are there any concerns using Universal Groups ? My understanding from other threads are, Universal Groups are more\or less "Permissions Anywhere" groups. and not deployed correctly, can complicate Global Catalog, and logon requests.

Hello, Universal is a scope that can be used for groups. More information about groups scopes: http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator

Hi, Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise. For example, there is two domain in the same forest, one is domain1.com and the other is domain2.com. In some cases, users of domain1.com need to visit the resource in domain2.com. Create a Global Group in the domain1.com, add the users which need to visit domain2.com, and then nest the Global Group within Domain Local Group. Of course, create Universal Groups is also ok, but Universal group will replicate across the forest, it will be a huge traffic cost. I assume that the members of the group will changed frequently, it is better to create a Global Group. Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely. In addition, here are some good articles for your reference: Group Type and Scope Usage in Windows http://support.microsoft.com/kb/231273 Understanding Groups http://technet.microsoft.com/en-us/library/dd861330.aspx Hope this helps!

Nice !!, this was very informative. Thank you

Hi, You're welcome! Regards!