Thread: Re: Domain Local Security vs Global Security vs Universal Security Groups

  1. #1
    Kshaeta Guest

    Re: Domain Local Security vs Global Security vs Universal Security Groups

    Thanks Roger.
    I guess my question was "does anyone know why these Domain Local System
    (DLS) groups behave like this", for my specific instance. I would
    assume a DLS group would allow me to use such a group on any server in
    the domain. However, I can ONLY use them on the Domain servers
    themselves. Seemed weird to me that you would only be able to grant DLS
    access on the Domain Servers itself.

    Anyway, I changed our Domain level from Windows 2000/NT Mixed mode, to
    Windows 2000 mode, and the issue went away. They now work the way I
    expect them to... within the entire domain.

    I guess my English is not very good, because I thought I wrote out the
    problem quite clearly. But I guess I asked too many at once.

    Anyway, thanks again Roger. I now see why MVPs are the top of the pile.

    bil


    Roger Abell [MVP] wrote:
    > It is not really an issue of whether anyone knows, or not, but of the
    > huge scale that would be a complete answer. Perhaps if you were
    > to review some of the information in the resource kit documentation
    > www.reskit.com
    > and then post more narrow question(s).
    >
    > For an example of how non-simple some aspects of group usage
    > can be, take a look at a recent thread we had on
    > microsoft.public.windows.server.active_directory
    > with subject
    > Best practive to clean up AD groups
    > that started on
    > Thursday, October 12, 2006 2:31 AM
    >
    > In the particular example with two domains that you presented,
    > you cannot use a domain local group except in its domain (hence
    > it is local to that domain). So yes, you can use a domain local on
    > a member of the same domain, but whether you should or when is
    > an entire further discussion. Globals can be seen/used outside of
    > their domain, and have the limitation that they can only contain objects
    > (users or other groups) that are defined in their own domain (hence
    > a global group can represent some part of its domain globally
    > throughout the forest).
    >
    > "Kshaeta" <visual.eyes@telus.net> wrote in message
    > news:eSuQWf58GHA.4552@TK2MSFTNGP05.phx.gbl...
    >> Nobody knows the answer to this?
    >>
    >>
    >> Kshaeta wrote:
    >>> I've read lots on these, and I still don't really understand them.
    >>>
    >>> I know how they work together, how certain ones can't be part of others,
    >>> etc. But I don't really understand how they work, or where and when to
    >>> use them.
    >>>
    >>> Where are DLS (Domain Local Security) groups used, and why?
    >>> How about Global Groups? Universal Groups?
    >>>
    >>> Is there any good documentation that explains how these are used and why?
    >>>
    >>> One reason I ask, is say for this problem. I have two security groups,
    >>> within my domain, and two servers in my domain. One server is a domain
    >>> server (DOM), the other is a member server (MEM).
    >>> I have 2 security groups. The difference between the two is one is a
    >>> DLS group, the other is a GS group. The DLS one doesn't allow the
    >>> security group to be set on servers other than the domain servers. That
    >>> is, if you are on DOM and you create a directory, you can grant it
    >>> "Information Systems_DLS" security, or "Information Systems_GS" security.
    >>> But if you log on to MEM, and try that it won't work. You need to grant
    >>> it "Information Systems_GS". The option to grant any DLS doesn't even
    >>> show up in the security selection on the member server.
    >>>
    >>> I don't really grasp this. Should "Domain level Security" allow you to
    >>> grant that security group to any member server?
    >>>
    >>> Thanks for any info.
    >>>
    >>> bil

    >> --
    >> Bill Tkach
    >> MSP, A+
    >> visual{period}eyes{period}this{at}gmail{period}com


    --
    Bill Tkach
    MSP, A+
    visual{period}eyes{period}this{at}gmail{period}com

  2. #2
    Roger Abell [MVP] Guest

    Re: Domain Local Security vs Global Security vs Universal Security Groups

    Thanks for your followup, nice comment, and I am also sorry
    that I overlooked domain mode as part of your issue (pretty
    much everyone is at W2k if not one of the W2k3 modes by
    now) limiting scope of DL groups, resulting in the questions.

    Roger

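The behaviour discussed in this thread, as an added example that is not part of either post: it decodes the `groupType` flags Active Directory stores on a group and applies the scope rules, including the mixed-mode restriction that limited the domain local group to domain controllers. The domain names `corp.example` and `other.example` and the host `SRV1` are constructed; the group and server names are the ones from the question.

```python
from dataclasses import dataclass

# groupType bit flags as stored on AD group objects (documented values).
GLOBAL, DOMAIN_LOCAL, UNIVERSAL, SECURITY = 0x2, 0x4, 0x8, 0x80000000

@dataclass
class Host:
    name: str
    domain: str
    is_dc: bool

def scope_of(group_type: int) -> str:
    """Decode the scope; LDAP returns groupType as a signed 32-bit integer."""
    raw = group_type & 0xFFFFFFFF
    for flag, name in ((GLOBAL, "global"), (DOMAIN_LOCAL, "domain local"),
                       (UNIVERSAL, "universal")):
        if raw & flag:
            return name
    raise ValueError(f"no scope bit set in groupType {group_type}")

def can_grant(group_type: int, group_domain: str, host: Host,
              nt_mixed_domain: int) -> bool:
    """Can this group be placed on an ACL on `host`?

    nt_mixed_domain is the ntMixedDomain value of the group's domain:
    1 = mixed mode, 0 = native mode.
    """
    if not (group_type & 0xFFFFFFFF) & SECURITY:
        return False  # distribution groups are not usable for access control
    if scope_of(group_type) == "domain local":
        if host.domain != group_domain:
            return False  # a domain local group is never usable outside its domain
        # In mixed mode the group is only usable on the domain controllers.
        return host.is_dc or nt_mixed_domain == 0
    return True  # global and universal groups are usable throughout the forest

# Constructed sample data modelling the scenario from the question.
DLS = -2147483644  # "Information Systems_DLS": domain local security group
GS = -2147483646   # "Information Systems_GS": global security group
DOM = Host("DOM", "corp.example", is_dc=True)
MEM = Host("MEM", "corp.example", is_dc=False)
SRV1 = Host("SRV1", "other.example", is_dc=False)  # constructed second domain

def dls_visibility(nt_mixed_domain: int) -> dict:
    """Where the DLS group can be granted, for a given domain mode."""
    return {h.name: can_grant(DLS, "corp.example", h, nt_mixed_domain)
            for h in (DOM, MEM, SRV1)}

if __name__ == "__main__":
    print("mixed :", dls_visibility(1))
    print("native:", dls_visibility(0))
```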



