Re: Universal Groups

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

---

• From: "P" <p@xxxxx>
• Date: Wed, 27 Sep 2006 13:03:57 +0800

---

Okay.. this is a single domain spread over multiple sites to GC's at each
site.. so technically its not a problem but its still not a great idea..

I was wondering if long term local/global groups would dissapear and it
would just be a universal group world..

regards

paul

"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:5Dwltdd4GHA.1864@xxxxxxxxxxxxxxxxxxxxxxxx

Hi,

Two Points:

1. We use domain local group for security reason.Groups with domain local
scope help you define and manage access to resources within a single
domain. These groups can have as their members:

Groups with global scope
Groups with universal scope
Accounts
Other groups with domain local scope
A mixture of any of the above

For example, to give five users access to a particular printer, you could
add all five user accounts in the printer permissions list. If, however,
you later want to give the five users access to a new printer, you would
again have to specify all five accounts in the permissions list for the
new
printer.

With a little planning, you can simplify this routine administrative task
by creating a group with domain local scope and assigning it permission to
access the printer. Put the five user accounts in a group with global
scope
and add this group to the group having domain local scope. When you want
to
give the five users access to a new printer, assign the group with domain
local scope permission to access the new printer. All members of the group
with global scope automatically receive access to the new printer.


2. When using Universal group,client will contact GC to check permission.
It will lead to the performance issue if you don't have a GC in current
site.

Thanks.



Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

From: "P" <p@xxxxx>
Subject: Universal Groups
Date: Tue, 26 Sep 2006 16:38:52 +0800
Lines: 25
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-RFC2646: Format=Flowed; Original
Message-ID: <e1a6scU4GHA.1492@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.migration
NNTP-Posting-Host: 203.19.211.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl

microsoft.public.windows.server.migration:25141

X-Tomcat-NG: microsoft.public.windows.server.migration

Hi

Just wondering, in a win2003 native forest, is there any negative
administrative overheads using universal groups exclusively? (ie no more
global/local)

The reason I ask is that I have a major intraforest migration I have to

do,

and ADMT is a little too smart for its own good in the sense that it
converts domain local groups to universal and then back to local when the
members are migrated. But the resource server is also the domain

controller

and thus the DCPromo will happen much later. Therefore I need to keep the
local groups as universal until the complete conversion is finished.

Given that I'm running win2003 native AD, and given that on completion of
this process its all a single forest/domain, do I actually improve
performance by converting back to domain local?

p.s I have something like 30000 (don't ask) local groups to move from one
domain to another.

thanks

Paul

.

---

• Follow-Ups:
  • Re: Universal Groups
    • From: Vincent Xu [MSFT]

• References:
  • Universal Groups
    • From: P
  • RE: Universal Groups
    • From: Vincent Xu [MSFT]

• Prev by Date: Re: Security Translation on ADMT2.0 problem
• Next by Date: RE: WinR2, FSMT and Printer Migration utility 3.1
• Previous by thread: RE: Universal Groups
• Next by thread: Re: Universal Groups
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Universal Groups ... Groups with global scope ... For example, to give five users access to a particular printer, you could ... add all five user accounts in the printer permissions list. ... local scope permission to access the new printer. ... (microsoft.public.windows.server.migration) Re: "x.constructor == Foo" vs "x instanceof Foo" ... The second declaration for `a' overwrites the reference with one to another ... Javascript variables that aren't declared in a function scope ... named functions defined in the global scope ... (comp.lang.javascript) Re: Restricting A Function To Be In Scope of Constructor Method ... scope) function is just an external function no fricking matter what, ... External functions know nothing about custom objects they appertain to ... Static protected method constructor of a class constructor. ... completely independent from the Global scope. ... (comp.lang.javascript) Re: A "does global variable exist" function ... irrelevance of such a function (a simple typeof test should be ... is impossible to use eval to run code with global scope, ... that this question is not asking for a script injection solution ... constructor) in a nested local scope without pollution from the ... (comp.lang.javascript) Variable Scope in Include Files ... file that declares a constant DAY_NUM. ... but then I get a new one where index.php refers to ... I was assuming that any constant had global scope and therefore when I ... (comp.lang.php)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.migration  > 2006-09