Assigning Domain Local Groups to resources on client machines?


Paul Cachia

Hello, can anybody explain to me why you cannot assign Domain Local groups,
such as the built-in ones (for example USERS), to shared resource permissions
on client machines when logged on to the client machine with domain
administrative rights? In the object picker you only get the individual
users, Global Groups and special groups and identities. However, you can
assign Domain Local Groups on resources when you are logged on to the
server. ???

Thanks Paul.
 

Joe Richards [MVP]

Builtin groups are not domain local groups; they are different. Builtin groups have special SIDs that do not have domain
scope and can only be on machines that share a common security database, such as domain controllers. Domain Local Groups
have the SID of the domain as part of their SID, so they are uniquely resolvable back to a security authority.

In your example of users, here is the SID for users from two different machines

F:\VPC\Virtuals>getsid \\w2kasdc1 users \\mainpro users
The SID for account BUILTIN\users matches account BUILTIN\users
The SID for account BUILTIN\users is S-1-5-32-545
The SID for account BUILTIN\users is S-1-5-32-545


Notice that they are identical? That is because they are hard coded. So if you tried to specify the Users group from one
domain on a machine, it wouldn't be able to resolve that back to a specific domain; any domain would work, so that is a
security hole. They don't allow it, and you use the local builtin Users group and add some domain group to that.
 
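The distinction in the reply above, as an added example that is not part of the original thread: the script resolves an account name to its SID, reports whether that SID carries a domain identifier (the `AccountDomainSid` property of a .NET `SecurityIdentifier` is `$null` for every hard-coded `S-1-5-32-*` BUILTIN SID), and then applies the workaround of nesting a domain group inside the client's local `Users` group. It assumes PowerShell 5.1 or later on a domain-joined client, run with rights to modify local groups; `CONTOSO\HelpDesk` is a hypothetical domain group name used only for illustration.

```powershell
# Added example (not code from the original thread). Assumptions: PowerShell 5.1+
# on a domain-joined client, run with local admin rights; 'CONTOSO\HelpDesk' is a
# hypothetical domain group and should be replaced with a real one.

function Get-SidScope {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'BUILTIN\Users' or 'CONTOSO\HelpDesk'

    # Translate throws IdentityNotMappedException if the name cannot be resolved,
    # which is the right failure mode: an unresolvable principal must not be granted anything.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # AccountDomainSid is $null unless the SID is of the form S-1-5-21-<domain>-<rid>.
    # Every BUILTIN SID (S-1-5-32-<rid>, e.g. S-1-5-32-545 for Users) returns $null:
    # nothing in it identifies which domain's "Users" is meant, which is why the
    # object picker will not offer it for another machine's ACL.
    [pscustomobject]@{
        Account        = $Account
        Sid            = $sid.Value
        IsBuiltin      = $sid.Value -like 'S-1-5-32-*'
        IsDomainScoped = $null -ne $sid.AccountDomainSid
        DomainSid      = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '(none)' }
    }
}

# BUILTIN\Users resolves to the same hard-coded SID on every machine (S-1-5-32-545),
# so it is not domain-scoped.
Get-SidScope 'BUILTIN\Users'

# A domain group carries the domain SID as its prefix and so is uniquely resolvable.
$domainGroup = 'CONTOSO\HelpDesk'   # hypothetical; substitute a real group
Get-SidScope $domainGroup

# Workaround from the reply: grant the share/NTFS permission to the client's local
# Users group and put the domain group inside it. Add-LocalGroupMember ships with
# Windows 10 / Server 2016 and later; on older systems the equivalent is
#   net localgroup Users "CONTOSO\HelpDesk" /add
$alreadyMember = Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
                 Where-Object Name -eq $domainGroup
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group 'Users' -Member $domainGroup
}

# Confirm the nesting; PrincipalSource shows ActiveDirectory for the domain group.
Get-LocalGroupMember -Group 'Users' | Select-Object Name, SID, PrincipalSource
```

Running `Get-SidScope` against the two accounts shows `IsDomainScoped` as `False` for `BUILTIN\Users` and `True` for the domain group, which is the property the object picker is enforcing. The membership check before `Add-LocalGroupMember` avoids the error the cmdlet raises when the member is already present.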
