Along the same lines, the DL groups should primarily contain global groups and not individuals right? Anyone have a doc on a "security group creation standard"? Funny, over 10 years of admin and I haven't had to deal with this particular issue, usually it's been smaller scale or simply not on my plate...
Dave Lum - Systems Engineer
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands"

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 29, 2008 5:40 PM
To: NT System Admin Issues
Subject: RE: AD groups Domain local, global, universal

I disagree. If you want to scale the management of your groups, I would stick to Users -> Global -> DL -> Resources.

The global groups should be functional/role based, and the DL groups should be resource based. That makes it easy to see what /roles/ have access to things, as well as what users are in what roles.

Cheers
Ken

From: James Winzenz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 30 April 2008 7:08 AM
To: NT System Admin Issues
Subject: RE: AD groups Domain local, global, universal

No need for domain local if only users from the domain will be accessing the share. Global Security group, add members to the group, assign appropriate NTFS permissions to the group on the network share. The old NT4 strategy was AGDLP (Accounts -> Global groups, Global groups -> Domain Local groups, permissions -> Domain Local groups). You don't need the Domain Local part any more, especially since both the server and the accounts are in the same domain.

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services

________________________________

From: David Lum [mailto:[EMAIL PROTECTED]
Posted At: Tuesday, April 29, 2008 1:01 PM
Posted To: NTSysadmin
Conversation: AD groups Domain local, global, universal
Subject: AD groups Domain local, global, universal

Scenario: Two domains, domain.local and a child domain called subdomain. All users in the company are in subdomain.domain.local, Exchange servers are in subdomain as well. Effectively *everything* is in subdomain.

I have a share \\ServerA.subdomain.domain.local\share and I want to create a security group to access this share. I'll name it _Servername\Share.
A quick Google-fu refresher makes me think in my case the security groups should be domain local and distribution lists should be global. I have a separate forest (otherdomain.local) that sometimes subdomain.domain accounts hit, but I don't think it has any bearing on this decision.

Comments?

Dave Lum - Systems Engineer
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands"
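
The Users -> Global -> DL -> Resources layering discussed in this thread, as an added PowerShell example that is not part of the original messages. The group names, OU, sample accounts and NetBIOS domain name are hypothetical placeholders; the final pipeline is one way to check a "domain local groups contain only groups" standard.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and rights to create groups.
# All names below are hypothetical placeholders, except the share path from the thread.
Import-Module ActiveDirectory

$domain    = 'SUBDOMAIN'                                  # NetBIOS name (assumed)
$groupOU   = 'OU=Groups,DC=subdomain,DC=domain,DC=local'  # assumed OU
$sharePath = '\\ServerA.subdomain.domain.local\share'     # share named in the thread
$roleGroup = 'GG_Role_Accounting'                         # global: who people are
$resGroup  = 'DL_ServerA_Share_Modify'                    # domain local: what is accessed

# A -> G: users go into a role-based global group.
New-ADGroup -Name $roleGroup -GroupCategory Security -GroupScope Global -Path $groupOU
Add-ADGroupMember -Identity $roleGroup -Members 'jdoe', 'asmith'   # sample accounts

# G -> DL: the role group is nested in a resource-based domain local group.
New-ADGroup -Name $resGroup -GroupCategory Security -GroupScope DomainLocal -Path $groupOU
Add-ADGroupMember -Identity $resGroup -Members $roleGroup

# DL -> P: only the domain local group appears on the NTFS ACL.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$resGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Standard check: report domain local security groups whose direct members
# are not groups (users or computers added directly, bypassing the role layer).
Get-ADGroup -Filter "GroupScope -eq 'DomainLocal' -and GroupCategory -eq 'Security'" -SearchBase $groupOU |
    ForEach-Object {
        $dl = $_
        Get-ADGroupMember -Identity $dl |
            Where-Object { $_.objectClass -ne 'group' } |
            Select-Object @{n='DomainLocalGroup';e={$dl.Name}}, SamAccountName, objectClass
    }
```

An empty result from the last pipeline means every domain local group under the searched OU is populated only through nested groups.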
