-----Original Message-----
use of universal groups.
You can use Universal groups pretty much anytime it is legal but here are some principles:
Universals can contain Globals and Users from ANY domain (in forest or trusted)
Universals should seldom change (entire group is replicated to each GC)
USUALLY put users in Globals and add (a few) Globals to the Universals (perhaps not as big a deal in Win2003)
Globals can only contain users from SAME domain, so when collecting up (groups of) users from multiple domains, use universals
Universals are MOSTLY to make Active Directory group designs SCALE better (in the thousands, up to hundreds of thousands of users -- or more -- using group nesting.)
Put the Universal (or the Globals if you are not using Universals) in a Domain Local AT the Resource location. Permissions are placed on the Locals AT THE RESOURCE domain.
--
Herb Martin
Bert,
And just to clarify, what Herb means by "anytime it is legal" is that the domain mode needs to be in WIN2000 NATIVE Mode.
And Herb did make a very good point about placing the user account objects in Global Security Groups and placing them (the groups) in the Universal Group. This has to do with the point above that. You can experience something called 'Token Explosion' if you simply place all of the individual user account objects directly inside the Universal Group and this changes a great deal. This is because, as Herb stated, the Universal Group is 'replicated' to all Global Catalog Servers...the entire group!
HTH,
Cary
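
Added example, not part of either post: a small Python check that applies the nesting principles from this thread (users in Globals, Globals in Universals, permissions on a Domain Local at the resource) to a group design held in memory. The `Principal` model, the rule names, and the domains, users and groups are all constructed for illustration and do not query a real directory.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    kind: str                      # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

def check_design(groups, acl_trustees):
    """Return (severity, group, subject, rule) findings for a group design."""
    findings = []
    for g in groups:
        for m in g.members:
            # Hard rule from the thread: a Global only holds members of its own domain.
            if g.kind == "global" and m.domain != g.domain:
                findings.append(("error", g.name, m.name, "global-cross-domain-member"))
            # Guidance from the thread: users go in Globals, Globals go in Universals,
            # because a membership change replicates the whole Universal to every GC.
            if g.kind == "universal" and m.kind == "user":
                findings.append(("warn", g.name, m.name, "user-directly-in-universal"))
    for t in acl_trustees:
        # Guidance from the thread: permissions belong on a Domain Local at the resource.
        if t.kind != "domain_local":
            findings.append(("warn", t.name, None, "permission-not-on-domain-local"))
    return findings

# Constructed sample forest: two account domains and one resource domain.
alice = Principal("alice", "east.example", "user")
bob = Principal("bob", "west.example", "user")
g_east = Principal("G_East_Sales", "east.example", "global", [alice])
g_west = Principal("G_West_Sales", "west.example", "global", [bob, alice])  # alice is foreign
u_sales = Principal("U_Sales", "east.example", "universal", [g_east, g_west, bob])
dl_share = Principal("DL_SalesShare", "res.example", "domain_local", [u_sales])

GROUPS = [g_east, g_west, u_sales, dl_share]
ACL_TRUSTEES = [dl_share, u_sales]   # trustees named on the share's ACL (constructed)

if __name__ == "__main__":
    for finding in check_design(GROUPS, ACL_TRUSTEES):
        print(finding)
```
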