Solved

Where is my Group?

Posted on 2009-04-09
Last Modified: 2012-05-06
I have created a group called Acct. On a DC I have added a user to this group named Jay. I go to my Member Server win2k3 and Share a folder called Shared. I go to Shared permissions to allow the Group Acct to access this folder. I cannot find that group in Dialog box(es). I stick with the defaults of everyone/read.

I go to security tab to add Acct access to the Shared folder. I cannot find the Acct group in Dialog Box(es). I can find the user Jay, I can give permissions to Jay. I need to be able to do this for groups. Where did my Acct group go?

Selected Object Types = Built in Security Principals, Groups and User. (I did NOT select Computers for the obvious reasons).
 
From This Location = (Searched in) Entire Directory, Users, Container where Acct and Jay account resides. Still NO Acct group...

What? What? What?

Simple I know.


0
Question by:ultreya
31 Comments
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109301
Did you make it a security group and not a distribution group?  In ADUC, right click on the group you have created.  Click properties.  Let me know.  It should be a security group.
0
 

Author Comment

by:ultreya
ID: 24109312
I am sorry I should have added that ...
Security Group.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24109333
Very odd, can you download adfind
http://www.joeware.net/freetools/tools/adfind/index.htm
run
adfind -sc  g:Acct
just want to make sure that group is in the directory.
...also if it is there what kind of group is it (i.e. global/security)
Thanks
Mike
 
0
 
LVL 83

Accepted Solution

by:oBdA
oBdA earned 150 total points
ID: 24109363
Could it be that this is a *domain* *local* group, and your AD is not running in W2k3 functional level yet?
Or that you have more than 1 DC and the member server was checking against the other one, while the group maybe wasn't replicated yet?
0
 

Author Comment

by:ultreya
ID: 24109380
I cannot add 3rd party software to the server... Company rules, for security.
I can assure you that the Acct Group and Jay are there. I can go to the Exchange server (separate server) and see them through AD Console. I can go to the 2nd DC and see the Acct Group and Jay.

Domain local / Security
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109382
Sounds like it hasn't replicated yet.

http://technet.microsoft.com/en-us/library/cc776188.aspx
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24109421
Domain local groups are only available on member servers if the domain is running at least in Windows 2000 native mode.
If you don't have any DCs running NT4 or W2k (and are not planning to introduce any ever), you can raise the functional level of your AD:
How to raise domain and forest functional levels in Windows Server 2003
http://support.microsoft.com/kb/322692
0
 

Author Comment

by:ultreya
ID: 24109463
My domain functional level is 2K3. All 6 of my servers are Server2K3.
0
 

Author Comment

by:ultreya
ID: 24109481
"Sounds like it hasn't replicated yet."
I have forced replication on the servers (DC's), With NO change I still cannot see the Group Acct only the user Jay.

I created the Acct group and Jay about 3 hours ago. Replication takes place 180 minute intervals?
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109502
See?
domain.jpg
0
 

Author Comment

by:ultreya
ID: 24109549
This¿
Acct.bmp
0
 
LVL 8

Assisted Solution

by:MrMintanet
MrMintanet earned 150 total points
ID: 24109590
Change the scope to Global.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24109606
Your domain is not running in W2k3 functional level, otherwise you'd have the possibility to convert the group type to Universal, and you'd be able to see the group on the member server.
Please check the article I linked above.
0
 

Author Comment

by:ultreya
ID: 24109625
Success...
Why Global works and not Domain local.
It's in the same domain¿¿¿
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109634
What was success?  How wonderful those three ¿¿¿ are.  LOL
0
 

Author Comment

by:ultreya
ID: 24109649
"Your domain is not running in W2k3 functional level, otherwise you'd have the possibility to convert the group type to Universal, and you'd be able to see the group on the member server."

My apologies. You are correct. I thought we set this domain up as 2k3 since all servers are 2k3. My bad.

Does this explain why domain local would not register???
0
 

Author Comment

by:ultreya
ID: 24109658
"Change the scope to Global"
I deleted the Acct group, and recreated the group, as a global, and it was instantly seen.
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109673
:)  Good.  Glad I could finally get someone's problem solved!  LOL.  It's been a slow day for me.  I have a touch of the flu.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24109678
...and if all your DCs are at 2k3 you should plan to raise your functional level at some point.
Thanks
Mike
0
 

Author Comment

by:ultreya
ID: 24109692
Why did I have to use global though?
Domain Local should have done the same thing. I only have the one domain.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24109699
Change the forest and domain functional level to W2k3, and you'll be able to use domain local groups on member servers as well. You'll be able to change the group scope and type, and it will make it easier to use concepts like AGDLP (http://en.wikipedia.org/wiki/AGDLP)
Group scope
http://technet.microsoft.com/en-us/library/cc755692.aspx
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109725
Is this not solved?
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24109727
As I've said before: domain local groups are only available on member servers if your domain functional level is at least Windows 2000 native. All lower versions (Windows 2000 mixed, W2k3 interim) allow the use of NT4 DCs, and NT4 DCs can't handle domain local groups; these were only introduced with AD.
0
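The two checks the experts ask for in this thread (security vs. distribution group, and group scope vs. domain functional level) can be read straight from directory attributes. The following is an added example, not code from any poster: it decodes a group's `groupType` value and the domain object's `nTMixedDomain` and `msDS-Behavior-Version` values, and applies the rule oBdA states above. The function names are hypothetical, and the sample values assume a Windows 2000 mixed domain, which the thread does not confirm.

```powershell
# Added example, not from the thread. Attribute names are standard AD schema
# attributes; the sample values at the bottom are constructed.

function Get-GroupInfo {
    param([int]$GroupType)                       # group's groupType attribute
    if     ($GroupType -band 0x2) { $scope = 'Global' }
    elseif ($GroupType -band 0x4) { $scope = 'DomainLocal' }
    elseif ($GroupType -band 0x8) { $scope = 'Universal' }
    else                          { $scope = 'Unknown' }
    # The sign bit (0x80000000) marks a security group; clear means distribution.
    New-Object PSObject -Property @{ Scope = $scope; Security = ($GroupType -lt 0) }
}

function Get-DomainMode {
    # nTMixedDomain and msDS-Behavior-Version are read from the domain object.
    param([int]$NtMixedDomain, [int]$BehaviorVersion)
    if ($BehaviorVersion -ge 2) { return 'Windows Server 2003 or higher' }
    if ($BehaviorVersion -eq 1) { return 'Windows Server 2003 interim' }
    if ($NtMixedDomain -eq 1)   { return 'Windows 2000 mixed' }
    return 'Windows 2000 native'
}

function Test-GroupOnMemberServer {
    param([int]$GroupType, [int]$NtMixedDomain, [int]$BehaviorVersion)
    $group = Get-GroupInfo $GroupType
    $mode  = Get-DomainMode $NtMixedDomain $BehaviorVersion
    # Modes that still allow NT4 DCs, per the thread.
    $allowsNt4 = ($mode -eq 'Windows 2000 mixed') -or ($mode -eq 'Windows Server 2003 interim')
    $reason = $null
    if (-not $group.Security) {
        $reason = 'distribution group: cannot be used on an ACL'
    } elseif ($group.Scope -eq 'DomainLocal' -and $allowsNt4) {
        $reason = "domain local group in a '$mode' domain: not available on member servers"
    }
    New-Object PSObject -Property @{
        Scope = $group.Scope; Security = $group.Security; DomainMode = $mode
        Usable = ($null -eq $reason); Reason = $reason
    }
}

# Constructed samples: Acct before and after the fix, assuming a Windows 2000 mixed domain.
$domainLocalSecurity = -2147483644   # 0x80000004
$globalSecurity      = -2147483646   # 0x80000002
Test-GroupOnMemberServer $domainLocalSecurity 1 0   # Acct as first created
Test-GroupOnMemberServer $globalSecurity 1 0        # Acct recreated as global
```

The three input values can be read with any LDAP viewer from the group object and the domain head object, so nothing has to be installed on the member server itself.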
 

Author Comment

by:ultreya
ID: 24109738
I believe we are getting ready to change all servers to 2008,
thus any changes to the existing network will be debated.
Thank you for your help.
0
 

Author Closing Comment

by:ultreya
ID: 31568631
Thank you for your help.
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109807
How was my answer not considered accepted?  It was considered "assisted".  What on earth?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24109854
Let it go man...you got points :)  
In the end he was helped and that is what matters
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109896
LOL.  Right... Somehow, I think I was robbed.  Meh... anyways!  Onward!  To the next question!
0
 

Author Comment

by:ultreya
ID: 24109939
MrMintanet, I am sorry you feel robbed on points. I increased the value to 300 and split them between you and oBdA.

Your resolution was correct, in that I changed to a global group rather than a domain local, and I could then see the group.

Although oBdA's first post was correct and it was my error that overlooked what would have been the final resolution.

The site is responsible for determining assisted due to placement. I would be more than happy to resolve any issues you may have with the grading system, just tell me what you want me to do? I admit MY ERROR in overlooking oBdA and where he was going, so in essence he got hosed on points as well. So how do I make it right?
0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24109975
My tears are shed, but my face is dry.  I will try to wipe up my mess so no one slips and falls.  :)  It's fine.  I am just a tad bit saddened by my lack of love.  I am going to buy a dog tonight.
0
 

Author Comment

by:ultreya
ID: 24109989
Well I hope you at least get to feeling better. I know the flu sux :)
0
