Solved

Global group grants access for file permissions but domain local group does not

Posted on 2010-08-26
Last Modified: 2013-12-04
I'm setting up the permissions for access to shared drives on the servers in our system. (Should have been done years ago but then again, everything I've been doing since I started working here a few months ago should have been.) I'm reasonably new to Active Directory and domain management and stuff, so this might be a simple solution.

Anyway, I'm trying to do everything right, so I have global groups that are part of domain local groups and the domain local groups are given permissions.  The problem I'm having is the permissions on a different server (same domain).  When I give permissions to a domain local group, only the people in that group that are also domain admins actually get permissions.  But if I add the global group that is a member of the domain local group directly to the folder's permissions, then all users get access.  I'm not really sure where to go from here.

Thanks for the help.

P.S. Both servers in question are Windows 2003 R2
Question by:mjburgard
6 Comments
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 500 total points
ID: 33535597
If you are going to use the AGLP paradigm, then you should create the local groups on the local server, if that server is a domain member. Then add the domain Global groups as a member to those local groups.

The Domain Local groups can only be used on domain controllers.

The Domain Admins group probably inherited their permission another way (e.g. by being a member of the computer-local Administrators group). You can't assign rights to Domain Local groups on member servers, or use them in other domains.

About group scopes: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33537277
Ok I guess I'm worse off than I thought, 'cause I can't figure out how to create local groups on the other server.  I'm assuming it's just with some Windows component that I don't have installed or something.
0
 
LVL 12

Accepted Solution

by:Rant32
Rant32 earned 500 total points
ID: 33539668
You can use Computer Management | Local Users and Groups | Groups
This snap-in is not available on domain controllers, just domain members and workgroup servers.

The command line to add a new local group is: NET LOCALGROUP "Groupname" /ADD /COMMENT:"Description"

The command line to add domain global groups to that group is: NET LOCALGROUP "Groupname" "DOMAIN\Groupname" /ADD
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33544168
Ok I found that and was able to make groups, but now when I go to the folders on that computer and try to add the groups to the permissions it can't find them.  Tried searching entire directory and the local computer, didn't find it either way.  I'm sure it's something else simple that I am missing.
0
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 500 total points
ID: 33544606
Typing partial names in the 'Select Users, computers and groups' dialog and then "Check names" will not find local groups on a member server. You must type the full group name (including computer name as above) or use: Advanced | Location... | Change to local computer | Find Now, to find all groups.

Yes, they did make that unnecessarily difficult.

Check names works only for objects in the domain, and only if the group name starts with the partial text.

For good measure, can you try typing: computername\groupname
into the search box when adding your group? See if it can find that? If that doesn't work, please tell us exactly what steps you are taking to create and find the group, because I'm not seeing the issue.

There is no shame in using Global groups to assign permissions to resources on member servers, and then add other global or universal groups to those "ACL groups", as I call them. The only restriction is that global groups cannot contain global groups from another domain, only universal groups (see above link). It does have a few advantages over using local groups, from an ease of management point of view.
0
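
Added example (not part of any post in this thread): a batch script, run on the member server, that carries the steps from the answers above through to the folder ACL, using the full computername\groupname form for the local group. The group names, domain name and folder path are placeholders, and it assumes icacls is present (Windows Server 2003 SP2 or later).

```bat
@echo off
rem Added example, not from the thread. Run in an elevated prompt on the
rem member server that hosts the share. All three values are placeholders.
setlocal
set "LGROUP=FS_Finance_Modify"
set "GGROUP=EXAMPLE\Finance Users"
set "FOLDER=D:\Shares\Finance"

rem 1. Create the computer-local group only if it does not exist yet.
net localgroup "%LGROUP%" >nul 2>&1
if errorlevel 1 net localgroup "%LGROUP%" /add /comment:"Modify access to %FOLDER%"
if errorlevel 1 goto :fail

rem 2. Nest the domain global group in the local group, unless it is
rem    already listed (a second /add of the same member returns an error).
net localgroup "%LGROUP%" | findstr /i /x /c:"%GGROUP%" >nul
if errorlevel 1 net localgroup "%LGROUP%" "%GGROUP%" /add
if errorlevel 1 goto :fail

rem 3. Grant Modify on the folder to the LOCAL group, named in full as
rem    computername\groupname. (OI)(CI) makes the entry inherit to files
rem    and subfolders. No user or global group is placed on the ACL.
icacls "%FOLDER%" /grant "%COMPUTERNAME%\%LGROUP%:(OI)(CI)M"
if errorlevel 1 goto :fail

rem 4. Show the result for review: group membership, then the folder ACL.
net localgroup "%LGROUP%"
icacls "%FOLDER%"

rem Users who are already logged on need a new logon session before the
rem added membership appears in their access token.
endlocal
exit /b 0

:fail
echo Step failed, see the error above. Nothing further was changed.
endlocal
exit /b 1
```

This sets NTFS permissions only; the share permissions on the folder are configured separately.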
 
LVL 1

Author Comment

by:mjburgard
ID: 33544698
Cool, that seems like it worked.  Thanks for all the help, hopefully I'll learn from this and be able to do more in the future.
0
