Solved

Cannot add local group in security tab of a folder in Windows 2003

Posted on 2011-02-24
Last Modified: 2012-05-11
Hi,


I have created in AD 2 groups: Global Group and Local Group

After that I go to the folder which I want to add the security but I can just add the Global Group. When I try to add the Local Group I can't find it. Why?
Question by:SAM2009
16 Comments
 
LVL 5

Expert Comment

by:smangogna
ID: 34971724
If you mean to add groups to other groups you have to raise Active Directory domain and forest functional levels and create universal groups

How to raise Active Directory domain and forest functional levels
http://support.microsoft.com/kb/322692/en-us

Otherwise I don't understand.....
0
 
LVL 1

Author Comment

by:SAM2009
ID: 34971807
No, I just want to add the local group that I just created in the security tab of the folder, but when I clicked on ADD I could not see the local group.
0
 
LVL 1

Assisted Solution

by:Medfly
Medfly earned 166 total points
ID: 34971938
If it's a LOCAL group..
when you are looking at the security permissions to ADD an object.. make sure the LOCATIONS option is set to the local machine.  By default it may be pointing to your domain.
0
 
LVL 1

Author Comment

by:SAM2009
ID: 34972778
Hey ya it works but I don't understand... My local group is created in a domain, so why should I choose the server name as the location instead of the domain?
0
 
LVL 83

Expert Comment

by:oBdA
ID: 34973031
There are two kinds of local groups: "real" local groups on a stand-alone machine or a domain member (not on a DC!), and "domain local" groups. The former are not created on a DC, but with the "Local users and groups" MMC on the machine itself. Domain local groups can only be created in AD.
The scope of a real local group is the single machine on which it was created.
Domain local groups are basically local groups on a DC. The scope of this group type is DCs, unless the domain is running at least in Windows 2000 native mode.
In other words: if you've created a domain local group on a DC, and you don't see it on a domain member, then your domain functional level is still Mixed. Unless you have down-level DCs in your domain, you can raise the level.
How to raise Active Directory domain and forest functional levels
http://support.microsoft.com/kb/322692
If you've created a real local group on a member server, then medfly is correct that the object picker's location has to be changed to the local server.
0
 
LVL 1

Author Comment

by:SAM2009
ID: 34973262
This is what happened.


1- I open AD and in domain: Dom1.com, I create a local group: Grp_Local.Dom1.com
2- I go to server Server1 and create a folder: FOLDER1
3- I go to security tab of FOLDER1 and want to add the local grp: Grp_Local.Dom1.com, but the server can't find it.
4- If I change the location and choose the server Server1 and try to add Grp_Local.Dom1.com, it works. Windows is able to find it.

That's why I don't understand.

My domain is:

Domain functional level: Windows Server 2003

Domain server level: Windows 2000
0
 
LVL 1

Expert Comment

by:Medfly
ID: 34974651
That IS certainly odd behavior..
It sounds like you somehow created a group Local to Server1, not a Domain Local group in your AD ... That's the only explanation I know for the situation you have described.

When you say you created a Local Group... did you create it as a Global -Security Group (default option), or did you select the radio button for a Domain Local -Security Group?  Either way, it should still be visible in your AD, but just trying to understand what you did.

Also.. based on your comments.. all your domain controllers are Windows Server 2003 but you have member servers still running Server 2000?
0
 
LVL 1

Author Comment

by:SAM2009
ID: 34975914
I created my domain local group in AD by selecting the radio button for Domain Local -Security Group, and yes, I still have Windows 2000 servers.
0
 
LVL 1

Expert Comment

by:Medfly
ID: 34979222
I'm afraid I don't have any explanation for why you needed to select the server as the location in order to add the AD group.  But ... at least you were able to accomplish your task.  Glad I could get you that far at least.
0
 
LVL 1

Author Comment

by:SAM2009
ID: 34979369
HAHHAH that's weird! It's the first time I see that! :)
0
 
LVL 83

Expert Comment

by:oBdA
ID: 34979430
Is "Server1" a DC?
If not, which OS, and did you check whether there is a real local group named "Grp_Local" on this machine?
0
 
LVL 1

Author Comment

by:SAM2009
ID: 34980121
No the server is a DFS  and in Server1 there is no group like "Grp_Local" and by the way when I added it I put: Dom1\Grp_Local, so there is no confusion.
0
 
LVL 1

Assisted Solution

by:SAM2009
SAM2009 earned 0 total points
ID: 34997715
Hey, sorry guys, the Server1 is an NT4 domain and Dom1 is Windows 2003 domain; maybe that's why I need to choose the local server first as location and add domain local group by adding: "Dom1\Grp_Local"

Does it make more sense?
0
 
LVL 34

Accepted Solution

by:Paul MacDonald
Paul MacDonald earned 167 total points
ID: 34997746
Yes, much!  You're porting the group between domains...
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 167 total points
ID: 34999799
That's why I explicitly asked for the machine's OS in http:#a34979430 ...
Yes, that makes more sense, because the NT4 object picker doesn't know the first thing about domain local groups on a member server.
On any other domain member with W2k or a later OS, you should be able to find the DL group through AD.
0
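Added example, not part of any poster's reply: on a domain member that runs Windows PowerShell, this script checks whether the machine can resolve the group to a SID (the step the object picker failed at), reads the group's scope from AD, and adds the ACE without using the picker. `Dom1\Grp_Local` and `FOLDER1` come from the question; the `C:\` path and the `ReadAndExecute` right are assumptions.

```powershell
# Added example, not from the thread. Group and folder names are the ones
# used in the question; the drive letter and the rights are assumptions.
param(
    [string]$Group  = 'Dom1\Grp_Local',
    [string]$Folder = 'C:\FOLDER1',
    [string]$Rights = 'ReadAndExecute'
)

# 1. Resolve the name to a SID, which is what the object picker has to do.
$account = New-Object System.Security.Principal.NTAccount($Group)
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    Write-Error "'$Group' cannot be resolved from $env:COMPUTERNAME."
    return
}

# 2. Read groupType from AD by SID and decode the scope bits
#    (0x2 = global, 0x4 = domain local, 0x8 = universal).
#    A machine-local (SAM) group has no AD object, so the lookup fails for it.
$scope = 'not found in AD (machine-local group?)'
try {
    $entry     = [adsi]"LDAP://<SID=$($sid.Value)>"
    $groupType = [int]$entry.psbase.Properties['groupType'].Value
    if     ($groupType -band 0x4) { $scope = 'domain local' }
    elseif ($groupType -band 0x2) { $scope = 'global' }
    elseif ($groupType -band 0x8) { $scope = 'universal' }
} catch {
    # Keep the default $scope text; the SID still resolved in step 1.
}

# 3. Add an inheritable allow ACE for the SID and write the ACL back.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Show what was granted so the change can be reviewed.
"{0} [{1}] scope: {2}" -f $Group, $sid.Value, $scope
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```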
 
LVL 1

Author Closing Comment

by:SAM2009
ID: 35042647
Thank you!
0
