Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Setting permissions, why can't use local groups? 1

Status
Not open for further replies.
vekara

vekara

IS-IT--Management
May 26, 2003
25
0
0
FI
Hi,

I'm a beginner on these things, so sorry for possible stupid question. I read all manuals without finding a answer...

I have NT4 domain (5 domains total, trusts between) in our company. I need to give access to one folder in w2k server that is not a DC (Member server, is in domain). Access is needed for 50 users and from many domains.

What I did:
If I made a local group on domain where server was located. I was able to add all needed users (or global groups from another domain) on that group. I could then add this local group to NT4 DC folder permissions (just a test...), but not on standAlone W2k server folder permissions. Then I read that this is so...

Because w2k server only allowed domain global groups to be added to folder permissions I made a global group. In global I can't add users from another domain. So I should have made a global group to every domain, add users on those,then add all global groups to folder permissions?

That solution would mean that I have five groups defined for one folder. On two domains there comes only one user and I would't like to make global groups on servers just for one user. So is it possible to use just local group in this case or is there some other solution?
 
Sort by date Sort by votes
vekara,

Create a local group on that stand alone server. You then add all the Global Security groups from your various domains to that local group. You then apply this local group (populated with the Global Security Groups from the various domains) to the resource you are trying to get access to.

Remember, (taken from MS text)

1.Always add users to the Global Groups with common job responsibilities.

2. Create a Domain Local group to share resources with.

3.Add the Global Groups who need access to the resources to the domain local groups.

4.Assign resource permissions to the Domain Local groups.

This is the easiest way to manage complicated set-ups. It can be a nightmare plugging security holes if these rules aren't followed.

Goodluck.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

tscstl
  • Locked
  • Question
access to local folder
Replies
1
Views
75
hairlessupportmonkey
hairlessupportmonkey
Scparks
  • Locked
  • Question
Trouble with setting up a SMTP Relay to Office 365
Replies
0
Views
50
Scparks
Scparks
DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
143
DrB0b
DrB0b
ADB100
  • Locked
  • Question
Single Windows 7 Ultimate workstation not applying Registry, Drive Map or Printers GPO settings
Replies
1
Views
82
technome
technome
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
53
penguinroundup
penguinroundup

Part and Inventory Search

Sponsor

Back
Top