Re: Security Groups issue...



Kshaeta wrote:
*** Note, I posted this in the "security" group, but someone suggested I
put it here to get an answer. ***

One reason I ask, is because of this problem. I have two security
groups, within my domain, and two servers in my domain. One server is a
domain server (DOM), the other is a member server (MEM).
I have 2 security groups. The difference between the two is one is a
DLS group, the other is a GS group. The DLS one doesn't allow the
security group to be set on servers other than the domain servers. That
is, if you are on DOM and you create a directory, you can grant it
"Information Systems_DLS" security, or "Information Systems_GS"
security. But if you log on to MEM, and try that it won't work. You
need to grant it "Information Systems_GS". The option to grant any DLS
doesn't even show up in the security selection on the member server.

I don't really grasp this. Should "Domain level Security" allow you to
grant that security group to any member server?

I know how security groups work together, how certain ones can't be part
of others, etc. But I don't really understand how they work, or where
and when to use them.

Where are DLS (Domain Local Security) groups used, and why?
How about GS (Global Security) groups? Universal Security groups?

Is there any good documentation that explains how these are used and why?

Thanks for any info.

Universal groups can contain members from any domain, but IIRC you can
only use these in Windows 2000 or 2003 native mode. Domain Local groups
can contain members from all trusted domains, but can only be used
within the domain in which it exists. Global groups can only contain
members from the local domain, but can be used to apply security in any
domain that trusts the one in which the group exists.

There are catches to using each of these, so you need to select which
one works best for you. Universal groups use additional resources within
Active Directory and ought to be used sparingly. If you have the option
enabled, Global Catalogue servers can cache Universal Group membership
and therefore optimize WAN link utilization during searches on the
directory.

All in all, it sounds like in your case you're dealing with a single
Active Directory domain, and probably don't need to use Universal groups
at all. With the little information provided in your original post, I
would probably use Domain Local groups to assign security.

Trevor Sullivan
MCP
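
The scope rules described in the reply above, worked through as an added PowerShell example that is not part of the original thread. The domain names CORP and RES, the one-way trust, and the function names are hypothetical; treating a Universal group as usable in any domain is an assumption, since the reply only states its membership rule.

```powershell
# Constructed sample: two hypothetical domains. RES trusts CORP (one-way);
# CORP does not trust RES.
$Trusts = @{ 'RES' = @('CORP'); 'CORP' = @() }

# True when $Truster is the same domain as $Trusted or has a trust toward it.
function Test-DomainTrusts {
    param([string]$Truster, [string]$Trusted)
    return ($Truster -eq $Trusted) -or ($Trusts[$Truster] -contains $Trusted)
}

# Can an account from $MemberDomain be added to a group of this scope?
function Test-GroupMember {
    param([string]$Scope, [string]$GroupDomain, [string]$MemberDomain)
    switch ($Scope) {
        'Global'      { return $MemberDomain -eq $GroupDomain }
        'DomainLocal' { return Test-DomainTrusts $GroupDomain $MemberDomain }
        'Universal'   { return $true }
        default       { throw "Unknown group scope '$Scope'" }
    }
}

# Can the group be granted permissions on a resource in $ResourceDomain?
function Test-GroupOnResource {
    param([string]$Scope, [string]$GroupDomain, [string]$ResourceDomain)
    switch ($Scope) {
        'Global'      { return Test-DomainTrusts $ResourceDomain $GroupDomain }
        'DomainLocal' { return $ResourceDomain -eq $GroupDomain }
        'Universal'   { return $true }   # assumption: not stated in the reply
        default       { throw "Unknown group scope '$Scope'" }
    }
}

# Evaluate each scope for a group in one domain against the other domain.
$report = foreach ($scope in 'DomainLocal', 'Global', 'Universal') {
    foreach ($pair in @('CORP', 'RES'), @('RES', 'CORP')) {
        $groupDomain, $otherDomain = $pair
        [pscustomobject]@{
            Scope          = $scope
            GroupDomain    = $groupDomain
            OtherDomain    = $otherDomain
            CanHoldMembers = Test-GroupMember $scope $groupDomain $otherDomain
            UsableThere    = Test-GroupOnResource $scope $groupDomain $otherDomain
        }
    }
}
$report | Format-Table -AutoSize
```

The two checks read the trust in opposite directions: a Domain Local group's own domain must trust the member's domain, while a Global group must be trusted by the domain that holds the resource.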