
WIN - 2003 groups


BadgerBrian (Technical User, US)
Apr 5, 2004
Say I have 10 users - I place them in an account called office - they have read/write/execute etc.

I have another 3 users in group accounting - they have set restrictions to read/write/execute etc.

Now I want to create a group called business and place them all in...

My question is, what kind of group should each be - a local or a global?
If I create a global group called business, do I add the users to that or the 2 previous groups?

Which groups would override which?

Thanks

It kind of depends on where you are using the groups. If just for resources within a single domain then I'd create 3 global groups: GBL_Office, GBL_Accounting and GBL_Business. GBL_Office and GBL_Accounting would contain the individual accounts and GBL_Business would just contain GBL_Office and GBL_Accounting (you need to be in Native mode to nest global groups).

If you won't ever have to worry about the resource you are granting permissions to needing to be accessed from outside the domain it's in, then personally I'd add the global groups as appropriate directly onto the resource (if you added both GBL_Business and its sub-groups directly then permissions would still be cumulative at the NTFS level). However, this isn't Microsoft's best practice and it will catch you out if you ever need to give access to people from another domain, as global groups can only contain accounts from the same domain they are created in, so you will have to add more permissions onto the resource to allow people from other domains to access them.

MS's recommended way (and what you should do if you need to allow, or may need to allow in the future, resource access from another domain) is to create Domain Local groups for each resource and each permission level for that resource. You then add the global groups into those Domain Local groups (which can also contain accounts/groups from other domains).

So for example, if you had a "Finance" folder you wanted everyone in the office to have read access to and the accounting department to have change access, then you'd create 2 Domain Local groups (e.g. DL_Finance_R and DL_Finance_Chg (although MS recommend you don't indicate the permission level in the group name for security reasons, personally I do though as it makes admin a lot easier)). You would then add the GBL_Office or GBL_Business global group (I'd choose the GBL_Office one in case you modify GBL_Business in future to contain accounts/global groups that aren't office users, as you wouldn't want them to have access to the Finance resource) into the DL_Finance_R local group and give this domain local group read only rights to the Finance folder. Into the second domain local group (DL_Finance_Chg) you would add the GBL_Accounting global group and then give NTFS change permissions to DL_Finance_Chg on the Finance folder.

That all probably reads like garbage :p It's easier to visualise than to explain. The basic acronym is A->GG->DL<-P. Stay away from Universal groups unless you have a specific reason to use them (e.g. to include global groups from several domains into a single group before putting that group into a DL group).
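The A->GG->DL<-P layout from the reply above, written out as a script. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is available, a placeholder domain contoso.local with an OU for groups, the folder D:\Shares\Finance, and constructed sample user names.

```powershell
# Added example: build the Finance folder setup described in the reply.
# Assumptions (placeholders): domain contoso / contoso.local, the OU below,
# the folder path below, and the sample users jdoe, asmith, bjones.
Import-Module ActiveDirectory

$domain  = 'contoso'                          # assumed NetBIOS domain name
$groupOU = 'OU=Groups,DC=contoso,DC=local'    # assumed OU for the groups
$folder  = 'D:\Shares\Finance'                # assumed resource path

# A -> GG: global groups hold the accounts (one per role).
foreach ($g in 'GBL_Office', 'GBL_Accounting', 'GBL_Business') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}
Add-ADGroupMember -Identity 'GBL_Office'     -Members 'jdoe', 'asmith'   # constructed users
Add-ADGroupMember -Identity 'GBL_Accounting' -Members 'bjones'            # constructed user
# GG inside GG: only allowed once the domain is in native mode (as the reply notes).
Add-ADGroupMember -Identity 'GBL_Business'   -Members 'GBL_Office', 'GBL_Accounting'

# GG -> DL: one domain local group per resource and permission level.
foreach ($dl in 'DL_Finance_R', 'DL_Finance_Chg') {
    if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
        New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
    }
}
# GBL_Office rather than GBL_Business, so future additions to GBL_Business
# don't silently gain access to Finance.
Add-ADGroupMember -Identity 'DL_Finance_R'   -Members 'GBL_Office'
Add-ADGroupMember -Identity 'DL_Finance_Chg' -Members 'GBL_Accounting'

# DL <- P: NTFS permissions go on the domain local groups only.
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\DL_Finance_R",   'ReadAndExecute', $inherit, 'None', 'Allow')
$chgRule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\DL_Finance_Chg", 'Modify',         $inherit, 'None', 'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($readRule)
$acl.AddAccessRule($chgRule)
Set-Acl -Path $folder -AclObject $acl

# Check: expand the nesting so you can see which accounts end up at each level.
foreach ($dl in 'DL_Finance_R', 'DL_Finance_Chg') {
    $members = Get-ADGroupMember -Identity $dl -Recursive | Select-Object -ExpandProperty SamAccountName
    "$dl -> $($members -join ', ')"
}
```

The final loop is the check worth keeping: because NTFS permissions are cumulative, an account that turns up under both domain local groups gets the higher level, so review that list whenever the global groups change.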
