Group Nesting and Permissions

  • Group Nesting and Permissions

    Hi, I'm planning an AGDLP strategy, and this is my setup: 1 AD/DC and 1 file server.
    What I did was create 3 groups in AD: Shared Access Group/Domain Local, Modify Access Group/Global, Read Access Group/Global. Then I nested the Modify and Read Access Groups in the Shared Access Domain Local group.

    On my file server I created a Test share, and in the share permission I wanted to add the Share Access/Domain Local group, but I couldn't find it. Well, I think that's because it's a local group in my AD. So I tried to create another global group so I could add the Modify and Read Access Groups, but then I'm not able to add the two as members of the global group I created.

    Now I'm confused. Is the AGDLP strategy only applicable if my share is in the AD itself? Man, I'm lost. I hope you guys understand.

    All I wanted was Share Access Group = Modify and Read Access Group to be added in the share permission, and Modify and Read Access Group in the Shared ACL. Please help.
    Ronuel
    MCP
    There is only one way to find out: it's to try it and/or do it...

  • #2
    Re: Group Nesting and Permissions

    Strategy is applicable everywhere. In your scenario:
    Create 2 DL groups (Modify and Read)
    Give permissions on the share to those groups (as per group names)
    Create 2 Global groups (names up to you but one for people who should get read permission and one for people who should get modify permission)
    Put the global groups into the correct DL groups
    Put users into the global groups

    Simples!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Group Nesting and Permissions

      I think I already did this, Ossian. My problem is I want to add the DLs in the share permission of my Test share on my file server, but I am not able to see them. Objects are Users and Groups, Location is my testdomain.local. The DLs I created are not listed when I click Find Now. However, I'm able to see the global groups. I think I'm missing something. Or I misunderstood that a Domain Local group can't really be added in the Share or Access list of a shared folder on a file server (member server).
      Ronuel


      • #4
        Re: Group Nesting and Permissions

        Is your domain running in mixed mode?

        bio..



        • #5
          Re: Group Nesting and Permissions

          DL groups can and should be added to ACLs (as long as it's the same domain).
          Just double check they are security (and not distribution) groups!
          Tom Jones


          • #6
            Re: Group Nesting and Permissions

            @bio
            Nope, it's Windows Server 2003.

            @Ossian
            I am able to add the DL group, but only in a share that I created on my AD/DC itself.
            But on my file server (a member server that is joined to my DC) I'm not able to add the DL group in the ACL or share permission of a shared folder.
            Ronuel


            • #7
              Re: Group Nesting and Permissions

              Try deleting the DL group and creating another
              There should be NO issues with this - on the file server you should either see all groups or none, not some!
              Tom Jones


              • #8
                Re: Group Nesting and Permissions

                Actually, I'm not quite sure what functional level my DC is, so I'm considering bio's question. I'm going to try to check the domain functional level and raise it if needed, and give you guys an update. By the way, both my servers are Windows Server 2003 Standard R2. Thanks for the inputs, Ossian and Bio.
                Last edited by NonoRonuel; 8th April 2010, 14:40.
                Ronuel


                • #9
                  Re: Group Nesting and Permissions

                  Problem solved, guys. Indeed, it's the functional level. I was in Windows 2000 mixed, so I raised it to Windows Server 2003. And yes! I was already able to see the DL group in my file server share ACL and share permission. Thanks again, Ossian and Bio.
                  Ronuel
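
Added example, not part of the thread and not any poster's own commands: the AGDLP layout from post #2, preceded by the domain mode check that resolved the problem in post #9, using the Windows Server 2003 directory service command-line tools. The OU, the group names, the sample user, the NetBIOS name TESTDOMAIN and the folder path are assumptions; only testdomain.local comes from the thread.

```bat
@echo off
rem Constructed names: OU=Groups, the DL_/GG_ groups, the user and D:\TestShare
rem are hypothetical. Only testdomain.local is taken from the thread.
set DOMAIN_DN=DC=testdomain,DC=local
set GROUPS_OU=OU=Groups,%DOMAIN_DN%

rem 1. Check the domain mode before anything else.
rem    ntMixedDomain = 1 means Windows 2000 mixed; 0 means native or higher.
rem    msDS-Behavior-Version = 2 means Windows Server 2003 functional level.
rem    In mixed mode, domain local groups are usable only on domain
rem    controllers, which matches the symptom described on the member server.
dsquery * "%DOMAIN_DN%" -scope base -attr ntMixedDomain msDS-Behavior-Version

rem 2. Domain local SECURITY groups, one per permission level on the resource.
dsadd group "CN=DL_TestShare_Read,%GROUPS_OU%" -secgrp yes -scope l
dsadd group "CN=DL_TestShare_Modify,%GROUPS_OU%" -secgrp yes -scope l

rem 3. Global security groups that hold the user accounts.
dsadd group "CN=GG_TestShare_Readers,%GROUPS_OU%" -secgrp yes -scope g
dsadd group "CN=GG_TestShare_Editors,%GROUPS_OU%" -secgrp yes -scope g

rem 4. Nest each global group into the matching domain local group.
dsmod group "CN=DL_TestShare_Read,%GROUPS_OU%" -addmbr "CN=GG_TestShare_Readers,%GROUPS_OU%"
dsmod group "CN=DL_TestShare_Modify,%GROUPS_OU%" -addmbr "CN=GG_TestShare_Editors,%GROUPS_OU%"

rem 5. Users go into the global groups only, never directly onto the ACL.
dsmod group "CN=GG_TestShare_Readers,%GROUPS_OU%" -addmbr "CN=Sample User,CN=Users,%DOMAIN_DN%"

rem 6. Confirm the group type and scope that were actually created.
dsget group "CN=DL_TestShare_Read,%GROUPS_OU%" -secgrp -scope

rem 7. Run on the file server: grant NTFS rights to the domain local groups.
rem    /E edits the existing ACL instead of replacing it; R = read, C = change.
cacls D:\TestShare /E /G TESTDOMAIN\DL_TestShare_Read:R
cacls D:\TestShare /E /G TESTDOMAIN\DL_TestShare_Modify:C
```

Steps 1 to 6 run wherever the directory service tools are installed, typically the domain controller; the share permissions take the same two domain local groups through the share's Permissions dialog.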
