Domain Local Security vs Global Security vs Universal Security Groups

Discussion in 'Server Security' started by Kshaeta, Oct 16, 2006.

  1. Kshaeta

    Kshaeta Guest

    I've read lots on these, and I still don't really understand them.

    I know how they work together, how certain ones can't be part of others,
    etc. But I don't really understand how they work, or where and when
    to use them.

    Where are DLS (Domain Local Security) groups used, and why?
    How about Global Groups? Universal Groups?

    Is there any good documentation that explains how these are used and why?

    One reason I ask is, say, for this problem. I have two security groups
    within my domain, and two servers in my domain. One server is a domain
    server (DOM), the other is a member server (MEM).
    I have 2 security groups. The difference between the two is one is a
    DLS group, the other is a GS group. The DLS one doesn't allow the
    security group to be set on servers other than the domain servers. That
    is, if you are on DOM and you create a directory, you can grant it
    "Information Systems_DLS" security, or "Information Systems_GS"
    security. But if you log on to MEM, and try that it won't work. You
    need to grant it "Information Systems_GS". The option to grant any DLS
    doesn't even show up in the security selection on the member server.

    I don't really grasp this. Should "Domain level Security" allow you to
    grant that security group to any member server?

    Thanks for any info.

    Kshaeta, Oct 16, 2006

  2. Kshaeta

    Kshaeta Guest

    Nobody knows the answer to this?

    Kshaeta, Oct 19, 2006

  3. It is not really an issue of whether anyone knows or not, but of the
    huge scale that a complete answer would be. Perhaps if you were
    to review some of the information in the resource kit documentation
    and then post more narrow question(s).

    For an example of how non-simple some aspects of group usage
    can be, take a look at a recent thread we had on
    with subject
    Best practice to clean up AD groups
    that started on
    Thursday, October 12, 2006 2:31 AM

    In the particular example with two domains that you presented,
    you cannot use a domain local group except in its domain (hence
    it is local to that domain). So yes, you can use a domain local on
    a member of the same domain, but whether you should or when is
    an entire further discussion. Globals can be seen/used outside of
    their domain, and have the limitation that they can only contain objects
    (users or other groups) that are defined in their own domain (hence
    a global group can represent some part of its domain globally
    throughout the forest).
    Roger Abell [MVP], Oct 21, 2006
  4. Kshaeta

    Kshaeta Guest

    Thanks Roger.
    I guess my question was "does anyone know why these Domain Local System
    (DLS) groups behave like this" for my specific instance. I would
    assume a DLS group would allow me to use such a group on any server in
    the domain. However, I can ONLY use them on the domain servers
    themselves. It seemed weird to me that you would only be able to grant DLS
    access on the domain servers themselves.

    Anyway, I changed our Domain level from Windows 2000/NT Mixed mode, to
    Windows 2000 mode, and the issue went away. They now work the way I
    expect them to... within the entire domain.

    I guess my English is not very good, because I thought I wrote out the
    problem quite clearly. But I guess I asked too many at once.

    Anyway, thanks again Roger. I now see why MVP's are the top of the pile.


    Kshaeta, Jan 11, 2007
  5. Thanks for your follow-up and nice comment, and I am also sorry
    that I overlooked domain mode as part of your issue (pretty
    much everyone is at W2k if not one of the W2k3 modes by
    now), limiting the scope of DL groups and resulting in the questions.


    Roger Abell [MVP], Jan 20, 2007
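
    The pattern the two replies above describe (accounts in a global group,
    that global group nested in a domain local group, the domain local group
    alone placed on the resource ACL, usually abbreviated AGDLP) and the
    domain-mode check that would have caught the original poster's problem,
    as an added example that is not part of any post in this thread. It uses
    the ActiveDirectory PowerShell module, which did not exist in 2006; the
    domain name corp.example, the OU, the users alice and bob, the server
    MEM and the share path are all assumed names for illustration.

```powershell
# Added example: AGDLP layout for the "Information Systems" groups in this thread.
# Assumed (hypothetical) names: domain corp.example, OU "OU=Groups,DC=corp,DC=example",
# users alice and bob, member server MEM with the folder D:\Shares\IS.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# In Windows 2000 mixed mode a domain local group is usable only on domain
# controllers, which is exactly what the original poster saw on MEM. Stop
# here rather than creating groups that cannot be used where they are needed.
if ($domain.DomainMode -eq 'Windows2000MixedDomain') {
    throw "Domain '$($domain.DNSRoot)' is in Windows 2000 mixed mode; raise the functional level before using domain local groups on member servers."
}

$ou = 'OU=Groups,DC=corp,DC=example'

# A -> G: user accounts go into a global group that represents the role.
# Global groups can only hold members from their own domain but are visible forest-wide.
$roleGroup = New-ADGroup -Name 'Information Systems_GS' -SamAccountName 'Information Systems_GS' `
    -GroupScope Global -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $roleGroup -Members 'alice', 'bob'

# DL: a domain local group represents one permission on one resource.
# It can hold groups from any trusted domain, but is only usable inside its own domain.
$resourceGroup = New-ADGroup -Name 'Information Systems_DLS' -SamAccountName 'Information Systems_DLS' `
    -GroupScope DomainLocal -GroupCategory Security -Path $ou -PassThru

# G -> DL: nest the role into the resource group. Adding or removing a user
# from the global group is now the only change needed to grant or revoke access.
Add-ADGroupMember -Identity $resourceGroup -Members $roleGroup

# DL -> P: only the domain local group appears in the ACL on the member server.
$sharePath = '\\MEM\D$\Shares\IS'
$acl = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$($domain.NetBIOSName)\Information Systems_DLS",
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify the effective membership the server will evaluate through the nesting.
Get-ADGroupMember -Identity 'Information Systems_DLS' -Recursive |
    Select-Object SamAccountName, objectClass
```

    Run this on a domain-joined admin workstation as an account that can create
    groups in the target OU and modify the folder ACL. The `DomainMode` check
    is the point that resolved this thread: the scope rules Roger describes
    only apply in full once the domain is out of mixed mode.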