What use do you make of Windows Server 2003’s Universal Groups?
Best Practice (Litmus Test)
Professionals: Use Universal Groups sparingly and only for nesting other groups.
Amateurs: Do not know Universal Groups Exist
Amateurs: Use only Universal Groups and never Global or Domain Local
What are the two TYPES of Groups in Windows Server 2003? Hang on Guy, I thought there were three, Global, Domain Local, and Universal? Microsoft are playing games with words, the two TYPES of groups are Security and Distribution (as in Distribution List).
Microsoft has introduced the Scope attribute to explain the capabilities of groups. If you are brand new to groups it makes sense, but for old timers it takes a while to get your head around the scope concept.
Domain Local Groups (These used to be plain Local groups).
Think of domain local groups as great hosts, literally anyone can be a member, users, Global groups, Universal groups, even computers can join a domain local group. Local groups are bad travellers and only operate in their own domain.
Best practice is to use local groups to assign permissions to resources like databases and printers.
These are great travellers, they can wander the entire Forest. The key point is that global groups are poor hosts and can only contain members from their own domain.
Best practice is to make global group your default group, and for starters, make a group to represent each of your departments.
Another question for you, why is it sometimes the radio button against create Universal group is greyed out? The answer is when the Domain is in mixed mode you cannot create universal groups (NT 4.0 BDC’s would not understand them). You need to ‘raise domain level to Windows 2000 native before you benefit from universal groups. Think of universal groups as the ultimate container for nesting groups. They are good hosts and great travellers.
Best practice is make it rule to only include global groups inside Universal groups, no individual groups. See more on Universal Groups.
Import users from a spreadsheet. Just provide a list of the users with their fields in the top row, and save as .csv file. Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.
Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.
If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)
Global Catalog Implications
As you would expect, domain local and global groups are listed in the global catalog, however the individual members are not listed. So changes in global group membership have zero impact on global catalog replication traffic.
Universal groups on the other hand, not only are listed in the global catalog but also the individual users or nested groups are also listed. Now you can see that adding users to a universal group will generate replication traffic. That is why Guy says only put global groups inside universal groups, the individual members inside the global groups are not replicated.
In Windows 2000 the situation is that one change of membership to a universal group causes the whole list to be replicated, thankfully that changed in Server 2003, now only incremental changes are replicated not the whole list.
Over 40 of Guy’s litmus tests. Have fun while you learn about aspects of computing. Stacks of ideas to check your servers, networks and security.
Your eBook has printer friendly pages and lots more screen shots.
Guy’s Litmus test is a concept that you can apply anywhere. Each test gives you an instant answer to the simple question:- ‘Are you dealing with a professional, or are they an amateur? Is this the real deal, or is it a turkey?’ The Litmus Test concept is rather like Best Practice, but it reduces a 27 page report to one sentence.