List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community.

When subscribed to the list, use your standard email client to send your posts to ActiveDir@mail.activedir.org.
Subject: RE: [ActiveDir] Global vs Universal vs Domain Local groups for software distribution groups
From: decrosby
Sent: 06/03/2010 9:37 AM
One thing to consider here is the union of groups that you use to facilitate access to data and groups that you use to facilitate access to applications. It's quite possible that you could run into the age-old ceiling limits to group membership and/or token size problems where access is across domains or delegation is being used. As a neat alternative, we used some custom scripting to use distribution list membership to determine if a user was able to install an application, to avoid these potential problems.


Thanks.

Damian.

________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: 02 June 2010 22:21
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Global vs Universal vs Domain Local groups for software distribution groups

Barring my inexperience with SCCM, I don't quite understand what you said about SCCM seeing a DL group differently than how it would see a GG.

Generally speaking, the option to choose DL over GG for the user population (when deviating from the AGDLP model) lies in the applicability (nesting restrictions) and requirements of the use case. And IMO there is no technical drawback in defining permissions based on GGs. It just gets messy in a multi-child-domain forest.

As I am sure you are aware, whereas a GG will only accept users from the same domain it belongs to, it can be permissioned (ACLed) across the domain. Similarly, a DL will take an object from a cross-trusted domain but can only be ACLed to native resources (same domain) where it belongs.

GGs are preferred for managing user objects because oftentimes that translates to fewer DLs on a resource ACL (fewer ACEs, less clutter), i.e. one RW, one RO, one Full Control DL with multiple GGs nested inside from the same or trusted domains.


On Wed, Jun 2, 2010 at 3:35 PM, Thomas Vuylsteke <Thomas.Vuylsteke@realdolmen.com> wrote:
Hey all,

Perhaps not really a technical question, but I'm a bit curious how far the A-G-DL-P principle reaches. Here is an example to come to my question:
Suppose you have a number of people who are considered to be "administrative personnel" (fictive example).
You want to make sure these people have access to their shares, their printers and that they receive their applications (which are pushed/installed by SCCM).

Now in the AGDLP I would say:

* create a global group: GG_AdministrativePersonnel

* add Mr X, Lady Y, Sir Z, ... to that group.

Now If you want to ensure proper access to their share called Data:

* Create a group "DL_Data_RW"

* add GG_AdministrativePersonnel to that group.

We continue with the printers, we want to make sure they can manage the print queue of the printer in their office:

* create DL_ManageAdminPrinter

* add GG_... to that group

See where I'm going? What about SCCM? Applications can hardly be considered permissions. But I don't see the DL_Data_RW group as a permission, I see it as a resource you get granted access to. Just like you can get granted access to an application.

Are there any pros, cons, dos, don'ts to choose between Global and Domain Local groups for SCCM collections? My thought was to just use the same principle as above, but all the people I encounter say they somehow prefer Global.

Any thoughts are appreciated!


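The A-G-DL-P chain laid out in the question above (role group, resource groups, ACL on the share), together with the membership-ceiling / token-size caveat raised in the reply at the top of the thread, as an added PowerShell example that is not part of any post in this thread. It assumes the ActiveDirectory module, a domain named CORP, an OU "OU=Groups,DC=corp,DC=example", a share at D:\Shares\Data and three fictive user accounts; all of those names are assumptions, not from the thread.

```powershell
# Added example, not code from the thread. Assumed: domain CORP, the OU and share path
# below, and the three fictive user sAMAccountNames. Run with rights to create groups
# in the OU and to change the share's NTFS ACL.
Import-Module ActiveDirectory

$GroupOU  = 'OU=Groups,DC=corp,DC=example'   # assumption
$DataPath = 'D:\Shares\Data'                  # assumption
$Users    = 'mrx', 'ladyy', 'sirz'            # assumption (the question's Mr X, Lady Y, Sir Z)

# A -> G: accounts go into a Global security group (members must come from this domain).
New-ADGroup -Name 'GG_AdministrativePersonnel' -SamAccountName 'GG_AdministrativePersonnel' `
    -GroupScope Global -GroupCategory Security -Path $GroupOU `
    -Description 'Role: administrative personnel'
Add-ADGroupMember -Identity 'GG_AdministrativePersonnel' -Members $Users

# DL: one Domain Local security group per resource and permission level.
foreach ($dl in 'DL_Data_RW', 'DL_ManageAdminPrinter') {
    New-ADGroup -Name $dl -SamAccountName $dl -GroupScope DomainLocal `
        -GroupCategory Security -Path $GroupOU
}

# G -> DL: nest the role group (never individual users) in the resource groups.
Add-ADGroupMember -Identity 'DL_Data_RW'            -Members 'GG_AdministrativePersonnel'
Add-ADGroupMember -Identity 'DL_ManageAdminPrinter' -Members 'GG_AdministrativePersonnel'

# DL -> P: only the Domain Local group ever appears in the ACL. Modify on the folder,
# inherited by subfolders and files, for DL_Data_RW.
$acl  = Get-Acl -Path $DataPath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CORP\DL_Data_RW', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $DataPath -AclObject $acl

# For the SCCM side, a user collection membership rule is commonly a WQL query keyed on the
# AD group name; the collection itself is created in the console or with the
# ConfigurationManager module (not shown, and an assumption about the environment):
$CollectionQuery = 'select * from SMS_R_User where SMS_R_User.UserGroupName = "CORP\\GG_AdministrativePersonnel"'

# Caveat check from the reply: every group a user ends up in, directly or through nesting,
# adds a SID to the logon token. The LDAP_MATCHING_RULE_IN_CHAIN OID below makes the DC
# resolve the nesting (Global inside Domain Local, across domains via trusts) in one query.
function Get-TransitiveGroupCount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    return @($groups).Count
}

foreach ($u in $Users) {
    $n = Get-TransitiveGroupCount -SamAccountName $u
    # 1015 is the documented maximum number of SIDs an access token can hold; warn well
    # before that, because one DL per resource per permission level adds up quickly.
    if ($n -gt 500) {
        Write-Warning "$u is a member of $n groups transitively; approaching token-size limits"
    } else {
        Write-Output "$u : $n groups (OK)"
    }
}
```

The count function is the part worth keeping around: run it for a sample of users after every batch of new resource groups, and when the numbers climb you have early evidence for the "union of data groups and application groups" problem the reply describes, before logons start failing.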

Copyright 2009 ActiveDir.org