Re: Group Types Question
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Tue, 17 Oct 2006 00:34:29 +0100
Hi
did you logof and login again after adding those users to that group?
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"bob britton" <rbritton@xxxxxxxxxxxx> wrote in message
news:unwfNOW8GHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the feedback.
And thank you for confirming that i'm not nuts!
Well, the printer is an IP printer setup on the DC (let's call it
Server01). It's installed as an IP printer and shared using File & printer
sharing. The group that has been given "Print" permissions to it is a
Domain Local group called "Color Printer Users". We have two A/D accounts
in this group.
This group definitely can access the printer.
i've another test group that is a Domain Global group with two A/D users
in this group. This group is given Print permissions to the same printer
share on the DC.
The Domain global group of users was NOT being granted access. Only those
in the Domain Local group.
But here's the weird thing: I just went in and confirmed that one of the
users in the Domain GLOBAL group can now access the printer. Meaning,
after nearly 3 hours of time, they're now able to have access to the
printer. No changes at all were done from an A/D management perspective.
So in other words, there appears to be this HUGE latency between the time
a user is granted access in the domain global group as to when they are
actually able to have effective permissions to the device. How do I
troubleshoot this latency? Where do i even begin?
It was by testing of alternative group memberships (domain local) that
helped me identify that the Domain Global Groups. One thing i've not done
is a Domain Universal.
"Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx> wrote in message
news:uJuDXsV8GHA.3280@xxxxxxxxxxxxxxxxxxxxxxx
If I'm understanding your post correctly, you have an issue alright. You
can grant access to resources in the domain using domain local (Win2k
native or higher if the resource isn't on a DC), global or universal
(Win2k native or higher). You don't need to use local groups, and I
would recommend you don't use these. That's a management nightmare.
Please further elaborate on the setup. The printer is installed into a
machine or is a network printer, and the print queue is installed on the
DC. Access is defined via a global security group, and you cannot access
this from a PC that is a member of the domain, but you can if the access
is granted to a domain local group? Is that correct? If so, the only
thing that springs to mind is that you've not refreshed your token (group
membership change). But depending on the circumstances, e.g. remote
access, not local, then that might not be an issue. Another option is
that there's some kind of Deny ACE, or privilege missing for that group.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
.
- References:
- Group Types Question
- From: bob britton
- Re: Group Types Question
- From: Paul Williams [MVP]
- Re: Group Types Question
- From: bob britton
- Group Types Question
- Prev by Date: Re: duplicate entries for reverse DNS zone
- Next by Date: Re: Replication between parent child domains
- Previous by thread: Re: Group Types Question
- Next by thread: Re: Sync disabled AD users to ADAM via IIFP
- Index(es):
Relevant Pages
|
