[Pc_Support] RE: Nested group security in Active Directory (Win2000)?

Bryan J. Smith b.j.smith at ieee.org
Wed Aug 17 13:03:42 EDT 2005


Damien McKenna <dmckenna at thelimucompany.com> wrote:
> Some more detail, might help explain what I want to do.
> We have the following OUs:
> Root
> OU=Our Company
> 	-> OU=User Accounts
> 		-> OU=Departments
> 			-> OU=Customer Service
> 				-> User=Joe User
> 				-> User=Jo User
> 			-> OU=Operations
> 			-> OU=Technology
> 				-> User=Damien McKenna
> 		-> OU=Aliases
> 			-> alias email addresses..
> 	-> OU=Groups
> 		-> OU=Distribution
> 			-> email distribution addresses
> 		-> OU=Security
> 			-> OU=Departments
> 				-> Group=Customer Service
> 			-> Special Access
> 				-> Group=Customer Service Supervisors
> 				-> Group=Customer Service Managers

Not sure this is how you should tree your ADS/OU, but I'm not
in charge of your network.

> What I'd like to do is make Group=Customer Service Managers
> a member of Group=Customer Service Supervisors so that e.g.
> they can read all of the supervisor's email, access their
> files, etc.  So what do I need?

If your domain is in "mixed mode" you can _not_ nest Global or
Domain Local groups.  You can only place Global groups into
Domain Local groups.  It has to do with CIFS compatibility.

If you put the domain in "native mode," you can nest Global
or Domain Local groups with each other.  You can also use the
Universal Group (whose use is recommended only sparingly).

As I mentioned, you should learn the proper use of Domain
Local and Global groups regardless of mode, because they help
avoid NTFS file corruption due to unavailable SIDs on ACL and
other NTFS filesystem information.  While Microsoft doesn't
tell you that technical fact (the limitation of NTFS' design
is why you should use Domain Local and Global as appropriate),
they do give you sound planning on how to use both Domain
Local and Global groups regardless.


-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)



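One way to check the domain mode and group scopes before nesting the two groups named in the thread, as an added example that is not part of the original message. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, so it postdates the Windows 2000 setup discussed) and the group names from the thread; the nTMixedDomain attribute is used to tell mixed from native mode because DomainMode alone does not.

```powershell
# Added example, not from the original thread: nest "Customer Service Managers"
# into "Customer Service Supervisors" only after checking the domain mode and
# group scopes the reply above describes.
Import-Module ActiveDirectory

$Parent = 'Customer Service Supervisors'   # group whose access is to be inherited
$Child  = 'Customer Service Managers'      # group to be nested into it

# Mixed vs. native is recorded in the nTMixedDomain attribute of the domain
# object (1 = mixed, 0 = native); Get-ADDomain's DomainMode does not distinguish them.
$domain = Get-ADDomain
$mixed  = (Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain).nTMixedDomain -eq 1

$p = Get-ADGroup -Identity $Parent
$c = Get-ADGroup -Identity $Child
"Domain mode: $($domain.DomainMode) (mixed=$mixed)"
"$Parent scope: $($p.GroupScope); $Child scope: $($c.GroupScope)"

# In mixed mode the only permitted nesting is Global -> Domain Local (per the reply above).
if ($mixed -and -not ($c.GroupScope -eq 'Global' -and $p.GroupScope -eq 'DomainLocal')) {
    throw "Mixed-mode domain: can only place a Global group into a Domain Local group."
}

# Idempotent: skip the add if the child is already a direct member.
$already = Get-ADGroupMember -Identity $p |
    Where-Object { $_.DistinguishedName -eq $c.DistinguishedName }
if (-not $already) {
    Add-ADGroupMember -Identity $p -Members $c -Confirm:$false
}

# Verify the effective (transitive) membership that file and mailbox ACLs will see.
Get-ADGroupMember -Identity $p -Recursive | Select-Object Name, objectClass
```

Run it as an account allowed to modify both groups; the final listing should show every member of Customer Service Managers as an effective member of Customer Service Supervisors.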