Domian local group versus Domain admin group

Archived from groups: microsoft.public.win2000.security (More info?)

Domain Local is a type of group, not a group itself.
Domain local groups can contain members from other domains.
Domain global groups by contrast can only contain as members
objects that are defined in the group's domain.

Domain admins is a group. It is a domain global group. By
default Domain Admins is a member in the Administrators group
on every machine in its domain (this is changable).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Darren" <Darren@somewhere.com> wrote in message
news:ujged1xqFHA.3660@TK2MSFTNGP15.phx.gbl...
> what are the diffrences amoung groups Domain Local and Domain Admin..
>
> Thanks
> Darren
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

The best docs for comprehensive view of what is there and some
issues for usage is the resource kit. Check out
www.reskit.com
Opinions differ as to when use of domain global vs domain local
is a correct choice. Either are available for use on any machine in
the domain. They of course have potentially significant differences
in a multi-domain forest, as globals can contain only objects from
their own domain - a limitation locals do not have. The user token
contains info on all memberships of the account, and has a limited
size, and as globals have a smaller representation the token can
hold info about more group memberships is globals are used.
Those are some factors, but the pros and cons do not alway give
a clear winner as to a best practice - but again, in a single domain
forest (that will always be so) locals seem to hold little advantage,
whereas if the opposite is true globals can be a risky thing to use
directly across members of the domain (risking potential future
need to change the members).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Darren" <Darren@somewhere.com.(donotspam)> wrote in message
news:%23Hqffq$qFHA.3788@TK2MSFTNGP12.phx.gbl...
> Thanks . Roger
> Just want to make sure I understand the diffrences . I am just curious to
> know whats the use of Domain local group and when would you use domain
local
> groups perhaps some examples..
> Are there articles on Microsoft site that explain group membership usage
and
> best practises etc....
>
> Thanks
> Darren
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23%23BxDg3qFHA.3788@TK2MSFTNGP12.phx.gbl...
> > Domain Local is a type of group, not a group itself.
> > Domain local groups can contain members from other domains.
> > Domain global groups by contrast can only contain as members
> > objects that are defined in the group's domain.
> >
> > Domain admins is a group. It is a domain global group. By
> > default Domain Admins is a member in the Administrators group
> > on every machine in its domain (this is changable).
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Darren" <Darren@somewhere.com> wrote in message
> > news:ujged1xqFHA.3660@TK2MSFTNGP15.phx.gbl...
> >> what are the diffrences amoung groups Domain Local and Domain Admin..
> >>
> >> Thanks
> >> Darren
> >>
> >>
> >
> >
>
>