No announcement yet.

Global Group-Vs.Universal Group issue

  • Filter
  • Time
  • Show
Clear All
new posts

  • Global Group-Vs.Universal Group issue

    Dear all,
    I have here a complicated questions, regarding the Active Directory Groups Ė in terms of Group Scope .
    I have here one forest, with multiple domain trees as following :-
    1- XYZ.COM
    2- A.XYZ.COM
    3- B.XYZ.COM
    4- C.XYZ.COM
    5- TEL.COM
    6- SA.TEL.COM
    7- UK.TEL.COM
    And each one of the domains ( 1-4 ) are trusting each others .
    Each one of the Domains ( 5-7 ) are trusting each others.
    Domain ( XYZ.COM ) are Trust ( TEL.COM ).
    Now the questions needs to be corrected if I was wrong are the following :-
    1- We have a printer called PRIN1, located on ( XYZ.COM ) and it is under this domain , we want to let some type of user in this domain only ( ) to access ( PRIN1 ) only, while we donít want other users to access ( PRIN1 ) and be able to print.
    We configured a Group called ( GPRIN1 ) and it is scope is ( Domain Local Group ) , and we put under the ( Member ) TAB, all the users who required access to print on the Printer ( PRIN1 ), and under the TAP ( MEMBER OF ), we did not ADD anything.
    A) My question is, are we make it true in terms of ( Domain Local Group ) ? or not ?

    2nd question is including two parts as following:-
    First Part we have a printer called ( PRIN2 ) , located on ( A.XYZ.COM ) , and we want some specific users in Domain ( XYZ.COM ) to be able to print on ( PRIN2 ) only which is located on ( A.XYZ.COm ) .
    we asked the Admin in ( XYZ.COM ) to create a group called ( G1 ) and it is scope is ( Global Group ) , and add all the users who want them to be able to print on ( PRIN2 ) , under TAP ( MEMBERS ) only .
    under the TAP ( MEMBER OF ), we did not ADD anything.
    Part 2, the users on ( A.XYZ.COM ), want to be able to Print on ( PRIN2) as well, so we asked the admin of ( A.XYZ.COM ) to make a group name it ( DL1 ) and under the TAP (Member ), we asked him to add all the users from his local domain ( A.XYZ.COM ) and also he should put the Global Group of domain ( XYZ.COM ) which it is name is ( G1 ) under it.
    My question here, is Part 1 & Part 2 are corrected , or not ?

    But, I did not use any Universal Group. My 3rd question is, when I can use it ?

    Please help me to understand it and what we did is correct or not.

  • #2
    Re: Global Group-Vs.Universal Group issue

    Preferred strategy in your environment is AGUdLP:

    Accounts go into a Global Group (in their domain)
    Global Groups from several domains go into a Universal Group
    Universal Group goes into a Domain Local group in the resource domain (the one the printer is in)
    Permissions on the printers are given to the DL group

    If you want, you can skip the UG and use AGdLP
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **