Yes, Unis get bad documentation and a lot of people have misunderstandings around them.

I actually saw a post once in one of the ms.pub newsgroups where a softie indicated that even if a domain was removed from a forest, Unis from that domain would still be available.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Friday, November 07, 2003 3:11 AM
To: [EMAIL PROTECTED]

Absolutely, which is why I was slightly surprised to see the following in the Windows Server 2003 Help under the heading "Global Catalog Replication":

"When you first create a universal group, you do so from any domain that is set to the domain functional level of Windows 2000 or higher. The universal group temporarily resides in the domain directory partition from where the group was created until the global catalog queries the domain for changes. Once the global catalog acquires the new object, changes are replicated to other global catalogs in the forest."

I think the Help wording here is incorrect (or at best misleading). The group doesn't "temporarily reside in the domain directory partition" - it always resides in the domain directory partition. I think what the writer meant to say was that the membership of the UG is only known to the domain directory partition until such time as the membership is first replicated to the GC.

Objects don't "live" in the GC. The GC simply holds a subset of information (partial attribute set) about the objects that exist in each of the domain naming contexts in the forest.

Just my 2 cents.

Tony
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, 7 November 2003 06:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Univ group best practice

Yes, it should be clear that a UG is a "normal" group object just like a global and local group and as such is stored in the Domain Naming Context. Of course its member attribute is replicated to the Partial Attribute Set of the GCs, which is not the case for Global and Local groups.

However, the group won't only be added to the token of users of the same domain, it will be added to users of any domain at logon time => this is why you need to contact a GC at logon (and you won't be able to log on without a GC being available unless you've specified this not to be a requirement via the reg-hack - this has obviously been improved in 2003 with the UG membership caching).

This is different with Local Groups - Local Groups from other domains won't be added to your token until you are requesting authentication to a resource in another domain and then contact one of the other domain's DCs. And global groups obviously don't have that problem, as they're scoped only to contain objects from within the same domain.

As such, you'll have less hassle from a security perspective (e.g. setting up permissions to delegate management of a UG) if you place the UG into the same domain/OU as the resource's administrator and grant the appropriate permissions. This will also enable this poor admin to edit the group in ADUC without having to change the focus between various domains to connect to a DC with a writable naming context for that group...
/Guido

From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 5 November 2003 00:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Univ group best practice

Everyone says this "as the UG is replicated via the GC anyways." but I personally don't like it because it seems to want to force you to think the group doesn't exist on normal DCs and it does, but it is also replicated across the GCs.

Actually looking at it that way, the best place is the domain where most of the users are versus where it will most be used (my earlier statement) because it will always be in your token then when you log on since you have to authenticate at a DC for your own domain.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, November 04, 2003 9:43 AM
To: [EMAIL PROTECTED]

I'd place them where they're managed. I.e. if a delegated admin of a sub-domain is managing a resource that is supposed to be secured with a UG, then place the UG in an OU where he is delegated enough permissions to manage the group. Usually, this also equates to hosting the UG in the domain where most users come from. But UGs can be placed into any domain, as the UG is replicated via the GC anyway.

From: Creamer, Mark [mailto:[EMAIL PROTECTED]]
Sent: Monday, 3 November 2003 15:59
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Univ group best practice

We're just getting started with universal groups (for security, not distribution) and I'm just wondering as a best practice, where should they be located? We have a so-called empty root and a few sub-domains, so where does it make the most sense to place the Universal Groups as they are created? Thanks!

Mark Creamer
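The following is an added example, not code posted by anyone in the thread. It makes the points Guido and Tony make above observable: a universal group is an ordinary group object in its domain naming context and is readable in full from a DC of that domain, while a GC in another domain holds only the partial attribute set, in which the member attribute is populated for universal groups but not for global or domain local groups. The last part reads the constructed attribute tokenGroups, which a DC computes the same way it builds a logon token (contacting a GC for universal group membership). All names are assumptions for illustration: the child domain child.example.com with DC dc1.child.example.com, a GC gc1.example.com in the forest root, three groups under OU=Groups in the child domain, and a root-domain user Alice.

```powershell
# Added example (not from the thread). Assumed names: child.example.com,
# dc1.child.example.com (a DC of the child), gc1.example.com (a GC in the
# forest root), three groups under OU=Groups in the child, root user Alice.
# A GC holds a FULL replica of its own domain, so the GC used here must be in
# a different domain than the groups or you will see all members everywhere.
# Needs a domain-joined Windows host with read access; uses only
# System.DirectoryServices, so no RSAT module is required.

$dc = 'dc1.child.example.com'
$gc = 'gc1.example.com'
$groupDns = @(
    'CN=UG-FileAdmins,OU=Groups,DC=child,DC=example,DC=com'   # universal security group
    'CN=GG-Staff,OU=Groups,DC=child,DC=example,DC=com'        # global security group
    'CN=DL-ShareRW,OU=Groups,DC=child,DC=example,DC=com'      # domain local security group
)

# groupType flag bits as defined in the AD schema
$GROUP_TYPE_GLOBAL       = 0x00000002
$GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
$GROUP_TYPE_UNIVERSAL    = 0x00000008
$GROUP_TYPE_SECURITY     = 0x80000000

function Get-GroupScope([int]$groupType) {
    if ($groupType -band $GROUP_TYPE_UNIVERSAL)    { return 'Universal' }
    if ($groupType -band $GROUP_TYPE_GLOBAL)       { return 'Global' }
    if ($groupType -band $GROUP_TYPE_DOMAIN_LOCAL) { return 'DomainLocal' }
    return 'Unknown'
}

function Get-GroupView([string]$Server, [string]$Dn, [string]$Provider) {
    # Provider 'LDAP' binds to the domain NC (port 389) and sees the full
    # object; 'GC' binds to the global catalog (port 3268) and sees only the
    # partial attribute set the GC keeps for other domains.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("${Provider}://$Server/$Dn")
    $groupType = [int]$entry.Properties['groupType'].Value
    [pscustomobject]@{
        Source      = "${Provider}://$Server"
        Group       = [string]$entry.Properties['cn'].Value
        Scope       = Get-GroupScope $groupType
        Security    = [bool]($groupType -band $GROUP_TYPE_SECURITY)
        MemberCount = $entry.Properties['member'].Count   # 0 on the GC for non-universal groups
    }
}

function Get-TokenGroupNames([string]$Server, [string]$UserDn) {
    # tokenGroups is constructed on request, so it has to be fetched explicitly.
    $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$UserDn")
    $user.RefreshCache([string[]]@('tokenGroups'))
    foreach ($sidBytes in $user.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # SID that cannot be resolved right now (e.g. unreachable domain)
    }
}

# 1. The same three group objects as seen by their own DC and by a GC in the root.
$views = foreach ($dn in $groupDns) {
    Get-GroupView -Server $dc -Dn $dn -Provider 'LDAP'
    Get-GroupView -Server $gc -Dn $dn -Provider 'GC'
}
$views | Format-Table -AutoSize

# 2. What a root-domain user's token contains: the child domain's universal
#    group appears if she is a member; the child's domain local group cannot,
#    because that is only added by a child DC when she authenticates there.
Get-TokenGroupNames -Server 'dc1.example.com' -UserDn 'CN=Alice,OU=Users,DC=example,DC=com'
```

Expect the LDAP rows to show members for all three groups and the GC rows to show members only for the Universal one; the Scope column is identical in both, which is Tony's point that the object itself lives in the domain NC and the GC merely mirrors a subset of its attributes. Reading tokenGroups requires permission on that attribute for the user being inspected, and the Windows Server 2003 universal group membership caching Guido mentions changes nothing in what is stored; it only lets DCs in a site answer the universal group lookup from a cache instead of a GC.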