
Can't give Domain Local accounts permissions.


  • Can't give Domain Local accounts permissions.

    I posted this in the Server 2003 forum, perhaps I should have posted it here to start off.




    At the moment we are running Novell 5 but have a functioning 2003 Domain that we will be switching to in the future.
    At the moment we have 2 pizza box HP's clustered and attached to a NAS storage array. The Cluster runs Exchange and file sharing. Our ADDC is running on an older IBM box that used to be one of our Novell servers.

    To the point. I can't assign Domain Local groups permissions in my file structure.

    AD is running in 2000 Mixed mode (even though all our servers are 2003).

    Do I need to have AD running at a higher functional level to use Domain Local groups for assigning permissions to resources?

    Just to clarify, Exchange and AD are functioning but not in use. They were set up by a consultant before I was hired here. All the file sharing and email is still handled by the Novell box.

    Please let me know if there's any more information you need.

    Any help is appreciated, thank you.

    -Bill

    To reiterate, when I go into the security settings for a directory and try to assign a Domain Local group it will not let me. Domain Local groups do not even show up in the list of things that can be assigned permissions. <---- Does that clear it up a bit better?
    CCA: XenApp 5.0

  • #2
    Re: Can't give Domain Local accounts permissions.

    To assign permissions to AD groups, the file system of the target drive must be NTFS. Windows does not understand Novell file systems and therefore accessing the shares on a Novell box will not show the security tab in the folder properties dialog in Windows. Novell doesn't talk to AD so you won't see AD groups in the list of objects to which you can give permissions from Novell's security dialog.

    Until your file shares are on NTFS file systems, you will not be able to add ANY kind of Windows AD group to the permissions on a folder.

    By the way - if AD is not in use, why are you even talking about Domain Local groups?


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Can't give Domain Local accounts permissions.

      Ahhh - I see.

      Is the NAS box a member of the AD Domain? If not, of COURSE you can't see Domain Local Groups... they're LOCAL to the DOMAIN...


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you



      • #4
        Re: Can't give Domain Local accounts permissions.

        Ah, I'm sorry. I didn't make myself clear enough.

        I am setting up the file system and proper permissions prior to our cutover date. We are still using Novell at the moment but won't be within 6-8 weeks.

        When I say cutover I mean we are dumping the Novell setup and switching everything over to the Domain; there is no migration going on here. This is a financial institution and all of our "vital" programs and information reside on an AIX box at our location that we own but is managed by a third party. The Novell setup is simply for file sharing and email (groupware). The Domain will fill the same roles.

        Everything I am doing is preliminary to implementing the Domain. The consultant they had setting up the new hardware and installing windows on all the systems did almost nothing when it came to file permissions, users, email accounts and all that.

        Yes, the cluster that is attached to the NAS are member servers.

        Basically we're 75% of the way to having the Domain ready to roll out. The servers are all up and functioning; right now all I need to do is get the file system set up with the proper groups so I can assign appropriate permissions.
        CCA: XenApp 5.0



        • #5
          Re: Can't give Domain Local accounts permissions.

          Perhaps this will help. I am able to set up Global groups and assign them permissions.

          I'm thinking this has something to do with the functional level of AD. We're running in 2000 mixed mode (I didn't set this up so don't ask me why, we only have 2003 servers). Perhaps it won't allow me to use Domain Local groups because that would not be compatible with an NT system because they didn't have anything like that back in the old NT days.

          Am I on the right track here?
          CCA: XenApp 5.0



          • #6
            Re: Can't give Domain Local accounts permissions.

            I suspect so. Raise the Forest and Domain functional levels to Windows Server 2003 and all should be fine - you have no legacy domain controllers so there will be no negative impact.


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you



            • #7
              Re: Can't give Domain Local accounts permissions.

              That's what I want to do.

              The problem is my boss isn't here and I'm not sure I want to do that without his say so.

              I've done it before many times, just not in a live setup.

              The other thing that stops me from doing that is wondering why the consultant set it up to run at that functional level. I suspect he didn't know better. His original intention was to put the Domain controller on the cluster. He found out after my business bought that hardware that you can't put a Domain Controller on a cluster. I didn't know that either, but then again I don't charge people big bucks to set stuff up like that.

              /rant

              Thanks for the help Stonelaughter, much appreciated!!
              CCA: XenApp 5.0



              • #8
                Re: Can't give Domain Local accounts permissions.

                No problem at all... be sure to click my yinyang icon at top right if you feel I deserve it! Thanks and I hope your boss still likes you after the weekend


                Tom
                For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                Anything you say will be misquoted and used against you



                • #9
                  Re: Can't give Domain Local accounts permissions.

                  W00000t!!!!

                  It worked!!

                  I made the change late in my shift last night and it didn't work within 5 minutes of the change so I was really worried, but figured I would wait overnight anyway just to see how things came out. Got in this morning and everything seems to be working just fine!

                  I'm sure it has to do with NT boxes not recognizing Domain Local groups so 2000-Mixed functional level will not let you use them.
                  CCA: XenApp 5.0
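
A read-only pre-change check for the functional-level raise discussed in this thread, added here as an example and not posted by anyone in the thread: it reports the current domain mode, lists each domain controller with its OS version (to confirm there are no legacy DCs), and enumerates the domain local security groups. It assumes a domain-joined Windows machine with PowerShell and a domain account; the function names `Get-DomainModeReport` and `Get-DomainLocalSecurityGroup` are hypothetical, and only .NET `System.DirectoryServices` classes are used.

```powershell
# Added example, not from the thread. Read-only: nothing here changes the domain.
# Assumption: run on a domain-joined machine under a domain account.

function Get-DomainModeReport {
    # DomainMode is the .NET view of the domain functional level.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $mode   = $domain.DomainMode.ToString()
    New-Object PSObject -Property @{
        Domain            = $domain.Name
        DomainMode        = $mode
        # Mixed and interim modes still allow NT 4.0 domain controllers.
        IsMixedMode       = @('Windows2000MixedDomain', 'Windows2003InterimDomain') -contains $mode
        # Listing every DC with its OS shows whether a legacy DC would block a raise.
        DomainControllers = @($domain.DomainControllers |
                              ForEach-Object { "$($_.Name) ($($_.OSVersion))" })
    }
}

function Get-DomainLocalSecurityGroup {
    # groupType bits: 0x4 = domain local scope, 0x80000000 = security-enabled.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    # Groups in the Builtin container also carry the 0x4 bit and are included.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=group)' +
                       '(groupType:1.2.840.113556.1.4.803:=4)' +
                       '(groupType:1.2.840.113556.1.4.803:=2147483648))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                Name = [string]$r.Properties['samaccountname'][0]
                DN   = [string]$r.Properties['distinguishedname'][0]
            }
        }
    } finally {
        $results.Dispose()   # FindAll() holds unmanaged resources
    }
}

$report = Get-DomainModeReport
$report | Format-List Domain, DomainMode, IsMixedMode, DomainControllers
if ($report.IsMixedMode) {
    Write-Warning 'Mixed mode: in this thread, the groups listed below did not appear in the permissions dialog on member servers.'
}
Get-DomainLocalSecurityGroup | Sort-Object Name | Format-Table Name, DN -AutoSize
```

Saving the output before and after the change gives a record of the mode transition and of which groups were expected to become assignable on the member servers.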
