Monday, April 19, 2010

Simple explanation to Win2003 AD groups

Reference: http://www.computerperformance.co.uk/Litmus/universal_groups.htm

Amateurs: use only Universal Groups and never Global or Domain Local. (The rest of this note explains why that is poor practice.)

What are the two TYPES of Groups in Windows Server 2003? Hang on Guy, I thought there were three, Global, Domain Local, and Universal? Microsoft are playing games with words, the two TYPES of groups are Security and Distribution (as in Distribution List).

Microsoft have introduced the Scope attribute to explain the capabilities of groups. If you are brand new to groups it makes sense, but for old timers it takes a while to get your head around the scope concept.

Domain Local Groups (These used to be plain Local groups).

Think of domain local groups as great hosts: almost anything can be a member, users, computers, global groups, universal groups, even other domain local groups from the same domain. They are bad travellers, though, and can only be granted permissions on resources in their own domain.

Best practice is to use domain local groups to assign permissions to resources such as folders, databases and printers: the resource's ACL names the domain local group, and the domain local group contains the global groups that should have access.

Global Groups

These are great travellers: a global group can be granted permissions in any domain in the forest (and in domains that trust it). The key point is that global groups are poor hosts and can only contain users, computers and (in native mode) other global groups from their own domain.

Best practice is to make the global group your default group: for starters, create one to represent each of your departments and make its users the members.
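The two best practices above are the A-G-DL-P pattern (accounts go in global groups, global groups go in domain local groups, domain local groups get the permission). The script below is an added example of that pattern and is not from the original article; it uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), and the domain name EXAMPLE, the OU path, the department names and the share path are all assumptions.

```powershell
# Added example (not from the original article): the A-G-DL-P pattern.
# Assumes the ActiveDirectory module; the domain, OU, departments and share are made up.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=example,DC=com'   # assumed OU for all groups
$share = 'D:\Shares\Finance'             # assumed resource on a file server

# A -> G: one global group per department. Users are its only direct members.
$departments = 'Finance', 'Sales'
foreach ($d in $departments) {
    if (-not (Get-ADGroup -Filter "Name -eq 'G-$d'")) {
        New-ADGroup -Name "G-$d" -SamAccountName "G-$d" -GroupScope Global `
            -GroupCategory Security -Path $ou -Description "All users in $d"
    }
}
# Assumed user accounts; in practice these come from HR data or an OU query.
Add-ADGroupMember -Identity 'G-Finance' -Members 'alice', 'bob'

# G -> DL: one domain local group per resource and permission level.
# It travels badly (own domain only), which is fine: the resource lives here too.
$dl = 'DL-Finance-Modify'
if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
    New-ADGroup -Name $dl -SamAccountName $dl -GroupScope DomainLocal `
        -GroupCategory Security -Path $ou -Description "Modify on $share"
}
Add-ADGroupMember -Identity $dl -Members 'G-Finance'

# DL -> P: the ACL names only the domain local group, never users or global groups.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "EXAMPLE\$dl", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Resulting chain: alice -> G-Finance -> DL-Finance-Modify -> Modify on D:\Shares\Finance
```

When a user moves department you change one global group membership; when a share moves or a new team needs access you change one domain local group membership; the ACL on the resource never needs editing. If users from a second domain in the forest need the same share, their own domain's global group goes into DL-Finance-Modify, which a global group can do because global groups are the "great travellers".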

Universal Groups

Another question for you: why is the Create Universal group radio button sometimes greyed out? The answer is that while the domain is in Windows 2000 mixed mode you cannot create universal security groups (NT 4.0 BDCs would not understand them; universal distribution groups are still allowed). You need to raise the domain functional level to Windows 2000 native or higher before you can benefit from universal security groups. Think of universal groups as the ultimate container for nesting groups: they are good hosts and great travellers, able to contain groups from, and be granted permissions in, any domain in the forest.

Best practice is to make it a rule to put only global groups inside universal groups, never individual users. The reason is the global catalog replication cost described in the next section.

Global Catalog Implications

As you would expect, domain local and global groups are listed in the global catalog, but their members are not. So changes in global group membership have zero impact on global catalog replication traffic.

Universal groups, on the other hand, are not only listed in the global catalog but their membership (individual users or nested groups) is listed there as well. Now you can see that adding users to a universal group generates replication traffic to every global catalog server in the forest. That is why Guy says to put only global groups inside universal groups: the individual members inside those global groups are not replicated.

In Windows 2000 one change of membership to a universal group caused the whole membership list to be replicated. Thankfully that changed in Windows Server 2003: once the forest functional level is raised to Windows Server 2003, linked value replication means only the incremental change is replicated, not the whole list.
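Two checks a practitioner would want after reading the last two sections: whether the domain and forest levels actually give you universal security groups and incremental (linked value) replication, and whether anyone has broken the "only global groups inside universal groups" rule. The script below is an added example, not from the original article; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a domain you can query, and nothing else.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Functional levels. Universal security groups need the domain out of Windows 2000
#    mixed mode; linked value replication of universal group membership needs the
#    forest at Windows Server 2003 level or higher.
$domain = Get-ADDomain
$forest = Get-ADForest
# nTMixedDomain on the domain object is 1 while the domain is still in mixed mode.
$mixed  = (Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain).nTMixedDomain
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"
if ($mixed -eq 1) {
    'Domain is in mixed mode: universal SECURITY groups cannot be created yet.'
}

# 2. Audit the nesting rule: a universal group should contain global groups only.
#    Direct user members, nested universal groups, and domain local groups (which
#    universal groups cannot contain anyway) are all reported.
$violations = foreach ($ug in Get-ADGroup -Filter 'GroupScope -eq "Universal"') {
    foreach ($m in Get-ADGroupMember -Identity $ug) {
        $scope = $null
        if ($m.objectClass -eq 'group') {
            $scope = (Get-ADGroup -Identity $m.DistinguishedName).GroupScope
        }
        if ($m.objectClass -ne 'group' -or $scope -ne 'Global') {
            [pscustomobject]@{
                UniversalGroup = $ug.Name
                Member         = $m.Name
                MemberClass    = $m.objectClass
                MemberScope    = $scope
            }
        }
    }
}
if ($violations) {
    $violations | Sort-Object UniversalGroup, Member | Format-Table -AutoSize
} else {
    'No universal group contains anything other than global groups.'
}
```

Every row reported by the audit is a membership that will be pushed to every global catalog server in the forest on each change, which is exactly the traffic the article is warning about; fixing it means moving the user into the appropriate global group and leaving only that group inside the universal group. Note that Get-ADGroupMember lists direct members only, so a user two levels down inside a nested global group is correctly not reported.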
