[Pc_Support] Nested group security in Active Directory (Win2000)?

Damien McKenna dmckenna at thelimucompany.com
Tue Sep 27 10:41:08 EDT 2005


Just to revisit this again...

> Hold on, if you don't know the difference between "Domain
> Local" and "Global" groups, you should read up on them.

I'm going to try to get them to pick up that book you recommended.

> 1.  Users should _always_ be placed in Global groups
> 2.  Domain Local groups should be applied to service objects
> (e.g., share, filesystem, etc...)
> 3.  Global groups should then be assigned to Domain Local
> In other words:
> 1.  _Never_ assign Global groups to service objects (e.g.,
> share, filesystem, etc...)
> 2.  _Avoid_ assigning Users to Domain Local groups

So you should then never assign the built-in AD groups, e.g. Domain
Admins, to the file structure?  In effect you're saying to do it this
way:

(files/directories) -> Domain Local group -> Global group -> users

... And the reason for doing it that way is because of AD & NTFS being
pretty screwed up and badly designed to retain backwards compatibility
rather than doing things cleanly?

Part of the reason this whole thing has confused me is that I took a
class in Netware 5.1 a few years ago and it seemed very straightforward,
so AD's group handling seems extremely kludgy in comparison.

-- 
Damien McKenna - Web Developer - Damien.McKenna at thelimucompany.com
The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
#include <stdjoke.h>
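As an added illustration of the nesting chain the quoted rules describe (user -> Global group -> Domain Local group -> resource), and not code from this thread, here is a small Python model with constructed group and ACL data; it resolves what a user can effectively do once the nesting is followed, and flags the two departures the rules warn against (a Global group granted straight on a resource, and a user placed straight into a Domain Local group). All group, user and share names are made up.

```python
# Constructed directory model (not real data): each group's scope and direct members (users or groups).
GROUPS = {
    "G-Finance-Staff":        {"scope": "global",      "members": ["alice", "bob"]},
    "G-Finance-Mgrs":         {"scope": "global",      "members": ["carol"]},
    "DL-FinanceShare-Modify": {"scope": "domainlocal", "members": ["G-Finance-Staff", "G-Finance-Mgrs"]},
    # 'dave' sits directly in a Domain Local group: the pattern the quoted rule 2 says to avoid
    "DL-Payroll-Read":        {"scope": "domainlocal", "members": ["G-Finance-Mgrs", "dave"]},
}
# Constructed ACLs: resource -> list of (principal, permission) entries.
ACLS = {
    r"\\fs1\finance": [("DL-FinanceShare-Modify", "Modify")],
    # a Global group granted directly on the share: the pattern the quoted rule 1 says never to do
    r"\\fs1\payroll": [("DL-Payroll-Read", "Read"), ("G-Finance-Mgrs", "FullControl")],
}

def transitive_groups(principal):
    """Every group that contains `principal`, directly or through any depth of nesting."""
    seen, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for name, group in GROUPS.items():
            if current in group["members"] and name not in seen:
                seen.add(name)
                stack.append(name)
    return seen

def effective_permissions(user):
    """Permissions the user ends up with on each resource after the nesting is resolved."""
    principals = {user} | transitive_groups(user)
    result = {}
    for resource, aces in ACLS.items():
        for principal, permission in aces:
            if principal in principals:
                result.setdefault(resource, set()).add(permission)
    return result

def agdlp_violations():
    """Findings for anything that departs from user -> Global -> Domain Local -> resource."""
    findings = []
    for resource, aces in ACLS.items():
        for principal, _ in aces:
            scope = GROUPS.get(principal, {}).get("scope", "user")
            if scope != "domainlocal":
                findings.append(f"{resource}: '{principal}' ({scope}) granted directly; nest it in a Domain Local group")
    for name, group in GROUPS.items():
        if group["scope"] == "domainlocal":
            for member in group["members"]:
                if member not in GROUPS:
                    findings.append(f"{name}: user '{member}' is a direct member; put users in a Global group instead")
    return findings
```

Running agdlp_violations() against this data reports exactly the two deliberate mistakes, while effective_permissions("carol") shows how a single Global group membership fans out to both shares through the Domain Local groups.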
