Announcement

Collapse
No announcement yet.

Application of Universal group

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Application of Universal group

    Hi All,
    I think you guys will be able to help me. I am confused why universal group are in Windows 2003 AD. We can perform all our tasks by using global and domain local group. Global groups do not increase replication traffic and by global group , it is easy to assign permissions to another domain users. But what special task can be done by universal group? Universal group will add more replication traffic between domains that is it. What else they can do? Is any one know advantages of using Universal group in single or multi domain environment?

  • #2
    Re: Application of Universal group

    Universal groups are only required in a multi-domain environment, and can contain users, global groups or other universal groups from any domain in the forest
    They can go into other UGs, domain local groups or have permissions applied directly to them

    In a single domain environment, skip them and use AGdLP as your nesting strategy
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Application of Universal group

      What is advantage of having universal group in multidomain environment? All work can be performed using global group. Why and when to use universal group?

      Comment


      • #4
        Re: Application of Universal group

        Because you cannot nest global groups from different domains
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Application of Universal group

          you mean that global group can have another global group as member if from same domain but global group can not have another global group member belong to another domain. Am I right ?please correct if I am incorrect.

          Comment


          • #6
            Re: Application of Universal group

            Yes - absolutely right

            Do some searching on Microsofts preferred method of organising accounts, groups and permissions -- AGULP -- it takes more effort but makes sense in large environments
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Application of Universal group

              Thank you very much for your advices Ossian. I was confuse here that global group can nest global group from other domian or not. You made all clear. People have been asking me about group nestings. I think global and universal group well suit for large network. What do you recomend? I suggest if network consist of only one domain, then access permission should be granted to domain groups. For network with one domain only, we do not need to create global or universal group for assigning permissions on folder. What are suggestion of Techies here in this forum? My suggestion is domain group should be enough. Please correct me if I am wrong. Is there any application or advantage of creating global and universal distribution or security group in single domain environment. Please advice.

              Comment


              • #8
                Re: Application of Universal group

                If you have one domain only, do the following (MS best practice)
                User Accounts go into Global Groups
                Global Groups go into Domain Local Groups
                Permissions are given to Domain Local Groups

                This means if you add a user to a GG, it will automatically get the permissions needed
                If you want to give permissions to several people, add the correct GG to the appropriate DL group

                If you have a multidomain environment, add Universal Groups between the GGs and the DL groups
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **

                Comment


                • #9
                  Re: Application of Universal group

                  Sorry for asking too much. But this thing is bothering me that why we are making user accounts member of global group , then global group to domain local and then assigning permission on domain local group. We can directly put users into domain local group and assign permissions. Why we using group inside group? Is any body knows logic or advantage behind this nesting?. Though I understand MS is recomending it, but is there any particular reason of recomending this strategy by MS? It seems to me extra work and I am not able to think of any advantage of doing this. Thanks Ossian for replying. You have been very helpful

                  Comment


                  • #10
                    Re: Application of Universal group

                    To set it up is much more work but when it comes to changes, its easier
                    Consider a set of users with access to 10 shares
                    If the users are put into one global group then that GG is added to the DL with the share permissions, you can remove a user from all shares by simply removing them once from the GG
                    Similarly, if you want to give the same set of users access to another share, just add the GG to the DL holding the permissions

                    You can think up even more complex scenarios and see that this can simplify them -- somewhere in the forums someone says they can give a new user all the memberships they need by adding them to one group, and letting nesting do the rest

                    Trust me, it DOES work!
                    Tom Jones
                    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                    PhD, MSc, FIAP, MIITT
                    IT Trainer / Consultant
                    Ossian Ltd
                    Scotland

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

                    Comment


                    • #11
                      Re: Application of Universal group

                      One reason I found behind nesting is if we nest users in global group, it provide flexibility. If network grow in future and if we need to assign permission to users . it will be easy as users already member of global group. So formula is assign users according to their job functin into global group. all resources like printers, network shares in doamin group. I will look more deep that how it will provide us more advantages in we group users in global & universal and then nest them in domain group

                      Comment

                      Working...
                      X