I'm implementing a tool which secures certain shared resources within AD forest (mostly file shares). By some criteria a list of users from different domains is generated, those users are added to a universal group (because I need to gather users from different domains in a single group) and then that universal group is added to a shared resource ACL.
The forest has roughly 10 000 users, I think my universal groups will end up having up to 2000 users in each. And there might be up to several thousand those groups.
Everything looks good and works in test environment.
The problem is that there is an MS article on groups best practices: http://technet.microsoft.com/en-us/library/cc787646(v=ws.10).aspx
Almost the same is written here:
http://ss64.com/nt/syntax-groups.html
In "Best practices for controlling access to shared resources across domains" section
it reads that I should create domain local groups and nest global/universal groups in it.
I understand that there is an administrative benefit in it, easier management, visibility, etc
But I'm doing everything automated and my tool will watch for the right security by itself.
Some our IT consultants try to persuade me that not following that best practice may also result in poor performance.
So basically the question is: Can there be a performance (it means time required to logon, to secure a directory, etc) impact if I add universal groups directly on the shared resource instead of nesting universal group in a domain local group?
Thanks in advance.
UPDATE:
There is also one restriction regarding nesting groups. (http://support.microsoft.com/kb/328889)
There is a limit of 1015 user's groups. So In case of nesting universal groups into domain local groups I get ~ 500 limit, which seems like a painful restriction.
UPDATE2:
Regarding my forest topology. I have 6 domains, grouped into 2 trees. (Tree consists of a root domain, and two child domains)
Best Answer
Here is Microsoft's statement regarding Universal Groups. Especially the bolded part pertains to you:
The performance impact should be rather minimal in a well-connected environment where everyone has access to global catalogs.
The performance impact will be increased time to log in and increased time to evaluate ACLs on resources if a global catalog cannot be reached, or if your Sites & Subnets are misconfigured so that you find yourself communicating with global catalog servers outside of your own site. Also, there will be increased global catalog replication load.
However, I'm obliged to once again inform you that what you're doing is against commonly-accepted best practices.
This part of what you said: "... and my tool will watch for the right security by itself." That also scares me.
So I'm on the side of your IT consultants and I think they are doing their jobs by trying to persuade you to follow commonly-accepted best practices in terms of AD design.
But there's the answer to your question regardless.