
Global/Local Groups in AD

BillyBoy114

Technical User
Mar 6, 2008
9
GB
Hi All,

I am following the guidelines on setting up permissions on our file server. At the moment we are still using Share permissions, which is proving to be a nightmare to manage.

I have created two groups:

1. Blotter Read Only - Domain Local
2. Blotter RO Members - Global Group

I have added a user to the Blotter RO Members group and have made this a member of the Blotter Read Only group.

However when I now go to apply permissions to the folder and try to add the local group - Blotter Read Only, the local group cannot be "seen" and it adds in the Global Group - Blotter RO Members.

What am I doing wrong? Any help would be greatly appreciated.

Regards
Matt
 
Need more info. Are you doing all of this on one server? Why bother with nesting the groups?

I hope you find this post helpful.

Regards,

Mark

 
All the data is stored on one server, the File Server and is administered via a domain controller.

I wanted to use groups because currently we are using Shared permissions. I'm using the nested groups because this appears to be the standard way of doing things.

When reading various articles on the web, they say that permissions should be applied only to the Domain Local group and never to a Global group.

This is where I'm having problems.
 
Is the Domain Local group in the same domain as what you are trying to add permissions to?

Adrian Paris

Paris Engineering Ltd
 
Billy,

I am assuming you have 2 OU's named (if not do this :) )

- GlobalGroups
- LocalGroups

and within GlobalGroups you have a security group (not distro) named Blotter_GR (G=global, R=Read) and likewise in LocalGroups you have a Blotter_LR security group (not distro), and that you have placed your users into the global and now are trying to add the permissions to the share. You may need to give your server time to replicate the changes (I know when I create new local groups and try to immediately place them in some folder they do not populate right away).

Another note:

Get rid of share permissions, it's absurd.

Make a share, give "Authenticated Users" (please let's not discuss why I am not saying "Everyone") full control and then control your permissions based on the layout I provided above :)

Let me know how it goes, if you cannot see them after ample time, then you have configuration issues we will need to troubleshoot :)


The Geek

Don't be afraid to share what you know. There are no losers in our arena, only self-righteous monkeys atop their own tree.
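The layout described in this post (accounts into a global group, the global group nested into a domain local group, NTFS permissions granted only to the domain local group, and the share itself opened to Authenticated Users so that NTFS is the single control point) scripted in PowerShell. This is an added example, not code from the thread or from any poster. It assumes a Server 2012 or later box with the RSAT ActiveDirectory module and the built-in SmbShare module (the thread's servers are 2003, where the same steps are done in the MMC), OUs named GlobalGroups and LocalGroups under the domain root, a user account jsmith, the domain's NetBIOS name as returned by Get-ADDomain, and a folder D:\Shares\Blotter on the file server; all of those names are illustrative.

```powershell
# Added example, not from the thread. Names (OUs, groups, user, path) are
# illustrative. Needs the RSAT ActiveDirectory module for the AD part and the
# SmbShare module for the share part (both on Server 2012+).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$globalOU = "OU=GlobalGroups,$($domain.DistinguishedName)"
$localOU  = "OU=LocalGroups,$($domain.DistinguishedName)"

# A -> G: accounts go into a GLOBAL security group (G = global, R = read).
New-ADGroup -Name 'Blotter_GR' -SamAccountName 'Blotter_GR' `
    -GroupScope Global -GroupCategory Security -Path $globalOU
Add-ADGroupMember -Identity 'Blotter_GR' -Members 'jsmith'

# G -> DL: the global group is the only member of a DOMAIN LOCAL security group.
New-ADGroup -Name 'Blotter_LR' -SamAccountName 'Blotter_LR' `
    -GroupScope DomainLocal -GroupCategory Security -Path $localOU
Add-ADGroupMember -Identity 'Blotter_LR' -Members 'Blotter_GR'

# DL -> P: run this part on the file server. The share is opened to
# Authenticated Users; effective access is the more restrictive of share and
# NTFS, so the NTFS ACL below is what actually decides who reads the folder.
$folder = 'D:\Shares\Blotter'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-SmbShare -Name 'Blotter' -Path $folder `
    -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

$acl = Get-Acl -Path $folder
# Stop inheriting from D:\Shares and discard the inherited entries, so the
# folder's ACL contains exactly the three entries added below.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# The domain local group is the only principal from the domain that appears
# in the ACL; users and the global group never do.
$entries = @(
    @{ Id = "$($domain.NetBIOSName)\Blotter_LR"; Rights = 'ReadAndExecute' },
    @{ Id = 'BUILTIN\Administrators';            Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';               Rights = 'FullControl' }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $e.Id, $e.Rights, $inherit, $none, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Verify: the only non-administrative ACE should be the domain local group.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run the first half on any domain-joined machine with RSAT and the second half on the file server itself. Because share and NTFS permissions combine as the more restrictive of the two, opening the share to Authenticated Users gives away nothing, and every later change (a new reader, or a separate Blotter_LW group for writers) is made in group membership rather than by touching the ACL again.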
 
Thanks MrGeek for your reply, I have given it a couple of reads and I think I understand what you mean. However I'm slightly concerned about the following:

"you have placed your users into the global and now are trying to add the permissions to the share."

Does this mean I have to apply the permissions to the Global Group? I thought this wasn't best practice?

When I try to add the local group to the share it doesn't allow me to (it cannot find it); it can only find the global group.

Sorry if I'm not making sense, I do appreciate all your responses, I think I may be getting a little bit confused.

Regards
Bill
 
Sorry yes, place the local group. Globals are for account placement (user a, user b etc...), locals are for resource assignment (folder a, folder b, printers etc...). Can you provide the setup of your servers? Example:

Server 1 is MS Server 2003 Domain Controller with AD running in Native or Mixed Mode.

Server 2 is MS Server 2003 providing File Service (housing all your data)

If you cannot see the local groups something else is missing or configured wrong :)

The Geek
 
I think you're overly complicating a very simple task.

Create a Global Security Group, add the users to it, then on the shared folder, set the share permissions to authenticated users and set the security settings to permit only the global security group that you created to access it.

I'd suggest that you also add your administrative account to it as well with full control.

Your users will have to logoff/logon in order to receive the proper permissions, and you're all set.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Excellent we are both on the same wavelength now :)

We are running Windows 2003 Server R2 with Exchange 2003 in Native mode, we also have another Windows 2003 Server for our File Server. Our Domain Controller is also a separate server running Windows Server 2003 R2

All the server editions are Standard.

It would appear something else is missing or configured wrong then, any ideas as to where I can start looking, things to check maybe?

Thanks
Bill
 
Before we look elsewhere you do just have one domain controller yes?

The Geek
 
Thanks Dave for your reply, I realise I could do it your way but it has been recommended not to allow permissions to be granted using Global Groups.

I am also curious as to why it isn't working the other way and it would be useful to get it right the first time.

If this proves too difficult however I may be forced to go with your method.

Thanks
 
Do me a favor and make a new domain local security group. Call it "testlocal". Wait 15 minutes, then under the security tab on a folder on ALL 3 servers try and type "tes", then click Check Names and tell me the results (does it show you the group or not). Again, do it on all 3 servers.

The Geek
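The "testlocal" check from this post as a script, added here as an example and not part of any reply. Run it on each of the three servers while logged on with a domain account and compare the output. It assumes the group was created as a domain local security group named testlocal in the logged-on user's domain, and it uses only ADSI, nltest.exe and Test-ComputerSecureChannel, so it does not need the ActiveDirectory module. The NTAccount.Translate call goes through the same LSA name lookup that the ACL editor's Check Names button uses, so if it fails on a server the object picker on that server will not find the group either.

```powershell
# Added example, not from the thread. Run on each server from a domain logon.
# Assumption: a domain local security group "testlocal" exists in the domain
# of the logged-on user ($env:USERDOMAIN); nltest.exe is on the box.
param([string]$Group = 'testlocal')

$r = @{}

# 1. Which DC does this machine locate, and is its machine-account secure
#    channel to that DC healthy? Both must work before any name lookup can.
$dcLine = nltest "/dsgetdc:$($env:USERDNSDOMAIN)" 2>&1 | Select-String '^\s*DC:'
if ($dcLine) { $r.DC = $dcLine.Line.Trim() } else { $r.DC = 'nltest could not locate a DC' }
$r.SecureChannel = Test-ComputerSecureChannel

# 2. Name -> SID through LSA, the same lookup path the ACL editor's
#    "Check Names" button uses. A failure here means the object picker on
#    this server will not find the group either.
try {
    $acct = New-Object System.Security.Principal.NTAccount -ArgumentList $env:USERDOMAIN, $Group
    $r.Sid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    $r.Sid = "lookup failed: $($_.Exception.Message)"
}

# 3. Ask AD what the object actually is, via ADSI. This separates a real
#    domain local group from a computer-local group created in Computer
#    Management, and a security group from a distribution group.
$rootDse  = [adsi]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$domainNC"
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$Group))"
$found = $searcher.FindOne()
if ($found) {
    $type = [int]$found.Properties['grouptype'][0]
    # groupType flag bits: 0x2 global, 0x4 domain local, 0x8 universal;
    # 0x80000000 (the sign bit of an Int32) means security-enabled.
    if ($type -band 0x4) {
        $r.Scope = 'DomainLocal'
    } elseif ($type -band 0x2) {
        $r.Scope = 'Global'
    } elseif ($type -band 0x8) {
        $r.Scope = 'Universal'
    } else {
        $r.Scope = 'unknown'
    }
    $r.SecurityEnabled = ($type -lt 0)
    $r.DN = [string]$found.Properties['distinguishedname'][0]
} else {
    $r.Scope = 'not found in AD (computer-local group, typo, or wrong domain?)'
}

# 4. Domain mode. In Windows 2000 mixed mode (ntMixedDomain = 1) domain local
#    groups are only usable on domain controllers, which produces exactly the
#    "visible on the DC, not on member servers" pattern.
$domain = [adsi]"LDAP://$domainNC"
$r.MixedMode = ([int][string]$domain.ntMixedDomain) -eq 1

New-Object PSObject -Property $r |
    Format-List DC, SecureChannel, Sid, Scope, SecurityEnabled, DN, MixedMode
```

Where the Sid line succeeds on the domain controller but fails on the member servers while Scope reports DomainLocal and SecurityEnabled is True, the group itself is fine and the difference lies in the lookup path (DC locator, secure channel, DNS) or in MixedMode being True; with a single domain controller there is no replication to wait for, so waiting 15 minutes changes nothing in that case.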
 
Ok I feel we are getting somewhere:

The security group isn't visible on the Exchange or the File Server but it is visible on the Domain Controller.

Does this mean I'm likely to have replication issues?

Cheers
Bill
 
Very stupid question (but just checking) the local group is a Domain Local Group added in AD not a local computer group somewhere added via a computer management mmc I take it?

Which makes me think actually, if you still can't get it to work and want to follow 'best security practices' etc. etc. blah blah blah; your other option is to create a local group on the fileserver via the comp mmc, add the global group to that and add the computer local group to the folder for permissions, à la ye olde NT4.

Adrian Paris

Paris Engineering Ltd
 
Could be many things :) DNS sometimes is the culprit too. Look at your DNS are the servers listed properly with correct IP's in both forward and reverse zones?

The Geek
 
All of my security groups are global. Perhaps you'd like to share these places that you've found that recommend against this? I think someone is making something up on that count.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
The DNS Forward and Reverse lookups all look fine.

However under Active Directory Sites and Services, I have Default-First-Site-Name, under this I have SERVERS and under this only 1 server is there.

Is this correct or should the File Server and Exchange servers also be here?

I'm going home shortly, would just like to say thanks again to all your responses - all greatly appreciated.

Bill
 
Best practices do say you should use domain local groups for security permissions not global groups but I think this only really applies in practice to multi-domain / forest environments where it may be necessary to add groups or users from other domains to a share etc.

If you are in a single domain environment and expect to stay that way I don't really think it matters a t*ss

Adrian Paris

Paris Engineering Ltd