Domain local group versus Domain admin group

Darren - 27 Aug 2005 16:38 GMT
What are the differences among groups Domain Local and Domain Admin?

Thanks
Darren
Roger Abell - 28 Aug 2005 03:27 GMT
Domain Local is a type of group, not a group itself.
Domain local groups can contain members from other domains.
Domain global groups by contrast can only contain as members
objects that are defined in the group's domain.

Domain admins is a group.  It is a domain global group.  By
default Domain Admins is a member in the Administrators group
on every machine in its domain (this is changeable).


Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA

> What are the differences among groups Domain Local and Domain Admin?
>
> Thanks
> Darren
Darren - 28 Aug 2005 19:02 GMT
Thanks, Roger.
Just want to make sure I understand the differences. I am just curious to
know what's the use of a Domain local group and when would you use domain local
groups, perhaps some examples.
Are there articles on the Microsoft site that explain group membership usage and
best practices etc.?

Thanks
Darren
> Domain Local is a type of group, not a group itself.
> Domain local groups can contain members from other domains.
[quoted text clipped - 9 lines]
>> Thanks
>> Darren
Roger Abell - 29 Aug 2005 01:36 GMT
The best docs for a comprehensive view of what is there and some
issues for usage is the resource kit.  Check out
www.reskit.com
Opinions differ as to when use of domain global vs domain local
is a correct choice.  Either is available for use on any machine in
the domain.  They of course have potentially significant differences
in a multi-domain forest, as globals can contain only objects from
their own domain - a limitation locals do not have.  The user token
contains info on all memberships of the account, and has a limited
size, and as globals have a smaller representation the token can
hold info about more group memberships if globals are used.
Those are some factors, but the pros and cons do not always give
a clear winner as to a best practice - but again, in a single domain
forest (that will always be so) locals seem to hold little advantage,
whereas if the opposite is true globals can be a risky thing to use
directly across members of the domain (risking potential future
need to change the members).

Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA

> Thanks, Roger.
> Just want to make sure I understand the differences. I am just curious to
[quoted text clipped - 18 lines]
> >> Thanks
> >> Darren