alman Posted October 13, 2006 (edited)

Hi, I would like to understand why, in several sites and manuals, it is advised, in order to grant authorization to the resources of a domain, to create a local domain group that contains the global groups as members. Wouldn't it be simpler to assign the authorizations directly to global groups, since they have the possibility? Thanks.

PS: I'm Italian, please excuse me for my terrible English.

Edited October 13, 2006 by alman
allen2 Posted October 13, 2006

Permissions using a local domain group cannot be set on a share on a member server. They can be used on any DC. If you're using a trust relationship between domains, you'll see that you can only add users from the other domain to a local domain group. So if you have only DCs, using a global domain group is not needed.
Zartach Posted October 16, 2006

There are various groups in 2003 AD, namely:
Universal groups
Global groups
Domain Local groups

Where the Domain Local groups are effectively replacing the local groups from Windows NT. In the old model, the accurate way MSFT used for assigning permissions was: grant the Local group access to the object, make the Global group a member of the Local group, and place the User in the Global group. This can now be done with the domain level group 'Domain Local groups': effectively you would store users and computers in the Global groups, where the Global groups are a member of the Domain Local groups that are given permissions on objects like printers or shares.

The Universal groups can be used anywhere in the forest to grant users permissions in other domains than the one the users are a member of. Domain Local groups can be granted access on specific resources that are not stored in Active Directory (file server shares, printer queues, etc.); Domain Local groups cannot be seen from another domain. Global Groups can only be granted access to objects or be made a member of groups that reside in the same domain as the group is.

(On a sidenote, beware of using the Domain Local groups: they take up 40 bytes in the access token that Kerberos is using, whereas global groups only use 8 bytes. If a member has a Kerberos token that exceeds 12000 bytes his GPO policies will fail and any group membership that was not within the 12000 bytes will not apply on his permissions. We had this problem when upgrading a fileserver to a cluster environment and effectively doubling up on groups in the domain; with the Domain Locals 60% of the people using the new cluster were reporting problems and it was tracked back to the 12000 bytes token size. We switched the Domain Locals to Globals to work around the problem. There is a fix from MSFT as well, but that includes a premium patch and a domain wide registry change.)
Link to comment Share on other sites More sharing options...
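The nesting pattern Zartach describes (user into Global group, Global group into Domain Local group, Domain Local group on the ACL) and the token-size caveat at the end of his post, as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, so newer than the 2003-era setup discussed above), a session with rights to create groups and edit the folder ACL, and placeholder names (FS01, the Finance share, the Groups OU, the user jdoe). The token estimate uses the formula Microsoft published in KB327825 (1200 + 40 bytes per domain local or foreign universal group + 8 bytes per global or same-domain universal group), which matches the 40-byte and 8-byte figures quoted in the post; it is an estimate, not the exact size of the PAC.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module and
# placeholder names; adjust $Path, $OU and group names to your environment.
Import-Module ActiveDirectory

function New-AgdlpResourceGroup {
    # A -> G -> DL -> P: users go in the Global group, the Global group is nested in the
    # Domain Local group, and only the Domain Local group appears in the resource ACL.
    param(
        [Parameter(Mandatory)] [string] $GlobalGroup,       # e.g. G-Finance-Staff (holds users)
        [Parameter(Mandatory)] [string] $DomainLocalGroup,  # e.g. DL-Finance-Share-Modify (carries the ACE)
        [Parameter(Mandatory)] [string] $Path,              # folder on the member server (placeholder below)
        [Parameter(Mandatory)] [string] $OU,                # OU distinguished name for the new groups
        [ValidateSet('Read', 'Modify', 'FullControl')] [string] $Rights = 'Modify'
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$GlobalGroup'")) {
        New-ADGroup -Name $GlobalGroup -GroupScope Global -GroupCategory Security -Path $OU
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$DomainLocalGroup'")) {
        New-ADGroup -Name $DomainLocalGroup -GroupScope DomainLocal -GroupCategory Security -Path $OU
    }
    # G -> DL: nest the Global group in the Domain Local group
    Add-ADGroupMember -Identity $DomainLocalGroup -Members $GlobalGroup

    # DL -> P: grant the Domain Local group on the folder, inherited to subfolders and files
    $domain = (Get-ADDomain).NetBIOSName
    $acl = Get-Acl -Path $Path
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$DomainLocalGroup", $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-EstimatedTokenSize {
    # Estimate per KB327825: 1200 + 40*d + 8*s, where d counts Domain Local groups plus
    # Universal groups from other domains, and s counts Global groups plus Universal groups
    # from the user's own domain. tokenGroups is the transitive (nested) membership, which
    # is what actually lands in the Kerberos PAC.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $MaxTokenSize = 12000   # default limit on Windows 2000/2003, as quoted in the thread
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $userDomainDn = $user.DistinguishedName -replace '^.*?,(?=DC=)', ''
    $d = 0; $s = 0
    foreach ($sid in $user.tokenGroups) {
        # Well-known SIDs such as Authenticated Users do not resolve to AD group objects; skip them
        try { $g = Get-ADGroup -Identity $sid.Value -ErrorAction Stop } catch { continue }
        $groupDomainDn = $g.DistinguishedName -replace '^.*?,(?=DC=)', ''
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($groupDomainDn -eq $userDomainDn) { $s++ } else { $d++ } }
        }
    }
    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User                   = $SamAccountName
        FortyByteGroups        = $d
        EightByteGroups        = $s
        EstimatedTokenBytes    = $estimate
        ExceedsMaxTokenSize    = ($estimate -gt $MaxTokenSize)
    }
}

# Usage with placeholder names (constructed for this example):
New-AgdlpResourceGroup -GlobalGroup 'G-Finance-Staff' -DomainLocalGroup 'DL-Finance-Share-Modify' `
    -Path '\\FS01\D$\Shares\Finance' -OU 'OU=Groups,DC=example,DC=local'
Add-ADGroupMember -Identity 'G-Finance-Staff' -Members 'jdoe'   # A -> G
Get-EstimatedTokenSize -SamAccountName 'jdoe'
```

Because the ACL references only the Domain Local group, adding a second team to the share is a single Add-ADGroupMember on the Domain Local group rather than an ACL change on the server, which is the maintenance argument behind the advice alman asked about. The estimator is the check to run before converting many Global groups to Domain Local groups: each Domain Local membership costs five times the token space of a Global one, so a user nested into a few hundred of them can cross the 12000-byte limit the post describes.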