Yes it is possible. By default they will be able to login into any domain in the forest. In order for them to access anything you will need to grant them access to any resources in the domain that they do not have access to.
Actually Jesus which is far more superior to Maya Angelou, said you get what you give, when you give people in offering, which means you cant really afford to lose it, but still give it away, you will receive more blessings than when you cling onto it, anyways thank you itfreetraining for teaching us this for free. :D
Thank you very much for the well explained video trainings, I would suggest all my friends to visit your site and subscribe to your channel on UA-cam. Well done and keep up the great work.
+joutiar ghaderyan When you click on the group and select "Add to group" this will add that item to that group. So in this case, "invoice_modify" is being added to "Sales_Staff" group.
You keep on saying there are four types of group in the beginning, but is it really type or scope? I think according to the book, there are two types which are security and distribution * somewhere I found three ) and four scopes of group which is Local Group, Domain Local Group, Global Group and Universal Group. Isn't it? :)
itfreetraining Thank you very much for accepting my comment. I thought you would get mad. You actually have become a bible for me for my course. Lastly can you please kindly take some time and pain in answering my question which I asked you in face book if not I will copy and paste the question here again. :) Dearest IT Free Training Greetings from Copenhagen. I wanted to kindly ask which video should I watch in order to completely understand the availability of each group scope. In other words which video should I watch in order to understand which group can be used or found in whose ACLs Sincerely thanking you Deepak Basnet
deepak basnet The group videos are only in the 70-640 course. If you the following link itfreetraining.com/70-640/index-70-640/ There is order that they should be watched in.
itfreetraining, Can you please help me to find out answer for below query? How the GroupMembership of Domain Local Group is confirmed? If there are two domains in the forest ,Domain ABC & Domain PQR. User account Paul from Domain PQR is the member of TestGroup which is Domain Local Group & this TestGroup belongs to Domain ABC. So now when user Paul tries to login to his Domain PQR,How the group membership of TestGroup is confirmed for Paul.As I know Domain Local Group members attribute does not store in Global Catalog server then how the Paul will confirm his membership for TestGroup which is Domain Local & belongs to another Domain ABC????
Hi , tutorials are very good , thanks . At 8 .20 seconds please explain in a Global group why is column empty . We can add a Global group in a global group.
@@deepaktripathi4050 Global groups can only be used in the domain they were created in. Domain local groups can be used in other domains. It is done with way to reduce the amount of replication between different domains.
@@itfreetraining hi , thanks , i was under impression that domain local can be used in same domain as per name and global group can be used in all domains
@@deepaktripathi4050It is a little confusing. Have a look at the following reference. learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups Universal groups are replicated to ALL domains in the forest. Thus when you make it must go to all global catalogs in the forest. To reduce replication. Global groups should be put into universal groups. Global groups only replicate at the domain level and thus only change when a domain change is done. Domain local is put in the global group. This can contain any account from any domain. Thus, allows for fine control of the resource. If you think of it is regards to reducing replication it makes more sense.
Ugh, of all the videos thus far, this one has me stumped even with the charts. Maybe I'm just hearing 'group' 'universal' 'local' way too many times in a row...but I'm getting lost in the explanations around the 9:00 and beyond mark.
We are looking at redoing this video later on in the future. I think we will break it down into some smaller videos to make it a bit easier to understand as there is a lot covered in this video. What is it that you are having problems understand? Basically it is saying that universal groups do not work on domain not in the forest. This is because universal groups require access to the GC. External domains do not have this access.
@@td8113 Sorry my bad, I misread your comment. So universal groups cannot be replicated across external domains and in a forest. So if you have an external domain you need to create a trust between your domain and that domain. Once created, you can add users and groups to your domain from the external domain (Not universal group however). For example, if ITFreeTraining had an external domain HighCost training. I would create a global group in ITFreeTraining called "External domain" or "HighCost users" or something like that. I could place my users in that group from the external domain. If you wanted to manage the user list in HighCost Training, I would create a group in HighCost Training and place the users in that. However, since the external group cannot go into a universal group, I would place the Global group from HighCost Training into a global group in ITFreeTraining to get around it. For example, in High Cost training create a group called "User for use in ITFreeTraining". Place that group in a group in IFTreetraining called something like "External HighCost users". Now place that group in a universal group call "All company users" in ITFreeTraining or whatever. That will get around it.
I dont understand why in an external domain, Local Groups and Domain Local Groups can contain Global Groups although they are outside the Global Group scope, and then why Global Groups can't contain Global Groups.
Can Exchange server manage 50000 users ? or it will be depend on size of the area ? so within 15 kilometres one server or can 1 server manage entire region of australia ?
+shamshir sheikh Exchange can manage a very large number of users. 50000 is not many users. Exchange however requires a Domain Controller for certain functions. For this reason, DC's need to be deployed need your users.
I'm still lost. You don't explain what each one means...for example - what is a local group for v a domain local group? I have looked at loads of material for this and they are all circular....ie A means B, B means C and C means A, without a basic explanation of any of them, it remains a circular definition
A Universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. A Global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain. A Domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located. Hope this helps.
+joutiar ghaderyan Sorry, this is an old video and does not come with a PDF. When the video gets updated it will include a PDF which you can use to print.
@itfreetraining: please review the information in 4:35 about universal group availability. Universal groups should be available not only within domains in the forest but also across trusts. According to blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy, 'a universal group can be used to manage resources, for example, to assign permissions, anywhere in the forest, as well as across trusts'. This is also confirmed by technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx - refer to the table called 'Group scopes' - it states that universal groups can grant permissions in any domain in the same forest or trusting forests. This means that the possible members of domain local groups can also be universal groups from other forests so the information in your video needs to be corrected.
Thanks for comment, we do are best. :)
you organize all security groups and their scope and membership in a single picture ..amazing..Thanks for uploading such a nice video.
It's my pleasure
No problem at all. Thanks for watching.
sometimes i get confused how such well explained learning course could be for free))
Elnur Taghiyev Thank you. We're happy to hear you found out video helpful
Thanks for the comment. More videos on the way.
Yes it is possible. By default they will be able to login into any domain in the forest. In order for them to access anything you will need to grant them access to any resources in the domain that they do not have access to.
Thanks, glad you liked the video.
Thanks very much. More videos on the way.
Excellent, glad we could help.
this was great. Very clear audio and video. Thanks.
You're welcome! We're glad you enjoyed it.
Thanks. Glad you like the videos.
i studied MCITP course but i didn't understand every thing like i'm doing right here.
thanks for every thing
thank u very much sir for making things so easy for the student.
No problem at all, thanks for watching.
Takes some habits to start getting used to this. Once you've worked with it for a short while it becomes like pure water, clear and smooth.
Excellent as usual!! Thanks :)
+David Okeyode You're welcome. Thanks for watching.
Actually Jesus which is far more superior to Maya Angelou, said you get what you give, when you give people in offering, which means you cant really afford to lose it, but still give it away, you will receive more blessings than when you cling onto it, anyways thank you itfreetraining for teaching us this for free. :D
very helpful.. They're needs to be more free Microsoft study material. keep them coming. :)
Thanks very much Sir. God Bless you. Very good explanation
toyvjirb
So nice explanation..
Thanks for watching.
Thank you very much for the well explained video trainings, I would suggest all my friends to visit your site and subscribe to your channel on UA-cam. Well done and keep up the great work.
Thanks very much and thanks for recommending us, that helps us a lot.
Thanks a Ton!!! great help!
Thanks, glad we could help.
:)
Thanks for the videos, very helpful.
Thanks for watching.
You are the best
Thanks for watching.
That is good question and good answer.
Thanks
Why do we need distribution groups when security groups can as well be used for distribution ?
thanks for the explanation, but as per you there is no sid for distribution group. But I check and found that universal group has SID..
15:22 are you adding Invoice_Modify group into the Sales_Staff group or Sales_staff group into Invoice_Modify group ? I'm just confused.
+joutiar ghaderyan When you click on the group and select "Add to group" this will add that item to that group. So in this case, "invoice_modify" is being added to "Sales_Staff" group.
so the only group that can be used across forests is global group ?
You keep on saying there are four types of group in the beginning, but is it really type or scope? I think according to the book, there are two types which are security and distribution * somewhere I found three ) and four scopes of group which is Local Group, Domain Local Group, Global Group and Universal Group. Isn't it? :)
deepak basnet Yeap, you are correct. We got it wrong. It should be 2 groups and four scopes. Will keep that in mind when we update the video.
itfreetraining Thank you very much for accepting my comment. I thought you would get mad. You actually have become a bible for me for my course. Lastly can you please kindly take some time and pain in answering my question which I asked you in face book if not I will copy and paste the question here again. :)
Dearest IT Free Training
Greetings from Copenhagen.
I wanted to kindly ask which video should I watch in order to completely understand the availability of each group scope. In other words which video should I watch in order to understand which group can be used or found in whose ACLs
Sincerely thanking you
Deepak Basnet
deepak basnet The group videos are only in the 70-640 course. If you the following link itfreetraining.com/70-640/index-70-640/
There is order that they should be watched in.
itfreetraining, Can you please help me to find out answer for below query?
How the GroupMembership of Domain Local Group is confirmed?
If there are two domains in the forest ,Domain ABC & Domain PQR.
User account Paul from Domain PQR is the member of TestGroup which is Domain Local Group & this TestGroup belongs to Domain ABC.
So now when user Paul tries to login to his Domain PQR,How the group membership of TestGroup is confirmed for Paul.As I know Domain Local Group members attribute does not store in Global Catalog server then how the Paul will confirm his membership for TestGroup which is Domain Local & belongs to another Domain ABC????
Hi , tutorials are very good , thanks . At 8 .20 seconds please explain in a Global group why is column empty . We can add a Global group in a global group.
It is blank because global groups can't be used in other domains in the forest. Global groups can only be used in the domain it is created in.
@@itfreetrainingThanks. then we can use domain local group . what is difference between domain local and global
group.
@@deepaktripathi4050 Global groups can only be used in the domain they were created in. Domain local groups can be used in other domains. It is done with way to reduce the amount of replication between different domains.
@@itfreetraining hi , thanks , i was under impression that domain local can be used in same domain as per name and global group can be used in all domains
@@deepaktripathi4050It is a little confusing. Have a look at the following reference.
learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups
Universal groups are replicated to ALL domains in the forest. Thus when you make it must go to all global catalogs in the forest.
To reduce replication. Global groups should be put into universal groups. Global groups only replicate at the domain level and thus only change when a domain change is done.
Domain local is put in the global group. This can contain any account from any domain. Thus, allows for fine control of the resource.
If you think of it is regards to reducing replication it makes more sense.
This is really nice...
Thanks for watching.
can i get a full explanation of the web server
thank you
You're welcome
Ugh, of all the videos thus far, this one has me stumped even with the charts. Maybe I'm just hearing 'group' 'universal' 'local' way too many times in a row...but I'm getting lost in the explanations around the 9:00 and beyond mark.
We are looking at redoing this video later on in the future. I think we will break it down into some smaller videos to make it a bit easier to understand as there is a lot covered in this video.
What is it that you are having problems understand?
Basically it is saying that universal groups do not work on domain not in the forest. This is because universal groups require access to the GC. External domains do not have this access.
its really useful
Thanks, glad we could help.
what is the difference between member and member of in a group.?
Being a member means they are part of a group, the Member Of option shows which groups they are a member of.
If Global groups are restricted to the same domain in which they are created, how can the scope be multiple forests?
You create a universal group. These can be used across different domains. The global groups are then placed into the universal group.
thanks for the quick reply, but I'm still confused, how can global be used outside the forest, if universal are restricted to the forest as well?
@@td8113 Sorry my bad, I misread your comment. So universal groups cannot be replicated across external domains and in a forest. So if you have an external domain you need to create a trust between your domain and that domain. Once created, you can add users and groups to your domain from the external domain (Not universal group however). For example, if ITFreeTraining had an external domain HighCost training. I would create a global group in ITFreeTraining called "External domain" or "HighCost users" or something like that. I could place my users in that group from the external domain. If you wanted to manage the user list in HighCost Training, I would create a group in HighCost Training and place the users in that. However, since the external group cannot go into a universal group, I would place the Global group from HighCost Training into a global group in ITFreeTraining to get around it. For example, in High Cost training create a group called "User for use in ITFreeTraining". Place that group in a group in IFTreetraining called something like "External HighCost users". Now place that group in a universal group call "All company users" in ITFreeTraining or whatever. That will get around it.
I think I understand now. thx so much for your help.
Thank you master...
Thanks for watching.
I dont understand why in an external domain, Local Groups and Domain Local Groups can contain Global Groups although they are outside the Global Group scope, and then why Global Groups can't contain Global Groups.
Can Exchange server manage 50000 users ? or it will be depend on size of the area ? so within 15 kilometres one server or can 1 server manage entire region of australia ?
+shamshir sheikh Exchange can manage a very large number of users. 50000 is not many users. Exchange however requires a Domain Controller for certain functions. For this reason, DC's need to be deployed need your users.
Thanks
Thanks for watching. :)
Helpful..
+kunal sood Thanks!
I'm still lost. You don't explain what each one means...for example - what is a local group for v a domain local group? I have looked at loads of material for this and they are all circular....ie A means B, B means C and C means A, without a basic explanation of any of them, it remains a circular definition
A Universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.
A Global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
A Domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.
Hope this helps.
Thanks =- but I thought that was a global group?
thanks for clearing that up - still a bit foggy but better
It's unfortunately not very clear cut and is seemingly very interchangeable. What are you still foggy on? Perhaps we can help.
Thanks again IT Free Training. Is there any way I can print this nice chart on 9:55 ?
+joutiar ghaderyan Sorry, this is an old video and does not come with a PDF. When the video gets updated it will include a PDF which you can use to print.
microsoft should have named global groups, global domain groups helps explain it more.
the group strategy agdlp video helps to explain it better
@itfreetraining: please review the information in 4:35 about universal group availability. Universal groups should be available not only within domains in the forest but also across trusts. According to blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy, 'a universal group can be used to manage resources, for example, to assign permissions, anywhere in the forest, as well as across trusts'. This is also confirmed by technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx - refer to the table called 'Group scopes' - it states that universal groups can grant permissions in any domain in the same forest or trusting forests.
This means that the possible members of domain local groups can also be universal groups from other forests so the information in your video needs to be corrected.
what a cute coming-up
Good Job, but i am still lost...
Feel free to ask any questions.
cute
Thanks!
so the only group that can be used across forests is global group ?