Re: Native mode... what now.

Tech-Archive recommends: Speed Up your PC by fixing your registry

If you want to nest groups of the same type (e.g., global groups into other
global groups or domain local groups into other domain local groups), yes.
However, you can put global groups into domain local groups in non-native
domains - that's actually the recommended way to do it.

http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true

As an aside, all Windows 2000/2003 domains support universal distribution
groups; native mode is required to support universal security groups.

Hope this helps.

Steve

"Will Sellers" wrote:

I need to use nested groups in a small school domain.
Are you saying that I must use native mode in order to nest groups?

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eO9him05GHA.5072@xxxxxxxxxxxxxxxxxxxxxxx
"Mike" <MRrepair2002@xxxxxxxxx> wrote in message
news:1159914624.566981.162030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
after upgrading to native mode what have some of you implemented that
you could not have without being in native mode... just a general wide
open question.

Universal groups
Group nesting
Group conversion
Larger ADs since the SAM is dropped from the PDC Emulator
Controlling Access to RRAS (dial/vpn) through RRAS Policies
(big one for those who still use dial or use Windows for VPN)
Controlling access similary for IAS -- big deal if more people
used IAS for RADIUS support
Can assign IP to RRAS users through User props (who cares?)
SID History Enabled
Some Exchange server benefits

The Group and SAM issues are mainly of concern to large
Enterprising where Nesting and Universal groups can be a
very important feature.

If you need one (or more) of the features it is nice but most
people don't even need them (for small domains.)

Then there is:
Win2003 Server Native mode

To infinity and beyond.... <grin>

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]





.

Relevant Pages

  • Re: Why A-G-DL-P?
    ... security principals from the external domain ... principals can become members of domain local groups in the internal domain. ... different global groups that need access to this share. ... permissions) to this share you can create one Domain Local group named "DL ...
    (microsoft.public.windows.server.active_directory)
  • Re: Pass-through Authentication Between Trusted Domains Not Working
    ... universal groups and add global groups from any trusted domain to the ... Domain local groups will only work on ... domain computers if the domain is in native mode. ...
    (microsoft.public.win2000.security)
  • Re: Active Directory Groups Question
    ... Domain local groups can contain members of any domain, but only be assigned permission in the domain in which it belongs. ... Consider a scenario where you assign all of our file permissions with Global groups and then suddenly you require a child domain or a forest trust to another entity. ... group of these three servers, if so, why not just add the G Group ...
    (microsoft.public.windows.server.active_directory)
  • Re: Active Directory Groups Question
    ... Global groups can only contain members of the domain in which the group ... Consider a scenario where you assign all of our file permissions with Global ... and Global Groups into Domain Local Groups and assign permissions ... workers access to a print server and access to an application server ...
    (microsoft.public.windows.server.active_directory)
  • Re: cant see domain local groups
    ... As Domain Local groups cannot be members of workstation Local Groups ... I am wondering why MS added the functionality in Native Mode and what ... >> only see the listing of global groups and users, ...
    (microsoft.public.windows.server.active_directory)