based security
> model for assigning permissions.
>
> Create global groups based on job function (I.e. All_Sales_Managers)
> Create domain local groups based on security access requirements (I.e.
> SALES_DATA_READ)
>
> Place accounts into global groups and global groups into domain local
> groups.
>
> In an environment that has job functions spread across domains you can
> also use Universal Groups and place global groups from each domain in
> the Universal Groups and add the Universal groups to the domain local
> groups. (I.e. create a Universal group called All_Managers and and the
> global groups domain1\All_Sales_Managers, domain2\All_HR_Managers, etc..
> to the group.
>
> The idea here is that:
> * Security is applied close to the resource, not close to the security
> principle.
>
> * Security will scale as users, resources and domains are added
>
> * Security is based on role, not individuals
>
> * Security is modular
>
> --
> Ben Smith
> Microsoft Training and Certification
> Are you secure? http://www.microsoft.com/security
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
| |
| Roger Abell 2002-06-22, 6:49 pm |
| It all revolves around two properties of each group type:
scope - where is the group visible/usable
nesting - what group type can be a member of what type
Nail these two for all group types.
Then, recommendations will show design/usage patterns,
and these two will show them as selections from the larger
possibilities. BTW do not forget machine local groups.
--
Roger Abell
MVP (Windows Platform) Associate Expert
The Expert Zone - www.microsoft.com/windowsxp/expertzone
"TEKGALAHAD" <tekgalahad@yahoo.com> wrote in message
news:69ca4f15.0205291311.e857921@posting.google.com...
> Active Dir supports 3 types of groups:
> DOMAIN LOCAL GROUP:
> GLOBAL GROUP:
> UNIVERSAL GROUP:
> im having trouble understanding the purpose of each group and the
> logic or reason of why they are set up. There must be some simple way
> to explain this...
> thanks,
> tekgalahad@yahoo.com
| |
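Added example, not part of any post in this thread: a small audit of a group design against the two properties named above (scope and nesting) and the accounts -> global -> (universal) -> domain local -> permissions layering described earlier. It assumes native-mode nesting rules; the data model, function names, the users alice and bob and the file share are constructed for illustration.

```python
# Constructed example: audit a group design against native-mode AD nesting
# rules and A-G-(U)-DL-P layering. Data model and names are hypothetical.
# container scope -> {member kind: must the member be in the container's domain?}
NESTING = {
    "global":       {"user": True, "global": True},
    "universal":    {"user": False, "global": False, "universal": False},
    "domain_local": {"user": False, "global": False, "universal": False,
                     "domain_local": True},
}

def domain(name):
    return name.split("\\", 1)[0].lower()

def audit(groups, members, acl):
    """groups: name -> scope; members: (container, member) pairs;
    acl: (resource, trustee) pairs. Undeclared names are treated as users."""
    kind = lambda n: groups.get(n, "user")
    findings = []
    for container, member in members:
        ck, mk = kind(container), kind(member)
        rules = NESTING.get(ck, {})
        if mk not in rules:
            findings.append(f"NESTING: {mk} {member} cannot be a member of {ck} {container}")
        elif rules[mk] and domain(member) != domain(container):
            findings.append(f"SCOPE: {member} is outside the domain of {ck} {container}")
        elif mk == "user" and ck != "global":
            findings.append(f"PATTERN: user {member} placed directly in {ck} {container}")
    for resource, trustee in acl:
        if kind(trustee) != "domain_local":
            findings.append(f"PATTERN: {resource} ACL names {kind(trustee)} {trustee}")
    return findings

# Constructed sample data; group names follow the examples in the thread.
GROUPS = {
    r"domain1\All_Sales_Managers": "global",
    r"domain2\All_HR_Managers": "global",
    r"domain1\All_Managers": "universal",
    r"domain1\SALES_DATA_READ": "domain_local",
}
GOOD = [(r"domain1\All_Sales_Managers", r"domain1\alice"),
        (r"domain2\All_HR_Managers", r"domain2\bob"),
        (r"domain1\All_Managers", r"domain1\All_Sales_Managers"),
        (r"domain1\All_Managers", r"domain2\All_HR_Managers"),
        (r"domain1\SALES_DATA_READ", r"domain1\All_Managers")]
BAD = [(r"domain1\All_Sales_Managers", r"domain2\bob"),
       (r"domain1\All_Managers", r"domain1\SALES_DATA_READ"),
       (r"domain1\SALES_DATA_READ", r"domain1\alice")]
if __name__ == "__main__":
    print("\n".join(audit(GROUPS, BAD, [(r"\\fs1\SalesData", r"domain1\alice")])))
```

The GOOD membership list with the share ACL naming only domain1\SALES_DATA_READ produces no findings; the BAD list shows one scope violation, one nesting violation and two departures from the layering.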
| Laura A. Robinson 2002-06-22, 6:50 pm |
| On Thu, 30 May 2002 20:02:29 -0400, while I was adjusting my tinfoil
hat to keep out the alien rays, Daniel Wilson said in
<u7ZMcZDCCHA.1432@tkmsftngp04>:
>
> To add one point, Universal Groups are available only in Native Mode, not
> Mixed Mode.
>
More specifically, universal *security* groups are only available in
native mode domains, while universal *distribution* groups are
available in both mixed and native mode. ;-)
Laura
--
One man's mundane and boring existence is another man's Technicolor.
-Tick, Strange Days
| |
| Laura A. Robinson 2002-06-22, 6:50 pm |
| On Thu, 30 May 2002 22:04:11 +0100, while I was adjusting my tinfoil
hat to keep out the alien rays, Mike said in <uvAje2BCCHA.2440
@tkmsftngp05>:
> Universal groups are stored on catalogue servers (GC)
They're stored in the domain partition for the domain where they're
created and tagged for replication to the Global Catalog.
> and can be
> very slow,
What do you mean by this?
> this can also lead to problems if a GC is not available
> when you login.
A GC is required for login when you are using an account that is in a
native mode domain, are logging on using a UPN, and/or are in a
multi-domain forest.
> By default, you will only have one GC per forest
> although one can obviously add more, ideally at least one per site.
Not only *can*, but _should_.
Laura
--
One man's mundane and boring existence is another man's Technicolor.
-Tick, Strange Days
|
|
|
|
|