[gptalk] Re: handling remote desktop
- From: "Cruz, Jerome L" <jerome.l.cruz@xxxxxxxxxx>
- To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 19 Nov 2008 09:56:10 -0800
Pretty simple... all Domain Global groups are replicated to all GCs in the
forest. Domain Local groups are replicated only to domain-level DCs. Also,
Domain Local groups allow for individual member accounts (in them) from other
domains, whereas Domain Global groups do not.
An example of impact to GPO Administrators: There is the built-in Domain
Global Group named Group Policy Creator Owners. As a Domain Global group, it
cannot contain user accounts which reside in a different domain. Effectively,
this means that a GPO Admin in one domain cannot easily create GPOs in a
different domain (same forest) without (a) being in the domain Administrators
group or (b) having a second account in that (or each separate) domain. Our
security policies do not allow simple GPO Administrators either (a) or (b).
Early on, we had to create a Domain Local group and provide that group the same
permissions (as the global group already has) to the ..\System\Policies
container and to the ..\SYSVOL\Policies folder to get around this limitation.
Most of the security group filters for our GPOs are Domain Local as well.
In the interest of passing on knowledge, I offer the following (it's not GPO
'specific' stuff, so sorry ahead of time - I do hope some find it useful):
Windows Restrictions on Group Membership Based upon Group Type

                                     Can Contain             Can Contain             Can Contain
                                     Domain Local            Domain Global           Universal
Type           Scope                 Distribution  Security  Distribution  Security  Distribution  Security
-------------  --------------------  ------------  --------  ------------  --------  ------------  --------
Domain Local   Distribution Groups   Yes           Yes       Yes           Yes       Yes           Yes
Domain Local   Security Groups       Yes           Yes       Yes           Yes       Yes           Yes
Domain Global  Distribution Groups   No            No        Yes           Yes       No            No
Domain Global  Security Groups       No            No        Yes           Yes       No            No
Universal      Distribution Groups   No            No        Yes           Yes       Yes           Yes
Universal      Security Groups       No            No        Yes           Yes       Yes           Yes

Examples:
A Domain Local Security group can contain a Domain Global Security Group.
A Domain Global Security group can NOT contain a Domain Local Security Group.
Windows Restrictions on Group Membership Based upon Domain (Users/Computers and
Domain Locals)

Group Type                      Can Contain Users and            Can Contain Domain Local
(Both Distribution and          Computers from                   Groups from
Security Groups)                Same Domain  Different Domain    Same Domain  Different Domain
------------------------------  -----------  ----------------    -----------  ----------------
Domain Local Groups             Yes          Yes                 Yes          No
Domain Global Groups            Yes          No                  No           No
Universal Groups                Yes          Yes                 No           No

Examples:
A Domain Local Security group can contain Users and Computers from a different
domain.
A Domain Global Security group can NOT contain Users and Computers from a
different domain.
Windows Restrictions on Group Membership Based upon Domain (Domain Global and
Universal)

Group Type                      Can Contain Domain Global        Can Contain Universal
(Both Distribution and          Groups from                      Groups from
Security Groups)                Same Domain  Different Domain    Same Domain  Different Domain
------------------------------  -----------  ----------------    -----------  ----------------
Domain Local Groups             Yes          Yes                 Yes          Yes
Domain Global Groups            Yes          No                  No           No
Universal Groups                Yes          Yes                 Yes          Yes

Examples:
A Domain Local Security group can contain Universal groups from a different
domain.
A Domain Global Security group can NOT contain Universal groups from the same
domain.
Windows Security Group Conversion Rules

Security Groups can be converted to Distribution Groups.
Distribution Groups can be converted to Security Groups.
A Domain Local group can be converted to a Universal group only if it is not
already a member of another Domain Local group.
A Domain Global group can be converted to a Universal group only if it does not
contain any other Domain Global groups.
A Universal group can be converted to either a Domain Local Group or a Domain
Global Group.

HINT: Let's say that you've created a Domain Global Security group and fully
populated it. Then you realize that you should have created it as a Domain
Local Security group. First convert it to a Universal Security group, then
convert the Universal Security group to a Domain Local Security group.
Jerry Cruz | Group Policies Product Manager | Windows Infrastructure
Architecture | Boeing IT
Office 425-865-6755 | Mobile 425-591-6491
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of rpo
Sent: Tuesday, November 18, 2008 4:45 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: handling remote desktop
Hi guys,
I appreciate all the suggestions. Jerry, your particular setup is just amazing.
Although since our business is only 1000 workstations in size, I think I will
be sticking to a simpler setup and just use the restricted groups via GPO.
On a side note, I must say that even after reading a few articles, I can't
figure out the point of domain local groups vs. domain global groups. We don't
use local groups here, only global.
Daniel.
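An added illustration, not part of this thread and not Boeing's tooling: the membership tables and conversion rules quoted above, encoded as a small offline Python model. The group names, domains and members are constructed sample data that mirror the cross-domain GPO admin situation in Jerry's reply; conversion_path reproduces the HINT route (Global -> Universal -> Domain Local) and refuses it when a rule blocks the first step.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    """A group, or a user/computer account when scope == "Account" (model of the post's rules)."""
    name: str
    domain: str
    scope: str      # "DomainLocal", "Global", "Universal" or "Account"
    members: set = field(default_factory=set)   # names of nested groups/accounts

def can_contain(parent, child):
    """Apply the three membership tables from the post to one parent/child pair."""
    same = parent.domain == child.domain
    if child.scope == "DomainLocal":
        # only a Domain Local group nests a Domain Local, and only from its own domain
        return parent.scope == "DomainLocal" and same
    if child.scope == "Universal":
        return parent.scope != "Global"     # a Global group never nests a Universal
    # child is an account or a Global group: a Global group takes those from its own domain only
    return same or parent.scope != "Global"

def can_convert(g, target, directory):
    """One-step conversion rules from the post; directory maps name -> Obj."""
    if g.scope == target:
        return True
    if g.scope == "DomainLocal":    # -> Universal unless nested in another Domain Local
        nested = any(p.scope == "DomainLocal" and g.name in p.members for p in directory.values())
        return target == "Universal" and not nested
    if g.scope == "Global":         # -> Universal unless it contains another Global
        has_global = any(directory[m].scope == "Global" for m in g.members if m in directory)
        return target == "Universal" and not has_global
    return True                     # Universal -> Domain Local or Global

def conversion_path(g, target, directory):
    """Scope sequence reaching target, via Universal when needed (the post's HINT
    route Global -> Universal -> DomainLocal), or None when a rule blocks it."""
    if can_convert(g, target, directory):
        return [g.scope] if g.scope == target else [g.scope, target]
    if can_convert(g, "Universal", directory):
        return [g.scope, "Universal", target]
    return None

# Constructed sample data modelled on the cross-domain GPO admin situation in the post
GPCO = Obj("Group Policy Creator Owners", "corp.example", "Global")
GPO_DL = Obj("GPO Admins DL", "corp.example", "DomainLocal", {"Group Policy Creator Owners"})
ALICE = Obj("alice", "child.corp.example", "Account")   # GPO admin from a second domain
WS_ADMINS = Obj("Workstation Admins", "corp.example", "Global", {"alice"})
ALL_ADMINS = Obj("All Admins", "corp.example", "Global", {"Workstation Admins"})
DIRECTORY = {g.name: g for g in (GPCO, GPO_DL, WS_ADMINS, ALL_ADMINS)}
```

can_contain(GPCO, ALICE) is False while can_contain(GPO_DL, ALICE) is True, which is exactly why the Domain Local stand-in for Group Policy Creator Owners was needed.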