Groups
A group is an object that can contain other security principals as its members. It can also be a member of another group.
As the two domains are in different forests, we can only add users from one domain to a domain local group in the other domain. Universal groups and global groups cannot contain members from another forest.
The Groups are of two types:
1. Security Groups
2. Distribution Groups
The Security Groups are of three types:
1. Domain Local Groups
2. Global Groups
3. Universal Groups
Group Type | Can Access Resources of | Can have Members from |
Domain Local | Own Domain (Local Resources only) | Any Domain Any Forest |
Global | Any Domain Any Forest | Own Domain (Local Resources only) |
Universal | Any Domain Same Forest | Any Domain Same Forest |
Group scope
http://technet.microsoft.com/en-us/library/cc755692.aspx
NOTE:
· Universal groups can only be created when all the domain controllers are at least in Windows Server 2003 native mode
o No NT DCs
· Also remember A G DL P (Accounts, Global groups, Domain Local groups, Permissions)
o Add global groups to domain local groups and then apply permissions to the domain local groups.
· So most of the Policies need to be Local.
· Universal / global groups increase traffic across the whole network. They also increase the traffic on Global Catalogs and Infrastructure Masters.
· Also note that Group Policy is never applied to groups but to OUs (Organizational Units).
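The A G DL P pattern from the notes above, as an added PowerShell example (not part of the original post) using the ActiveDirectory module in a single domain. The domain name CORP, the OU path, the folder, and all group and account names are assumed placeholders.

```powershell
# Added example: every name, OU path and folder below is a placeholder.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds group objects
$folder = 'D:\Shares\Finance'              # assumed existing NTFS folder

# A -> G: a global security group collects the accounts of one role.
New-ADGroup -Name 'G_Finance_Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G_Finance_Staff' -Members 'alice', 'bob'   # assumed accounts

# G -> DL: a domain local security group stands for one permission on one resource.
New-ADGroup -Name 'DL_Finance_Share_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL_Finance_Share_Modify' -Members 'G_Finance_Staff'

# DL -> P: the NTFS permission is granted to the domain local group only.
$acl  = Get-Acl -Path $folder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CORP\DL_Finance_Share_Modify', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: list domain local security groups that have user accounts as direct
# members, i.e. places where the global-group tier was skipped.
$filter = "GroupScope -eq 'DomainLocal' -and GroupCategory -eq 'Security'"
Get-ADGroup -Filter $filter -SearchBase $ou -Properties member |
    ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            $m = Get-ADObject -Identity $dn
            if ($m.ObjectClass -eq 'user') {
                [pscustomobject]@{ Group = $group.Name; DirectUser = $m.Name }
            }
        }
    }
```

An empty result from the final check means every domain local group under the OU receives its users through nested groups rather than direct membership.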
Other types of groups:
· Distribution Groups.
· No NTFS permissions are possible in Distribution Groups.
· They are used only for email and other purposes where distribution is a need.