Windows 2000 Active Directory Global Vs. Local Permissions

I have a company in UK that wants to have the ability to grant accounts but account access will need to be managed locally in the USA. (The accounts will need to be managed in its entirety from the UK.  However, access will be managed locally in the USA.)  The UK office cannot have access into the US network at all.  Can someone explain if this can be done?  If so, how do we do it?  The question becomes, "Can the UK office manage accounts and be locked out of the US network if they still control the creation of accounts from the UK?"
jodie888 asked:
bluntTony (Head of ICT) commented:
The way you would manage this is:

In the US domain, create domain local groups used to grant access to the shares (e.g. a group called 'Accounts Files'). Admins in the US can then grant this group the permissions to the local resources.

In the UK domain, you create a global group, say 'Accounts Users', and place your users into this group.

The US admin then places your global group 'Accounts Users' into 'Account Files', thus granting your users access to the resources in the US domain.

That way, the US admin has control over the level access to the resources the group has, while you have control of who gets that level of access.
bluntTony (Head of ICT) commented:
My first line was supposed to read...

"In the US domain, the US admin creates domain local groups..."

jodie888 (Author) commented:
The UK office cannot access the US network at all.  In other words, the UK creates user accounts but the US manages the access to the network and must block out the UK users from accessing any US resources.

jodie888 (Author) commented:
If the UK creates the accounts how can the US block out UK access?
bluntTony (Head of ICT) commented:
As I said, you don't need access to each other's domain. Are we talking two domains? Basically the US has resources that it wishes to control access to?
- The US creates a domain local group and grants this group the required level of access.
- The UK creates users and puts them into a global group.
- The US then adds this global group to the domain local group, thus granting its members access.
- If the US wants to change or restrict the access granted, they change the permissions granted to the domain local group, thus granting/changing access of the UK users.
jodie888 (Author) commented:
Thanks for your reply.  

We are talking the same domain (UK and US in the same domain).  I guess what I am confused about is how can I keep the UK out of US directories if they are the ones controlling the creation of accounts? Could they override my settings in the US if they needed or wanted to?  All the accounts would be created in the UK but US will control access.  But if UK creates the accounts couldn't they also delete these accounts?  Could they not gain access into the network as well?
bluntTony (Head of ICT) commented:
In that case, you would need to place the domain local groups (which are granted the access to the resources) in an OU which the UK has no control over. You can create a global group to contain the US admin user accounts, add this group to the security tab of the OU, then remove the rights of 'Domain Admins'. By default, Domain Admins have full control over all of the domain, but you can change this so that only a specified group does.

This would mean that only this group has control over this OU. You can then create and maintain the domain local groups in this OU. The UK can still create accounts, but only the US can place those users into the required domain local groups to grant them access to certain resources. Also change the owner of the OU to your group so that the UK domain admins cannot re-add themselves.

Check the security tab in the properties of an OU. You can grant/remove permissions similar to how you would for a file/folder. You can be more granular also in the 'Advanced' tab, where you could grant a group the right to create new objects, but not to delete them.
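The group nesting (accounts in a global group, global group in a domain local group, permissions on the domain local group) and the OU lock-down that Tony describes, scripted as an added example that is not from the thread and not Windows 2000-era tooling: it assumes the ActiveDirectory PowerShell module (Server 2008 R2 or later) run by a US administrator on a domain controller. The OU names, the 'US Admins' group and the sample user names are constructed assumptions.

```powershell
# Added example, not from the thread. Names below are constructed placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$usOU     = "OU=US Resource Groups,$domainDN"   # assumed: OU the UK must not control
$ukOU     = "OU=UK Users,$domainDN"             # assumed: where the UK creates accounts

# 1. US side: domain local group that is granted the NTFS/share permissions locally.
New-ADGroup -Name "Accounts Files" -GroupScope DomainLocal -GroupCategory Security -Path $usOU

# 2. UK side: global group that holds the user accounts the UK manages.
New-ADGroup -Name "Accounts Users" -GroupScope Global -GroupCategory Security -Path $ukOU
Add-ADGroupMember -Identity "Accounts Users" -Members "jsmith", "mjones"   # constructed sample users

# 3. US side: nest the global group into the domain local group. Only this step grants access,
#    and only the US admins (who control the OU below) can perform it.
Add-ADGroupMember -Identity "Accounts Files" -Members "Accounts Users"

# 4. Lock the US OU to a US admin group: stop inheritance, grant the group full control,
#    drop the explicit Domain Admins entry and make the group the owner.
$usAdminSid = (Get-ADGroup "US Admins").SID          # assumed group of US admin accounts
$daSid      = (Get-ADGroup "Domain Admins").SID
$acl        = Get-Acl -Path "AD:\$usOU"

$acl.SetAccessRuleProtection($true, $false)          # no longer inherit from the domain root
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $usAdminSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)

$acl.Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $daSid } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$acl.SetOwner($usAdminSid)
Set-Acl -Path "AD:\$usOU" -AclObject $acl

# Caveat for the defender: members of Domain Admins keep SeTakeOwnershipPrivilege on domain
# controllers and can reclaim this OU. The separation only holds if the UK account creators
# are delegated create/modify rights on their own OU rather than being Domain Admins.
```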
jodie888 (Author) commented:
Thanks to Tony for clarifying what I needed.  He was very responsive and extremely helpful.  Kudos to you... thanks for the knowledge!