Groups and Privileges

S

Scott

On a WIN 2003 Standard edition PDC, I created a universal group called
myAdminGroup. Then I made the Administrator, Domain Admins, Enterprise
Admins, Group Policy Creator Owners, and Domain Users a member of
myAdminGroup.

I added my account as a member of myAdminGroup. I thought I would have all
of the rights of the 5 groups that made up myAdminGroup, but I didn't. I
seemed to simply have the rights of the Domain Users account. So, I tried
subtracting the Domain Users account from membership in myAdminGroup and
even deleted Domain Users from my membership groups.

Nothing ever worked. Finally, I gave up and just added the Administrator,
Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Domain
Users Groups to my account as I have always done and that works.

How can I create a new Group and give it all the super Admin Group
privileges?
 
H

Herb Martin

Scott said:
On a WIN 2003 Standard edition PDC, I created a universal group called
myAdminGroup. Then I made the Administrator, Domain Admins, Enterprise
Admins, Group Policy Creator Owners, and Domain Users a member of
myAdminGroup.

I added my account as a member of myAdminGroup. I thought I would have all
of the rights of the 5 groups that made up myAdminGroup, but I didn't. I
seemed to simply have the rights of the Domain Users account. So, I tried
subtracting the Domain Users account from membership in myAdminGroup and
even deleted Domain Users from my membership groups.
Click to expand...

No, you don't get the rights of other accounts listed with yours.

You get the rights (and permissions) of the Groups your account
is listed within (directly or indirectly.)

If you make such changes you must also log back on to see the
effect or Group membership or Rights changes.

(Permissions take effect immediately unless they are dependent
on new group memberships.)
Nothing ever worked. Finally, I gave up and just added the Administrator,
Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Domain
Users Groups to my account as I have always done and that works.
Click to expand...

Ok, mayber you are just describing it backwards -- even if you
use the tool that gives the list of Groups your account is in --
always describe it from the point of view of your account is IN
some groups, those groups are IN other groups. Some of those
groups have rights (in general) or permissions on files and other
objects.
How can I create a new Group and give it all the super Admin Group
privileges?
Click to expand...

You can put a group in Enterprise admins and have it obtain
all the privileges of that group and those that contain it.
[/QUOTE]
 
S

Scott

i'll try at work again in morning and get back.


Herb Martin said:
No, you don't get the rights of other accounts listed with yours.

You get the rights (and permissions) of the Groups your account
is listed within (directly or indirectly.)

If you make such changes you must also log back on to see the
effect or Group membership or Rights changes.

(Permissions take effect immediately unless they are dependent
on new group memberships.)


Ok, mayber you are just describing it backwards -- even if you
use the tool that gives the list of Groups your account is in --
always describe it from the point of view of your account is IN
some groups, those groups are IN other groups. Some of those
groups have rights (in general) or permissions on files and other
objects.


You can put a group in Enterprise admins and have it obtain
all the privileges of that group and those that contain it.
Click to expand...
[/QUOTE]
 
J

Joe Richards [MVP]

This is exactly correct.

You added the groups to your UNI group. You didn't add the UNI group to those
groups. So that means the groups have any powers the UNI group has, not the
other way around.

You actually can't do what you were trying to do that way.

You will have to create a global group, put yourself in that group. Then add
that group to the other groups you mentioned. You can't do it with a universal
group because a global group can not have a universal group as a member. It can
only have other global groups (assuming native mode) and users from the same
domain as members.
 
H

Herb Martin

You added the groups to your UNI group. You didn't add the UNI group to those
groups. So that means the groups have any powers the UNI group has, not the
other way around.
Click to expand...

I agree with you -- and posted something similar.

But he also may have been using the user account
where it LOOKS like one adds groups to users so
I suggested he also report the membership listing
rather than HOW he adds it.

And in fact he may have done it backwards and even
used that other dialog also. <grin>

He's going to take another look and get back to us.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
Change Default Groups added to Local Administrator group when joiningdomain. 1
error trying to open Domain Security Console 2
Permissions not applied to every user 4
Problem accessing groups and users of two trusting domains 2
User Access to a DC 8
Can i use the Group Domainadmins for two Domains? 1
dcpromo help 1

Top