Premiernc

asked on

Creating groups for permissions

I am having problems creating a simple group with members and then assigning them rights to a specific directory. I have a win2k sp3 server in a single domain with AD DNS running. A very simple setup. I have all the standard default groups. I would like to create a small group with only 5 users in it to have access to a specific directory. I create the group in AD, give it domain local status or Global status, and then add users to it, and then assign it to the directory, no luck. I am not sure what the group has to be a member of, such as user/builtin or whatever. It seems I have tried all possibilities and no luck. If someone could explain in detail how to create the group properly so that the rights will work, I will be very happy.
Thanks
TooKoolKris

MS recommends that you place Users into Global Groups, then place those Global groups into Domain Local groups, and then assign permissions to that group. Sounds kind of funny, I know, but that's what they say.

Group Type and Scope Usage in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;231273

HOW TO: Manage Groups in Active Directory in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;320054

Also make sure that the DC with the infrastructure FSMO role is up and running fine. If there is a problem with this role then you will have problems with group memberships.

TKK
Log on to your server with a domain admin account (administrator will work). Open AD Users and Computers, expand your domain, highlight your domain, right click it to add a new group, name your group, make it domain local; global is not necessary if you do not have multiple domains. Once your group is created, add your users to it. Go to the folder you want to give rights to and open properties. Remove the propagation check so that the users you don't want to have access to this directory don't have it, and remove the everyone group from the directory, add your new user group and set the permissions.

Hope this helps :)
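
The sequence described in the two answers above (users into a global group, global group into a domain local group, permissions on the folder granted to the domain local group), written out as an added command-line example that is not part of any poster's reply. The domain name EXAMPLE, the group names, the user names and the folder path are made-up placeholders.

```batch
@echo off
rem Added example, not from the thread. EXAMPLE, ProjX-Users, ProjX-Access,
rem user1..user5 and D:\Data\ProjX are placeholders; substitute your own.
rem Run on the domain controller while logged on as a domain admin.
setlocal
set DOM=EXAMPLE
set GG=ProjX-Users
set DLG=ProjX-Access
set TARGET=D:\Data\ProjX

rem 1. Global group that holds the user accounts.
net group %GG% /add /domain
net group %GG% user1 user2 user3 user4 user5 /add /domain

rem 2. Domain local group; the global group is its only member.
net localgroup %DLG% /add /domain
net localgroup %DLG% %GG% /add /domain

rem 3. Inheritance is switched off in the folder's Security tab, as the
rem    answer above describes; cacls edits entries but not that setting.

rem 4. Grant first, revoke last, so nobody is locked out halfway through.
rem    /E edits the existing ACL instead of replacing it, /T includes
rem    subfolders and files. F = full control, C = change.
cacls %TARGET% /T /E /G Administrators:F
cacls %TARGET% /T /E /G %DOM%\%DLG%:C
cacls %TARGET% /T /E /R Everyone

rem 5. Check the result: group membership, then the ACL on the folder.
net group %GG% /domain
net localgroup %DLG% /domain
cacls %TARGET%
endlocal
```

An account that was already logged on when it was added to the group has to log off and back on before the new membership takes effect, because group membership is read into the access token at logon.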

ASKER

PCBrat,
Thanks for the steps but it still does not work. Should this group be a member of any other group such as users/builtin etc.? At the directory security area, I am adding the new group and giving full control for the sake of testing. I have added administrator to the group before trying this. Once I remove the other groups, everyone and domains users from the security on the directory, I cannot access it with administrator logged in. Am I missing something? It seems like this should be simple.
TooKoolKris,
The DC has been up and running for awhile, and I can give rights to the directories for individual users with no trouble. How do I perform any checks to make sure I am not having any other strange problems making this happen?
Thanks
Does the behavior change when you assign the rights to a User instead of a group?

Are there inherited permissions on this folder?

What effective rights are you allowing (Read, Write, Create, etc.)? If you are assigning any deny rights, it is what is causing this. Deny rights override allow rights.
Run dcdiag.  AD is dependent on DNS, domain controller diagnostics may help figure out what is wrong here.
I can assign an individual user all the rights in the world and it works fine. I'm not sure where the issue is, with the group or in the directory. I have taken off the inherited permissions. Kinda stumped
What have you done?  Have you tried what TKK suggested?  Have you run DCDiag?  Your last post was no different than the first and we can't see what you have tried, what worked and what didn't?
Sorry for the delay,
I was just blowing it by not giving the group any specific rights in group policy. I thought if you made a group a member of a builtin group like "users" the rights for the group would transfer to the new group, not the case. Does anyone know how to copy the group policy rights from one group to another, essentially making two groups the same? Then I could take away a certain number of rights rather than having to add the group to every right it needs.
ASKER CERTIFIED SOLUTION
TooKoolKris

Thanks for the input. I didn't try the last suggestion, but will do so soon, thanks.