Changing Primary Group from Domain Users?

Steve Hunter

We have a single domain covering a few sites, most of them containing a domain
controller. To prevent people in different sites being allowed by default to
access computer resources in other sites, I'd like to change the Primary Group
of every user to one that reflects the site that they are in.

However, when searching the web for the pros and cons of this approach, I keep
coming across comments and articles expressing that this is not a good idea at
all - that the Primary Group should be kept as Domain Users unless Mac clients
are being used.

No-one explained the reasoning behind this though. Can anyone please tell me
why it is recommended that the Primary Group shouldn't be changed?

Thanks
Steve
 
ptwilliams

The primary group has no use in Windows -- it is there for compatibility with
Macs and UNIX boxes. There is no reason to do what you wish to do.

--

Dan,

The group replication behaviour has been changed in 2003. In 2000 the whole
group was replicated, which imposed additional limitations other than just
more replication; in 2003 it has been changed and only the changes are
replicated.
 
Joe Richards [MVP]

The primary group is a normal group. However, its use in Windows is not heavy;
it is primarily a UNIX/Mac type of thing.

The way you are talking, the way to implement this would be to change the
primary group and remove the users from domain users. Reasons for not doing it
are that you could run into apps or other things that are assuming you will be a
domain users member and only work then; if you aren't, it could fail.

The more intelligent way of implementing this would be to set up groups for each
site and add the users to those groups and set the share permissions on the
server such that only that group could access that share.

joe
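
The per-site group approach described in the post above, sketched as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, file servers running Windows Server 2012 or later (for the SMB cmdlets), and one user OU per site; the domain, OU, group, server and share names are all hypothetical placeholders.

```powershell
# Added example. Every name here (domain, OUs, groups, servers, shares) is a
# hypothetical placeholder, not a value from the thread.
Import-Module ActiveDirectory

$netbios = 'EXAMPLE'
$groupOu = 'OU=Groups,DC=example,DC=com'
$sites = @(
    @{ Name = 'London'; UserOu = 'OU=London,OU=Staff,DC=example,DC=com'; Server = 'LON-FS01'; Share = 'LondonData' }
    @{ Name = 'Leeds';  UserOu = 'OU=Leeds,OU=Staff,DC=example,DC=com';  Server = 'LDS-FS01'; Share = 'LeedsData' }
)
# Principals that let users from every site in by default.
$broad = 'Everyone', 'Authenticated Users', 'Domain Users'

foreach ($site in $sites) {
    $groupName = "Site-$($site.Name)-Users"

    # 1. Create the per-site security group if it does not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOu
    }

    # 2. Add the site's users as ordinary members.
    #    Their primary group stays Domain Users.
    $current = @(Get-ADGroupMember -Identity $groupName |
        ForEach-Object { $_.distinguishedName })
    $missing = @(Get-ADUser -Filter * -SearchBase $site.UserOu |
        Where-Object { $current -notcontains $_.DistinguishedName })
    if ($missing.Count -gt 0) {
        Add-ADGroupMember -Identity $groupName -Members $missing
    }

    # 3. Grant the site group on the share first, then remove the
    #    domain-wide entries so only that group (plus any admin ACEs) remains.
    Grant-SmbShareAccess -CimSession $site.Server -Name $site.Share `
        -AccountName "$netbios\$groupName" -AccessRight Change -Force | Out-Null

    Get-SmbShareAccess -CimSession $site.Server -Name $site.Share |
        Where-Object { $broad -contains ($_.AccountName -replace '^.*\\', '') } |
        ForEach-Object {
            Revoke-SmbShareAccess -CimSession $site.Server -Name $site.Share `
                -AccountName $_.AccountName -Force | Out-Null
        }
}
```

Share permissions are evaluated together with the NTFS ACL on the shared folder, so the folder ACL needs the same site group in place of any domain-wide entry.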
 
Joe Richards [MVP]

That is an odd way of saying it.

The issue would come in on a 2K domain where you change the primary group of
someone and then don't remove them from domain users. The issues would really
crop up once you approached 5k users in the domain users group as a normal
member versus as a primary group due to the mechanism difference in storing
primary group memberships compared to storing normal group memberships when you
start to bump against version store issues.

joe
 
