Announcement

Collapse
No announcement yet.

combine Security and distrub groups

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • combine Security and distrub groups

    We just upgraded our environment to native 2003 (A Little late)
    we are trying to clean up AD and make universal groups and get rid of security and distribution groups.

    What would be the best way o go about this with the least disruption to business?

    Any suggestions would be helpful.

    thanks in advance

  • #2
    Re: combine Security and distrub groups

    I would recommend the following formula.

    A G U DL P

    Create 'Domain Local' Groups for your resources that need to be accessed. This will be the group that permissions would be assigned to. Use a naming convention that tells you the type of group it is. Eg. DL-Printer1FullControl

    Create a Universal Group only if you have multiple domains that need access to the resource, so you would add relevant users to a Global Group and add that to the Universal Group, if applicable.

    If you can, don't use Universal Groups, they are stored in the GC and effect replication traffic. Also, ensure you only add groups to a Universal Group. Therefore, you will still need security groups. Replication doesn't occur each time a Global Group memberhip changes that are added to a Universal Group; adding and removing users for a Unversal Group triggers replication.

    Accounts are added to a Global Group.

    You can use a Security group as a distribution list as well, so if it fits with your model, you may not need distribution lists.

    I don't use Universal Groups in my environment. I use A G DL P.

    Also, with regards to existing security groups, take advantage of group nesting. Now you are Windows 2003 native, you can place groups inside each other.

    More than likely you have Global groups. These can be placed in to local, Universal and domain local groups as well as another Global group in the same domain.

    Domain local groups can be nested in local and other domin locals in the same domain.

    Universal Groups can be nested in any group apart from a Global group.
    Last edited by Virtual; 10th February 2009, 23:56.

    Comment


    • #3
      Re: combine Security and distrub groups

      Universal groups are only useful in a multi-domain environment for security, but for Exchange 2007, new distribution groups have to be universal in scope (if you migrated from e2K3 you may have non-universal distribution groups

      But in general I concur with Virtual's advice (straight from the MCSE courses ) of using AGULP as your strategy
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      Comment


      • #4
        Re: combine Security and distrub groups

        Originally posted by mlabs View Post
        we are trying to clean up AD and make universal groups and get rid of security and distribution groups.
        Hi Mlabs,

        I am not sure what you exactly want. Security and Distribution are group types and Universal is a group scope.
        Unless I have read this wrong, you can't replace a type with a scope.
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR

        Comment


        • #5
          Re: combine Security and distrub groups

          How big is your AD? Universal groups may increase replication plus you may not even need them. I think it is generally best to only add groups as members of universal groups rather than users as well.
          cheers
          Andy

          Please read this before you post:


          Quis custodiet ipsos custodes?

          Comment


          • #6
            Re: combine Security and distrub groups

            thanks all

            Comment


            • #7
              Re: combine Security and distrub groups

              Right you are Ossian. A G U DL P drummed in to me from the courses. Hopefully, I will be doing this myself, I hope, if I pass my MCT assessment this month. Finger's crossed.

              Comment

              Working...
              X