Re: Domain Local Security vs Global Security vs Universal Security Groups



It is not really an issue of whether anyone knows, or not, but of the
huge scale that would be a complete answer. Perhaps if you were
to review some of the information in the resource kit documentation
www.reskit.com
and then post more narrow question(s).

For an example of how non-simple some aspects of group usage
can be, take a look at a recent thread we had on
microsoft.public.windows.server.active_directory
with subject
Best practive to clean up AD groups
that started on
Thursday, October 12, 2006 2:31 AM

In the particular example with two domains that you presented,
you cannot use a domain local group except in its domain (hence
it is local to that domain). So yes, you can use a domain local on
a member of the same domain, but whether you should or when is
an entire further discussion. Globals can be seen/used outside of
their domain, and have the limitation that they can only contain objects
(users or other groups) that are defined in their own domain (hence
a global group can represent some part of its domain globally
throughout the forest).

"Kshaeta" <visual.eyes@xxxxxxxxx> wrote in message
news:eSuQWf58GHA.4552@xxxxxxxxxxxxxxxxxxxxxxx
Nobody knows the answer to this?


Kshaeta wrote:
I've read lots on these, and I still don't really understand them.

I know how they work together, how certain ones can't be part of others,
etc. But I don't really understand how they work, or where and when to
use them.

Where are DLS (Domain Local Security) groups used, and why?
How about Global Groups? Universal Groups?

Is there any good documentation that explains how these are used and why?

One reason I ask, is say for this problem. I have two security groups,
within my domain, and two servers in my domain. One server is a domain
server (DOM), the other is a member server (MEM).
I have 2 security groups. The difference between the two is one is a
DLS group, the other is a GS group. The DLS one doesn't allow the
security group to be set on servers other than the domain servers. That
is, if you are on DOM and you create a directory, you can grant it
"Information Systems_DLS" security, or "Information Systems_GS" security.
But if you log on to MEM, and try that it won't work. You need to grant
it "Information Systems_GS". The option to grant any DLS doesn't even
show up in the security selection on the member server.

I don't really grasp this. Should "Domain level Security" allow you to
grant that security group to any member server?

Thanks for any info.

bil

--
Bill Tkach
MSP, A+
visual{period}eyes{period}this{at}gmail{period}com

