RE: ntfs permissions and AD restore password
- From: Paul <Paul@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 16 Nov 2007 08:15:02 -0800
Thanks for the clarification on question 1 restore mode password.
Q2. Yes, I do have multiple domains. The user accounts are all located
in the child domains, and soon all their files\folders will be in the forest
root domain.
I seem to be stuck on which way to play the changes to the permissions after I
move the resources to the forest root location.
If I simply change the domain local groups to become universal groups then
I can restore the folders on the SAN and maintain the security. The downside
to this is the AD traffic. The alternative is to create new domain local
groups at the forest root level and add the child domain global groups into
these new domain local groups. The downside to this is I will have to trawl
through tons of folders adding these new domain local groups.
"Masterplan" wrote:
1. This change only affects the DC where the change was made. The password
that you use when you start Directory Services Restore Mode is stored in the
registry-based Security Accounts Manager (SAM) on the local computer. The SAM
is located in the %SystemRoot%\System32\Config folder.
2. The recommended strategy is the AGUDLP strategy: Accounts, Global, Universal,
Domain Local, Permissions. So:
- add the User Accounts to Global Groups
- add the Global Groups to Universal Groups
- add the Universal Groups to Domain Local Groups
- Domain Local Groups get Permissions.
It is not recommended to give permissions to global groups, because these
can only contain users from a single domain. If a user in another domain
needs access, we can't add them to the global group, so we will have to assign
permissions to the resource again every time we need to. You did not mention if
you have 1 domain or multiple domains, because in single-domain forests there
is no benefit to AGUDLP.
About the replication traffic, indeed group type plays a role in global
catalog server replication. Universal groups publish the group memberships in
the GCs, but global groups do not, so more replication traffic is expected
for universal groups than for global groups.
"Paul" wrote:
Two questions:
1. When changing the password of the AD restore account from ntdsutil on a
domain controller, does this change only affect the DC where the change was
made, or is the change replicated to all the DCs in the same domain?
2. I currently have my ntfs permissions assigned by putting the users into
domain global groups and then placing the domain global into domain local and
assigning the permissions against the domain local group.
I am in the process of building a SAN in the forest root domain and it is my
intention to move files\folders from three child domains into this SAN. My
question is what is the best way to apply the permissions in this scenario. I
vaguely remember reading somewhere that enterprise groups are better for
reducing AD traffic. If this is true I was thinking of changing the domain
local group to an enterprise group and assigning the permissions against this
group. My new setup would be users into domain global, domain global into
enterprise group, and permissions for the resource assigned against the
enterprise group.
Thanks
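The two options weighed in this thread (build a fresh AGUDLP chain in the forest root, or convert the existing child-domain domain local groups to universal so the ACLs on the moved folders keep working) expressed as a PowerShell script. This is an added example and not code from either poster; it assumes the ActiveDirectory module (RSAT) is installed, a forest root named root.example with child domains north.root.example and south.root.example, an OU=Groups container in each domain, a user jdoe in each child domain, an existing domain local group DL-Finance-Old in the north child domain, and a folder D:\SAN\Finance on the SAN. All of those names are hypothetical.

```powershell
# Added example (not from the original thread). Requires RSAT's ActiveDirectory module.
# Domain, OU, user, group and folder names below are hypothetical.
Import-Module ActiveDirectory

$ForestRoot   = 'root.example'
$ChildDomains = @('north.root.example', 'south.root.example')
$ShareRoot    = 'D:\SAN\Finance'          # hypothetical folder on the SAN in the forest root
$rootDN       = "DC=$($ForestRoot -replace '\.', ',DC=')"

# Option 1: AGUDLP from scratch.
# A -> G: accounts go into a Global group that lives in their own (child) domain.
$globals = foreach ($child in $ChildDomains) {
    $short   = ($child -split '\.')[0].ToUpper()
    $childDN = "DC=$($child -replace '\.', ',DC=')"
    $g = New-ADGroup -Name "GG-Finance-$short" -GroupScope Global -GroupCategory Security `
                     -Path "OU=Groups,$childDN" -Server $child -PassThru
    Add-ADGroupMember -Identity $g -Members 'jdoe' -Server $child   # hypothetical user in $child
    $g
}

# G -> U: one Universal group in the forest root collects the per-domain Global groups.
# Universal group membership is published to the global catalog (the replication cost
# the thread mentions); nesting a handful of groups rather than individual users keeps
# that membership list short and stable.
$ug = New-ADGroup -Name 'UG-Finance' -GroupScope Universal -GroupCategory Security `
                  -Path "OU=Groups,$rootDN" -Server $ForestRoot -PassThru
Add-ADGroupMember -Identity $ug -Members $globals -Server $ForestRoot

# U -> DL: a Domain Local group in the resource's domain is the only principal on the ACL.
$dl = New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security `
                  -Path "OU=Groups,$rootDN" -Server $ForestRoot -PassThru
Add-ADGroupMember -Identity $dl -Members $ug -Server $ForestRoot

# DL -> P: grant Modify, inherited by subfolders and files, to the Domain Local group.
$netbios  = (Get-ADDomain -Server $ForestRoot).NetBIOSName
$identity = "$netbios\$($dl.SamAccountName)"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $ShareRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $ShareRoot -AclObject $acl

# Option 2: keep the existing ACLs by converting the child-domain Domain Local group in
# place. A scope change does not change the group's SID, so ACEs that reference it stay
# valid after the folders are restored onto the SAN. AD refuses DomainLocal -> Universal
# while the group still contains another Domain Local group, so find those first.
function Convert-DomainLocalToUniversal {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Domain
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Domain
    if ($group.GroupScope -ne 'DomainLocal') {
        throw "$GroupName is $($group.GroupScope), not DomainLocal; nothing to convert."
    }
    # groupType bit 4 = domain local (RESOURCE_GROUP); matching rule 1.2.840.113556.1.4.803 is bitwise AND.
    $blockers = Get-ADGroup -Server $Domain -LDAPFilter `
        "(&(groupType:1.2.840.113556.1.4.803:=4)(memberOf=$($group.DistinguishedName)))"
    if ($blockers) {
        throw "Cannot convert $GroupName; remove these Domain Local members first: $($blockers.Name -join ', ')"
    }
    Set-ADGroup -Identity $group -GroupScope Universal -Server $Domain
    Get-ADGroup -Identity $group -Server $Domain -Properties objectSid |
        Select-Object Name, GroupScope, objectSid
}

# Hypothetical existing group in the north child domain whose SID is already on the folder ACLs.
Convert-DomainLocalToUniversal -GroupName 'DL-Finance-Old' -Domain 'north.root.example'
```

Run the conversion function with -WhatIf on Set-ADGroup first against a copy of the group, and compare the objectSid it prints before and after the change; unchanged SIDs are what make Option 2 work without touching the folder ACLs. Option 1 costs the one-time ACL pass the thread dreads but keeps universal group membership down to a few nested groups, which is where the GC replication cost of universal groups actually comes from.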