Re: Security Groups
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sat, 24 Feb 2007 03:59:24 -0600
"SEgerton" <SEgerton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ADEC0E0D-B407-454C-9943-B819DC9F032F@xxxxxxxxxxxxxxxx
I just changed over our network from Netware to Active Directory. The Netware
was here before I started w/ my company and the groups and rights were a bit
of a mess. Now that I've migrated over to Active Directory, is there a way to
tell the rights a Group has to what files and directories?
Not really -- or at least not really conveniently.
One minor difficulty that those with Netware have is the terminology:
Rights and Permissions in Windows are DIFFERENT things, and used
differently than in Netware.
Permissions are the access settings (Access Control) on Files, printers,
shares, registry keys, and AD objects. Rights are something entirely
separate: General privileges like changing the system time, logging on
locally, installing drives, adding workstations to the domain, etc.
Permissions in Windows are stored on the "objects" themselves, in
Access Control Lists so that to figure out what a Group can access you
really have to use a tool that "visits" every file in every directory of
every drive in the entire domain or larger "trusting" environment (both
forests and explicit trusts).
I'd like to place these rights in the notes section of the groups.
Therefore I know what groups I can add people to w/o worrying that I'm
giving them rights to something more than what they need.
This doesn't really work in Windows and would be almost immediately
out of date even if you used some program (cacls.exe, xcacls.exe, etc.)
to produce it.
There is another philosophy and strategy to do this in Windows.
Use GLOBAL Groups to represent "sets of users", e.g., Engineers, HelpDesk,
Secretaries, Executives, Salespeople.
Then use Local Groups (either on Domain or individual machines) to represent
"sets of resources". Give permission ONLY to Local groups.
Place the Globals into Locals for access. Now you can just review what
Local groups (using good names for them) to understand what permissions
you have given.
Account->GlobalGroups->LocalGroups->Permissions.
(In large domains and forests Universal groups can be used to group the
Globals for scalability.)
And can someone also tell me the correct formatting to cross-post within
these newsgroups. I saw an example on microsoft,
microsoft.public.word.newusers; but I don't really understand that. When I
come in here I usually post in English/Servers/Windows Server/Active
Directory and so on.
Reasonable crossposting IS ENCOURAGED when more than one group
is likely to have the answer to your question. We can't tell you the
format because we don't know what newsreader you are using.
For Outlook Express you just type a comma or semi-colon and list the
next group in the Newsgroups: edit box.
For other Newsreaders and Web newsreaders the format will be somewhat
different -- some web readers may not allow it.
For me, Outlook Express is the best newsreader and I have tried most of the
other well-known or popular ones.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
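
Added example (not part of the original post): a PowerShell sketch of the kind of tool the reply describes, one that visits each folder under a share root, reads its ACL, and lists the explicit permissions per identity, then flags entries granted to anything other than a resource Local group. The share root D:\Shares and the DL_ naming prefix for Local groups are assumptions made for illustration.

```powershell
# Added example: summarise explicit (non-inherited) ACEs under a folder tree.
# $Root and the 'DL_' prefix for resource Local groups are assumptions.
param(
    [string]$Root = 'D:\Shares',            # hypothetical share root
    [string]$LocalGroupPattern = '*\DL_*'   # hypothetical Local group naming convention
)

function Get-ExplicitAce {
    param([string]$Path)
    # Visit the root and every folder beneath it. Files are skipped here
    # because their ACEs are normally inherited from the parent folder.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # report only where a permission was set
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

$aces = @(Get-ExplicitAce -Path $Root)

# 1. Everything each identity has been granted, sorted by identity.
$aces | Sort-Object Identity, Path |
    Format-Table Identity, Type, Rights, Path -AutoSize

# 2. Entries that bypass Account->GlobalGroups->LocalGroups->Permissions:
#    permissions given to a user or Global group instead of a Local group.
$wellKnown = 'NT AUTHORITY\*', 'BUILTIN\*', 'CREATOR OWNER'
$aces | Where-Object {
    $id = $_.Identity
    ($id -notlike $LocalGroupPattern) -and
        -not ($wellKnown | Where-Object { $id -like $_ })
} | Format-Table Identity, Rights, Path -AutoSize
```

When permissions are given only to Local groups, the second table is empty and the first one reads as a list of Local groups and the folders each one controls.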