Win2003's Global vs Local domain groups...


Simon Begin

I know best practice says to use Global groups & Local domain groups,
associate users with the global group, associate the resource with the Local
domain group, then associate the 2 groups together.

I'm from a Novell environment, and "best practices" don't exist. We used
to understand how it works, then choose what's best for us.

Back to my 2003 AD groups, nobody could tell me WHY to use BOTH groups,
instead of using only Local domain groups (even a teacher of 2003 AD
course). We have 1 tree and 1 domain, <1000 users. We will have someday
other foreign 2003 AD trees, and will need to link with them for some
applications.

Do we really need to make 2 groups, when it works very well with 1?
 
It is best to put the users into global groups then local groups then assign
the permission to the local groups. The reason is because you can't add
users from other domains into domain local groups. If you want to add users
from different domains they have to go in global groups. Just think UGLY:
users > global groups > local groups > you assign permissions here

hth,
aaron
 
It's mainly useful where you are providing access to a resource to lots of
global groups. In the same way you group users with global groups, you can
group resources with local groups.
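
An added illustration, not part of any post in this thread: a toy Python model of the users > global groups > local groups > permissions chain, comparing how many resource ACLs must change when one more global group needs the same access. All user, group and share names are constructed, and the model tracks membership only, not Active Directory's group scope rules.

```python
# Toy in-memory model (added illustration, no Active Directory calls); all names are constructed.
class Directory:
    def __init__(self):
        self.members = {}    # group -> direct members (users or other groups)
        self.acl = {}        # resource -> groups named on its ACL
        self.acl_edits = 0   # number of times a resource ACL was changed
    def add_member(self, group, member):
        self.members.setdefault(group, set()).add(member)
    def grant(self, resource, group):
        self.acl.setdefault(resource, set()).add(group)
        self.acl_edits += 1
    def users_in(self, group, seen=None):
        """Expand nested membership down to user accounts."""
        seen = set() if seen is None else seen
        if group in seen:            # guard against circular nesting
            return set()
        seen.add(group)
        users = set()
        for m in self.members.get(group, ()):
            users |= self.users_in(m, seen) if m in self.members else {m}
        return users

    def can_access(self, user, resource):
        return any(user in self.users_in(g) for g in self.acl.get(resource, ()))

SHARES = ["share1", "share2", "share3", "share4", "share5"]
ROLES = {"GG_Sales": "alice", "GG_Finance": "bob"}   # global group -> one user
LOCAL = "DL_Reports_Read"                             # domain local group

def build(nested):
    d = Directory()
    for gg, user in ROLES.items():
        d.add_member(gg, user)
        if nested:
            d.add_member(LOCAL, gg)  # global group nested in the local group
    for share in SHARES:
        for group in ([LOCAL] if nested else ROLES):
            d.grant(share, group)
    d.acl_edits = 0                  # count only later changes
    return d

def onboard_role(d, nested, gg="GG_Audit", user="carol"):
    # Give a new global group the same access; return the ACL edits it took.
    d.add_member(gg, user)
    if nested:
        d.add_member(LOCAL, gg)      # one membership change, no ACL touched
    for share in ([] if nested else SHARES):
        d.grant(share, gg)
    return d.acl_edits
```

In this model the nested layout costs one extra group object but zero ACL edits per new global group, while the single-layer layout has fewer groups and needs one ACL edit per share.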
 
It's important to me: either I use Local+Global groups, and I double my 500
groups in AD up to 1000 groups (aaarg!), or I only use Local domain
groups and make administration MUCH simpler, including debugging time.

OK, I have to use Global groups if I have multiple domains. So in my
understanding, I have only 1 domain. I could use only Local domain groups,
but will need to create Global groups for (and only for) giving rights to
users in other domains. Thus when it will happen (another trusted domain) I
simply add 2 or 3 Global groups to give them access (= 503 groups instead of
1000)...

In short, I still don't know WHY to use both groups every time?
 