Adding an Active Directory group to a computer-local group - which scope to choose?

I am aware of the "AGDLP" rule of thumb when it comes to group nesting inside an AD structure. But now I am wondering if there are any best practices when it comes to adding Active Directory groups to "computer"-local groups.

Let's assume I have a server named HOST_A which is running the Remote Desktop Server role. And I would like to manage the group of people having access to it via an AD group.

I would therefore create a domain-local group, let's say "P_RemoteDesktopUsers_Host_A", and make it a member of the computer-local group called "Remote Desktop Users".

Or should I choose a global group scope? If so, why?


Solution 1:

I believe your decision of which group scope to use should be defined by:

  • What security principals need to be members of the group? For instance, if you have to include security principals from other domains of the forest in this security group, then you'll have to make it a Domain Local or Universal group. If you only need to include members of the same domain in this security group, you can use a Global security group.

  • What resources will you need to control access to with respect to this group? You can put a Global group on ACLs in any domain in the forest, while a Domain Local security group can only be put on ACLs within its own domain. If you have a situation where you need to span domains in a very flexible way, you might want to resort to a Universal group.

Global groups are good for keeping replication to the global catalog to a minimum... but that's not a huge deal these days now that every domain controller is usually a GC, and bandwidth consumed by replication traffic is not something that typically worries us any more.

http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx

Solution 2:

I'm not sure that Microsoft has ever published a best practice on this particular scenario. It differs from the typical scenarios in that you're not ultimately placing an access control list into the filesystem. A quick search of their site doesn't come up with any good results.

In a single domain scenario (the most common thing out there) I'd use Group Policy Restricted Groups functionality to nest a global group from the domain into the "Remote Desktop Users" group on computers. I feel like this method is sufficiently "visible" to allow for future auditing. I will, of course, have different Restricted Groups settings applied to different "classes" of computers. I don't see a need for the domain local group to abstract the role away from the resource, because I see Group Policy satisfying that requirement.
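As an added example (not part of either answer) of the auditing that Solution 2's "visibility" argument relies on, the following PowerShell compares a host's local "Remote Desktop Users" group against the one domain group that a Restricted Groups policy is expected to have placed there, and reports drift in either direction. CONTOSO\GG_RDP_HOST_A and HOST_A are hypothetical names.

```powershell
# Added example, not from the original answers: audit the local
# "Remote Desktop Users" group against the principals a Restricted Groups
# GPO is expected to enforce. CONTOSO\GG_RDP_HOST_A is an assumed
# global group; replace it with the group your policy nests.
$ExpectedMembers = @(
    'CONTOSO\GG_RDP_HOST_A'   # assumed global group managed via GPO
)

function Test-RdpGroupMembership {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Expected = $ExpectedMembers
    )
    # Get-LocalGroupMember ships with the Microsoft.PowerShell.LocalAccounts
    # module (Windows PowerShell 5.1 / Windows 10 / Server 2016 and later).
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Remote Desktop Users' |
            Select-Object Name, ObjectClass, PrincipalSource, SID
    }
    $actual = @($members | ForEach-Object { $_.Name })

    # Principals present on the host but not in the expected list, e.g. a
    # user added by hand between Group Policy refreshes.
    $unexpected = @($actual | Where-Object { $Expected -notcontains $_ })
    # Expected principals that are absent, e.g. the GPO did not apply.
    $missing    = @($Expected | Where-Object { $actual -notcontains $_ })

    [pscustomobject]@{
        ComputerName = $ComputerName
        Compliant    = ($unexpected.Count -eq 0) -and ($missing.Count -eq 0)
        Unexpected   = $unexpected
        Missing      = $missing
        Raw          = $members   # keep ObjectClass/SID for the audit record
    }
}

# Usage: check one host; run the same call across every host in a
# "class" of computers to confirm the Restricted Groups setting took effect.
Test-RdpGroupMembership -ComputerName 'HOST_A' | Format-List
```

Because Restricted Groups in "Members of this group" mode rewrites the local group at each policy refresh, a non-empty Unexpected list shows what was added between refreshes, which is exactly the change worth logging.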