StevenWhiting.com

A place for info I've learnt in IT & stuff. (I get a little kick back from affiliate ads & links, just so you are aware)

Browsing Posts tagged Groups

http://www.computerperformance.co.uk/Litmus/universal_groups.htm

Domain Local Groups (These used to be plain Local groups).

Think of domain local groups as great hosts, literally anyone can be a member, users, Global groups, Universal groups, even computers can join a domain local group. Local groups are bad travellers and only operate in their own domain.

Best practice is to use local groups to assign permissions to resources like databases and printers.
Global Groups

These are great travellers, they can wander the entire Forest. The key point is that global groups are poor hosts and can only contain members from their own domain.

Best practice is to make global group your default group, and for starters, make a group to represent each of your departments.
Universal Groups

Another question for you, why is it sometimes the radio button against create Universal group is greyed out? The answer is when the Domain is in mixed mode you cannot create universal groups (NT 4.0 BDC’s would not understand them). You need to ‘raise domain level to Windows 2000 native before you benefit from universal groups. Think of universal groups as the ultimate container for nesting groups. They are good hosts and great travellers.

Best practice is make it rule to only include global groups inside Universal groups, no individual groups.
Global Catalog Implications

As you would expect, domain local and global groups are listed in the global catalog, however the individual members are not listed. So changes in global group membership have zero impact on global catalog replication traffic.

Universal groups on the other hand, not only are listed in the global catalog but also the individual users or nested groups are also listed. Now you can see that adding users to a universal group will generate replication traffic. That is why Guy says only put global groups inside universal groups, the individual members inside the global groups are not replicated.

In Windows 2000 the situation is that one change of membership to a universal group causes the whole list to be replicated, thankfully that changed in Server 2003, now only incremental changes are replicated not the whole list.

To add a contact to a group in AD. Don’t try to add them via the group, add them to the group within their contact in AD.