Security Groups

  • Security Groups

    Microsoft recommends A->G->DL->P, i.e. accounts are added to global groups, global groups to domain local groups, and domain local groups are assigned permissions. My question, as given to me by my customer, is: why so? Why is this a recommendation, and why should we not give permissions directly to global groups in single-domain or multiple-domain scenarios?

    Is there any performance reason, or any overload or replication reason?
    He also needs details or a document describing this authorization model, i.e. when a user accesses a resource, from where the information about his global group and domain local group membership is fetched, and whether this is related to network or resource usage.

  • #2
    A-G-DL-P has its good reasons; most of them can be found in related books or articles. However, in a small, one-domain forest there seems to be a duplication of groups, when most permission settings can be done with either A-G-P or A-DL-P.

    The reason for the G-DL is made more obvious in large-scale AD infrastructures, where one might need to give 1000 users from domain A permissions on 100 different resources in domains A, B and C. Then you'll want to gather all the users in one G, and have the G placed in the DL groups on the required resources.

    Furthermore, nesting of G-G-G etc. is also useful in large domains, where you want 1000 sales users, 2000 dev users and 1300 mgmt users to have permissions on many different resources. Again, you'd place the users in 3 different Gs, nest the 3 Gs in one G, and place that one G in all the required DLs.

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
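
    The chain described in the answer above (accounts in role-based global groups, the global groups nested into one umbrella global group, that group placed in a per-resource domain local group, and only the domain local group named in the ACL), as an added example built with the ActiveDirectory PowerShell module. This is illustration code, not from the original post or from Daniel Petri; every OU, group, user, domain and share name in it is an assumption chosen for the example.

    ```powershell
    # Added example: build an A-G-DL-P chain end to end.
    # All names below (OU, groups, users, CORP domain, \\fs01 share) are assumed for illustration.
    Import-Module ActiveDirectory

    $ou = 'OU=Groups,DC=corp,DC=example'   # assumed OU that will hold the groups

    # A -> G: one global group per role holds the accounts.
    # Global groups are the "who": membership is defined in the account's own domain.
    foreach ($role in 'Sales', 'Dev', 'Mgmt') {
        New-ADGroup -Name "G-$role" -GroupScope Global -GroupCategory Security -Path $ou
    }
    Add-ADGroupMember -Identity 'G-Sales' -Members 'jdoe', 'asmith'   # assumed user accounts

    # G -> G: the optional nesting from the answer, three role groups in one umbrella global group.
    New-ADGroup -Name 'G-AllStaff' -GroupScope Global -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity 'G-AllStaff' -Members 'G-Sales', 'G-Dev', 'G-Mgmt'

    # G -> DL: one domain local group per resource and permission level, created in the
    # domain that owns the resource. Domain local groups are the "what": they describe
    # a permission on a resource, and global groups (from any trusted domain) are placed in them.
    New-ADGroup -Name 'DL-ProjectShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity 'DL-ProjectShare-Modify' -Members 'G-AllStaff'

    # DL -> P: the ACL on the resource names only the domain local group.
    # Users and global groups never appear in the ACE, so re-assigning who has Modify
    # on the share means changing group membership, not touching the ACL again.
    $path = '\\fs01\ProjectShare'   # assumed share
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'CORP\DL-ProjectShare-Modify',          # assumed domain\group
        'Modify',
        'ContainerInherit, ObjectInherit',      # apply to subfolders and files
        'None',
        'Allow'
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Check: expand the chain back from the ACE to the accounts that end up with access.
    Get-ADGroupMember -Identity 'DL-ProjectShare-Modify' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    ```

    In the multi-domain case the answer describes, the global groups are created in each account domain and the domain local group in the resource's domain; when adding a global group from another domain as a member, fetch it first with `Get-ADGroup -Server <that domain's DC>` and pass the returned object to `-Members`, since a bare name is resolved only in the current domain. The final `Get-ADGroupMember -Recursive` is the practical audit step: it answers "who can actually reach this share" from the ACE downward, which is exactly the question the nested design is meant to keep answerable.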