jodie888
asked on
Windows 2000 Active Directory Global Vs. Local Permissions
I have a company in the UK that wants to have the ability to grant accounts, but account access will need to be managed locally in the USA. (The accounts will need to be managed in their entirety from the UK. However, access will be managed locally in the USA.) The UK office cannot have access into the US network at all. Can someone explain if this can be done? If so, how do we do it? The question becomes, "Can the UK office manage accounts and be locked out of the US network if they still control the creation of accounts from the UK?"
My first line was supposed to read...
"In the US domain, the US admin creates domain local groups..."
ASKER
The UK office cannot access the US network at all. In other words, the UK creates user accounts but the US manages the access to the network and must block out the UK users from accessing any US resources.
ASKER
If the UK creates the accounts how can the US block out UK access?
As I said, you don't need access to each other's domain. Are we talking two domains? Basically the US has resources that it wishes to control access to?
- The US creates a domain local group and grants this group the required level of access.
- The UK creates users and puts them into a global group.
- The US then adds this global group to the domain local group, thus granting its members access.
- If the US wants to change or restrict the access granted, they change the permissions granted to the domain local group, thus granting/changing access of the UK users.
ASKER
Thanks for your reply.
We are talking the same domain (UK and US in the same domain). I guess what I am confused about is how can I keep the UK out of US directories if they are the ones controlling the creation of accounts? Could they override my settings in the US if they needed or wanted to? All the accounts would be created in the UK but US will control access. But if UK creates the accounts couldn't they also delete these accounts? Could they not gain access into the network as well?
ASKER CERTIFIED SOLUTION
ASKER
Thanks to Tony for clarifying what I needed. He was very responsive and extremely helpful. Kudos to you... thanks for the knowledge!
In the US domain, create domain local groups used to grant access to the shares (e.g. a group called 'Accounts Files'). Admins in the US can then grant this group the permissions to the local resources.
In the UK domain, you create a global group, say 'Accounts Users', and place your users into this group.
The US admin then places your global group 'Accounts Users' into 'Accounts Files', thus granting your users access to the resources in the US domain.
That way, the US admin has control over the level access to the resources the group has, while you have control of who gets that level of access.
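The group nesting pattern given in both answers above (user accounts into a global group, the global group into a domain local group, permissions on the domain local group), scripted end to end. This is an added example, not code from the thread or from Tony's certified solution; it assumes a single domain named corp.example, the OU names 'UK Users' and 'US Resources', the user 'j.smith', a delegation group 'UK Account Admins', and the share path D:\Shares\Accounts, all of which are illustrative. The cmdlets come from the ActiveDirectory module, which postdates Windows 2000; on a Windows 2000 domain the same steps are done in Active Directory Users and Computers and the Delegation of Control wizard.

```powershell
# Added example (not from the original thread): the AGDLP pattern from the answers
# above, scripted with the ActiveDirectory module. Assumed: single domain corp.example,
# the OU/user/group names below, and the share path D:\Shares\Accounts.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example

# --- US side: owns the resource and the domain local group that guards it ---
New-ADOrganizationalUnit -Name 'US Resources' -Path $domainDN -ErrorAction SilentlyContinue
New-ADGroup -Name 'Accounts Files' -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=US Resources,$domainDN" -Description 'Modify access to D:\Shares\Accounts'

# Grant the domain local group (and only it) NTFS Modify on the shared folder.
$folder = 'D:\Shares\Accounts'
$acl = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\Accounts Files', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# --- UK side: owns the people and the global group that represents them ---
New-ADOrganizationalUnit -Name 'UK Users' -Path $domainDN -ErrorAction SilentlyContinue
New-ADGroup -Name 'Accounts Users' -GroupScope Global -GroupCategory Security `
    -Path "OU=UK Users,$domainDN"

$password = Read-Host -AsSecureString -Prompt 'Initial password for j.smith'
New-ADUser -Name 'Jane Smith' -SamAccountName 'j.smith' -Path "OU=UK Users,$domainDN" `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Accounts Users' -Members 'j.smith'

# --- US side again: this single nesting is the only link between the two sides ---
Add-ADGroupMember -Identity 'Accounts Files' -Members 'Accounts Users'

# Check: who effectively reaches the share? Expand the domain local group recursively.
# Expected to list j.smith (user) once the nesting above is in place.
Get-ADGroupMember -Identity 'Accounts Files' -Recursive |
    Select-Object SamAccountName, objectClass

# The asker's worry about the UK deleting accounts or reaching US resources is
# answered by scoping the UK admins' rights to their own OU. Assumed group name.
New-ADGroup -Name 'UK Account Admins' -GroupScope Global -GroupCategory Security `
    -Path "OU=UK Users,$domainDN"
# dsacls: CC = create child, DC = delete child, limited to user objects;
# /I:T applies the grant to the OU and everything beneath it.
dsacls "OU=UK Users,$domainDN" /I:T /G 'CORP\UK Account Admins:CCDC;user'
```

Two things worth checking after running this. First, the US side can revoke or narrow access at any time by editing the ACL on 'Accounts Files' or removing 'Accounts Users' from it, without touching any UK account; the UK side can add and remove people from 'Accounts Users' without ever holding rights on the US folder. Second, in the single-domain case the asker describes, the separation only holds if UK administrators are not members of Domain Admins, Account Operators or similar built-in groups: a domain-wide administrator can override any ACL, so their rights must be delegated on the UK OU only, as the dsacls line does. In the two-domain variant Tony first sketched, the same commands apply, with the global group living in the UK domain and added across a trust to the US domain local group.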