Quick Question, I was teaching a class the other day when the question came up about what group scope should you use for delegated permissions of an OU. I was teaching an earlier class where I explained how to use Domain Local Groups on Files Shares and Printers to centralize management of these resources via AD. The question from the students was could / should they use the same principles for AD Delegation? I said no based on past experience with 3rd party delegation tools didn't like Domain Local Groups used for delegation.
This got me to thinking why and wondering what you all do and why? I know this question is open ended, and depends on your domain structure etc, but I just am trying to identify a real reason to say no, only use global groups for delegation within a domain. Thanks, Todd Myrick List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
