  • AD Groups and Permissions

    Hi All,

    I have a question.

    I have only a single forest and domain.

    I know the best practice for groups is Users (U) into Global Groups (G),
    Global Groups into Domain Local Groups (L), and assign permissions
    to Domain Local Groups.

    This is pretty simple to understand for file shares and printer
    resources.

    Let's say I have 20 servers, all W2K3, and want to assign one of my
    Techs access to a print server, access to an application server
    and access to a web server for management functions.

    So I have a UserX: add him to the G group, add the G group to the Domain Local
    group; do I then add this domain local group individually onto the local
    group of these three servers? If so, why not just add the G group
    into the local group on each server and skip the domain local group?

    What would happen if I added the servers into the domain local group
    or Global group on the domain? Does UserX have permissions to those
    servers?

    I am just looking for advice, views etc.

    Cheers

    N

  • #2
    Re: AD Groups and Permissions

    I would use the domain local groups and give them permissions directly because that keeps all access control in the Domain database. Adding the Server Local Groups into the equation simply adds extra complexity you don't need... and I don't even know if domain globals will go into a server local directly... if they will I'm sure it's a bad idea for SOME reason or another but I can't think what...


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: AD Groups and Permissions

      Just a curiosity: why do you want to add the domain local group in the local group? Why are you not assigning the permissions to the domain local group directly?

      Regards,
      Kapil Sharma
      ~~~~~~~~~~~~~
      Life is too short, Enjoy It.



      • #4
        Re: AD Groups and Permissions

        Hi Guys,

        Thanks for your replies.

        Are you saying for me to add the DL groups and assign permissions to them?

        Will that not take more time than me just adding the DL group to the local Administrators group or Backup Operators group?

        What happens if I add ServerA into the DL group, add users to the Global group and then add this global group into the DL group as ServerA?

        Cheers

        N



        • #5
          Re: AD Groups and Permissions

          If you can't see the incredible risk and downright cavalier thinking behind that idea then I can help you no further.

          My advice is, add users to global groups, add global groups to domain local groups, use domain local groups to assign permissions to resources.


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you



          • #6
            Re: AD Groups and Permissions

            Cheers for the replies.

            I understand all you have said and that is what I will do.

            But I just thought I would ask the question.

            The reason behind my question was an IT Tech Consultant who was brought in to do some work and re-configuration work, and he says for me to add global groups into the local group of each server, e.g. into the local server admin group.

            His view, which I thought was wrong, was to skip adding global groups to the domain local groups and add the global group straight into the local server admin group or local backup operator group.

            His view was User into global group and global group into Server Local group, skipping the domain local group; he says that was an extra step I did not need to do.

            Cheers

            N



            • #7
              Re: AD Groups and Permissions

              Using the intermediate Domain Local group is useful in a multi-domain forest, where you create a DLG and put into it GGs from different domains.

              The reason for using Server Local groups usually has to do with faster ACL enumeration on the server side, and it adds a certain level of security: AD group membership can be read by default by every domain member, but for reading Server Local group membership you need to have rights on the server; hence this way you can "hide" the actual path via which the user gets permissions to the resource on the server.

              Personally, I do not like Server Local groups - they add too much management complexity. I do not mind users knowing which groups have access to resources. I do mind, though, about locking down the resources in such a way that only authorized people have access to them.

              Yet, I can think of a scenario where Server Local groups can come in useful: if the server administrator does not have rights for creating groups in AD and you still want him to manage permissions on server resources, server local groups will be handy.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"

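The AGDLP chain recommended in #5, followed by the recursive membership check that #7's point about group nesting calls for, as an added PowerShell example that is not from this thread. The OU path, group names, user account and share path are assumptions; it needs the ActiveDirectory module and runs on the server that hosts the share.

```powershell
# Added example, not from the thread. Implements A -> G -> DL -> P:
# user into a Global group, Global group into a Domain Local group,
# permission granted to the Domain Local group only.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=example,DC=local'   # assumed OU for the groups
$user  = 'userx'                           # assumed sAMAccountName of the Tech
$gg    = 'GG-ServerTechs'                  # Global group: who the people are
$dlg   = 'DLG-PrintSrv-Manage'             # Domain Local group: what the right is
$share = 'D:\PrintShare'                   # assumed resource on the print server

# A -> G: the account goes into the Global group
New-ADGroup -Name $gg -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $gg -Members $user

# G -> DL: nest the Global group in the Domain Local group
New-ADGroup -Name $dlg -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $dlg -Members $gg

# DL -> P: the ACE on the resource names the Domain Local group, never the
# user or the Global group, so access is controlled entirely in AD.
$domain = (Get-ADDomain).NetBIOSName
$acl    = Get-Acl -Path $share
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$dlg", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit: expand the nesting to see which accounts really end up with the
# right. A computer object (ServerA, as asked in #4) would show up here as
# objectClass 'computer', which is why servers do not belong in these groups.
Get-ADGroupMember -Identity $dlg -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Re-running the audit line after any membership change is the quickest way to confirm that only user objects reach the Domain Local group.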