AD-Fu a bit rusty so a small sec question

Guest

I'm a bit rusty with AD security and groups.

I have security groups that I can assign to resources with specific
permissions.

I want to make another security group that can have other security groups as
members, and still assign it permissions.

I have a Win2000 AD, I have 2 Global Security groups. I can only make
domain local groups that I can add Global security grps to. But I can't
assign the domain local to any shares.

What am I doing wrong?

Thanks,
AlbertP
 
Guest

A little more info...

I am running AD2000 in mixed mode, but according to MS info on nesting groups.

"Groups with domain local scope can have as their members other groups with
global scope and accounts." within a mixed 2000AD

My problem is now assigning that domain local group to a resource.
 
Ho Chi Toh

AlbertP said:
A little more info...

I am running AD2000 in mixed mode, but according to MS info on nesting groups.

"Groups with domain local scope can have as their members other groups with
global scope and accounts." within a mixed 2000AD

My problem is now assigning that domain local group to a resource.

If your resource resides on a member server, you should use that server's
local group, not a domain local group, to assign permissions to a resource.
 
Roger Abell [MVP]

If it is not a domain member then how can it utilize
any of the domain's groups ??
 
Guest

Let me explain further.

The NAS is Unix-based, and uses something called Sifs? to allow Windows-based
PCs to use the storage. It uses AD to authenticate permissions. Even
though I can assign permission via Windows, I can't connect to it and admin
it like a normal Windows member.

As a side note, I also DID try this on a Windows member server and got the
same results.
 
Roger Abell [MVP]

"the same result" being that you could not use the domain local
on the share and/or ntfs permissions ?? or however it is that these
are reflected by that NAS vendor ??
In a W2k3 native domain I have no issues with using either on either.
I no longer have access to a W2k in mixed to check, but I do seem
to recall it being any different in mixed mode where the globals only
would be available since they are what NT4 would consider domain
groups
 
Joe Richards [MVP]

Correct, in mixed mode group membership works like it did on NT4. No nesting of
groups with the same scope, domain local groups only had visibility on Domain
Controllers.

This guy has two options

1. Use Global groups and live with the fact you can't nest them.

2. Switch to Native mode.
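
The mixed-mode behaviour described in this reply, modelled as an added example (not code from the thread or from Microsoft): a small checker that validates a planned group layout against the nesting and visibility rules for each domain mode. The native-mode and universal-scope entries are the standard Windows 2000 rules rather than something stated in the thread; a single domain is assumed and the group names are made up.

```python
from dataclasses import dataclass, field

# Group scopes each container scope may hold as members, per domain mode
# (single domain assumed). Mixed mode follows the NT4 model described above.
NESTING = {
    "mixed": {"domain_local": {"global"}, "global": set()},
    "native": {
        "domain_local": {"domain_local", "global", "universal"},
        "global": {"global"},
        "universal": {"global", "universal"},
    },
}

@dataclass
class Group:
    name: str
    scope: str                                   # domain_local | global | universal
    members: list = field(default_factory=list)  # nested Group objects only

def check_design(mode, acl_entries):
    """acl_entries: (Group, host_role) pairs, host_role is 'dc' or 'member'.
    Returns a list of findings; an empty list means the plan is valid."""
    findings, seen = [], set()

    def walk(group):
        if group.name in seen:          # visit each group once; stops on cycles
            return
        seen.add(group.name)
        allowed = NESTING[mode].get(group.scope)
        if allowed is None:             # e.g. universal security group in mixed mode
            findings.append(f"{group.name}: no {group.scope} security groups in {mode} mode")
            allowed = set()
        for member in group.members:
            if member.scope not in allowed:
                findings.append(f"{group.name}: cannot contain {member.scope} "
                                f"group {member.name} in {mode} mode")
            walk(member)

    for group, host_role in acl_entries:
        walk(group)
        if mode == "mixed" and group.scope == "domain_local" and host_role != "dc":
            findings.append(f"{group.name}: domain local group is not visible "
                            f"on a {host_role} server in mixed mode")
    return findings

# Constructed sample: the layout from the question (group names are made up).
share_acl = Group("DL_LabShare", "domain_local",
                  [Group("GG_LabUsers", "global"), Group("GG_LabAdmins", "global")])
PLAN = [(share_acl, "member")]
```

Running `check_design("mixed", PLAN)` reports the one problem the original poster hit (the nesting is legal, the ACL assignment on a member server is not), while `check_design("native", PLAN)` returns no findings.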
 
Guest

Thanks Gents. After a lot of reading I have chosen to try native mode. I
understand that any NT4 machines can use the AD client to still connect to
the domain. The NT4 machines are lab device controllers so not sure if they
can be upgraded yet to W2k.

Thanks for the response

AlbertP
 
