Creating groups and permissions

Guest

I am restructuring the way permissions are allocated within the domain due to
a DC crash ("win2kserver"). What I am trying to accomplish is creating global
security groups that mimic the dept. For instance, I have a dept. called HR,
and I am creating the GS group HR, putting the people within the dept. in
that group, and assigning that group permissions to the appropriate shares. The
problem I am having is that the permissions are not carrying over accordingly.
For instance, I give the group Change and Read on the share and Modify on the
security, and the users are getting access denied. I then have to go in and
assign the individual user Full Control on everything to that share and
security just so they can access their data. Why would this be happening, and
how can I correct this never-ending nightmare?
 
Manny Borges

U-G-DL-P: the Microsoft mantra.
Users into global, global into domain local, domain local get permissions.

I hear the first part as being correct. You are assigning users to the
Global Groups.

Step 2, make domain local groups with descriptive names like
"marketingShareRD". The RD would stand for read.

On the share, what I usually do is rip off the default share permission and
give the needed Domain Local groups full control.

Then I modify the NTFS permissions granularly down the folder tree using the
domain local groups. These will be your effective permissions.

Finally, drop any global groups into the correct DL groups, have them log
off then log on and you should be golden.

Don't use explicit deny anywhere. 90 times out of 100 needing an explicit
deny on permissions means that you designed your storage and security plan
badly.

--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

The pen is mightier than the sword, and considerably easier to write with.
-- Marty Feldman
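
The U-G-DL-P layout described in the answer above, as an added PowerShell example that is not part of the original posts. It assumes the ActiveDirectory and SmbShare modules on a current Windows Server; the domain EXAMPLE, the users alice and bob, the Auditors group, the HRShareMOD/HRShareRD group names and the folder D:\Shares\HR are all hypothetical.

```powershell
# Added example. Hypothetical names: domain EXAMPLE, users alice/bob,
# groups HR, Auditors, HRShareMOD, HRShareRD, folder D:\Shares\HR.
Import-Module ActiveDirectory
$domain = 'EXAMPLE'
$path   = 'D:\Shares\HR'

# U -> G: global groups mirror departments and hold the user accounts.
New-ADGroup -Name 'HR'       -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'Auditors' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'HR'       -Members 'alice'
Add-ADGroupMember -Identity 'Auditors' -Members 'bob'

# DL: one domain local group per resource and access level (MOD = modify, RD = read).
New-ADGroup -Name 'HRShareMOD' -GroupScope DomainLocal -GroupCategory Security
New-ADGroup -Name 'HRShareRD'  -GroupScope DomainLocal -GroupCategory Security

# G -> DL: nest the global groups; no user account goes directly into a DL group.
Add-ADGroupMember -Identity 'HRShareMOD' -Members 'HR'
Add-ADGroupMember -Identity 'HRShareRD'  -Members 'Auditors'

# DL -> P (share): the DL groups get Full Control on the share, so the
# share ACL does not narrow whatever NTFS grants further down.
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name 'HR' -Path $path -FullAccess "$domain\HRShareMOD", "$domain\HRShareRD"

# DL -> P (NTFS): the granular rights live here and inherit down the folder tree.
$inherit = 'ContainerInherit,ObjectInherit'
$acl = Get-Acl -Path $path
foreach ($entry in @(@{ Group = 'HRShareMOD'; Rights = 'Modify' },
                     @{ Group = 'HRShareRD';  Rights = 'ReadAndExecute' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "$domain\$($entry.Group)", $entry.Rights, $inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Checks: both ACLs should show Allow entries for the DL groups and no Deny entries.
Get-SmbShareAccess -Name 'HR'
(Get-Acl -Path $path).Access | Where-Object { $_.IdentityReference -like "$domain\HRShare*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Run as the affected user after logging back on: new memberships only show up in a fresh token.
whoami /groups | Select-String 'HR'
```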