Goodness gracious Todd, the answer is always.... 42... Err no, the answer is
always "It Depends!"

I personally like LGs and DLGs, always have all the way back to say 1996 or
so. Global Groups make me itch, Universal groups make my eyes water. You
will note I wrote a command line tool for managing LGs (with the incredibly
creative name of LG) but never wrote one for Global Groups.

As mentioned, DLGs are nice because you can put users in any domain into
them and you don't have to worry about finding a GC and resolving
membership. I also like them because they are scoped closer to the resources
which helps but doesn't make the eternal question easy... What does
this group have access to? If you have a DLG or LG you know the scope
(especially in a multi-domain forest or multi-trusted environment) is
severely limited so you can focus on a smaller cross-section of the
environment. It still is a painful exercise but chopped off hand instead of
chopped off head painful.

There are times when DLGs really don't make much sense or possibly won't
even work. One time is when you are using DENYs to block someone's
visibility to something and you have multiple domains in the forest because
the DLG ACEs won't work on the foreign domain GCs. Another time is when you
are adding any type of ACE to the config container. I have done it and I
have gotten it to work but it requires creating the same DLG on every domain
and then adding the users to each. In hindsight I wasn't happy with what was
done because it wasn't very elegant but we had strict rules against Global
Groups and Universal groups. Several years later and that is still in place
and still working fine.

Any apps that don't work with any type of group need to be reviewed and
determined to see if it makes sense or not. If it doesn't, complain complain
complain complain to the vendor. They shouldn't be making the decisions on
how you build your environment. Even Exchange doesn't require Universal
groups, it is just much happier if you use them and it is much easier for
you. If you know what you are doing and understand it all very well you can
get away with DLGs or GGs. However, that does not describe most AD nor
Exchange admins so stick with Universal groups for Exchange related stuff
kids. :)

I would really like to have a universal domain local group. A group that
takes users from any domain and can be used on any domain without a global
catalog requirement. The issue is the linking across domains but there is no
reason why MSFT can't once and for all fix this and make it so every group
you are a member of gets represented in your user object in your home
domain. Sure there are caveats but there are caveats with global group
c(r)aching as well but they shot that out the door...

Oh why do GGs make me itch? They only accept members from the domain they
are in. Blech. I have never worked in a production environment that had one
domain. Never. The idea of adding users to separate global groups in
separate domains all to add the same permissions on a single resource
bothers me (ditto for when I did this with DLGs and the config container but
GGs wouldn't have helped in that case either).

UGs? Mostly just to tick off Guido because he really likes UGs and we have
had a long standing feud on the topic where if I recall correctly he
lambasted me from his podium at DEC 2004 and I never retaliated... hmmm. (a)
Other than that I don't like the GC requirement for their resolution when
talking cross domain membership. The really big environment I came from
didn't have GCs everywhere (in fact only in a minority of sites) and we had
enabled IgnoreGCFailures so if a DC couldn't talk to a GC, the users could
still log on. Now some of the reasons for not deploying those GCs everywhere
have gone away but I still don't see the need for a 6GB-10GB DIT on a DC in a
site with 14 people. Of course global group c(r)aching is now available
but... Well no. So what are the requirements that are enforced on you if you
don't put GCs everywhere and you set up IgnoreGCFailures? Well you can't ACL
with UGs except for cases where you know there is no question that a GC will
be available, say for centralized data center apps. Also you absolutely can
not do ___any___ Read Property DENIES based on UGs[1]. Fine, I don't like
doing DENIES anyway. It is usually a sign of a POS design or app or both.
 

  joe


[1] Why only worry about Read Property Denies? First to respond to me
personally between the hours of say 2AM and 5AM EST (to make it interesting)
may get a mention on my blog. ;o) WOO! Anyway that is a good question for
people to think of and might even be a good interview question when you
interview the next person who tells you they are an AD expert. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
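The two questions running through this thread, which group scopes carry the delegation on an OU (Todd's question, quoted below) and "what does this group have access to?" (joe's eternal problem), can both be checked from a script. The PowerShell below is an added example written for this page; it is not code from joe, Todd or the ActiveDir list. It assumes the RSAT ActiveDirectory module (Get-ADGroup, Get-ADOrganizationalUnit and the AD: drive that Get-Acl reads from), and the OU distinguished name and group name are placeholders. Group lookups are deliberately confined to the current domain, so a trustee from another domain is reported as unresolved rather than guessed at.

```powershell
# Added example for this thread (not code from joe, Todd or the ActiveDir list).
# Assumes the RSAT ActiveDirectory module, which provides Get-ADGroup,
# Get-ADOrganizationalUnit and the AD: PSDrive that Get-Acl reads from.
# $OuDn and $GroupToTrace are placeholders; substitute your own values.
Import-Module ActiveDirectory

$OuDn         = 'OU=Delegated,DC=example,DC=com'   # placeholder OU
$GroupToTrace = 'EXAMPLE\OU-Admins'                # placeholder DOMAIN\group

# Resolve a trustee (DOMAIN\Name as it appears in an ACE) to its group scope.
# Lookups go to the current domain only, so a group from another domain
# comes back as 'Unresolved' instead of being guessed.
$scopeCache = @{}
function Get-TrusteeScope {
    param([string]$Trustee)
    if ($scopeCache.ContainsKey($Trustee)) { return $scopeCache[$Trustee] }
    $sam   = $Trustee.Split('\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    $scope = if ($group) { [string]$group.GroupScope } else { 'Unresolved' }
    $scopeCache[$Trustee] = $scope
    return $scope
}

# Todd's question: which scopes carry the delegation on this OU, and which
# ACEs depend on a Global Catalog being reachable when the caller's token is built?
function Get-OuDelegationReport {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $trustee = $ace.IdentityReference.Value
        $scope   = Get-TrusteeScope -Trustee $trustee
        $flags   = @()
        if ($scope -eq 'Universal') {
            # Cross-domain UG membership is only learned from a GC; with
            # IgnoreGCFailures set, a token built without one lacks the group.
            $flags += 'GCDependent'
        }
        if ($ace.AccessControlType -eq 'Deny' -and $scope -in 'Universal', 'DomainLocal') {
            # A Deny keyed to a group that may be missing from the token (UG with
            # no GC, DLG evaluated in a foreign domain) silently fails open.
            $flags += 'DenyOnScopeThatMayNotResolve'
        }
        if ($scope -eq 'Unresolved') { $flags += 'CheckOtherDomainOrDirectUser' }
        [pscustomobject]@{
            Trustee   = $trustee
            Scope     = $scope
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Flags     = ($flags -join ',')
        }
    }
}

# joe's question: what does this group have access to? Walk the OUs under a
# search base and list the explicit ACEs naming the group. For a DLG or LG one
# walk of its own domain is the whole answer; a UG or GG can be granted rights
# in any domain of the forest, so the walk has to be repeated per domain.
function Find-GroupAces {
    param([string]$SearchBase, [string]$Trustee)
    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * | ForEach-Object {
        $ou = $_
        (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee } |
            ForEach-Object {
                [pscustomobject]@{
                    Object = $ou.DistinguishedName
                    Type   = $_.AccessControlType
                    Rights = $_.ActiveDirectoryRights
                }
            }
    }
}

Get-OuDelegationReport -DistinguishedName $OuDn | Sort-Object Type, Scope | Format-Table -AutoSize
Find-GroupAces -SearchBase $OuDn -Trustee $GroupToTrace | Format-Table -AutoSize
```

Run it against an OU you delegate and read the Flags column first: anything tagged DenyOnScopeThatMayNotResolve is the case joe describes where the Deny exists on paper but not in the token that actually gets evaluated. The second report is the bounded answer a DLG or LG gives you; if the group you trace is Universal or Global, the same walk has to be rerun in every other domain before the answer is complete.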
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Wednesday, April 19, 2006 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Local Group vs Global Security Group for
Delegated Permissions in AD

Quick Question,

I was teaching a class the other day when the question came up about what
group scope should you use for delegated permissions of an OU.  I was
teaching an earlier class where I explained how to use Domain Local Groups
on Files Shares and Printers to centralize management of these resources via
AD.  The question from the students was could / should they use the same
principles for AD Delegation? I said no, based on past experience where 3rd
party delegation tools didn't like Domain Local Groups used for delegation.

This got me to thinking why and wondering what you all do and why?

I know this question is open ended, and depends on your domain structure
etc, but I am just trying to identify a real reason to say no, only use
global groups for delegation within a domain.

Thanks,

Todd Myrick
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
