User Administration in a Single Domain
If a group is needed to simplify the process of granting rights to reset user passwords in a single domain, either a domain local or global security group would suffice. The actual domain user rights can only be granted to domain local groups, but these domain local groups could have global groups as members. For a single-domain model, if the specific user rights need to be granted only at the domain level, a domain local group with users as members would be fine. In more complex situations, if you need to reuse the same group of users for different functions or add domains to the forest, adding the users to global groups that are then added to the domain local group is a good solution.
For most organizations, ...
Get Windows Server® 2012 Unleashed now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
