Security groups (Solved)

Posted on 2006-07-12
Last Modified: 2010-04-11
This is an MS study guide question...

There is a network consisting of several domains in a single AD forest, Abc.com. The functional level for all child domains is Win2000 mixed.

A server named Xyz.com runs Win 2003. You share a folder named SalesDoc on this server. In the properties of SalesDoc you give Full Control to a UNIVERSAL group called U_Sales in Abc.com.

It shows a picture with the effective permissions for U_Sales showing it has Full Control.

It goes on to say:

In each domain in the forest, you make a global group called G_Sales, whose members consist of users in that domain's department. You add EVERY G_Sales group to the U_Sales group.

A user is a member of G_Sales in Child1.Abc.com, and he says he cannot get access to SalesDocs.

It shows the effective permissions of the user for SalesDocs, and NOTHING is checked.

It says one COMPLETE solution is to change the group scope of U_Sales to Domain Local.

Now, I can kind of understand why that would work, as the user is in G_Sales, which in turn is a member of U_Sales, and therefore a domain local group would allow access.

BUT it says another COMPLETE solution is to just give the G_Sales group in Child1.Abc.com Full Control.

My questions are:

How can you just allow Full Control to G_Sales in Child1.Abc.com and expect that to work, when we are told the functional level for child domains is 2000 mixed, i.e. universal groups cannot be used?

Also, how would the user still get access by just changing the group to a domain local group if the perms showed nothing was checked?
Question by: LFC1980

Author Comment

by:LFC1980
ID: 17091397
Also, does it work with a local group, as they are in the same forest?

Expert Comment

by:Mcfake
ID: 17138937
When you add a group to another parent group, you need to make sure you have permissions set that also inherit the parent's permissions.

When a group joins a group and you haven't got that ticked, it doesn't gain the extended privileges.

For example, I can have:
parent group A; this has Full Access
I make sub-group B join
sub-group B gains Read access to files by default.

If inherit was turned on, they would automatically inherit the parent group's permission of Full.

For example, often you have people labelled Everyone in a group, but you don't give them full access or inherit.

A common example is the DOMAIN ADMINS group, which entitles the people inside that group to access everything from that domain. This is not a good one to add inherit to and add everyone :).

Hope that makes sense to you.

With regards to adding a local group or user: if you are part of a domain and you change the group to a local group and give it FULL domain access, this would give the users full access on that one server locally to the file.

Author Comment

by:LFC1980
ID: 17145047
OK, I can see why giving Full Control to G_Sales would work, i.e. as he was a part of G_Sales, it probably didn't have the rights to get into SalesDocs.

However, I am still not clear why universal groups are allowed in this setup, when it states "the functional level for all child domains is Windows 2000 MIXED". I thought that to use universal groups it has to be Win 2000 NATIVE. In one of the answers, it even says you have to change the scope of U_Sales to local. So how can it work by just changing permissions, if universal groups are not allowed in the first place?

And can you confirm the following:

- Even if a GLOBAL group is in a LOCAL group, it still has the ability to access stuff that only a global one can?

- And above where it said "change the scope of U_Sales to a local group": would this still have worked if, instead of changing it to a local group, it was changed to a Global group?

Author Comment

by:LFC1980
ID: 17262493
Anyone?

Accepted Solution

by: Mcfake (earned 200 total points)
ID: 17286394
"Even if a GLOBAL group is in a LOCAL group, it still has the ability to access stuff that only a global one can?"

You can be in local and global at the same time, therefore enabling you to access both.
IF you are a local user group but part of a trusted server, this will enable your access to go across the servers.

Don't get confused with mixed mode and native mode. This is only used for access to NT systems. It doesn't affect anything in a complete 200x environment.

If you make U_Sales a global group with full access, this group will have access to all files on both domains (depending on a trust being set up).

Mixed mode vs Native mode
http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=7156

Hope that helps.

I recommend you get Virtual PC and set up 2 servers and connect, and set up the test lab. It's a lot easier when you see it. The fact that the server is in Mixed mode probably means there is a later question about putting in an NT server, and what problems you will get with the access rights.

GL, thx
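The following is an added worked example, not part of the thread above and not the study guide's text or any Microsoft code. It is a small Python model of the forest described in the question: the scope nesting rules for security groups (which groups may contain which, across domains), the three stages in which a logon token is assembled (global groups from the account domain, universal groups from the global catalog, domain-local groups from the resource domain), and an ACL check against that token. It then replays the SalesDoc scenario with no fix, with U_Sales changed to Domain Local, and with G_Sales in Child1.Abc.com granted Full Control directly, and also answers the follow-up about making U_Sales a global group. Assumptions, marked in the code: the root domain Abc.com is in native mode (the page only states the level of the child domains), the server Xyz.com belongs to Abc.com, a mixed-mode account domain does not add universal groups to the token at logon (the asker's reading of the guide), and the user name `salesuser` is constructed.

```python
"""Toy model of AD group-scope rules and logon-token building for the
SalesDoc scenario. Illustrative only; simplifications are marked ASSUMPTION."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    name: str
    mixed: bool          # True = Windows 2000 mixed mode


@dataclass(eq=False)     # identity hashing, so a group's scope can be changed in place
class Principal:
    name: str
    domain: Domain
    scope: str           # "user", "global", "universal" or "domainlocal"


class Forest:
    def __init__(self):
        self.members = {}    # group -> set of direct members

    def create_group(self, name, domain, scope):
        # Universal security groups cannot be created in a mixed-mode domain.
        if scope == "universal" and domain.mixed:
            raise ValueError(f"{domain.name} is mixed mode: no universal security groups")
        group = Principal(name, domain, scope)
        self.members[group] = set()
        return group

    @staticmethod
    def can_nest(parent, child):
        """Scope nesting rules for security groups within one forest."""
        same_domain = parent.domain == child.domain
        if parent.scope == "global":        # only accounts/globals from its own domain
            return same_domain and child.scope in ("user", "global")
        if parent.scope == "universal":     # accounts/globals/universals from any domain
            return child.scope in ("user", "global", "universal")
        if parent.scope == "domainlocal":   # any of the above, plus own-domain DLs
            return child.scope in ("user", "global", "universal") or (
                same_domain and child.scope == "domainlocal")
        return False

    def add_member(self, parent, child):
        if not self.can_nest(parent, child):
            raise ValueError(f"{parent.scope} group {parent.name} cannot contain {child.name}")
        self.members[parent].add(child)

    def _expand(self, token, wanted):
        """Add every group accepted by `wanted` that contains something already in the token."""
        token = set(token)
        grown = True
        while grown:
            grown = False
            for group, members in self.members.items():
                if group not in token and wanted(group) and members & token:
                    token.add(group)
                    grown = True
        return token

    def logon_token(self, user, resource_domain):
        # 1. The account domain's DC adds the user's global groups (nested globals too).
        token = self._expand({user}, lambda g: g.scope == "global")
        # 2. Universal groups come from the global catalog. ASSUMPTION (the asker's
        #    reading of the guide): a mixed-mode account domain does not add them.
        if not user.domain.mixed:
            token = self._expand(token, lambda g: g.scope == "universal")
        # 3. The resource domain's DC adds its own domain-local groups.
        token = self._expand(token, lambda g: g.scope == "domainlocal"
                             and g.domain == resource_domain)
        return token


def has_full_control(acl, token):
    """acl maps principal -> set of rights; access if any token entry holds FullControl."""
    return any("FullControl" in rights for who, rights in acl.items() if who in token)


def build_scenario():
    abc = Domain("Abc.com", mixed=False)           # ASSUMPTION: root domain is native
    child1 = Domain("Child1.Abc.com", mixed=True)  # given: child domains are mixed
    forest = Forest()
    u_sales = forest.create_group("U_Sales", abc, "universal")
    g_sales_abc = forest.create_group("G_Sales", abc, "global")
    g_sales_child1 = forest.create_group("G_Sales", child1, "global")
    user = Principal("salesuser", child1, "user")  # constructed sample user
    forest.add_member(g_sales_child1, user)
    forest.add_member(u_sales, g_sales_abc)
    forest.add_member(u_sales, g_sales_child1)
    acl = {u_sales: {"FullControl"}}               # the SalesDoc ACL as described
    return forest, abc, user, u_sales, g_sales_child1, acl


def salesdoc_access(fix=None):
    """fix=None reproduces the guide's picture; the two fixes are its 'complete' answers."""
    forest, abc, user, u_sales, g_sales_child1, acl = build_scenario()
    if fix == "domainlocal":
        u_sales.scope = "domainlocal"              # ASSUMPTION: Xyz.com belongs to Abc.com
    elif fix == "grant_g_sales":
        acl[g_sales_child1] = {"FullControl"}
    return has_full_control(acl, forest.logon_token(user, resource_domain=abc))


def global_scope_would_work():
    """Follow-up question: could U_Sales have become a global group instead?"""
    forest, _, _, u_sales, g_sales_child1, _ = build_scenario()
    u_sales.scope = "global"
    return forest.can_nest(u_sales, g_sales_child1)  # cross-domain global nesting: no


if __name__ == "__main__":
    print("as described:", salesdoc_access())
    print("U_Sales -> domain local:", salesdoc_access("domainlocal"))
    print("grant G_Sales directly:", salesdoc_access("grant_g_sales"))
    print("U_Sales -> global possible:", global_scope_would_work())
```

Run as a script it prints the four outcomes: no access as described, access with either of the guide's two fixes, and `False` for the global-scope idea, because a global group can only contain accounts and global groups from its own domain, so the G_Sales groups of the child domains could never be nested in a global U_Sales in Abc.com. The model also shows why the two fixes are each complete on their own: the domain-local change moves U_Sales into the stage that the resource domain's DC evaluates itself, while the direct grant puts an ACE on a group that is already in the user's token.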