AD Group Scope

Some people have difficulty differentiating between Universal, Global and Domain Local groups (including me, sometimes). The table below illustrates the differences between those group scopes.

Some lessons learnt:
  • Global groups can be added to Domain Local groups (from the same domain or across domains), but not vice versa.
  • To a Global group, you can only add accounts from its own domain and Global groups from that same domain.
  • To add accounts from any domain, you need Domain Local groups; Global groups won’t allow you to do so.
  • Converting a group to Domain Local, adding those cross-domain users, and converting it back to a Global group won’t do the trick.
  • A Domain Local group cannot be added to Domain Local groups in any domain except its own domain and the parent.

Group scope: Universal
  Group can include as members:
    • Accounts from any domain within the forest in which this Universal group resides
    • Global groups from any domain within the forest in which this Universal group resides
    • Universal groups from any domain within the forest in which this Universal group resides
  Group can be assigned permissions in: Any domain or forest
  Group scope can be converted to:
    • Domain local
    • Global (as long as no other universal groups exist as members)

Group scope: Global
  Group can include as members:
    • Accounts from the same domain as the parent global group
    • Global groups from the same domain as the parent global group
  Group can be assigned permissions in: Member permissions can be assigned in any domain
  Group scope can be converted to: Universal (as long as it is not a member of any other global groups)

Group scope: Domain local
  Group can include as members:
    • Accounts from any domain
    • Global groups from any domain
    • Universal groups from any domain
    • Domain local groups but only from the same domain as the parent domain local group
  Group can be assigned permissions in: Member permissions can be assigned only within the same domain as the parent domain local group
  Group scope can be converted to: Universal (as long as no other domain local groups exist as members)


Note
The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted.
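The membership and conversion rules in the table, and the round-trip conversion from the lessons above, as an added example (not code from the original post and not an Active Directory API). It models a single forest with constructed group, user and domain names, and assumes a conversion is refused whenever an existing membership would become invalid in the new scope, which generalizes the table's "as long as" conditions.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Principal:
    name: str
    domain: str
    scope: str = "Account"  # "Account", "Global", "Universal" or "DomainLocal"
    members: list = field(default_factory=list)
    member_of: list = field(default_factory=list)

# Conversions the table lists; there is no direct Global <-> DomainLocal step.
CONVERSIONS = {"Universal": {"DomainLocal", "Global"},
               "Global": {"Universal"}, "DomainLocal": {"Universal"}}

def can_add(group, member):
    """'Group can include as members' column, within one forest."""
    same_domain = member.domain == group.domain
    if group.scope == "Universal":
        return member.scope in ("Account", "Global", "Universal")
    if group.scope == "Global":
        return same_domain and member.scope in ("Account", "Global")
    return group.scope == "DomainLocal" and (
        member.scope != "DomainLocal" or same_domain)

def add(group, member):
    ok = can_add(group, member)
    if ok:
        group.members.append(member)
        member.member_of.append(group)
    return ok

def convert(group, target):
    """Allowed only if the table lists the conversion and every existing
    membership (members and parent groups) stays valid: an assumption."""
    probe = Principal(group.name, group.domain, target)
    ok = (target in CONVERSIONS.get(group.scope, ())
          and all(can_add(probe, m) for m in group.members)
          and all(can_add(parent, probe) for parent in group.member_of))
    if ok:
        group.scope = target
    return ok

def round_trip_trick():
    """Widen a Global group, add a cross-domain user, try to narrow it back."""
    group = Principal("App-Users", "a.example.test", "Global")  # constructed
    outsider = Principal("alice", "b.example.test")             # constructed
    steps = [add(group, outsider), convert(group, "Universal"),
             convert(group, "DomainLocal"), add(group, outsider),
             convert(group, "Universal"), convert(group, "Global")]
    return steps, group.scope
```

`round_trip_trick()` shows the group ending up stuck at Universal scope: the final conversion to Global is refused because the cross-domain account is still a member.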

