Announcement

Collapse
No announcement yet.

Permissions and Groups

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Permissions and Groups

    Hello folks, it's been a very long time since I was last here - hello again!

    Anyway - what I'm asking is, could someone please just run me through again what can and cannot be done with each of the four Group Scopes - Local, Domain Local, Global and Universal. (In a 2000/2003 AD Forest)

    Reason is, we're trying to give permissions to folders on a server, and are having two problems. (KB article 833883 does not apply as all servers are at the current patch state/service pack level).

    1. <EDITED> We cannot add a user to any groups outside his domain from the User Properties dialog (Member Of tab).

    2. We cannot see a user's group memberships from outside a domain; we can only see memberships within the domain. Adding a user to a Universal Group can only be accomplished from the GROUP's properties, not from the User. When we click "Add" on a user's groups, only his domain is shown in the "Locations" dialog... not the whole forest.

    Thanks in advance...
    Last edited by Stonelaughter; 18th October 2006, 14:27.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

  • #2
    Re: Permissions and Groups

    Tom,

    This helped me out a lot:

    http://technet2.microsoft.com/Window....mspx?mfr=true

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

    Comment


    • #3
      Re: Permissions and Groups

      Thanks mate. Do you have any answer for the two problems I have mentioned, while I read that little lot please?


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you

      Comment


      • #4
        Re: Permissions and Groups

        Sorry for the repeat post: I've edited "problem 1" above because I had it wrong. The problem is actually that I can add a user to a universal or global group (outside the domain he resides in) from the Group's properties, but not from the user's properties. If I go into "Member Of" for a user object, and click "Add", then click "Locations", I can only see the local domain...


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you

        Comment


        • #5
          Re: Permissions and Groups

          Simple Microsoft best practise.

          AGUDLP or AGDLP

          Account (User) --put into--> Global Group --> Universal Group --> Domain Local Group --> Assign required Permission to Domain Local

          Just another MCP

          Comment


          • #6
            Re: Permissions and Groups

            *sheepish*

            Thanks... I take it that users shouldn't be added to domain local groups in a Windows Server 2003 Mode Forest....?


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you

            Comment

            Working...
            X