AD-Fu a bit rusty so a small sec question

I'm a bit rusty with AD security and groups.

I have security groups that I can assign to resources with specific
permissions.

I want to make another security group that can have other security groups as
members, and still assign it permissions.

I have a Win2000 AD, I have 2 Global Security groups. I can only make
domain local groups that I can add Global security grps to. But I can't
assign the domain local to any shares.

What am I doing wrong?

Thanks,
AlbertP
 
A little more info...

I am running AD2000 in mixed mode, but according to MS info on nesting groups.

"Groups with domain local scope can have as their members other groups with
global scope and accounts." within a mixed 2000AD

My problem is now assigning that domain local group to a resource.
 
AlbertP said:
A little more info...

I am running AD2000 in mixed mode, but according to MS info on nesting
groups.

"Groups with domain local scope can have as their members other groups with
global scope and accounts." within a mixed 2000AD

My problem is now assigning that domain local group to a resource.

If your resource resides on a member server, you should use that server's
local group, not domain local group to assign permissions to a resource.
 
If it is not a domain member then how can it utilize
any of the domain's groups ??
 
Let me explain further.

The NAS is Unix based, and uses something called Sifs? to allow Windows based
PCs to use the storage. It uses AD to authenticate permissions. Even
though I can assign permission via windows, I can't connect to it and admin
it like a normal windows member.

As a side note, I also DID try this on windows member server and got the
same results.
 
"the same result" being that you could not use the domain local
on the share and/or ntfs permissions ?? or however it is that these
are reflected by that NAS vendor ??
In a W2k3 native domain I have no issues with using either on either.
I no longer have access to a W2k in mixed to check, but I do seem
to recall it being any different in mixed mode where the globals only
would be available since they are what NT4 would consider domain
groups
 
Correct, in mixed mode group membership works like it did on NT4. No nesting of
groups with the same scope, domain local groups only had visibility on Domain
Controllers.

This guy has two options

1. Use Global groups and live with the fact you can't nest them.

2. Switch to Native mode.
 
Thanks Gents. After a lot of reading I have chosen to try native mode. I
understand that any NT4 machines can use the AD client to still connect to
the domain. The NT4 machines are lab device controllers so not sure if they
can be upgraded yet to W2k.

Thanks for the response

AlbertP
 