Printable View
Hello,
what is the difference between Global and Universal groups ?
If someone could explain it in an easy way it would be great. let's say that I have a couple of domains within 1 site do I really benefit if I create a universal group or it is much better used when you have multiple sites.
Also when a user tries to logon it contacts the DC or the GC server because I read that in the case of Universal groups a GC server has to contacted.
A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. For more information visit this page - http://support.microsoft.com/kb/884417
Also, if the GC is not available, then it wont be able to enumerate Universal group memberships, and will deny the logon request, because there is a possibility that the user might be a part of a universal group that has been denied to a resource, and hence the system will not allow the logon.
so if I understood correct if I want to give access to a particular folder within the network I can just create a single universal group with many global groups from different domains nested inside and on the folder sharing option just give only a single permission for the universal group instead of a permission for each and every global group.
When Marcin said ; The membership is replicated across the forest (as part of GC replication) what did he meant exactly since if I check on the other domain controllers I do not find the universal group that I have created. Some of the other domain controllers are also GC servers but in the domain and users list the universal group still is not there.
Thank you for your help
When you will follow the AGUDLP guideline, you will have to first create a Domain Local Group, add it to the resource and assign permissions. After that you need to add the Global groups from any domain or any universal groups. Also, I didnt understand you when you checked other domain controllers? Have you tried to check ADUC and you are saying that the Universal group will not exist?
FFL is Windows server 2008
I was wrong since I tought that if I would create a Universal Group in 1 domain it would show itself up automatically in the ADUC list of all other domains.
Now thanks to you I undertood the AGUDLP guideline and may I ask, If I have a small network environment I can avoid using Universal groups at all and just place global groups into domain local group right and assign permission to it only and it would work the same right ?