Global group grants access for file permissions but domain local group does not

Posted on 2010-08-26
Last Modified: 2013-12-04
I'm setting up the permissions for access to shared drives on the servers in our system. (Should have been done years ago but then again, everything I've been doing since I started working here a few months ago should have been.) I'm reasonably new to Active Directory and domain management and stuff, so this might be a simple solution.

Anyway, I'm trying to do everything right, so I have global groups that are part of domain local groups and the domain local groups are given permissions. The problem I'm having is the permissions on a different server (same domain). When I give permissions to a domain local group, only the people in that group that are also domain admins actually get permissions. But if I add the global group that is a member of the domain local group directly to the folder's permissions, then all users get access. I'm not really sure where to go from here.

Thanks for the help.

P.S. Both servers in question are Windows 2003 R2
0
Question by:mjburgard
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 2000 total points
ID: 33535597
If you are going to use the AGLP paradigm, then you should create the local groups on the local server, if that server is a domain member. Then add the domain Global groups as a member to those local groups.

The Domain Local groups can only be used on domain controllers.

The Domain Admins group probably inherited their permission another way (e.g. by being a member of the computer-local Administrators group). You can't assign rights to Domain Local groups on member servers, or use them in other domains.

About group scopes: http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33537277
OK, I guess I'm worse off than I thought, 'cause I can't figure out how to create local groups on the other server. I'm assuming it's just with some Windows component that I don't have installed or something.
0
 
LVL 12

Accepted Solution

by:Rant32
Rant32 earned 2000 total points
ID: 33539668
You can use Computer Management | Local Users and Groups | Groups
This snap-in is not available on domain controllers, just domain members and workgroup servers.

The command line to add a new local group is: NET LOCALGROUP "Groupname" /ADD /COMMENT:"Description"

The command line to add domain global groups to that group is: NET LOCALGROUP "Groupname" "DOMAIN\Groupname" /ADD
0
 
LVL 1

Author Comment

by:mjburgard
ID: 33544168
OK, I found that and was able to make groups, but now when I go to the folders on that computer and try to add the groups to the permissions it can't find them. Tried searching entire directory and the local computer, didn't find it either way. I'm sure it's something else simple that I am missing.
0
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 2000 total points
ID: 33544606
Typing partial names in the 'Select Users, computers and groups' dialog and then "Check names" will not find local groups on a member server. You must type the full group name (including computer name as above) or use: Advanced | Location... | Change to local computer | Find Now, to find all groups.

Yes, they did make that unnecessarily difficult.

Check names works only for objects in the domain, and only if the group name starts with the partial text.

For good measure, can you try typing: computername\groupname
into the search box when adding your group? See if it can find that? If that doesn't work, please tell us exactly what steps you are taking to create and find the group, because I'm not seeing the issue.

There is no shame in using Global groups to assign permissions to resources on member servers, and then add other global or universal groups to those "ACL groups", as I call them. The only restriction is that global groups cannot contain global groups from another domain, only universal groups (see above link). It does have a few advantages over using local groups, from an ease of management point of view.
0
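The steps from the answers above combined into one script, as an added example that is not part of the original thread: it creates the computer-local group, nests the domain global group in it, and grants the local group rights on the folder using the full computername\groupname form. The group names, domain name and folder path are hypothetical placeholders, and the use of icacls assumes Windows Server 2003 SP2 or later.

```batch
@echo off
rem Added example: AGLP on a member server, built from the NET LOCALGROUP
rem commands quoted in the thread. Run from an elevated/administrator prompt.
rem All three values below are hypothetical placeholders.
setlocal
set "LOCALGRP=ACL_Projects_Modify"
set "GLOBALGRP=EXAMPLE\Projects-Staff"
set "FOLDER=D:\Shares\Projects"

rem 1. Create the computer-local group only if it does not exist yet.
net localgroup "%LOCALGRP%" >nul 2>&1
if errorlevel 1 (
    net localgroup "%LOCALGRP%" /add /comment:"Modify access to Projects share"
    if errorlevel 1 goto :fail
)

rem 2. Nest the domain global group inside the local group (skip if present).
net localgroup "%LOCALGRP%" | findstr /l /i /c:"%GLOBALGRP%" >nul
if errorlevel 1 (
    net localgroup "%LOCALGRP%" "%GLOBALGRP%" /add
    if errorlevel 1 goto :fail
)

rem 3. Grant the LOCAL group Modify on the folder. The group is named as
rem    COMPUTERNAME\group, the same full form the permissions dialog needs.
rem    (OI)(CI) makes the entry inherit to files and subfolders.
icacls "%FOLDER%" /grant "%COMPUTERNAME%\%LOCALGRP%:(OI)(CI)M"
if errorlevel 1 goto :fail

rem 4. Review the result: group membership, then the folder's ACL.
rem    The global group should appear as a member, and only the local
rem    group (not the global group or individual users) on the ACL.
net localgroup "%LOCALGRP%"
icacls "%FOLDER%"
endlocal
exit /b 0

:fail
echo A step failed; check the group names and that the prompt is elevated.
endlocal
exit /b 1
```

Users who are already logged on pick up the new group membership only after their next logon, so test access with a fresh session.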
 
LVL 1

Author Comment

by:mjburgard
ID: 33544698
Cool, that seems like it worked.  Thanks for all the help, hopefully I'll learn from this and be able to do more in the future.
0
