Domain local group missing

[Steve STeinbeck]

I am in the process of building our W2K domain with AD.

I have one AD controller, I intend to add 2 more once I
get some resource moved. I have also added our first
member server.

This member server has a share that I tried to assign
security permission to. I am able to create the share,
thate share permssions are all for everyone, then I go to
the security tab and attemp to assign security
permissions there to the domain local groups I created on
the domain controller and I cannot see the domain local
groups. I can see the users and the domain global
groups.

As I understand it the process is to assign users to
domain global groups, domain global groups to domain
local groups and permissions/rights to resources, i.e.
shares, to domain local groups. hard to do when you
can't see the domain locals.

I double checked to ensure that we had defined the groups
correctly and we had. I'll add that we are not in native
mode. We have two domains on the same infrastructure,
one is NT4 the other W2K using AD. We setup two way
trusts between the two domains for access to the data
while we move towards AD.

I also tried to create a share within AD in a specific OU
and while successful I also have no ability to assign
securty there.

What have I missed or misunderstood?

Thanks for the help.

Steve

 

[Curtis Clay III [MSFT]]

Hello Steve,
Domain local groups only exist on domain controllers unless your domain is
in native mode.

260534 Members of a Domain Local Group Are Not Granted Rights
http://support.microsoft.com/?id=260534

326265 Description of the Group Scopes That You Can Use to Help Secure
Active
http://support.microsoft.com/?id=326265

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steve Steinbeck]

Thanks, I knew I was doing something or thinking
something stupid.

 

[Steve Steinbeck]

Clay,

One more quick question if I may. Mixed mode vs. native
mode... In mixed mode I can have NT based controllers in
the domain. In native mode I can't, but, I can access an
NT domain using two way trusts.

Is this understanding correct? I'd like to build my
security only one time. I don't want ot have to revisit
it after I go native. If I can start there great.

Steve

 

[Curtis Clay III [MSFT]]

Yes Steve,
You are correct. In native mode WIndows 2000 domain controllers will no
longer replicate to and from NT4 domain controllers. You're on target.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steve Steinbeck]

Curtis,

Sorry, one very last thing. I'm in heated discussions
with my partner in crime here.

If we go native in the new domain, we know that security
will NOT replicate. But, given the two way trust can we
still get email from the old domain if the "new" user
account is granted rights to the "old" user account mail
box in Exchange 5.5. Also soon to be converted to 2000.

Thnanks again,

Steve

 

[Curtis Clay III [MSFT]]

Hello Steve,
I cannot give a definitive answer to that question. I'd give the exchange
newsgroup a buzz on that. However being in native mode does not affect the
way clients communicate across a trust.

This posting is provided "AS IS" with no warranties, and confers no rights.