Hello All,

I am just getting into setting up groups and permisions for an NT domain. I have read that Microsoft suggests that you place user accounts into global groups, assign local groups permissions to access resources and then place the global group into the local groups. I think I have that right. :) Why is it done this way? Can't you do everthing with a Global group? For example, create a directory c:\data and share it out. Set the permisions to Domain users full control. I don't see why you would want or need to use a local group here.

Thanks Bob

Sharing to everyone is a different case.

If you are sharing only to a subset of your users, it is much better to add a global group to a local group with access to the resource.

In your case I cannot see a problem with adding access for everyone. If that is what you really what you want to do.

Harry Finn

Microsoft advise you against using global groups for resource access because users that are a member of that group must belong to that domain only. Local Groups can be used to add users and global groups from domains that your domain trusts. You need to have the correct trust established though in order to make use of a trusted domains users and groups. You can however only use global groups and users across trust.

So if you have domain A and you have global group which has access to a file server, you would not be able to put users from domain B into this group. However you could create a local group in domain A and place the global group from domain A and any users or global groups from domain B.

So to simply administration you would create a global group in both domains and simply add this to the local group in domain A.
You would then only need to add users to both of the global groups to give them access.

Hope that helps clear things up.

Gav.

Gav,

Ok I can see that now with multiple domians and how it would be used.