Re: Breaking Ground - the 70-290




LMC <LMC@xxxxxxxxxxxxxxxxxxxxxxxxx> prattled ceaselessly in
news:CD182084-AFBC-4D7B-97BB-D3D44097804D@xxxxxxxxxxxxx:

I could come to truly love this site...
The sarcasm is fairly quick. Try this on for size. This is not a
question in any braindumper site or transcender or other lame (as my
Son calls them) site.

Given:

Let's say you have a 3-domain arrangement, all 2003 servers, all under
the same forest: ohio.xyz.com, tenn.xyz.com and fla.xyz.com.

You have CPAs in all 3 locations and you want to give those CPAs access
to resources no matter which location they happen to be in.

I would answer it this way:

1. Create a DL group, say DL-Accountants (link it to a shared folder).
2. Create a G group, G-CPA (add the local domain accountant users).
3. Place each domain's Global group (G-CPA) into the DL-Accountants
Local group.

Traveling CPAs should have access to resources in any location.

CAVEAT: Unless I'm mistaken, the bandwidth might be high based on the
global catalog transfer of all member info.

ALTERNATIVE (and this might be more appropriate for a multiple-forest
arrangement):
1. Create a Univ group, say U-CPA; add the global G-CPA of each domain
as a member of the Univ group.
2. Add the Univ group to each domain local group.

Global catalog bandwidth utilization should be minimal, transferring
only link info instead of an entire list of, say, 200 users per site.


The goal is to minimize replicating changes between forest members so you
want anything that replicates between them to remain as stable as
possible.

I would go with your ALTERNATIVE option:

Best practice is to use Local Groups to assign permissions, so you're on
the right track there. Local Groups and Global Groups are in the Global
Catalog but their members are not listed. Universal group members ARE
listed in the Global Catalog. Because changes in the membership of the
Universal Group impact the Global Catalog, I would put the individual
domain members into a Global Group in their domain and add the Global
groups from each domain to the Universal Group. Add the Universal Group
as a member of the Local Group that has the permissions. Voila!
Usually, after that, you only have to manage the member list for the
Global Groups.



--
Catwalker
MCNGP #43
www.mcngp.com
"Definitely not wearing any underwear."
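The nesting both posts describe (accounts into a per-domain Global group, the three Global groups into one Universal group, the Universal group into the Domain Local group that carries the permission) as an added PowerShell example; it is not part of the thread. It assumes the RSAT ActiveDirectory module, an account with rights in all three domains, a functional level that allows universal security groups, and placeholder OU and share paths.

```powershell
# Added example, not the posters' own script. Domain names come from the
# thread; the OU, the share path and the file server location are placeholders.
Import-Module ActiveDirectory

$Domains   = 'ohio.xyz.com', 'tenn.xyz.com', 'fla.xyz.com'
$ShareHost = 'ohio.xyz.com'        # domain that holds the file server (assumed)
$SharePath = '\\FS01\Accounting'   # placeholder share
$OuName    = 'OU=Groups'           # placeholder OU, assumed to exist in each domain

function Get-DomainDN([string]$Domain) {
    # ohio.xyz.com -> DC=ohio,DC=xyz,DC=com
    ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
}

# 1. One Global group per domain. Only these hold user accounts, so day-to-day
#    membership changes replicate inside the home domain, not to the GC.
$globals = foreach ($d in $Domains) {
    New-ADGroup -Server $d -Name 'G-CPA' -SamAccountName 'G-CPA' `
        -Path "$OuName,$(Get-DomainDN $d)" `
        -GroupScope Global -GroupCategory Security -PassThru
}

# 2. One Universal group whose members are the three Global groups. Its member
#    list is in the GC, but it only changes when a whole domain is added or removed.
$universal = New-ADGroup -Server $ShareHost -Name 'U-CPA' -SamAccountName 'U-CPA' `
    -Path "$OuName,$(Get-DomainDN $ShareHost)" `
    -GroupScope Universal -GroupCategory Security -PassThru
# Cross-domain members are passed as the ADGroup objects returned above.
Add-ADGroupMember -Server $ShareHost -Identity $universal -Members $globals

# 3. A Domain Local group in the resource domain carries the permission;
#    the Universal group is its only member.
$domainLocal = New-ADGroup -Server $ShareHost -Name 'DL-Accountants' `
    -SamAccountName 'DL-Accountants' -Path "$OuName,$(Get-DomainDN $ShareHost)" `
    -GroupScope DomainLocal -GroupCategory Security -PassThru
Add-ADGroupMember -Server $ShareHost -Identity $domainLocal -Members $universal

# 4. Grant the NTFS permission to the Domain Local group only.
$netbios  = (Get-ADDomain -Server $ShareHost).NetBIOSName
$identity = "$netbios\DL-Accountants"
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Ongoing administration: a CPA joins their home domain's G-CPA and nothing
# else changes. 'jsmith' is a constructed sample account.
Add-ADGroupMember -Server 'tenn.xyz.com' -Identity 'G-CPA' -Members 'jsmith'
```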


