Welcome to NetworkCert.NET: Aids and Tools for Networking Certifications
Group Nesting Pros and Cons
AGP
Accounts-->Global Groups<--Permissions
Identities-->Role Groups<--Permissions
Used in forests with one domain and very few users, where you never plan to add another domain.
| Advantage | Disadvantage |
| --- | --- |
| Groups are not nested and troubleshooting is easier | Every time a user authenticates to a resource, the server must check global group membership to determine if the user is still a member |
| Groups belong to a single group scope | Performance degrades because a global group is not cached |
AGDLP
Accounts-->Global Groups-->Domain Local Groups<--Permissions
Identities-->Role Groups-->Resource Groups<--Permissions
Used in forests with one or more domains where you may have to add another domain.
| Advantage | Disadvantage |
| --- | --- |
| Domains are flexible | More complex to set up |
| Resource owners require less access to AD to secure their resources | |
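The AGDLP chain (Accounts-->Global Groups-->Domain Local Groups<--Permissions) can be checked mechanically. The following is an added example, not part of the original page: it audits a constructed snapshot for entries that break the chain and lists the resources a user reaches. All user, group and resource names are made up, and it assumes a strict reading of the chain with only global and domain local scopes.

```python
"""AGDLP audit over a constructed directory snapshot (all names are made up)."""
USERS = {"alice", "bob", "carol", "dave"}
GROUPS = {  # group name -> (scope, direct members)
    "GG-Sales": ("Global", ["alice", "bob"]),
    "GG-Finance": ("Global", ["carol"]),
    "DL-Reports-RO": ("DomainLocal", ["GG-Sales", "GG-Finance"]),
    "DL-Payroll-RW": ("DomainLocal", ["GG-Finance", "dave"]),
}
ACLS = {  # resource -> trustees named on its ACL
    "reports": ["DL-Reports-RO"],
    "payroll": ["DL-Payroll-RW", "GG-Sales", "bob"],
}

def kind(name, users, groups):
    """Classify a principal as 'Account', a group scope, or 'Unknown'."""
    if name in users:
        return "Account"
    return groups[name][0] if name in groups else "Unknown"

def audit_agdlp(users, groups, acls):
    """Return (location, principal, problem) for each break in the
    Accounts -> Global Groups -> Domain Local Groups <- Permissions chain."""
    allowed = {"Global": "Account", "DomainLocal": "Global"}
    findings = []
    for gname, (scope, members) in sorted(groups.items()):
        for m in members:
            k = kind(m, users, groups)
            if k != allowed.get(scope):
                findings.append((gname, m, f"{k} member in {scope} group"))
    for resource, trustees in sorted(acls.items()):
        for t in trustees:
            k = kind(t, users, groups)
            if k != "DomainLocal":
                findings.append((resource, t, f"permission granted to {k}"))
    return findings

def reachable(user, groups, acls):
    """Resources a user reaches directly or through any chain of groups."""
    held, frontier = set(), {user}
    while frontier:
        frontier = {g for g, (_, ms) in groups.items()
                    if g not in held and frontier & set(ms)}
        held |= frontier
    return sorted(r for r, ts in acls.items() if (held | {user}) & set(ts))

if __name__ == "__main__":
    for finding in audit_agdlp(USERS, GROUPS, ACLS):
        print(finding)
    print("dave reaches:", reachable("dave", GROUPS, ACLS))
```

Each finding marks a place where access would not show up when reviewing only domain local group membership, which is the troubleshooting cost of mixing the two models.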