Question : Domain Local,Global and Universal groups in Windows 2003

Hi Experts,
Can someone please explain the difference, purpose and use of Domain Local, Global and Universal groups in layman's terms. I'm trying to understand this concept and it's not sinking in. It'll be much appreciable if you can give examples as well. (Perhaps a sample company)

Thanks for your help

Answer : Domain Local,Global and Universal groups in Windows 2003

Microsoft recommends putting accounts into global groups which go into domain local groups to assign permissions

AGDLP

When using Universal Groups it is

AG U DLP

Here is an example domain

3 domains in contoso.com

ny.contoso.com
la.contoso.com
dal.contoso.com

ny.contoso.com resources (typical of all)

3 shared folders
NYOpsShare
NYSalesShare
NYSupportShare
3 shared printers
NYOpsPrint
NYSalesPrint
NYSupportPrint

3 global security groups
NYOpsGSG
NYSalesGSG
NYSupportGSG

75 users
25 in NYOps
25 in NYSales
25 in NYSupport

SO, to share the folders and printers, you would do the following
Create 6 domain local groups
NYOpsShareDLG
NYSalesShareDLG
NYSupportShareDLG
NYOpsPrintDLG
NYSalesPrintDLG
NYSupportPrintDLG

Lets Say that you want to add all of the ops from the 3 sites into the ops resources (same for sales and support)

Your resources would look like this:

NYOpsShareDLG
NYOpsGSG
LAOpsGSG
DALOpsGSG
NYSalesShareDLG
NYSalesGSG
LASalesGSG
DALSalesGSG
NYSupportShareDLG
NYSupportGSG
LASupportGSG
DALSupportGSG
NYOpsPrintDLG
NYOpsGSG
LAOpsGSG
DALOpsGSG
NYSalesPrintDLG
NYSalesGSG
LASalesGSG
DALSalesGSG
NYSupportPrintDLG
NYSupportGSG
LASupportGSG
DALSupportGSG

Where this works well is when you start adding user accounts

Lets say that you add 50 users to the ops groups in all 3 sites
All you need to do is add the users to the approriate Site Ops GSG and the permissions are set for your other resources.

This lowers the administrative overhead and replication burden on AD. Instead of replicating each individual user as part of a resource, it only has to grab the changes for the global group.

Random Solutions

Countdown Graphic

Install PoPToP VPN on SuSE 10

ODBC Auto Connect

In Outlook 2007 is there a way to customize the calendar so that the birthdays that are in the contacts don't show up on the candar?

Bootcamp, VM Ware, Windows Vista Premium/Ultimate

Setting up Internet Authentication Service with Mac addresses

Using ASPStateTempSessions table to store Web Sessions

Microsoft Movie Maker/editing Extras???

minimums Files to boot a custom small Win Xp system

Using port 8080 as default port