  1. Member
    #1

    A Good way to Remember Group Nesting

    Since group nesting and group membership can be so confusing, I thought of a better way of remembering this stuff. Instead of memorizing what you can do, remember what you can't, because there are fewer can'ts than cans.
    Like this ..

    Universal groups can't be in mixed mode domain levels
    Universal can't have GG as members if they are nested in another GG
    Universal can't have DL as members if they are nested in another DL
    (I also think that applies to converting)
    GG to DL can't happen without first converting to universal, then to DL.

    GG can't have members outside its domain
    DL can't have permissions outside its domain
    DL can't have DL from outside its domain

    DL can't be seen outside its own domain

    Group Nesting Can't be done in Mixed mode

    Groups can't contain more than 5,000 members

    Please correct me if I'm wrong on any points also post if I missed any can'ts with group scope abilities.
    Last edited by AndreL; 06-04-2010 at 03:01 PM.

  3. Senior Member Devilsbane's Avatar
    #2
    Quote Originally Posted by AndreL:
    Universal groups can't be in mixed mode or interim mode domain levels
    Universal can't have GG as members if they are nested in another GG
    Which mode is which, you ask?

    2000 Mixed. Everything (It's mixed) NT, 2000, 2003
    2000 Native. 2000 is in the title, so that must be part of it, and 2003 is in all of them
    2003 interim. 2003 is involved, and 2000 is in 2000 native, so this must be 2k3 and NT
    2003 Only 2003

    Universal groups (and various other items) aren't available in any of the functional levels that involve NT. Once I sit down on Saturday I am going to jot that little table down, just for easy and quick reference.

    Also keep in mind that the functional level is dependent on DC's. You can use 2003 DFL and still use a Windows 2000 file or web server.

    Thanks AndreL, I will print this off and include it with my notes.
    Last edited by Devilsbane; 06-04-2010 at 02:08 PM.

  4. Senior Member Devilsbane's Avatar
    #3
    I also have in my notes that a global can be a member of another global when in the same domain.

  5. Member
    #4
    thank you I'll change my notes (post)

  6. BOBBY_TABLES RobertKaucher's Avatar
    #5
    Good posts guys! I would like to suggest a book that has a very good explanation of why the AGULP method is a best practice and why it should be used and a good explanation of some odd stuff with NTFS permissions:

    Amazon.com: Professional Windows Desktop and Server Hardening (Programmer to Programmer) (9780764599903): Roger A.…

  7. Senior Member Devilsbane's Avatar
    #6
    If you can only remember one of the restrictions, it seems that not being able to nest a universal inside of a GG is the big one to remember. Probably because it is the method that everyone wants to use.

    http://ptgmedia.pearsoncmg.com/image...9736489ch3.pdf
    Sample chapter 3 from a book. I don't know what book, but it does seem to be good. Table 3-1 looks like a good summary.

  8. Still a noob earweed's Avatar
    #7
    It looks like an exam cram book. I've found those to be very helpful. I have the exam cram books for the 70-640/642 and they explain things in a different way than the MS Press books.

  9. BOBBY_TABLES RobertKaucher's Avatar
    #8
    Amazon.com: MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server…

    I can tell from the ISBN and from having shopped a few pixels in my time. Sorry, I know - stupid meme.

  10. Senior Member Devilsbane's Avatar
    #9
    "If the domain functionality level of your domain is Windows 2000 mixed or Windows Server 2003 interim, [AKA you have Windows NT DC's] you cannot change a group’s scope. Universal groups are not available at that domain functionality level, and you cannot change a group’s scope from domain local to global, or vice versa.

    If the domain functionality level is Windows 2000 native or Windows Server 2003, [NO NT DC's] you can change a group’s scope, but only if the group is not a member of another group and has no group members that would be illegal for groups of the new scope."

    An excerpt from the chapter 3 pdf that I liked. I added in the information in the []'s.


  11. Senior Member Devilsbane's Avatar
    #10
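As an added example (not from any poster in this thread), here is a small Python model of the can'ts collected in post #1 and the scope-change rule quoted in post #9, so that a proposed nesting or conversion can be checked against a functional level; the Group class, the member_allowed and can_convert functions, and the domain names are all assumptions, not a Microsoft API.

```python
# Constructed model of the group-scope "can'ts" from post #1 and the scope-change
# rule quoted in post #9 (Windows 2000/2003 functional levels). Not a Microsoft
# API: Group, member_allowed, can_convert and the domain names are assumptions.
from dataclasses import dataclass, field

MIXED = {"2000 mixed", "2003 interim"}  # NT DCs present: no universals, no GG-in-GG / DL-in-DL

@dataclass
class Group:
    name: str
    scope: str            # "GG", "DL" or "U"
    domain: str
    members: list = field(default_factory=list)  # Group objects or ("user", domain)

def member_allowed(parent, member, level):
    """Return None if `member` may be nested in `parent` at `level`, else the reason."""
    mscope, mdomain = (member.scope, member.domain) if isinstance(member, Group) else member
    if level in MIXED and "U" in (parent.scope, mscope):
        return "universal groups do not exist at a mixed/interim level"
    if parent.scope == "GG":
        if mdomain != parent.domain:
            return "GG can't have members outside its domain"
        if mscope == "GG" and level in MIXED:
            return "GG can't contain a GG at a mixed/interim level"
        if mscope in ("DL", "U"):
            return f"GG can't contain a {mscope}"
    elif parent.scope == "DL" and mscope == "DL":
        if level in MIXED:
            return "DL can't contain a DL at a mixed/interim level"
        if mdomain != parent.domain:
            return "DL can't have a DL from outside its domain"
    elif parent.scope == "U" and mscope == "DL":
        return "U can't contain a DL"
    return None

def can_convert(group, new_scope, level, all_groups):
    """Scope change: native level only, never GG<->DL directly, members and parents stay legal."""
    if level in MIXED:
        return False, "scope can't be changed at a mixed/interim level"
    if {group.scope, new_scope} == {"GG", "DL"}:
        return False, "GG<->DL must go via universal"
    probe = Group(group.name, new_scope, group.domain, group.members)
    for m in group.members:
        why = member_allowed(probe, m, level)
        if why:
            return False, f"a member would be illegal for {new_scope}: {why}"
    for g in all_groups:
        if group in g.members and member_allowed(g, probe, level):
            return False, f"{g.name} could not hold it as {new_scope}"
    return True, "ok"
```

The second loop in can_convert is what catches the case from post #1: a GG that is already nested in another GG cannot become universal, because its parent GG could not hold a universal.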
    Typo in Table 1? It says that both universals and globals can be granted access to resources in "any domain in the forest and any domain in any other forest that trusts the local domain."

    Is that right?

  12. Senior Member Devilsbane's Avatar
    #11
    Quote Originally Posted by Devilsbane:
    I also have in my notes that a global can be a member of another global when in the same domain.
    I see why our notes differ. GG's can only contain other GG's when in 2000 Native or 2003 DFL. (When NT DC's are not involved)

    Darn you Microsoft!!!

  13. Senior Member Devilsbane's Avatar
    #12
    Does anyone actually remember and use this? Or is it just something that you cram for the test and then forget afterwards? Then just look it up on the rare occasion that you are implementing new groups?

    I suppose it isn't too hard, because if you are using the 2003 DFL (and in 2010, I don't know why you wouldn't be) you can safely forget about all of the restrictions imposed by mixed and interim.

  14. BOBBY_TABLES RobertKaucher's Avatar
    #13
    Quote Originally Posted by Devilsbane:
    Does anyone actually remember and use this? Or is it just something that you cram for the test and then forget afterwards? Then just look it up on the rare occasion that you are implementing new groups?

    I suppose it isn't too hard, because if you are using the 2003 DFL (and in 2010, I don't know why you wouldn't be) you can safely forget about all of the restrictions imposed by mixed and interim.
    This is just something you study for the test. In the real world you can always look it up if you need to, but if previous admins have stuck to AGULP it almost does not matter.

  15. Member
    #14
    With AGP, I have an MS book that says the disadvantage to them is that performance degrades because GGs are not cached. What does that mean?

    Also it says "DL's should not be used to assign permission to ADog in a forest with more than one domain because DL's cannot be evaluated in other domains." And right above it, the book talks about AGDLP's and AGUDLP. And when describing them: "and then grant permissions to the DL grp."
    Now I'm guessing that you don't just give permission to a DL grp and let it sit there (ADLP); you use the AGDLP strategies or AGUDLP.

    Quote Originally Posted by RobertKaucher:
    This is just something you study for the test. In the real world you can always look it up if you need to, but if previous admins have stuck to AGULP it almost does not matter.
    With that, ... aren't you supposed to use U grps sparingly because it helps reduce replication between domains? Also I remember something about universal grps and GC's; I think you can only convert them to DL or GG on a GC. Am I right about that?

  16. Senior Member Devilsbane's Avatar
    #15
    Quote Originally Posted by AndreL:
    With that, ... aren't you supposed to use U grps sparingly because it helps reduce replication between domains? Also I remember something about universal grps and GC's; I think you can only convert them to DL or GG on a GC. Am I right about that?
    Any change to the membership of a universal causes immediate replication. So if you have users as members, every time you hire or fire someone, you just caused replication to all of your DC's.

    If you add some global groups to them, you are free to change the members of the globals without causing replication. If you would add a new global, or remove an existing global, then you will be causing that replication to occur.

    That is why universals would ideally only hold groups that are going to rarely change.