RE: [ActiveDir] Univ group best practice

[Joe]

Everyone says this "as the UG is replicated via the GC anyways." but I personally don't like it because it seems to want to force you to think the group doesn't exist on normal DCs and it does, but it is also replicated across the GC's.   Actually looking at it that way, the best place is the domain where most of the user's are versus where it will most be used (my earlier statement) because it will always be in your token then when you log on since you have to authenticate at a DC for your own domain.     joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1) Sent: Tuesday, November 04, 2003 9:43 AM To: [EMAIL PROTECTED] I'd place them where they're managed.  I.e. if a delegated admin of a sub-domain is managing a resource that is supposed to be secured with a UG, then place the UG in an OU where he is delegated enough permissions to manage the group. Usually, this also equates to hosting the UG in the domain where most users come from. But UGs can be placed into any domain, as the UG is replicated via the GC anyways. From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: Montag, 3. November 2003 15:59 To: [EMAIL PROTECTED] Subject: [ActiveDir] Univ group best practice We’re just getting started with universal groups (for security, not distribution) and I’m just wondering as a best practice, where should they be located? We have a so-called empty root, and a few sub-domains, so where does it make the most sense to place the Universal Groups as they are created? Thanks!   Mark Creamer Systems Engineer Cintas Corporation http://www.cintas.com Honesty and Integrity in Everything We Do