Announcement

Collapse
No announcement yet.

Security Groups and access to shares.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Security Groups and access to shares.

    I have a domain running og 2003 AD and I want to clean up and organise the access to fileshares and so on...

    I have the domain organised by departments and then by position. (executives, teamleaders and agents). I want to be able to assign all users in one OU to a specific group, and then add that group again to a group that has read or write permissions on a folder.

    I have a filestructure and I want to have 2 groups for every top-level folder that gives either read or change permissions on that folder.

    That way I will have i.e. a top level folder called: "sales" and only two groups connected to this folder. One for read and one for change-permissions. One called "sales-read" and one called sales-change"

    The problem is that I dont know what kind of groups and scopes to use to be able to add a group to a group...

    I want to be able to add i.e. the "teamleaders all" group to the "sales-read" group and voila... all teamleaders can access the "sales" folder.

    So... what Group scope and Group type do I use for my groups. (Universal group-scope is not available)
    Greetings from
    Petter C.
    Norway

  • #2
    Re: Security Groups and access to shares.

    The recommended nesting for users/groups is to assign users to global groups that are based on roles such as "Accounting". These global groups would then be nested in Local groups that are defined on the resource such as a printer or share.

    So your sales-read and sales-change groups would be Local groups. Your Teamleaders, Executives and Agents would be Global groups.

    However, if you only have a single domain none of this matters.

    Comment


    • #3
      Re: Security Groups and access to shares.

      Assuming you don't have domain controllers with Windows NT on your domain, you can set the functionality level to Windows 2000 Native or Window 2003.
      This way you'll be able to nest global within global.
      I don't like using Local Groups because you can only use them within the domain. Global groups can be used on trusted domains as well.
      However, global groups can only have users from the same domain as members.

      you can read some more about AD groups and group scope:
      http://technet.microsoft.com/en-us/l.../cc755692.aspx

      Comment


      • #4
        Re: Security Groups and access to shares.

        Ok.

        I have a trust between this domain and a NT 4.0 domain. If I raise the functionality-level of this domain... will this cause problems between the two domains?

        I would like to be able to nest a global group inside another global group, but as I understand it this is not possible unless I raise the functionality level?
        Greetings from
        Petter C.
        Norway

        Comment


        • #5
          Re: Security Groups and access to shares.

          Raising the functionality level to 2000 Native will not affect external trusts. The only thing you "loose" is the ability to add NT4 domain controllers to the domain. If you don't have any NT4 DCs in the domain, you can raise it without problems.
          Anyhow, since the operation is Theoretically irreversible, I suggest backing up the DC before the operaion.

          You can read some more about it in http://support.microsoft.com/kb/322692

          Asaf.

          Comment

          Working...
          X