Global Group or Universal Group
Hello,
What is the difference between Global and Universal groups?
If someone could explain it in an easy way it would be great. Let's say that I have a couple of domains within 1 site: do I really benefit if I create a universal group, or is it much better used when you have multiple sites?
Also, when a user tries to log on, does it contact the DC or the GC server? I read that in the case of Universal groups a GC server has to be contacted.
Re: Global Group or Universal Group
A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. For more information visit this page - http://support.microsoft.com/kb/884417
Re: Global Group or Universal Group
Also, if the GC is not available, then it won't be able to enumerate Universal group memberships, and will deny the logon request, because there is a possibility that the user might be a part of a universal group that has been denied to a resource, and hence the system will not allow the logon.
Re: Global Group or Universal Group
So, if I understood correctly, if I want to give access to a particular folder within the network, I can just create a single universal group with many global groups from different domains nested inside, and on the folder sharing option just give only a single permission for the universal group instead of a permission for each and every global group.
When Marcin said "The membership is replicated across the forest (as part of GC replication)", what did he mean exactly? If I check on the other domain controllers, I do not find the universal group that I have created. Some of the other domain controllers are also GC servers, but in the domain and users list the universal group still is not there.
Thank you for your help
Re: Global Group or Universal Group
When you follow the AGUDLP guideline, you will have to first create a Domain Local Group, add it to the resource and assign permissions. After that you need to add the Global groups from any domain or any universal groups. Also, I didn't understand what you meant when you checked other domain controllers. Have you tried to check ADUC, and are you saying that the Universal group does not exist?
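
The AGUDLP nesting discussed in this thread, written out as an added example (it is not from any of the posters). It assumes the ActiveDirectory RSAT module is installed; the domain names, group names and folder path are hypothetical placeholders.

```powershell
# Added example: AGUDLP nesting for one shared folder. All domain, group
# and path names below are hypothetical placeholders.
Import-Module ActiveDirectory

$resourceDomain = 'corp.example'                       # domain hosting the file server
$accountDomains = 'corp.example', 'emea.corp.example'  # domains holding the users
$folder         = 'D:\Shares\Finance'

# G: one global group per account domain, holding that domain's user accounts.
$globals = foreach ($d in $accountDomains) {
    New-ADGroup -Name "G-Finance-$($d.Split('.')[0])" -GroupScope Global `
        -GroupCategory Security -Server $d -PassThru
}

# U: one universal group that collects the global groups from every domain.
$universal = New-ADGroup -Name 'U-Finance' -GroupScope Universal `
    -GroupCategory Security -Server $resourceDomain -PassThru
Add-ADGroupMember -Identity $universal -Members $globals -Server $resourceDomain

# DL: domain local group in the resource domain; only this group goes on the ACL.
$domainLocal = New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Server $resourceDomain -PassThru
Add-ADGroupMember -Identity $domainLocal -Members $universal -Server $resourceDomain

# P: a single access rule on the folder, keyed to the domain local group's SID.
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $domainLocal.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# The universal group object is stored in its home domain's partition. From
# another domain it is found by querying a global catalog on port 3268,
# not by browsing that other domain's own partition.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
Get-ADGroup -Filter "Name -eq 'U-Finance'" -Server "${gc}:3268" -Properties member |
    Select-Object Name, GroupScope, DistinguishedName, member
```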