Security Group Settings/Usage

[Diane]

I realize this is a simple question in the scheme of things. As a newcomer
to this area, I would appreciate your help.

I rarely deal with security items and now need to create AD security groups
to allow certain users only read access to a set of folders/subfolders, while
enabling a smaller group to create folders. I have researched security
groups and created two seperate groups with the appropriate users. What I
don't understand is what, if anything, I am suppose to set on the security
tab for the security group in AD. I expected to be able to set the
permissions for the respective group on this tab, but instead see a list of
other groups (e.g. domain users, etc). I don't understand why they are
listed there - should they removed or?????

I have tested my new groups with a folder set and see I can set the
permissions when I add the groups to the sharing permissions and security
settings. However, I thought the premise of security groups was that the
permissions were defined once in AD and then applied whenever that group was
used with a folder or other object - not that the permissions were defined
when used with an object.

I am obviously missing some concept, can someone kindly help set me straight?

Thank you,

 

[Roger Abell [MVP]]

Permissions are defined at the resource being controlled (where
you use a security group to grant or deny a specific permission set).
The security groups as defined in AD are just that, groups of accounts,
perhaps defined by nesting of other groups. The type of grants they
will be used to carry are not defined there (a group might for example
represent an organizational role and end up being used on multiple
resources and used to grant different permission level on each).
Another way to look at this is that each securable resource carries
its own specification of what permissions are allowed to what
accounts (groups). From this view the groups are only used to
name the principals.

Roger

 

[Diane]

Roger - your explanation is very helpful, thank you. In the AD security tab
for the group, what should I pay attention to there - anything? I am unclear
as to the significance of the listed items with respect to the security group
I am defining.

Also, if you can recommend a reference resource I would appreciate.

Thanks again - at least I feel I was on the right track.

Diane

 

[Roger Abell [MVP]]

When you are looking at a group (the AD object, not its membership)
the security tab is showing you the permissions on the AD group object
(such as who can manage the membership is the group, who can delete
it, etc.). Everything with a name is securable with permissions, and
that is what you are looking at for the group, i.e. how it is secured.
Unless you are delegating to non-admins the ability to manage the
group, then the default permissions on the group are likely correct
for your uses.

Roger

 

[Diane]

Thank you Roger! My Security Groups are working just fine - I appreciate
your guidance.

Diane

 

[Roger Abell [MVP]]

Thank you Roger! My Security Groups are working just fine - I appreciate
your guidance.

Diane

No problem Diane, you are welcome.