Some administrators create a domain local group for each level of access to each shared
resource. For example, you have a shared folder called SalesDocs that requires two levels of
access by different groups: Read access and Modify access. You could create two domain local
groups named SalesDocs-Read-DL, with Read permission, and SalesDocs-Mod-DL, with
Modify permission. By using this group-naming standard, you have identified the resource,
access level, and group scope. Next, you need only add the global or universal groups containing
users to the correct domain local group. Keep in mind that the “local” in domain local refers
to where the resources that this group scope is assigned to can be located. You can't, for example, add a
domain local group from Domain A to the DACL of a resource in Domain B.
Global Groups
As mentioned, a global group is used mainly to group users from the same
domain with similar access or rights requirements. A global group's members can be user
accounts and other global groups from the same domain. However, a global group is considered
global because it can be made a member of a domain local group in any domain in the forest or
trusted domains in other forests. Global groups can also be assigned permissions to resources in
any domain in the forest or trusted domains in other forests.
A common use of global groups is creating one for each department, location, or both. In a
single-domain environment, global groups are added to domain local groups for assigning
resource permissions. You might wonder why user accounts aren't simply added directly to a
domain local group, bypassing global groups altogether. In a single-domain environment, you
can do this, but this approach has some drawbacks:
• Domain local group memberships can become large and unwieldy, particularly for
resources to which many users from several departments must have access. Examine
Figure 5-16 and consider which group you would rather manage.
[Figure 5-16: Global groups are easier to manage. Diagram labels: global groups Sales1-G, Mkt1-G, and Adv1-G with the SalesDocs-Mod-DL domain local group; individual User accounts with the MktDocs-Mod-DL domain local group.]
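The naming standard and nesting described above, followed by an audit for the drawback the figure illustrates, as an added example that is not from the original text. It assumes the ActiveDirectory PowerShell module, an existing global group Sales1-G, and a hypothetical OU path; assigning Read or Modify on the folder's DACL is a separate step.

```powershell
# Added example, not from the original text.
# Assumes the RSAT ActiveDirectory module and that the global group
# Sales1-G (name taken from Figure 5-16) already exists in the domain.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=com'   # hypothetical OU path (assumption)

# One domain local group per access level on the SalesDocs share:
# the name carries resource, access level, and scope.
foreach ($level in 'Read', 'Mod') {
    $name = "SalesDocs-$level-DL"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal `
                    -GroupCategory Security -Path $ou
    }
}

# Nest the departmental global group instead of adding users directly.
$current = Get-ADGroupMember -Identity 'SalesDocs-Mod-DL'
if ($current.Name -notcontains 'Sales1-G') {
    Add-ADGroupMember -Identity 'SalesDocs-Mod-DL' -Members 'Sales1-G'
}

# Audit every group named *-DL and report deviations from the standard:
#  - the scope is not DomainLocal, so the name misstates the scope
#  - a non-group object (user, computer) is a direct member
Get-ADGroup -Filter "Name -like '*-DL'" | ForEach-Object {
    $dl = $_
    if ($dl.GroupScope -ne 'DomainLocal') {
        [pscustomobject]@{
            Group   = $dl.Name
            Member  = $null
            Finding = "Scope is $($dl.GroupScope), expected DomainLocal"
        }
    }
    Get-ADGroupMember -Identity $dl |
        Where-Object { $_.objectClass -ne 'group' } |
        ForEach-Object {
            [pscustomobject]@{
                Group   = $dl.Name
                Member  = $_.SamAccountName
                Finding = "Direct $($_.objectClass) member; nest via a global group"
            }
        }
} | Sort-Object Group, Member | Format-Table -AutoSize
```

An empty table means every *-DL group has the expected scope and contains only nested groups.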