Major Users and Group Help!!!!!!!!!!!!

BadgerBrian

Technical User
Apr 5, 2004
Please let me know if this seems to be the right way to go about this as we are having huge trouble with permissions in our domain.

We are running a Win 2003 Server domain controller with 5 member servers - 1 email, 1 web and 3 file storage. We have around 40 client computers - all the clients were previously connected to our old domain controller.

We re-created the accounts on the new DC and began to add them to groups, and I think that's where we got all screwed up.......

Our client machines are a mixture of Win XP and Mac OS X running ADmitMac 1.1.1.

All machines can be seen on the domain network and can connect to the internet; however, opening files on all member servers and other user machines causes either read-only permissions, or the machine cannot see anything... so we are sure that it's a group permission thing.
Each machine needs to be able to access and retrieve and modify files on the member file servers.

We are about to try again tomorrow by scrapping all the groups that we previously made....

Can someone verify if the following seems to be the way to go....
Let's assume we have created 40 user accounts within our domain.
Now...

Create a Global group called Accounts.
Add all Accounts users to it as members of that group.

Create a Global group called Scheduling.
Add all Scheduling users to it as members of that group.

Create a Local group called Business.
Add the Global Accounts and Global Scheduling groups to it as members of that group?

Then define access rights to the Local group Business.
(How exactly is this done?)
(Will this then affect all users within Accounts and Scheduling?) Is this done on the Active Directory domain controller or does it have to be done on all the member servers as well?

Now the 2nd part -

Let's say member file server "Zeus" has a D: drive
with many folders and subfolders within, containing Word and Excel docs.

How do I go about letting all members of Business access it?
What happens if I wanted just members of Global Admins to have access to it?
Finally, let's say I want to share an E: drive on one of the users' computers. How would I go about letting the Local group Business have access to it?

Thank you for your time in helping.
 
When you say all "clients" were part of the old domain, did that include your member servers? If so, you have a SID (Security ID) problem. The SIDs for your groups/users on the "old" domain are different from the SIDs on your "new" domain. Rights are based on the SID for the group/user (not the friendly name you see). You just can't create a group with the same name and expect the "old" NTFS permissions to work.

If you plan to do the move like you described, you will need to go through and reassign rights on everything. I may have misinterpreted what you described, but this is my read on your problem.

MikeL
 
All the users and member servers were removed from the network, added to a workgroup "test", then once the new domain was up and running they joined the new domain.
So I assume none of the old SIDs are there anyway, since they were removed from the old domain as a member.
 
This might be off the mark, but one of the changes in 2003 that I had to adjust to was the change to share permissions. I currently give Authenticated Users change and read share permissions and then the group full control for NTFS permission. By default in 2003 the share permission is only read. In 2000 share was full control, and it took me a bit to figure out why users couldn't make changes to their folders when I upgraded : ) So check your share permission and make sure the group has permissions above read. The most restrictive between share and NTFS will win.

Hope this helps.
 
I find it just easier to give the "Everyone" group full control share permissions to the folder, then control user access by setting NTFS permissions.

Nesting global groups within domain local groups is not necessary with a single domain. (Nesting groups simplifies administration for a multi-domain network.)

Just add user accounts to the domain local group, then add the domain local group to the ACL of the folder.
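
Added example, not part of any post in this thread: a simplified Python model of the two points made in the replies above, nested group membership (global groups inside a local group) and the rule that the more restrictive of share and NTFS permissions applies over the network. The group names come from the question; the user names, the ordered access levels and the omission of deny entries are assumptions made for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    # Simplified, ordered levels (assumption); real ACLs are bitmasks with deny entries.
    NONE = 0
    READ = 1
    CHANGE = 2   # "Modify" on the NTFS side
    FULL = 3

# Constructed directory data: group -> direct members (users or other groups).
GROUPS = {
    "Accounts":   {"alice"},                    # global group
    "Scheduling": {"bob"},                      # global group
    "Business":   {"Accounts", "Scheduling"},   # local group holding the global groups
}

def groups_of(user, groups=GROUPS):
    """Return every group the user belongs to, following nested membership."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, members in groups.items()
                    if members & frontier and g not in found}
        found |= frontier
    return found

def granted(user, acl):
    """Highest level that any matching allow entry in one ACL grants."""
    principals = groups_of(user) | {user, "Authenticated Users", "Everyone"}
    return max((lvl for who, lvl in acl.items() if who in principals),
               default=Access.NONE)

def effective(user, share_acl, ntfs_acl):
    """Access over the network: the more restrictive of share and NTFS."""
    return min(granted(user, share_acl), granted(user, ntfs_acl))

NTFS = {"Business": Access.FULL}                   # group has full control on the folder
SHARE_2003_DEFAULT = {"Everyone": Access.READ}     # read-only share, as described above
SHARE_FIXED = {"Authenticated Users": Access.CHANGE}

if __name__ == "__main__":
    for label, share in (("default share", SHARE_2003_DEFAULT),
                         ("fixed share", SHARE_FIXED)):
        for user in ("alice", "bob", "carol"):     # carol is in no group
            print(f"{label:14} {user:6} {effective(user, share, NTFS).name}")
```

With the read-only share, members of Business end up with read access even though NTFS grants full control, which matches the read-only symptom in the question; a user outside the group gets nothing regardless of the share setting.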
 