Re: proper file security methods


From: Doug Sherman [MVP] (dsherman_at_nospam.tampabay.rr.com)
Date: 03/08/05


Date: Tue, 8 Mar 2005 13:10:03 -0500

Either way will work, and if the global group serves no purpose other than
to access this particular resource, it probably makes no difference. The
recommended way to do it is as you described - create a domain local group
to access the resource, place users in a global group, and make the global
group a member of the local group. The reason for doing it that way is that
it gives you more granular control. You can add other users/groups to the
local group without having to add them to the global group which might give
them undesired access to other resources.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

"Mike Brearley" <nospam@spam.com> wrote in message
news:eGaO6TAJFHA.2852@TK2MSFTNGP09.phx.gbl...
> What's the proper way to assign a group access to a directory?
>
> Say I have a global group set up in AD that many users are members of.
> Should I set up a local group on the local file server and make that global
> group a member of the local group and assign the local group access to the
> directory or should I just assign the global group access to the directory
> without creating a local group? Or is there a difference in setting up a
> local group in AD?
>
> --
> Posted 'as is'. If there are any spelling and/or grammar mistakes, they
> were a direct result of my fingers and brain not being synchronized or my
> lack of caffeine.
>
> Mike Brearley
>
>
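
The nesting described in the reply above, as an added PowerShell example that is not part of the original thread. It uses the ActiveDirectory module; the domain CORP, the groups GG_Engineering and DL_Projects_Modify, the account jdoe and the path D:\Shares\Projects are all assumed names.

```powershell
# Added example. All names below are assumptions, not values from the thread.
Import-Module ActiveDirectory

$Domain      = 'CORP'                 # assumed NetBIOS domain name
$GlobalGroup = 'GG_Engineering'       # assumed existing global group of users
$LocalGroup  = 'DL_Projects_Modify'   # domain local group tied to one resource
$Directory   = 'D:\Shares\Projects'   # assumed directory on the file server

# 1. Create the domain local group whose only job is to carry this permission.
if (-not (Get-ADGroup -Filter "Name -eq '$LocalGroup'")) {
    New-ADGroup -Name $LocalGroup -SamAccountName $LocalGroup `
        -GroupScope DomainLocal -GroupCategory Security `
        -Description "Modify access to $Directory"
}

# 2. Make the global group a member of the domain local group.
Add-ADGroupMember -Identity $LocalGroup -Members $GlobalGroup

# 3. Put only the domain local group on the directory's ACL.
$acl  = Get-Acl -Path $Directory
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$Domain\$LocalGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Directory -AclObject $acl

# 4. The granular case from the reply: one more account needs this directory
#    but must not gain whatever else GG_Engineering can reach, so it goes
#    into the domain local group only.
Add-ADGroupMember -Identity $LocalGroup -Members 'jdoe'

# 5. Review: who gets access through the local group, and which explicit
#    (non-inherited) entries the directory carries.
Get-ADGroupMember -Identity $LocalGroup | Select-Object Name, objectClass
(Get-Acl -Path $Directory).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Step 5 is also a quick audit: a user account or global group showing up directly in the ACL output means access was granted outside this pattern.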


