Solved

Security groups

Posted on 2006-07-12
Last Modified: 2010-04-11
This is a MS study guide question...

There is a network consisting of several domains in a single AD forest, Abc.com. The functional level for all child domains is Win2000 mixed.

A server named Xyz.com runs Win 2003. You share a folder named SalesDoc on this server. In the properties of the SalesDoc you give Full control to a UNIVERSAL group called U_Sales in Abc.com.

It shows a pic with the effective perms for U_Sales showing it has full control

It goes on to say

In each domain in the forest, you make a global group called G_Sales, whose members consist of users in that domain's department. You add EVERY G_Sales group to the U_Sales group.

A user is a member of G_Sales in Child1.Abc.com. And he says he cannot get access to SalesDocs.

It shows the effective perms of the user for SalesDocs, and NOTHING is checked.

It says one COMPLETE solution is to change the group scope of U_Sales to Domain Local.

Now, I can kind of understand why that would work, as the user is in G_Sales, which in turn is a member of U_Sales, and therefore a domain local group would allow access.

BUT it says another COMPLETE solution is just give the G_Sales group in Child1.Abc.com full control.

My questions are:

How can you just allow full control to G_Sales in Child1.Abc.com and expect that to work, when we are told the functional level for child domains is 2000 mixed, i.e. universal groups cannot be used?

Also, how would the user still get access by just changing the group to a domain local group if the perms showed nothing was checked?
Question by:LFC1980

Author Comment

by:LFC1980
ID: 17091397
Also, does it work with a local group, as they are in the same forest?

Expert Comment

by:Mcfake
ID: 17138937
When you add a group to another parent group, you need to make sure you have permissions set that also inherit the parent permissions.

When a group joins a group and you haven't got that ticked, it doesn't gain the extended privileges.

For example, I can have
parent group A; this has Full access.
I make sub.B group to join.
sub.B gains Read access to files by default.

If inherit was turned on, they would automatically inherit the parent group's permissions of Full.

For example, often you have people labeled Everyone in a group, but you don't give them full access or inherit.

A common example is the DOMAIN ADMINS group, which entitles your people inside that group to access everything from that domain. This is not a good one to add inherit and add everyone :).

Hope that makes sense to you.

With regards to adding a local group or user: if you are part of a domain and you change the group to a local group and give it FULL domain access, this would give the users full access on that 1 server locally to the file.

Author Comment

by:LFC1980
ID: 17145047
OK, I can see why giving full control to G_Sales would work, i.e. as he was a part of G_Sales, it probably didn't have the rights to get into SalesDocs.

However, I am still not clear why Universal groups are allowed in this setup, when it states "the functional level for all child domains is Windows 2000 MIXED". I thought to use Universal groups it has to be Win 2000 NATIVE. In one of the answers, it even says you have to change the scope of U_Sales to local. So how can it work by just changing permissions, if the Universal groups are not allowed in the first place?

And can you confirm the following:

- Even if a GLOBAL group is in a LOCAL group, it still has the ability to access stuff that only a global one can?

- And above, where it said "change the scope of U_Sales to a local group": that this would have still worked if, instead of changing it to a local group, it was changed to a Global group.

Author Comment

by:LFC1980
ID: 17262493
Anyone?

Accepted Solution

by:
Mcfake earned 200 total points
ID: 17286394
- Even if a GLOBAL group is in a LOCAL group, it still has the ability to access stuff that only a global one can?

You can be in local and global at the same time, therefore enabling you to access both.
If you are a local user group but part of a trusted server, this will enable your access to go across the servers.

Don't get confused with mixed mode and native mode. This is only used for access to NT systems; it doesn't affect anything in a complete 200x environment.

If you make U_Sales a global group with full access, this group will have access to all files on both domains (depending on a trust being set up).

Mixed mode vs Native mode
http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=7156

Hope that helps.

I recommend you get Virtual PC, set up 2 servers, connect them, and set up the test lab. It's a lot easier when you see it. The fact that the server is in mixed mode probably means there is a later question about putting in an NT server, and what problems you will get with the access rights.

GL, thx.