Re: Quick Question - Whats the differance. . .

A general rule of thumb is that

Users go into Global Groups
Global Groups go into Local groups
Local Groups are assigned access to resources

As already mentioned Server local groups can only be used to grant access to
resources that are local to that Server, and can contain users or groups from
their Domain and any trusted Domain. Domain Local groups can be used to grant
access to resources on any server within the Domain, but can also contain
users and groups from it's domain and any trusted Domain.

An example of when to use the groups.

The Server local group is used to permission the resource on the Server.
Reason - the Server Owner/Administrator owns and administers this group, and
controls what it has access to on their server. The Server owner does not
need to have any rights over AD to do this.

The Domain Local group is created and the Server Owner Adds this to the
Server Local group. Accounts Administrators can administer this group in AD
and add/remove global groups/Users to the resource as necessary, without
needing any rights to the Server.

In a large organisation where this type of segregation of duties is more
common there is perhaps more need for this model. In a smaller organisation,
where server owners/Domain Administrators are one and the same, arguably you
could do without Server local groups and just use domain local groups for
assigning access to Server Based resorces.

This is just one example of how to use these groups, you will see plenty of
other suggestions on the web. And how your organisation uses the groups
depends on what you need to achieve eg. for cluster Servers you would more
likely want to use Domain Local groups as these would span the cluster nodes.

I have found a couple of links that discuss group usage, although I find
alot of them leave out Server Local groups altogether.

http://www.mcpmag.com/columns/article.asp?EditorialsID=181
http://support.microsoft.com/?kbid=231273
http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1025717,00.html

HTH

Jody

"Nick" wrote:

> Can you please give me an example when you would Local Domain Groups.
>
> Also would you add Global Groups to this.
>
> Any links with further information would be good
>
> Thanks for the responce
>
>
>
> "Nick" <Nick@xxxxxxxxxxxxx> wrote in message
> news:3ek1peF3ic4eU1@xxxxxxxxxxxxxxxxx
> > Whats the differance between Local Server Groups and Local Domain Groups.
> >
> > When would you use Local Domain Groups.
> >
> > Thanks
> >
> >
>
>
>
.

Relevant Pages

  • Re: Everyone, Users, and Guests
    ... Gloabal Guests or Local Guests groups for any type of access if you ... >Global Groups go into Local Groups, ... >Local Groups are given permissions to resources. ...
    (microsoft.public.win2000.security)
  • RE: file share migration
    ... migrate local groups from one server to another. ... You are right that the File Server Migration Wizard does not support ... MSVR-Migrator Key Benefits ...
    (microsoft.public.windows.server.migration)
  • Re: Quick Question - Whats the differance. . .
    ... > Local Groups are assigned access to resources ... > As already mentioned Server local groups can only be used to grant access ... > resources that are local to that Server, and can contain users or groups ... > where server owners/Domain Administrators are one and the same, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Copy local Groups -- Get SID
    ... that the local Groups on the Windows NT 4.0 Server ... > contains global groups of the domain. ... > can read the SIDs of my old local groups to create these groups on the ...
    (comp.lang.perl.misc)
  • Re: Migrating security & sharing permissions and local groups
    ... What is the reason here for use of local groups? ... You can still move existing shares from one server to another. ... Microsoft MVP - Windows Security ... I need to migrate these folders and files along with the ...
    (microsoft.public.windows.server.general)
Loading