Solved

Global group grants access for file permissions but domain local group does not

Posted on 2010-08-26
782 Views
Last Modified: 2013-12-04
I'm setting up the permissions for access to shared drives on the servers in our system. (Should have been done years ago, but then again, everything I've been doing since I started working here a few months ago should have been.)  I'm reasonably new to Active Directory and domain management and stuff, so this might be a simple solution.

Anyway, I'm trying to do everything right, so I have global groups that are members of domain local groups, and the domain local groups are given permissions.  The problem I'm having is with the permissions on a different server (same domain).  When I give permissions to a domain local group, only the people in that group who are also domain admins actually get permissions.  But if I add the global group that is a member of the domain local group directly to the folder's permissions, then all users get access.  I'm not really sure where to go from here.

Thanks for the help.

P.S. Both servers in question are Windows 2003 R2
0
Question by:mjburgard
6 Comments
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 500 total points
ID: 33535597
If you are going to use the AGLP paradigm, then you should create the local groups on the local server, if that server is a domain member. Then add the domain Global groups as members of those local groups.

The Domain Local groups can only be used on domain controllers.

The Domain Admins group probably inherited its permissions another way (e.g. by being a member of the computer-local Administrators group). You can't assign rights to Domain Local groups on member servers, or use them in other domains.

About group scopes: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33537277
OK, I guess I'm worse off than I thought, because I can't figure out how to create local groups on the other server.  I'm assuming it's just some Windows component that I don't have installed or something.
0
 
LVL 12

Accepted Solution

by:Rant32
Rant32 earned 500 total points
ID: 33539668
You can use Computer Management | Local Users and Groups | Groups
This snap-in is not available on domain controllers, just domain members and workgroup servers.

The command line to add a new local group is: NET LOCALGROUP "Groupname" /ADD /COMMENT:"Description"

The command line to add a domain global group to that group is: NET LOCALGROUP "Groupname" "DOMAIN\Groupname" /ADD
0
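The same procedure the accepted solution describes (create a computer-local group on the member server, nest the domain global group in it, then put the local group on the folder ACL), as an added PowerShell example that is not part of the original thread. The domain name CORP, the global group GG_Finance, the local group name ACL_Finance_Modify and the folder path D:\Shares\Finance are assumptions for illustration. It uses the ADSI WinNT provider rather than NET LOCALGROUP so the result can be checked in the same script, and icacls for the ACL (present on Server 2003 SP2 and later). Run it in an elevated session on the member server, not on a domain controller.

```powershell
# Added example, not code from the original thread.
# Assumed names: domain CORP, global group GG_Finance, local group ACL_Finance_Modify,
# folder D:\Shares\Finance. Run elevated on the member server.
$Domain      = 'CORP'
$GlobalGroup = 'GG_Finance'
$LocalGroup  = 'ACL_Finance_Modify'
$Folder      = 'D:\Shares\Finance'
$Computer    = $env:COMPUTERNAME

# 1. Create the computer-local group (equivalent of NET LOCALGROUP "name" /ADD /COMMENT:"...").
$machine = [ADSI]"WinNT://$Computer"
$exists  = $machine.Children | Where-Object { $_.SchemaClassName -eq 'Group' -and $_.Name -eq $LocalGroup }
if (-not $exists) {
    $newGroup = $machine.Create('Group', $LocalGroup)
    $newGroup.SetInfo()
    $newGroup.Description = "Modify access to $Folder"
    $newGroup.SetInfo()
    Write-Host "Created local group $Computer\$LocalGroup"
}

# 2. Nest the domain global group in the local group (equivalent of NET LOCALGROUP "name" "DOMAIN\group" /ADD).
$group = [ADSI]"WinNT://$Computer/$LocalGroup,group"
try {
    $group.Add("WinNT://$Domain/$GlobalGroup,group")
    Write-Host "Added $Domain\$GlobalGroup to $Computer\$LocalGroup"
} catch {
    # ADSI throws if the member is already present; anything else is a real error.
    if ($_.Exception.Message -notmatch 'already a member') { throw }
}

# 3. Grant the local group Modify on the folder, inherited by subfolders and files.
#    The ACL entry must use the full COMPUTERNAME\group form, which is why the
#    "Check Names" partial search in the permissions dialog does not find it.
if (-not (Test-Path $Folder)) { New-Item -Path $Folder -ItemType Directory | Out-Null }
icacls $Folder /grant "${Computer}\${LocalGroup}:(OI)(CI)M"

# 4. Verify: list the members of the local group and the resulting ACL.
Write-Host "Members of $Computer\$LocalGroup :"
$group.Members() | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
icacls $Folder
```

A user who is in CORP\GG_Finance gets Modify on the share through the nested local group after the next logon, because group membership is evaluated into the access token at logon time; an existing session will not see the new permission until the user logs off and on again.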
 
LVL 1

Author Comment

by:mjburgard
ID: 33544168
OK, I found that and was able to make groups, but now when I go to the folders on that computer and try to add the groups to the permissions, it can't find them.  Tried searching the entire directory and the local computer; didn't find it either way.  I'm sure it's something else simple that I am missing.
0
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 500 total points
ID: 33544606
Typing partial names in the 'Select Users, computers and groups' dialog and then "Check names" will not find local groups on a member server. You must type the full group name (including computer name as above) or use: Advanced | Location... | Change to local computer | Find Now, to find all groups.

Yes, they did make that unnecessarily difficult.

Check names works only for objects in the domain, and only if the group name starts with the partial text.

For good measure, can you try typing: computername\groupname
into the search box when adding your group? See if it can find that? If that doesn't work, please tell us exactly what steps you are taking to create and find the group, because I'm not seeing the issue.

There is no shame in using Global groups to assign permissions to resources on member servers, and then adding other global or universal groups to those "ACL groups", as I call them. The only restriction is that global groups cannot contain global groups from another domain, only universal groups (see above link). It does have a few advantages over using local groups, from an ease-of-management point of view.
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33544698
Cool, that seems like it worked.  Thanks for all the help, hopefully I'll learn from this and be able to do more in the future.
0
