Subject: Re: [ActiveDir] Global vs Universal vs Domain Local groups for software distribution groups

Author: RickSheikh
Posted: 06/02/2010 10:22 PM
Barring my inexperience with SCCM, I don't quite understand what you said
about SCCM seeing a DL group differently than how it would see a GG.

Generally speaking, the options to choose DL over GG for user population
(when deviating from AGDLP model) lie in the applicability (nesting
restrictions) and requirements of use case. And IMO there is no technical
drawback in defining permissions based on GGs. It just gets messy in a multi
child domain forest.

As I am sure you are aware - whereas GGs will only accept users from the
same domain it belongs to, it can be permissioned (ACLed) across the domain.
Similarly, a DL will take an object from cross trusted domain but can only
be ACLed to native resource (same domain) where it belongs.

GGs are preferred to manage User objects because often times that translates
to fewer DLs on a resource ACL (few ACEs, less clutter) i.e. one RW, one RO,
one Full Control DL with multiple GGs nested inside from same or trusted
domains.


On Wed, Jun 2, 2010 at 3:35 PM, Thomas Vuylsteke <
Thomas.Vuylsteke@realdolmen.com> wrote:

> Hey all,
>
>
>
> Perhaps not really a technical question, but I’m a bit curious of how far
> the A-G-DL-P principle reaches, here is an example to come to my question:
>
> Suppose you have a number of people who are considered to be
> “administrative personnel” (fictive example).
>
> You want to make sure these people have access to their shares, their
> printers and that they receive their applications (which are
> pushed/installed by SCCM).
>
>
>
> Now in the AGDLP I would say:
>
> · create a global group: GG_AdministrativePersonnel
>
> · add Mr X, Lady Y, Sir Z, … to that group.
>
>
>
> Now If you want to ensure proper access to their share called Data:
>
> · Create a group “DL_Data_RW”
>
> · add GG_AdministrativePersonnel to that group.
>
>
>
> We continue with the printers, we want to make sure they can manage the
> print queue of the printer in their office:
>
> · create DL_ManageAdminPrinter
>
> · add GG_... to that group
>
>
>
> See where I’m going? What with SCCM? Applications can hardly be considered
> permissions. But I don’t see the DL_Data_RW group as a permission, I see it
> as a resource you get granted access to. Just like you can get granted access
> to an Application.
>
>
>
> Are there any pro’s, contra’s, do’s, don’ts to choose between Global and
> Domain Local groups for SCCM collections? My thought was to just use the
> same principle as above, but all people I encounter say they somehow prefer
> Global.
>
>
>
> Any thoughts are appreciated!
>
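
The A-G-DL-P nesting discussed in this thread can be checked against a live directory. The following is an added example, not part of either post: it lists Domain Local security groups that contain accounts directly, or that nest another Domain Local group. It assumes the ActiveDirectory (RSAT) module, a session in the domain that owns the groups, and a placeholder OU path that must be replaced.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
# Reports Domain Local groups whose membership departs from strict A-G-DL-P:
# accounts placed directly in a DL group, or a DL group nested in another DL.
Import-Module ActiveDirectory

function Get-AgdlpFinding {
    param(
        # OU that holds the resource groups. Placeholder value, replace it.
        [string]$SearchBase = 'OU=Groups,DC=example,DC=com'
    )

    $filter = "GroupScope -eq 'DomainLocal' -and GroupCategory -eq 'Security'"
    foreach ($dl in (Get-ADGroup -Filter $filter -SearchBase $SearchBase)) {
        foreach ($member in (Get-ADGroupMember -Identity $dl)) {
            $finding = $null
            if ($member.objectClass -ne 'group') {
                # e.g. a user added straight to DL_Data_RW instead of via a GG
                $finding = 'account is a direct member'
            }
            else {
                # A DL group can only nest DL groups from its own domain, so a
                # lookup in the current domain is enough. Groups from other
                # domains fail the lookup and cannot be DL, so they are skipped.
                try {
                    $nested = Get-ADGroup -Identity $member.distinguishedName -ErrorAction Stop
                    if ($nested.GroupScope -eq 'DomainLocal') {
                        $finding = 'DL group nested in DL group'
                    }
                }
                catch { }
            }
            if ($finding) {
                [pscustomobject]@{
                    Group   = $dl.Name
                    Member  = $member.SamAccountName
                    Class   = $member.objectClass
                    Finding = $finding
                }
            }
        }
    }
}

Get-AgdlpFinding | Sort-Object Group, Member | Format-Table -AutoSize
```

Scoping the search to an OU keeps the built-in Domain Local groups, which hold accounts directly by design, out of the report.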
