Author: NetworkAdminKB.com
Created: 2008-12-04
Modified: 2008-12-05

Information:

While Universal Groups are very beneficial, they have limitations that are not widely known and can cause administrative burdens when multiple forests and External Trusts are implemented. Below is a collection of limitations of Universal Groups and the solutions to work around those limitations.


1) Limitation: Universal Groups cannot contain members (users or groups) from outside the forest they are created in. This precludes users or groups from domains trusted via External Trusts from being added to Universal Groups.

a. Reason for Limitation: Universal Groups can only contain members (users or Global Groups) from within the same Forest as the Universal Group.

b. Solution: As a best practice, groups assigned directly to resources should be created as Domain Local groups, so that users from outside the forest can be integrated into the existing security structure without changing the resource permissions.

2) Limitation: Universal Groups from any domain in any forest cannot be placed as members into Global Groups.

a. Reason for Limitation: Global Groups can only contain users or other Global Groups from their own domain. Universal Groups may contain users or Global Groups from any domain in the Forest.

b. Solution: As a best practice, users should be placed into Global Groups and all nesting of groups should take place using Global Groups. Those Global Groups can then be added to Universal Groups.

3) Limitation: Domain Local Groups from any domain in any forest cannot be placed as members into Universal Groups.

a. Reason for Limitation: Universal Groups can only contain members (users or Global Groups) from within the same Forest as the Universal Group. Universal Groups may not contain Domain Local groups, because Domain Local groups can hold members from domains outside the Forest.

b. Solution: As a best practice, Universal Groups should be used as an intermediary between Global and Domain Local Groups. Users are placed into Global Groups, Global Groups are placed in Universal Groups, and Universal Groups are placed in Domain Local Groups. The Domain Local Groups are then assigned permissions to the resource.

4) Limitation: Universal Groups cannot contain Global Groups from a mixed-mode domain in the same forest. Active Directory Users and Computers will display a warning if you attempt this.

a. Reason for Limitation: Universal Groups require a domain functional level of Windows 2000 native or Windows 2003.

b. Solution: If you have no NT4 Domain Controllers, you can raise your domain functional level to Windows 2000 native or Windows 2003.

5) Limitation: Universal Groups are not available while running in Windows 2000 mixed mode.

a. Reason for Limitation: Mixed mode allows NT4 compatibility and does not support the newer features of Windows 2000.

b. Solution: If you have no NT4 Domain Controllers, you can raise your domain functional level to Windows 2000 native or Windows 2003.
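As an added example (not part of the original article), the nesting chain from item 3 built with the ActiveDirectory PowerShell module, preceded by the mixed-mode check that items 4 and 5 call for. The group names, the OU, the account names, the partner domain and the share path are assumptions.

```powershell
# Added example, not the article's own: users -> Global -> Universal -> Domain Local -> resource.
# Assumes the ActiveDirectory module (RSAT) and rights to create groups in the assumed OU.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ou     = "OU=Groups,$($domain.DistinguishedName)"   # assumed: an OU that already exists

# Items 4 and 5: Universal Groups need Windows 2000 native or higher. The domain NC head
# carries the nTMixedDomain attribute; a value of 1 means the domain is still in mixed mode.
$nc = Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain
if ($nc.nTMixedDomain -eq 1) {
    throw "Domain is in Windows 2000 mixed mode; raise the functional level first."
}

# Accounts go into a Global group; all user nesting happens at this level (item 2)
$gg = New-ADGroup -Name "GG-Finance-Users" -GroupScope Global -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $gg -Members "jdoe", "asmith"       # assumed sAMAccountNames

# Global groups from any domain in the forest nest into the Universal group
$ug = New-ADGroup -Name "UG-Finance" -GroupScope Universal -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $ug -Members $gg

# The Universal group nests into a Domain Local group in the resource domain
$dl = New-ADGroup -Name "DL-FinanceShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou -PassThru
Add-ADGroupMember -Identity $dl -Members $ug

# Item 1: an account from an externally trusted domain cannot join $ug, but it can be
# added directly to the Domain Local group (assumed trusted domain DC and account)
$partner = Get-ADUser -Identity "partner01" -Server "dc01.partner.example"
Add-ADGroupMember -Identity $dl -Members $partner

# Only the Domain Local group is placed on the resource's NTFS ACL
$share    = "D:\Shares\Finance"                                 # assumed path
$identity = "$($domain.NetBIOSName)\DL-FinanceShare-Modify"
$acl      = Get-Acl -Path $share
$rule     = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $identity, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl
```

Adding a second partner account later touches only the Domain Local group, so the resource ACL never needs to change.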

Article ID: 106, Created On: 9/17/2011, Modified: 9/17/2011