SAM2009
asked on
Cannot add local group in security tab of a folder in Windows 2003
Hi,
I have created in AD 2 groups: Global Group and Local Group
After that I go to the folder which I want to add the security but I can just add the Global Group. When I try to add the Local Group I can't find it. Why?
ASKER
No, I just want to add the local group that I just created in the security tab of the folder, but when I clicked on ADD I could not see the local group.
ASKER
Hey ya it works but I don't understand... my local group is created in a domain, so why should I choose the server name as the location instead of the domain?
There are two kinds of local groups: "real" local groups on a stand-alone machine or a domain member (not on a DC!), and "domain local" groups. The former are not created on a DC, but with the "Local users and groups" MMC on the machine itself. Domain local groups can only be created in AD.
The scope of a real local group is the single machine on which it was created.
Domain local groups are basically local groups on a DC. The scope of this group type is DCs, unless the domain is running at least in Windows 2000 native mode.
In other words: if you've created a domain local group on a DC, and you don't see it on a domain member, then your domain functional level is still Mixed. Unless you have down-level DCs in your domain, you can raise the level.
How to raise Active Directory domain and forest functional levels
http://support.microsoft.com/kb/322692
If you've created a real local group on a member server, then medfly is correct that the object picker's location has to be changed to the local server.
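The scope rule described in the reply above, as an added example that is not part of the original thread: it decodes the raw `groupType` value of a group and the `nTMixedDomain` value of the domain object (both as exported by any LDAP tool) and reports whether the group can be used in an ACL on a member server. The function names and the sample values are constructed for illustration.

```python
# Added example: decode the AD attributes that decide where a group can be used.
# Flag values are the documented groupType bits; sample records are constructed.

GROUP_TYPE_GLOBAL       = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL    = 0x00000008
GROUP_TYPE_SECURITY     = 0x80000000


def decode_group_type(group_type):
    """Return (scope, is_security) for a groupType value.

    LDAP tools export groupType as a signed 32-bit integer, so security
    groups appear negative (e.g. -2147483644); mask to unsigned first.
    """
    value = int(group_type) & 0xFFFFFFFF
    if value & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif value & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif value & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return scope, bool(value & GROUP_TYPE_SECURITY)


def usable_in_member_server_acl(group_type, nt_mixed_domain):
    """Return (usable, reason) for one group in one domain.

    nt_mixed_domain is the domain object's nTMixedDomain attribute:
    1 = mixed mode, 0 = Windows 2000 native or higher.
    """
    scope, is_security = decode_group_type(group_type)
    if not is_security:
        return False, f"{scope} distribution group: cannot be used in an ACL"
    if scope == "domain local" and int(nt_mixed_domain) == 1:
        return False, "domain local group in a mixed-mode domain: DCs only"
    return True, f"{scope} security group: usable on domain members"


if __name__ == "__main__":
    # Constructed samples: (group name, groupType, nTMixedDomain)
    samples = [("Grp_Local", -2147483644, 1), ("Grp_Local", -2147483644, 0),
               ("Grp_Global", -2147483646, 1)]
    for name, group_type, mixed in samples:
        print(name, mixed, usable_in_member_server_acl(group_type, mixed))
```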
ASKER
This is what happened.
1- I open AD and in domain: Dom1.com, I create a local group: Grp_Local.Dom1.com
2- I go to server Server1 and create a folder: FOLDER1
3- I go to security tab of FOLDER1 and want to add the local grp: Grp_Local.Dom1.com, but the server can't find it.
4- If I change the location and choose the server Server1 and try to add Grp_Local.Dom1.com, it works. Windows is able to find it.
That's why I don't understand.
My domain is:
Domain functional level: Windows Server 2003
Domain server level: Windows 2000
That IS certainly odd behavior..
It sounds like you somehow created a group Local to Server1, not a Domain Local group in your AD ... That's the only explanation I know for the situation you have described.
When you say you created a Local Group... did you create it as a Global -Security Group (default option), or did you select the radio button for a Domain Local -Security Group? Either way, it should still be visible in your AD, but just trying to understand what you did.
Also.. based on your comments.. all your domain controllers are Windows Server 2003 but you have member servers still running Server 2000?
ASKER
I create my domain local group in AD by selecting the radio button for Domain Local -Security Group and yes I still have Windows 2000 servers.
I'm afraid I don't have any explanation for why you needed to select the server as the location in order to add the AD group. But ... at least you were able to accomplish your task. Glad I could get you that far at least.
ASKER
HAHHAH that's weird! It's the first time I see that! :)
Is "Server1" a DC?
If not, which OS, and did you check whether there is a real local group named "Grp_Local" on this machine?
ASKER
No the server is a DFS and in Server1 there is no group like "Grp_Local" and by the way when I added it I put: Dom1\Grp_Local, so there is no confusion.
ASKER
Thank you!
How to raise Active Directory domain and forest functional levels
http://support.microsoft.com/kb/322692/en-us
Otherwise I don't understand.....