• If the company ever adds a domain, you need to redesign group memberships to grant permissions to cross-domain resources. This task is necessary because a domain local group can't be a member of a group or assigned permission to a resource in another domain.
In multidomain environments where departments are represented in more than one domain,
departmental global groups from each domain can be aggregated into a universal group, which is
then made a member of a domain local group for resource access. For example, in Figure 5-17,
both the US and UK coolgadgets.com domains have a global group called Sales. These global
groups are added to the universal group Sales-U in the coolgadgets.com parent domain; Sales-U
is then made a member of the domain local group assigned permissions to the shared folder. Keep
in mind that the shared resource could be located in any of the three domains, as long as the
domain local group is in the same domain as the shared resource. The universal group in this
example can be added to a domain local group in any domain in the forest as well as trusted
domains in other forests.
Figure 5-17 Using global and universal groups
[Figure: US-Sales-G (global group, US.coolgadgets.com) and UK-Sales-G (global group, UK.coolgadgets.com) are members of Sales-U (universal group, Coolgadgets.com); Sales-U is a member of SalesDocs-Mod-DL, the domain local group assigned permissions to the SalesDocs shared folder.]
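The nesting shown in Figure 5-17, built with the ActiveDirectory PowerShell module, as an added example that is not from the textbook. It assumes the three coolgadgets.com domains already exist, that the account running it has rights to create groups in each, and that the OU paths and the share path are placeholders.

```powershell
# Added example: global groups in each child domain -> universal group in the parent
# -> domain local group in the share's domain -> NTFS permission on the share.
Import-Module ActiveDirectory

$parent   = 'coolgadgets.com'
$parentOU = 'OU=Groups,DC=coolgadgets,DC=com'          # assumed OU path

# 1. One global group per child domain (global groups hold only their own domain's accounts).
$usSales = New-ADGroup -Name 'US-Sales-G' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=us,DC=coolgadgets,DC=com' -Server 'us.coolgadgets.com' -PassThru
$ukSales = New-ADGroup -Name 'UK-Sales-G' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=uk,DC=coolgadgets,DC=com' -Server 'uk.coolgadgets.com' -PassThru

# 2. Universal group in the parent domain aggregating both departmental global groups.
#    Its membership is stored only on global catalog servers.
$salesU = New-ADGroup -Name 'Sales-U' -GroupScope Universal -GroupCategory Security `
    -Path $parentOU -Server $parent -PassThru
Add-ADGroupMember -Identity $salesU -Members $usSales, $ukSales -Server $parent

# 3. Domain local group in the same domain as the shared resource; Sales-U becomes a member.
$modDL = New-ADGroup -Name 'SalesDocs-Mod-DL' -GroupScope DomainLocal -GroupCategory Security `
    -Path $parentOU -Server $parent -PassThru
Add-ADGroupMember -Identity $modDL -Members $salesU -Server $parent

# 4. Only the domain local group is placed on the folder's ACL (Modify, inherited by children).
$share = 'D:\Shares\SalesDocs'                           # assumed share path
$acl   = Get-Acl -Path $share
$rule  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @('COOLGADGETS\SalesDocs-Mod-DL', 'Modify',
                    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 5. Check the chain: the universal group should list both child-domain global groups,
#    and the domain local group should list only the universal group.
(Get-ADGroup -Identity 'Sales-U' -Server $parent -Properties member).member
(Get-ADGroup -Identity 'SalesDocs-Mod-DL' -Server $parent -Properties member).member
```

Adding a fourth domain later means only creating another global group and adding it to Sales-U; the domain local group and the ACL on the share do not change.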
Universal Groups
A universal group is special in a couple of ways. First, a universal group's membership information is stored only on domain controllers configured as global catalog servers. Second, they are the only type of group with a truly universal nature:
• User accounts, global groups, and universal groups from any domain in the forest can be a
member.
• They can be a member of other universal groups or domain local groups from any domain
in the forest.
• They can be assigned permissions to resources in any domain in the forest.
Because universal groups' membership information is stored only on global catalog servers,
plan the placement of domain controllers configured as global catalog servers carefully. When
users log on, a global catalog server must be available to determine their memberships in any