We have a single domain covering a few sites, most of them containing a domain
controller. To prevent people in different sites being allowed by default to
access computer resources in other sites, I'd like to change the Primary Group
of every user to one that reflects the site that they are in.

However when searching the web for the pros and cons of this approach, I keep
coming across comments and articles expressing that this is not a good idea at
all - that the Primary Group should be kept as Domain Users unless Mac clients
are being used.

No-one explained the reasoning behind this though. Can anyone please tell me
why is it recommended that the Primary Group shouldn't be changed?

Thanks
Steve

The primary group has no use in Windows --it is there for compatibility with
MACs and UNIX boxes. There is no reason to do what you wish to do.

--

Dan,

The group replication behaviour has been changed in 2003. In 2000 the whole
group was replicated, which imposed additional limitations other than just
more replication; in 2003 it has been changed and only the changes are
replicated.

--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

The primary group is a normal group. However, its use in Windows is not heavy,
it is primarily a UNIX/MAC type of thing.

The way you are talking, the way to implement this would be to change the
primary group and remove the users from domain users. Reasons for not doing it
are that you could run into apps or other things that are assuming you will be a
domain users member and only work then, if you aren't it could fail.

The more intelligent way of implementing this would be to set up groups for each
site and add the users to those groups and set the share permissions on the
server such that only that group could access that share.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Steve Hunter wrote:
> We have a single domain covering a few sites, most of them containing a domain
> controller. To prevent people in different sites being allowed by default to
> access computer resources in other sites, I'd like to change the Primary Group
> of every user to one that reflects the site that they are in.
>
> However when searching the web for the pros and cons of this approach, I keep
> coming across comments and articles expressing that this is not a good idea at
> all - that the Primary Group should be kept as Domain Users unless Mac clients
> are being used.
>
> No-one explained the reasoning behind this though. Can anyone please tell me
> why is it recommended that the Primary Group shouldn't be changed?
>
> Thanks
> Steve
>

That is an odd way of saying it.

The issue would come in on 2K domain where you change the primary group of
someone and then don't remove them from domain users. The issues would really
crop up once you approached 5k users in the domain users group as a normal
member versus as a primary group due to the mechanism difference in storing
primary group memberships compared to storing normal group memberships when you
start to bump against version store issues.

joe




--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Danilo Bordini [MVP] wrote:
> Steve, as far I know, its a replication issue. If you change primary group
> other than Domain User, every time you made some modification in user's group
> membership, this group (Domain User, that currently is not primary) will be
> replicate for all DC's in your enviroment. This can be dangerous if you have
> thousands users on this group. When you set Domain Users as primary, this
> replication did not take place, even you change any groups of the user.
>
> "Steve Hunter" wrote:
>
>
>>We have a single domain covering a few sites, most of them containing a domain
>>controller. To prevent people in different sites being allowed by default to
>>access computer resources in other sites, I'd like to change the Primary Group
>>of every user to one that reflects the site that they are in.
>>
>>However when searching the web for the pros and cons of this approach, I keep
>>coming across comments and articles expressing that this is not a good idea at
>>all - that the Primary Group should be kept as Domain Users unless Mac clients
>>are being used.
>>
>>No-one explained the reasoning behind this though. Can anyone please tell me
>>why is it recommended that the Primary Group shouldn't be changed?
>>
>>Thanks
>>Steve
>>
>>