Yes, it should be clear that a UG is a "normal" group object, just like a global and local group, and as such is stored in the Domain Naming Context. Of course its member attribute is replicated to the Partial Attribute Set of the GCs, which is not the case for Global and Local groups.
 
However, the group won't only be added to the token of users of the same domain; it will be added to users of any domain at logon time => this is why you are required to contact a GC at logon (and you won't be able to log on without a GC being available unless you've specified this not to be a requirement via the reg-hack - this has obviously been improved in 2003 with the UG membership caching).
 
This is different with Local Groups - Local Groups from other domains won't be added to your token until you request authentication to a resource in another domain and then contact one of the other domain's DCs. And global groups obviously don't have that problem, as they're scoped only to contain objects from within the same domain.
 
As such, you'll have less hassle from a security perspective (e.g. setting up permissions to delegate management of a UG) if you place the UG in the same domain/OU as the resource's administrator and grant the appropriate permissions. This will also enable this poor admin to edit the group in ADUC without having to change the focus between various domains to connect to a DC with a writable naming context for that group...
 
/Guido
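As an added example of the placement advice in the reply above (this is not code from the thread or from any of its authors): create the universal security group in the sub-domain OU where the resource admin is already delegated, grant that admin write access to the group's member attribute, and then show from a workstation which domain groups actually ended up in the logon token. It assumes a modern environment with the RSAT ActiveDirectory module (tooling that postdates the thread), a hypothetical forest with an empty root example.com and a sub-domain sub.example.com, a writable DC dc1.sub.example.com, a GC reachable as gc.example.com, an OU `OU=Resource Groups,DC=sub,DC=example,DC=com`, and a delegated admin account SUB\resadmin; all of these names are assumptions.

```powershell
# Added example, not from the thread. Domains, DC/GC names, OU, group and account are assumptions.
# Requires the RSAT ActiveDirectory module and rights to create groups and ACEs in the target OU.
Import-Module ActiveDirectory

$SubDomainDC   = 'dc1.sub.example.com'                          # writable DC of the sub-domain
$ForestGC      = 'gc.example.com:3268'                          # any GC, LDAP port 3268
$GroupOU       = 'OU=Resource Groups,DC=sub,DC=example,DC=com'  # OU the resource admin is delegated in
$GroupName     = 'UG-FileShare-Finance-RW'
$ResourceAdmin = 'SUB\resadmin'

# 1. Create the universal *security* group in the sub-domain where its admin works.
#    -Server pins the write to a DC that holds the writable naming context for that domain,
#    which is exactly the hop ADUC would otherwise force the admin to make by hand.
New-ADGroup -Name $GroupName -SamAccountName $GroupName `
    -GroupScope Universal -GroupCategory Security `
    -Path $GroupOU -Server $SubDomainDC `
    -Description 'Universal security group; members may come from any domain in the forest'

# 2. Delegate membership management to the resource admin for group objects in that OU.
#    dsacls ACE syntax: user:permission;attribute;inherited-object-class
#    WP = write property, on the "member" attribute, inherited to objects of class "group".
#    /I:S applies the ACE to child objects only (not to the OU itself).
dsacls $GroupOU /I:S /G "${ResourceAdmin}:WP;member;group"

# 3. Verify the inherited ACE is present on the new group (the AD: drive comes with the module).
$group = Get-ADGroup -Identity $GroupName -Server $SubDomainDC
$acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$acl.Access |
    Where-Object { $_.IdentityReference -eq $ResourceAdmin } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

# 4. From a workstation, list the domain groups in the current logon token, grouped by owning
#    domain and resolved to their scope via the GC. Universal groups from other domains show up
#    here at logon; domain-local groups from other domains do not, as the reply above explains.
function Get-TokenGroupScopes {
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-5-21-*' } |     # domain SIDs only; skip well-known/builtin
        ForEach-Object {
            # A GC can resolve a SID from any domain in the forest; groupType is in the partial attribute set.
            $g = Get-ADGroup -Identity $_.SID -Server $ForestGC -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Domain = ($_.'Group Name' -split '\\')[0]
                Group  = ($_.'Group Name' -split '\\')[-1]
                Scope  = if ($g) { $g.GroupScope } else { 'unresolved' }
            }
        } | Sort-Object Domain, Scope, Group
}

Get-TokenGroupScopes | Format-Table -AutoSize
```

Step 4 is the check to run as a user from the root domain after being added to the new group: the entry should appear with `Domain = SUB` and `Scope = Universal` even though the user never authenticated against a sub-domain DC, because the GC supplied the universal membership at logon.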


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 00:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Univ group best practice

Everyone says this ("as the UG is replicated via the GC anyway"), but I personally don't like it because it seems to want to force you to think the group doesn't exist on normal DCs, and it does; it is also replicated across the GCs.
 
Actually, looking at it that way, the best place is the domain where most of the users are, versus where it will most be used (my earlier statement), because it will always be in your token then when you log on, since you have to authenticate at a DC for your own domain.
 
  joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, November 04, 2003 9:43 AM
To: [EMAIL PROTECTED]

I'd place them where they're managed. I.e., if a delegated admin of a sub-domain is managing a resource that is supposed to be secured with a UG, then place the UG in an OU where he is delegated enough permissions to manage the group. Usually, this also equates to hosting the UG in the domain where most users come from. But UGs can be placed into any domain, as the UG is replicated via the GC anyway.


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, 3 November 2003 15:59
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Univ group best practice

We’re just getting started with universal groups (for security, not distribution) and I’m just wondering as a best practice, where should they be located? We have a so-called empty root, and a few sub-domains, so where does it make the most sense to place the Universal Groups as they are created? Thanks!

 

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do