Hello Graham - as always: "it depends"... and this is mostly about whether
you're in a single-domain or multi-domain forest.

In a single domain, the group scope obviously doesn't matter - you can
even nest groups of the same type to achieve any nesting, if you need
it.

Nesting still makes sense at times, e.g. when you grant different
admin groups different permissions to an OU, but in the end, all of the
admins should have read permissions to the whole OU (assuming you're
hiding something from normal users) => I typically have a
"PREFIX-AllAdmins" group for each OU representing an administrative unit,
and this group contains all other admin groups for that unit (e.g.
user-admins, client-admins, helpdesk etc.). Scope for all groups can be
local, as you're likely not going to set permissions via these groups on
other objects in AD.

In a multi-domain environment, the scope of the groups is obviously more
important - if permissions are to be applied to objects from different
domains and these permissions are granted on the configuration container
(e.g. for Exchange), you'll want to use universal groups, as a local
group can't grant the required permission on the same data in the config
container hosted on a DC in another domain...
However, even in multi-domain forests, you often just need access to
data in your own domain NC, so local groups are usually fine to
use.

Finally - also for multi-domain forests - you have to consider
visibility: if you want to see the memberships of your AD groups on the
users (i.e. the memberOf tab) for any groups in the forest, then you may
want to choose UGs just for that reason. If you don't care, then local
groups will be fine and cause less replication traffic (but more
headaches during recovery of deleted members).

HTH

Cheers,
Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Thursday, September 02, 2004 2:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] windows 2000 directory permissioning

This post relates to the general tenet of permissioning of AD objects -
OUs et al. - and seeks views on how ACLs are applied to an OU (or, for
that matter, any directory object I suppose).

All the delegation references seem to indicate that group objects should
be used as ACEs - totally happy with this.

However, the main issue I seek views on is the SCOPE of these groups -

in the days when we used ACLs to set permissions on NTFS directories, we
were given the tenet of "use LOCAL GROUPS" to set permissions, and add
global groups to the local groups - AGLP being the well-known acronym.

If we reference the raft of delegation guides, these seem to propose the
use of GLOBAL groups as the entity that is added to the ACL.

I have no problem with this, but it just seems to "go against the grain"
of the methodology of the NTFS permissioning?

Is this perhaps borne out of a subtlety in the way the Windows 2000 LSA
manages directory objects vs. NTFS permissions?

A final point that I think is relevant references the way in which "DNS
Admins" is in fact a group, but one which is LOCAL in scope.

Views will be gladly received.

GT

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
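The "PREFIX-AllAdmins" pattern from Guido's reply (one umbrella group per administrative OU, with the role groups nested inside it, all domain-local in a single domain), expressed as an added PowerShell example. This is not code from the thread: it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, so far newer tooling than the Windows 2000 environment being discussed), and the OU names, group names and the SALES prefix are placeholders. The user-class schema GUID used for the object-specific ACE is the well-known value bf967aba-0de6-11d0-a285-00aa003049e2.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# and the AD: PSDrive it provides; run as an account that can create groups
# and modify the OU's security descriptor. All names below are placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Sales,DC=example,DC=com'            # placeholder: the delegated OU
$grpPath = 'OU=Groups,OU=Sales,DC=example,DC=com'  # placeholder: where the groups live
$prefix  = 'SALES'                                 # placeholder: per-OU naming prefix

# Single domain: scope does not matter for OU ACLs, so Domain Local is used
# throughout. In a multi-domain forest where the ACE has to be evaluated by
# DCs of other domains (e.g. on the configuration NC), use -GroupScope Universal.
$scope = 'DomainLocal'

# Umbrella group that every admin role for this OU is nested into.
$allAdmins = New-ADGroup -Name "$prefix-AllAdmins" -GroupScope $scope `
    -GroupCategory Security -Path $grpPath -PassThru

# Role groups; same scope, so they can be nested into the umbrella group.
$roles = @{}
foreach ($role in 'UserAdmins', 'ClientAdmins', 'Helpdesk') {
    $roles[$role] = New-ADGroup -Name "$prefix-$role" -GroupScope $scope `
        -GroupCategory Security -Path $grpPath -PassThru
}
Add-ADGroupMember -Identity $allAdmins -Members $roles.Values

# Re-read the groups so the SID property is populated for the ACEs below.
$allAdminsSid  = (Get-ADGroup $allAdmins).SID
$userAdminsSid = (Get-ADGroup $roles['UserAdmins']).SID

$acl = Get-Acl -Path "AD:\$ou"

# 1) Everyone in *-AllAdmins gets read on the OU and everything beneath it.
$readAll = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $allAdminsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($readAll)

# 2) Only *-UserAdmins may create and delete user objects in the subtree.
#    The object type restricts the CreateChild/DeleteChild right to the
#    "user" schema class (well-known schemaIDGUID).
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$manageUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $userAdminsSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($manageUsers)

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: show only the ACEs that reference this OU's admin groups.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$prefix-*" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Because the role groups and the umbrella group share a scope, the nesting is legal in either direction, which is the point Guido makes about single-domain forests; changing `$scope` to `Universal` is the only edit needed if the same groups later have to appear in ACLs on the configuration partition or be visible on the memberOf tab of users in other domains.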

