Changing security group scope

  • Changing security group scope

    Hi All,

    I'll set the scene. We currently have a Windows 2003 domain (forest and domain level is Windows 2003). We're looking to migrate to a Windows 2008 R2 domain (forest and domain functional level is 200). We have a forest to forest trust in place and working.

    What I want to do is create all IT staff admin accounts in the new domain and disable their admin accounts in the old domain. We have 3 security groups set up in the old domain:

    oldDomain\1stline - Global Security Group
    oldDomain\2ndline - Global Security Group
    oldDomain\3rdline - Global Security Group

    I've set up 6 groups in the new domain:

    newDomain\SG - D - 1stline - Domain Local Security group
    newDomain\SG - D - 2ndline - Domain Local Security group
    newDomain\SG - D - 3rdline - Domain Local Security group
    newDomain\SG - G - 1stline - Global Security group
    newDomain\SG - G - 2ndline - Global Security group
    newDomain\SG - G - 3rdline - Global Security group

    Users are members of the global groups, which are then members of the local groups. You get the picture.

    Now, I can't add the newDomain global security groups into the oldDomain global security groups as this is not allowed. So I was thinking of changing the oldDomain global groups to universal groups, and then changing them to domain local groups. This will then allow me to add the global groups from the new domain into the domain local groups in the old domain.

    I've tested this by creating an oldDomain\1stline test global group, adding all the members of the oldDomain\1stline security group and changing it to universal then local. This all worked fine.

    I was just wondering if there are any side effects of changing the group scope? We have service accounts that sit in this group that I don't want to cause issues with.

    Anyone have any other ways of getting to the end goal? The Domain Admins group is a global group so I can't add them straight into there. The Administrators group is a domain local group but this does not have any rights over the end PCs so would be of no use.

    Thanks in advance.

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Changing security group scope

    I don't see any issues at first glance... Where do you see potential issues?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Changing security group scope

      The changing of the actual groups from Global to local. Not too sure if they have any side effects.

      I think it will be OK to be honest but it's always nice for the re-assurance. I've tested this and it seems to work fine so I think I'll just go ahead.

      I couldn't find any cases of this causing any problems.

      Michael


      • #4
        Re: Changing security group scope

        Hi,

        What you can do is create a copy of the group, then move all members except the service accounts to the new group and make the changes there.
        Thanks & Regards
        v-2nas

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
        Blog: http://www.exchadtech.blogspot.com

        Show your appreciation for my help by giving reputation points



        • #5
          Re: Changing security group scope

          Navdeep,

          Doing this would mean I would have to add the new group to exactly the same resources as the old group.

          I've been testing the changing of scope and so far I have not encountered any problems, so I think I will just change the scope.

          Thanks for replying

          Michael


          • #6
            Re: Changing security group scope

            Changing a group's scope changes what users and groups can be members of the group, what groups the group can be a member of, and what resources can have permissions applied to the group. Here's a quick breakdown from MS:

            A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.

            A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.

            A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.

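            A scripted version of the conversion described in the first post (Global to Universal to Domain Local, then nesting the new domain's global group), with the scope rules quoted in #6 turned into pre-checks and a before/after membership comparison to answer the service-account worry. This is an added example, not code from the thread or from Microsoft: it assumes the RSAT ActiveDirectory module, a reachable DC in each domain (the hostnames below are placeholders; on a Windows 2003 DC the cmdlets additionally need the Active Directory Management Gateway Service, since they talk to ADWS), the group names from the thread, and a `svc*` naming convention for service accounts, which is an assumption.

```powershell
# Added example, not from the thread. Dry run by default; set $Commit = $true to apply.
Import-Module ActiveDirectory

$OldDC  = 'dc1.olddomain.example'   # placeholder: a DC in the Windows 2003 domain
$NewDC  = 'dc1.newdomain.example'   # placeholder: a DC in the Windows 2008 R2 domain
$Commit = $false

# Old global group -> new-domain global group to nest into it (names from the thread)
$Mapping = @{
    '1stline' = 'SG - G - 1stline'
    '2ndline' = 'SG - G - 2ndline'
    '3rdline' = 'SG - G - 3rdline'
}

foreach ($oldName in $Mapping.Keys) {
    $g = Get-ADGroup -Server $OldDC -Identity $oldName -Properties MemberOf
    if ($g.GroupScope -ne 'Global') {
        Write-Warning "$oldName is already $($g.GroupScope), skipping"
        continue
    }

    # Rule: a Global group cannot be converted to Universal while it is itself
    # a member of another Global group. (Universal -> DomainLocal has no such restriction.)
    $globalParents = @($g.MemberOf |
        ForEach-Object { Get-ADGroup -Server $OldDC -Identity $_ } |
        Where-Object { $_.GroupScope -eq 'Global' })
    if ($globalParents.Count -gt 0) {
        Write-Warning "$oldName is nested in Global group(s): $($globalParents.Name -join ', '); unnest it first"
        continue
    }

    # Snapshot direct members before the change so they can be verified afterwards.
    $before = @(Get-ADGroupMember -Server $OldDC -Identity $oldName)
    $svc = @($before | Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -like 'svc*' })  # naming is an assumption
    Write-Host "$oldName : $($before.Count) direct members, $($svc.Count) look like service accounts"

    if (-not $Commit) {
        Write-Host "  dry run: would convert Global -> Universal -> DomainLocal and nest $($Mapping[$oldName])"
        continue
    }

    # The two-step conversion; the group's SID (and so every ACL that references it) is unchanged.
    Set-ADGroup -Server $OldDC -Identity $oldName -GroupScope Universal
    Set-ADGroup -Server $OldDC -Identity $oldName -GroupScope DomainLocal

    # Verify the direct membership survived the scope change.
    $after = @(Get-ADGroupMember -Server $OldDC -Identity $oldName)
    if (Compare-Object -ReferenceObject $before -DifferenceObject $after -Property SID) {
        Write-Error "$oldName membership differs after conversion; investigate before continuing"
        continue
    }

    # Nest the new domain's Global group into the now Domain Local group across the forest trust.
    # Assumption: passing the ADGroup object fetched from the other domain is what creates the
    # foreign security principal in the old domain.
    $newGroup = Get-ADGroup -Server $NewDC -Identity $Mapping[$oldName]
    Add-ADGroupMember -Server $OldDC -Identity $oldName -Members $newGroup
    Write-Host "  converted $oldName and nested $($newGroup.Name) from the new domain"
}
```

            Run it first with `$Commit = $false` (or against a test copy of a group, as done in the thread) to see which groups the Global-nesting rule would block. The membership comparison is the reassurance the original question asks for: a scope change alters what the group may contain and where it may be granted access, not which SID it carries, so the service accounts keep the permissions they already have as long as the member list comes back identical.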


            • #7
              Re: Changing security group scope

              Joeqwerty,

              Yes - the main reason I was asking the question was whether there are any issues changing the scope after you have permissioned everything. Long story short, all our groups on the old domain are global and need to be changed to local to allow me to add global groups in from the new domain, so users still have permissions over resources in the old domain once their accounts have been migrated.

              Michael