
Global vs Universal vs Domain Local for host group

Participant III
Posts: 24
Registered: ‎08-18-2016
#1 of 2 834
Accepted Solution

Global vs Universal vs Domain Local for host group

We have Centrify Standard version on Windows 2012 now.

E.g., we have an AD structure like AD_controller_ABC\Company\Unix\Servers, which includes all the hosts joined to the Centrify domain.

And we have AD_controller_ABC\Company\Unix\server-groups, which includes all the host groups.

Given that the hosts and host groups will exist in the same domain, can we use "Security Group-Global"? Or do we need to use Universal or Domain Local because of some concern?

 

Thanks!

Centrify Guru I
Posts: 1,750
Registered: ‎07-26-2012
#2 of 2 832

Re: Global vs Universal vs Domain Local for host group

@reboot,

 

Welcome back.

 

Your question about AD group scope (global, domain local or universal) is more of an AD design consideration than a Centrify question.

Here's an excerpt from Microsoft's documentation: https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

 

| Group scope | Group can include as members… | Group can be assigned permissions in… | Group scope can be converted to… |
|---|---|---|---|
| Universal | Accounts from any domain within the forest in which this Universal Group resides; Global groups from any domain within the forest in which this Universal Group resides; Universal groups from any domain within the forest in which this Universal Group resides | Any domain or forest | Domain local; Global (as long as no other universal groups exist as members) |
| Global | Accounts from the same domain as the parent global group; Global groups from the same domain as the parent global group | Member permissions can be assigned in any domain | Universal (as long as it is not a member of any other global groups) |
| Domain local | Accounts from any domain; Global groups from any domain; Universal groups from any domain; Domain local groups but only from the same domain as the parent domain local group | Member permissions can be assigned only within the same domain as the parent domain local group | Universal (as long as no other domain local groups exist as members) |

 
Based on the definitions above:
  • If your UNIX groups will contain users and groups only from the local domain, you can use a Global group.
  • If your UNIX groups will contain users and groups from the local domain and other trusted domains, use a Domain Local group.
  • If your UNIX groups will contain users and groups (including universal groups) from local and other domains, then use Universal groups.
Note that Universal groups and memberships are replicated to all global catalogs in the tree.
 
 
R.P
Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
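The "can include as members" column of the Microsoft table quoted in the reply above, written as a check that reports which group scopes can hold a planned host-group membership. This is an added example, not code from the thread or from Centrify; the domain names, member names and helper functions are constructed for illustration.

```python
# Added example: the "can include as members" rules from the table above.
from dataclasses import dataclass

ACCOUNT, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "account", "global", "universal", "domain_local"

@dataclass(frozen=True)
class Member:
    name: str
    kind: str    # ACCOUNT, or the scope of a nested group
    domain: str  # domain that holds the object

def can_contain(scope, group_domain, forest, member):
    """True if a group of `scope` in `group_domain` may hold `member`."""
    same_domain = member.domain.lower() == group_domain.lower()
    in_forest = member.domain.lower() in {d.lower() for d in forest}
    if scope == GLOBAL:          # same domain only: accounts and global groups
        return same_domain and member.kind in (ACCOUNT, GLOBAL)
    if scope == UNIVERSAL:       # anything but domain local, from this forest
        return in_forest and member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    if scope == DOMAIN_LOCAL:    # any domain; nested domain local must be local
        if member.kind == DOMAIN_LOCAL:
            return same_domain
        return member.kind in (ACCOUNT, GLOBAL, UNIVERSAL)
    raise ValueError(f"unknown scope: {scope}")

def blockers(scope, group_domain, forest, members):
    """Names of planned members that a group of `scope` cannot hold."""
    return [m.name for m in members if not can_contain(scope, group_domain, forest, m)]

def usable_scopes(group_domain, forest, members):
    """Scopes able to hold every planned member."""
    return [s for s in (GLOBAL, UNIVERSAL, DOMAIN_LOCAL)
            if not blockers(s, group_domain, forest, members)]

# Constructed sample data (not from the thread).
FOREST = {"corp.example", "emea.corp.example"}
HOSTS = [Member("web01$", ACCOUNT, "corp.example"), Member("db01$", ACCOUNT, "corp.example")]
EMEA_GROUP = Member("emea-hosts", GLOBAL, "emea.corp.example")
PARTNER = Member("partner-svc", ACCOUNT, "partner.example")  # trusted, outside the forest

if __name__ == "__main__":
    plans = [("same-domain hosts", HOSTS),
             ("+ global group from another forest domain", HOSTS + [EMEA_GROUP]),
             ("+ account from a trusted external domain", HOSTS + [EMEA_GROUP, PARTNER])]
    for label, plan in plans:
        print(f"{label}: {usable_scopes('corp.example', FOREST, plan)}")
```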