RE: [ActiveDir] group structure -universal groups
I'm late but I agree with Guido and Tony here... If using Exchange, place the users directly in the UG. It will make sure your expansion is done correctly and it gets away from the whole nest this in that and then this scenario. If you aren't using Exchange, try to stay away from Uni groups, usually aren't necessary...

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 27, 2004 7:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] group structure -universal groups

yes, for DLs this would definitely be an issue - in a multi-domain forest be sure only to use UGs as DLs... (and DON'T nest GGs into the UGs). In a single domain forest it doesn't matter.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 27, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] group structure -universal groups

Daniel

Well, one option would be to simply skip the Global Group part and add your accounts directly to the UG. A problem with UGs in Windows 2000 AD was that they potentially created a lot of replication traffic between GCs. Any change to a UG membership would result in the whole membership being replicated. Windows 2003 AD offers Linked Value Replication (LVR), which allows individual group membership changes to be replicated, rather than the whole attribute. This is clearly much more efficient and removes this limitation on the use of UGs.

In any case, wouldn't having Global Groups nested in UGs cause a problem for Distribution Groups expansion? For example, how would a GC from DomainA manage to successfully expand a distribution group that contains Global Groups from DomainB?

Tony

________________________________
From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
Sent: Montag, 26. Juli 2004 22:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] group structure -universal groups

Hello, I have a question regarding group structure and administration of such. We run a multi-domain AD environment with basically an empty root domain and 2 child domains where the users live.

The problem is if we structure groups the way it is recommended (accounts into Global groups which are then placed into Universal Groups which are then placed into Domain Local groups in the domain where the resource lives and permissions applied using the Domain local group). The problem is we prefer our distribution lists (universal groups) to be managed/administered by the users/owner of the list. All distribution lists are composed of individual users presently (came from an NT 4 domain) and if we follow the recommended group practices we will nest the Global group(s) from both domains inside the Universal groups and remove the individual users presently in them and effectively they will have the same members, but when the owners try to modify the members through their Outlook client they will only see the Global group(s) and not the members of the group who will receive the messages sent to the distribution list.

Is there a better way to administer permissions in a multi domain Active Directory environment or do we set every owner of a distribution list up with rights and a tool to manage the global groups effectively adding these users to the Universal groups by nesting the global groups?

Any feedback is appreciated, thank you.

Sent via the WebMail system at mail.activedir.org

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] group structure -universal groups
yes, for DLs this would definitely be an issue - in a multi-domain forest be sure only to use UGs as DLs... (and DON'T nest GGs into the UGs). In a single domain forest it doesn't matter.

/Guido
Re: [ActiveDir] group structure -universal groups
Daniel

Well, one option would be to simply skip the Global Group part and add your accounts directly to the UG. A problem with UGs in Windows 2000 AD was that they potentially created a lot of replication traffic between GCs. Any change to a UG membership would result in the whole membership being replicated. Windows 2003 AD offers Linked Value Replication (LVR), which allows individual group membership changes to be replicated, rather than the whole attribute. This is clearly much more efficient and removes this limitation on the use of UGs.

In any case, wouldn't having Global Groups nested in UGs cause a problem for Distribution Groups expansion? For example, how would a GC from DomainA manage to successfully expand a distribution group that contains Global Groups from DomainB?

Tony
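Added example, not part of the original thread: a simplified Python model of the expansion problem raised in the message above and confirmed in Guido's reply. It assumes a global catalog can read universal-group membership forest-wide but can read the members of a global group only for its own domain; all group and user names are constructed.

```python
# Simplified model with constructed data: a global catalog (GC) holds the
# member list of every universal group in the forest, but the member list
# of a global group only when that group lives in the GC's own domain.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    domain: str
    scope: str                                   # "universal" or "global"
    members: list = field(default_factory=list)  # user names or Group objects

def gc_can_read_members(group, gc_domain):
    """True if a GC located in gc_domain holds this group's member list."""
    return group.scope == "universal" or group.domain == gc_domain

def expand(dl, gc_domain):
    """Expand a distribution list on a GC; return (recipients, unexpandable)."""
    recipients, unexpandable = set(), []
    stack, seen = [dl], set()
    while stack:
        g = stack.pop()
        key = (g.domain, g.name)
        if key in seen:                  # guard against circular nesting
            continue
        seen.add(key)
        if not gc_can_read_members(g, gc_domain):
            unexpandable.append(g.name)  # nested group is visible, members are not
            continue
        for m in g.members:
            if isinstance(m, Group):
                stack.append(m)
            else:
                recipients.add(m)
    return recipients, sorted(unexpandable)

# Constructed forest: two child domains, as in the original question.
gg_a = Group("GG-Sales-A", "DomainA", "global", ["alice", "amir"])
gg_b = Group("GG-Sales-B", "DomainB", "global", ["bea", "boris"])
nested_dl = Group("DL-Sales", "DomainA", "universal", [gg_a, gg_b])
flat_dl = Group("DL-Sales-Flat", "DomainA", "universal",
                ["alice", "amir", "bea", "boris"])

if __name__ == "__main__":
    for dl in (nested_dl, flat_dl):
        for gc in ("DomainA", "DomainB"):
            print(dl.name, "expanded on a GC in", gc, "->", expand(dl, gc))
```

With the nested layout the recipient set depends on which domain's GC performs the expansion; with users placed directly in the universal group it does not.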
[ActiveDir] group structure -universal groups
Hello, I have a question regarding group structure and administration of such. We run a multi-domain AD environment with basically an empty root domain and 2 child domains where the users live.

The problem is if we structure groups the way it is recommended (accounts into Global groups which are then placed into Universal Groups which are then placed into Domain Local groups in the domain where the resource lives and permissions applied using the Domain local group). The problem is we prefer our distribution lists (universal groups) to be managed/administered by the users/owner of the list. All distribution lists are composed of individual users presently (came from an NT 4 domain) and if we follow the recommended group practices we will nest the Global group(s) from both domains inside the Universal groups and remove the individual users presently in them and effectively they will have the same members, but when the owners try to modify the members through their Outlook client they will only see the Global group(s) and not the members of the group who will receive the messages sent to the distribution list.

Is there a better way to administer permissions in a multi domain Active Directory environment or do we set every owner of a distribution list up with rights and a tool to manage the global groups effectively adding these users to the Universal groups by nesting the global groups?

Any feedback is appreciated, thank you.