Solved

Global group grants access for file permissions but domain local group does not

Posted on 2010-08-26
Last Modified: 2013-12-04
I'm setting up the permissions for access to shared drives on the servers in our system. (Should have been done years ago but then again, everything I've been doing since I started working here a few months ago should have been).  I'm reasonably new to Active Directory and domain management and stuff, so this might be a simple solution.

Anyway, I'm trying to do everything right, so I have global groups that are part of domain local groups and the domain local groups are given permissions.  The problem I'm having is the permissions on a different server (same domain).  When I give permissions to a domain local group, only the people in that group that are also domain admins actually get permissions.  But if I add the global group that is a member of the domain local group directly to the folder's permissions, then all users get access.  I'm not really sure where to go from here.

Thanks for the help.

P.S. Both servers in question are Windows 2003 R2
Question by: mjburgard
6 Comments
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 2000 total points
ID: 33535597
If you are going to use the AGLP paradigm, then you should create the local groups on the local server, if that server is a domain member. Then add the domain Global groups as a member to those local groups.

The Domain Local groups can only be used on domain controllers.

The Domain Admins group probably inherited their permission another way (e.g. by being a member of the computer-local Administrators group). You can't assign rights to Domain Local groups on member servers, or use them in other domains.

About group scopes: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33537277
OK, I guess I'm worse off than I thought, 'cause I can't figure out how to create local groups on the other server.  I'm assuming it's just with some Windows component that I don't have installed or something.
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 2000 total points
ID: 33539668
You can use Computer Management | Local Users and Groups | Groups
This snap-in is not available on domain controllers, just domain members and workgroup servers.

The command line to add a new local group is: NET LOCALGROUP "Groupname" /ADD /COMMENT:"Description"

The command line to add domain global groups to that group is: NET LOCALGROUP "Groupname" "DOMAIN\Groupname" /ADD
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33544168
OK, I found that and was able to make groups, but now when I go to the folders on that computer and try to add the groups to the permissions it can't find them.  Tried searching entire directory and the local computer, didn't find it either way.  I'm sure it's something else simple that I am missing.
0
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 2000 total points
ID: 33544606
Typing partial names in the 'Select Users, computers and groups' dialog and then "Check names" will not find local groups on a member server. You must type the full group name (including computer name as above) or use: Advanced | Location... | Change to local computer | Find Now, to find all groups.

Yes, they did make that unnecessarily difficult.

Check names works only for objects in the domain, and only if the group name starts with the partial text.

For good measure, can you try typing: computername\groupname
into the search box when adding your group? See if it can find that? If that doesn't work, please tell us exactly what steps you are taking to create and find the group, because I'm not seeing the issue.

There is no shame in using Global groups to assign permissions to resources on member servers, and then add other global or universal groups to those "ACL groups", as I call them. The only restriction is that global groups cannot contain global groups from another domain, only universal groups (see above link). It does have a few advantages over using local groups, from an ease of management point of view.
0
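
The steps from the answers above (create a computer-local group on the member server, nest the domain global group in it, then grant the local group rights on the folder by its full COMPUTERNAME\group name), as an added example that is not part of the original thread. The group names, the domain CONTOSO and the folder path are hypothetical, and icacls is assumed to be present (it ships with Windows Server 2003 SP2 and later).

```batch
@echo off
rem Added example, not from the thread. Run on the member server from a
rem command prompt with local administrator rights.
rem Hypothetical names: local group ACL_Projects_Modify, domain global group
rem CONTOSO\GG_Projects, shared folder D:\Shares\Projects.
setlocal
set "LOCALGRP=ACL_Projects_Modify"
set "GLOBALGRP=CONTOSO\GG_Projects"
set "FOLDER=D:\Shares\Projects"

rem 1. Create the computer-local group that will appear on the folder ACL.
net localgroup "%LOCALGRP%" /add /comment:"Modify access to %FOLDER%" || goto :fail

rem 2. Nest the domain global group (which holds the user accounts) inside it.
net localgroup "%LOCALGRP%" "%GLOBALGRP%" /add || goto :fail

rem 3. Grant the local group Modify on the folder, inherited by subfolders (CI)
rem    and files (OI). The group is written as COMPUTERNAME\group, the same
rem    full name the permissions dialog needs in order to resolve a local group.
icacls "%FOLDER%" /grant "%COMPUTERNAME%\%LOCALGRP%:(OI)(CI)M" || goto :fail

rem 4. Print the group membership and the resulting ACL so both can be reviewed.
net localgroup "%LOCALGRP%"
icacls "%FOLDER%"
exit /b 0

:fail
echo A step failed; review the error above before granting access by hand. 1>&2
exit /b 1
```

Reviewing the output of step 4 confirms that only the intended global group is nested and that the folder ACL carries the local group rather than individual user accounts.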
 
LVL 1

Author Comment

by:mjburgard
ID: 33544698
Cool, that seems like it worked.  Thanks for all the help, hopefully I'll learn from this and be able to do more in the future.
0
