About global and local groups


alman

Hi,

I would like to understand why in several sites and manuals it is advised, in order to grant the authorization to the resources of a domain, to create a local domain group that contains the global groups as members. Wouldn't it be simpler to assign the authorizations directly to global groups since they have the possibility?

Thanks

ps: I'm italian, please excuse me for my terrible english :blushing:

Edited by alman


Permissions using a local domain group cannot be set on a share on a member server.

They can be used on any DC.

If you're using a trust relationship between domains, you'll see that you can only add users from the other domain to a local domain group.

So if you have only DCs, using a global domain group is not needed.


There are various groups in the 2003 AD namely:

Universal groups

Global groups

Domain Local groups

The Domain Local groups effectively replace the local groups from Windows NT. In the old model MSFT used, the accurate way of assigning permissions was: grant the Local group access to the object, make the Global group a member of the Local group, and place the User in the Global group.

This can now be done with the domain-level group type 'Domain Local groups': effectively you would store users and computers in the Global groups, where the Global groups are members of the Domain Local groups that are given permissions on objects like printers or shares.

The Universal groups can be used anywhere in the forest to grant users permissions in domains other than the one the users are members of.

Domain Local groups can be granted access on specific resources that are not stored in Active Directory, (File server shares, Printer queues, etc.)

- Domain Local groups cannot be seen from another domain.

Global Groups can only be granted access to objects or be made a member of groups that reside in the same domain as the group.

(On a side note, beware of using the Domain Local groups: they take up 40 bytes in the access token that Kerberos is using, whereas global groups only use 8 bytes. If a member has a Kerberos token that exceeds 12000 bytes, his GPO policies will fail and any group membership that was not within the 12000 bytes will not apply to his permissions.

We had this problem when upgrading a fileserver to a cluster environment and effectively doubling up on groups in the domain; with the Domain Locals, 60% of the people using the new cluster were reporting problems and it was tracked back to the 12000-byte token size. We switched the Domain Locals to Globals to work around the problem. There is a fix from MSFT as well, but that includes a premium patch and a domain-wide registry change.)

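The nesting chain the reply above describes (accounts in a Global group, the Global group nested in a Domain Local group, only the Domain Local group on the resource ACL), as an added PowerShell example that is not from this thread. It assumes the ActiveDirectory module; the group names, OU, user names, folder path and domain NetBIOS name are placeholders, and the token-size check at the end applies the estimate from Microsoft KB 327825 (1200 + 40*d + 8*s), which is an addition here, not something the reply gives.

```powershell
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=example,DC=local'   # placeholder OU
$sharePath = 'D:\Shares\Finance'               # placeholder folder behind the share
$netbios   = 'EXAMPLE'                         # placeholder domain NetBIOS name

# A -> G: user accounts go into a Global group
New-ADGroup -Name 'GG-Finance-Users' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'Finance department staff'
Add-ADGroupMember -Identity 'GG-Finance-Users' -Members 'jdoe', 'asmith'   # placeholder users

# DL: a Domain Local group is the only principal that appears on the resource ACL
New-ADGroup -Name 'DL-Finance-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description 'Modify rights on the Finance share'

# G -> DL: nest the Global group inside the Domain Local group
Add-ADGroupMember -Identity 'DL-Finance-Share-Modify' -Members 'GG-Finance-Users'

# DL -> P: grant Modify on the folder to the Domain Local group, inherited by children
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$netbios\DL-Finance-Share-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl = Get-Acl -Path $sharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check 1: the Domain Local group resolves (through the nesting) to the intended users
Get-ADGroupMember -Identity 'DL-Finance-Share-Modify' -Recursive |
    Select-Object SamAccountName, objectClass

# Check 2: rough Kerberos token-size estimate for one user (KB 327825: 1200 + 40*d + 8*s).
# d = Domain Local groups, s = everything else. Universal groups from other domains
# really cost 40 bytes too; this simplified count treats all of them as 8.
# The LDAP_MATCHING_RULE_IN_CHAIN filter returns nested memberships, not only direct ones.
$user   = Get-ADUser -Identity 'jdoe'
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$d = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
$s = @($groups | Where-Object { $_.GroupScope -ne 'DomainLocal' }).Count
$estimate = 1200 + 40 * $d + 8 * $s
"Estimated token size for $($user.SamAccountName): $estimate bytes ($d domain local, $s other)"
if ($estimate -gt 12000) {
    Write-Warning 'Estimate exceeds the 12000-byte limit mentioned in the thread; expect GPO and access failures'
}
```

Run the checks under an account that can read group membership; the ACL step needs write access to the folder's security descriptor.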
