Re: Cannot Assign Permissions to Domain Local Groups
Actually NT4 didn't have domain local groups, it had local groups. The local groups on the DCs couldn't be used on members. Well I take that back, you could add them to the ACLs but the SIDs would not make it into the security token. Domain Local Groups that could be used on domain members came about with Windows 2000 native mode.

This is how I do almost all permissioning and it is in use in several 100k+ companies I deal with and I know it works well.

I would do two tests if you are absolutely sure you aren't in mixed mode.

1. I would log into a machine that is part of DomainB and verify that the group is in the token (via whoami /groups or sectok)

2. I would try to add the domain local group to a resource (or local group) on a member with a command line tool such as net localgroup / lg / subinacl / whatever.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
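The two checks Joe describes, scripted for a member server in the resource domain (an added example, not code from the thread). Assumed names: DOMAINB\Finance_Read for the domain local group and D:\Shares\Finance for the folder; icacls is used for the grant step in place of the tools Joe lists.

```powershell
# Added example, not from the thread. Assumed group and folder names.
param(
    [string]$Group  = 'DOMAINB\Finance_Read',   # domain local group in the resource domain
    [string]$Folder = 'D:\Shares\Finance'       # share on a member server of that domain
)

# Test 1: is the group in the current logon token on this member?
# "whoami /groups /fo csv" emits the columns Group Name, Type, SID, Attributes.
# Domain local groups report Type "Alias"; global groups report "Group".
# If the group is missing, the SID never made it into the token, which is the
# mixed-mode symptom Joe describes (or the logon predates the membership change).
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
$hit = $tokenGroups | Where-Object { $_.'Group Name' -ieq $Group }
if (-not $hit) {
    Write-Warning "$Group is not in this token: log on again after the membership change and confirm the domain is not in mixed mode."
    return
}
Write-Host "Token contains $($hit.'Group Name')  SID=$($hit.SID)  Type=$($hit.Type)"

# Test 2: grant the group on the resource from the command line, bypassing the
# GUI object picker. icacls resolves the account through LSA, so a failure here
# points at the domain mode or trust rather than at the picker's filtering.
# (OI)(CI)RX = read and execute, inherited by subfolders and files.
icacls $Folder /grant "${Group}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls could not resolve or apply $Group (exit code $LASTEXITCODE)"
    return
}

# Show the resulting ACE so the grant is visible and can be audited later.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -ieq $Group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```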


David V wrote:
OK. Maybe my explanation was unclear. Users in Domain A need access to a folder in Domain B. I created a Domain Local Group in Domain B and added the users from Domain A as members. When I try to grant this group permissions on the folder, the group is not searchable; in fact, no domain local groups in the domain are searchable. Note that the shared folder and the domain local group are both in the same domain. The scope of a domain local group is such that it can have members from any trusted domain, but can only access resources in the same domain; this has been the case since at least NT4 that I know of. Also, this domain, like all the domains in this forest, is in Windows 2003 functional mode.

The reason I used this model is so that: 1) I can more easily keep track of folder permissions, since I name all domain local groups "sharename"_Read or "sharename"_Modify; and so that, when a new employee is hired, I can simply copy the group memberships, instead of searching high and low for folder permissions. I have been using this same groups/permission model at this company for 5 years, and have never seen this behavior.

"Roger Abell [MVP]" wrote:

I figured you may have. I take "remote domain" to be a different
domain rather than remote part of this domain.


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:e%23xVKqniHHA.1216@xxxxxxxxxxxxxxxxxxxxxxx
Yeah I saw that, here is why I thought what I thought

"I created a domain local group in the remote domain and added the requested user accounts as members. However, when I searched for the new group from the ACL of the shared folder, it didn't appear. In fact, no domain local groups at all appear...only global groups. I have checked, and this behavior is consistent on the member servers throughout the remote domain; a full listing of available groups only lists global groups."


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net



Roger Abell [MVP] wrote:
Hey Joe.

I tend to agree with you on the oversold nature of AGLP as a hard
and fast practice. However in this case of this post I think you may
have misread, or I did. I took the post to say "I am trying to use a
domain local from domain A to grant some stuff on domain B, but
I only see globals from domain A", which is of course expected.

Roger

"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:eSzIBygiHHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
I highly dislike the AGLP model as a generic case but that isn't your problem here. Your problem is almost certainly that your remote domain is not in native mode. You don't get to use domain local groups on members until you are in native mode which means you don't have to force support for legacy NT4 group types.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net



David V wrote:
I have run across a very perplexing problem that perhaps someone else out there has seen and can provide insight on.

I recently received a request to grant a number of users in one domain access to a folder in a remote domain - pretty basic stuff, and I've done it a hundred times. So, following the trusty old AGLP pattern, I created a domain local group in the remote domain and added the requested user accounts as members. However, when I searched for the new group from the ACL of the shared folder, it didn't appear. In fact, no domain local groups at all appear...only global groups. I have checked, and this behavior is consistent on the member servers throughout the remote domain; a full listing of available groups only lists global groups. Funny thing is, if the shared folder is on a domain controller, when I want to grant permissions, all groups (global and domain local) appear. What is going on?

I had to do a sloppy work-around, granting each user access to the folder individually, but I really need this to work properly and be sustainable beyond the tenure of current employees. If anyone has an idea as to why domain local groups are not available for granting permissions on member servers within the same domain, please share your insight. Thanks in advance.
