Re: Domain Local Security vs Global Security vs Universal Security Groups

Windows Security


#1
11-01-2007
Kshaeta

Re: Domain Local Security vs Global Security vs Universal Security Groups

Thanks Roger.
I guess my question was "does anyone know why these Domain Local System
(DLS) groups behave like this", for my specific instance. I would
assume a DLS group would allow me to use such a group on any server in
the domain. However, I can ONLY use them on the Domain servers
themselves. Seemed weird to me that you would only be able to grant DLS
access on the Domain Servers itself.

Anyway, I changed our Domain level from Windows 2000/NT Mixed mode, to
Windows 2000 mode, and the issue went away. They now work the way I
expect them to... within the entire domain.

I guess my English is not very good, because I thought I wrote out the
problem quite clearly. But I guess I asked too many at once.

Anyway, thanks again Roger. I now see why MVPs are the top of the pile.

bil


Roger Abell [MVP] wrote:
> It is not really an issue of whether anyone knows, or not, but of the
> huge scale that would be a complete answer. Perhaps if you were
> to review some of the information in the resource kit documentation
> www.reskit.com
> and then post more narrow question(s).
>
> For an example of how non-simple some aspects of group usage
> can be, take a look at a recent thread we had on
> microsoft.public.windows.server.active_directory
> with subject
> Best practive to clean up AD groups
> that started on
> Thursday, October 12, 2006 2:31 AM
>
> In the particular example with two domains that you presented,
> you cannot use a domain local group except in its domain (hence
> it is local to that domain). So yes, you can use a domain local on
> a member of the same domain, but whether you should or when is
> an entire further discussion. Globals can be seen/used outside of
> their domain, and have limitation that they can only contain objects
> (users or other groups) that are defined in their own domain (hence
> a global group can represent some part of its domain globally
> throughout the forest).
>
> "Kshaeta" <visual.eyes@telus.net> wrote in message
> news:eSuQWf58GHA.4552@TK2MSFTNGP05.phx.gbl...
>> Nobody knows the answer to this?
>>
>>
>> Kshaeta wrote:
>>> I've read lots on these, and I still don't really understand them.
>>>
>>> I know how they work together, how certain ones can't be part of others,
>>> etc. But I don't really understand how they work, or where and when to
>>> use them.
>>>
>>> Where are DLS (Domain Local Security) groups used, and why?
>>> How about Global Groups? Universal Groups?
>>>
>>> Is there any good documentation that explains how these are used and why?
>>>
>>> One reason I ask, is say for this problem. I have two security groups,
>>> within my domain, and two servers in my domain. One server is a domain
>>> server (DOM), the other is a member server (MEM).
>>> I have 2 security groups. The difference between the two is one is a
>>> DLS group, the other is a GS group. The DLS one doesn't allow the
>>> security group to be set on servers other than the domain servers. That
>>> is, if you are on DOM and you create a directory, you can grant it
>>> "Information Systems_DLS" security, or "Information Systems_GS" security.
>>> But if you log on to MEM, and try that it won't work. You need to grant
>>> it "Information Systems_GS". The option to grant any DLS doesn't even
>>> show up in the security selection on the member server.
>>>
>>> I don't really grasp this. Should "Domain level Security" allow you to
>>> grant that security group to any member server?
>>>
>>> Thanks for any info.
>>>
>>> bil

>> --
>> Bill Tkach
>> MSP, A+
>> visual{period}eyes{period}this{at}gmail{period}com

>
>



--
Bill Tkach
MSP, A+
visual{period}eyes{period}this{at}gmail{period}com
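
Added example (not part of the original thread, and not code from either poster): a simplified single-forest model of the scope rules discussed above, showing why the domain local group was missing on MEM in mixed mode and usable after the switch to native mode. The domain name `corp.example`, the `Host` class and the `can_grant` helper are assumptions made for illustration; the `groupType` bit values are the ones Active Directory stores on group objects.

```python
from dataclasses import dataclass

# groupType bit flags as stored on Active Directory group objects.
SCOPES = {0x2: "global", 0x4: "domain_local", 0x8: "universal"}
SECURITY_ENABLED = 0x80000000

@dataclass
class Host:
    name: str
    domain: str
    is_dc: bool

def decode_group_type(raw):
    """LDAP returns groupType as a signed 32-bit integer; mask it first."""
    value = raw & 0xFFFFFFFF
    scope = next((n for bit, n in SCOPES.items() if value & bit), "unknown")
    return scope, bool(value & SECURITY_ENABLED)

def can_grant(raw, group_domain, host, mixed_mode):
    """Can this group be placed on an ACL on `host`? Returns (ok, reason).
    mixed_mode is the mode of the group's own domain (hypothetical helper)."""
    scope, is_security = decode_group_type(raw)
    if not is_security:
        return False, "distribution group, not usable on an ACL"
    if scope == "domain_local":
        if host.domain != group_domain:
            return False, "domain local groups are valid only in their own domain"
        if mixed_mode and not host.is_dc:
            return False, "mixed mode: domain local groups are visible only on DCs"
        return True, "domain local group usable here"
    if scope == "universal" and mixed_mode:
        return False, "universal security groups require native mode"
    if scope in ("global", "universal"):
        return True, f"{scope} group usable here"
    return False, "unrecognised scope"

# Constructed sample data modelled on the thread (domain name is made up).
DOM = Host("DOM", "corp.example", is_dc=True)
MEM = Host("MEM", "corp.example", is_dc=False)
GROUPS = {"Information Systems_DLS": -2147483644,  # domain local + security
          "Information Systems_GS": -2147483646}   # global + security

if __name__ == "__main__":
    for mixed in (True, False):
        for host in (DOM, MEM):
            for name, raw in GROUPS.items():
                ok, why = can_grant(raw, "corp.example", host, mixed)
                print(f"mixed={mixed} {host.name:3} {name:24} {ok} ({why})")
```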

#2
21-01-2007
Roger Abell [MVP]

Re: Domain Local Security vs Global Security vs Universal Security Groups

Thanks for your followup, nice comment, and I am also sorry
that I overlooked domain mode as part of your issue (pretty
much everyone is at W2k if not one of the W2k3 modes by
now) limiting scope of DL groups, resulting in the questions.

Roger

"Kshaeta" <visual.eyes@telus.net> wrote in message
news:OESBZ8ZNHHA.992@TK2MSFTNGP04.phx.gbl...
> Thanks Roger.
> I guess my question was "does anyone know why these Domain Local System
> (DLS) groups behave like this", for my specific instance. I would assume
> a DLS group would allow me to use such a group on any server in the
> domain. However, I can ONLY use them on the Domain servers themselves.
> Seemed weird to me that you would only be able to grant DLS access on the
> Domain Servers itself.
>
> Anyway, I changed our Domain level from Windows 2000/NT Mixed mode, to
> Windows 2000 mode, and the issue went away. They now work the way I
> expect them to... within the entire domain.
>
> I guess my English is not very good, because I thought I wrote out the
> problem quite clearly. But I guess I asked too many at once.
>
> Anyway, thanks again Roger. I now see why MVPs are the top of the pile.
>
> bil
>
>
> Roger Abell [MVP] wrote:
>> It is not really an issue of whether anyone knows, or not, but of the
>> huge scale that would be a complete answer. Perhaps if you were
>> to review some of the information in the resource kit documentation
>> www.reskit.com
>> and then post more narrow question(s).
>>
>> For an example of how non-simple some aspects of group usage
>> can be, take a look at a recent thread we had on
>> microsoft.public.windows.server.active_directory
>> with subject
>> Best practive to clean up AD groups
>> that started on
>> Thursday, October 12, 2006 2:31 AM
>>
>> In the particular example with two domains that you presented,
>> you cannot use a domain local group except in its domain (hence
>> it is local to that domain). So yes, you can use a domain local on
>> a member of the same domain, but whether you should or when is
>> an entire further discussion. Globals can be seen/used outside of
>> their domain, and have limitation that they can only contain objects
>> (users or other groups) that are defined in their own domain (hence
>> a global group can represent some part of its domain globally
>> throughout the forest).
>>
>> "Kshaeta" <visual.eyes@telus.net> wrote in message
>> news:eSuQWf58GHA.4552@TK2MSFTNGP05.phx.gbl...
>>> Nobody knows the answer to this?
>>>
>>>
>>> Kshaeta wrote:
>>>> I've read lots on these, and I still don't really understand them.
>>>>
>>>> I know how they work together, how certain ones can't be part of
>>>> others, etc. But I don't really understand how they work, or where and
>>>> when to use them.
>>>>
>>>> Where are DLS (Domain Local Security) groups used, and why?
>>>> How about Global Groups? Universal Groups?
>>>>
>>>> Is there any good documentation that explains how these are used and
>>>> why?
>>>>
>>>> One reason I ask, is say for this problem. I have two security groups,
>>>> within my domain, and two servers in my domain. One server is a domain
>>>> server (DOM), the other is a member server (MEM).
>>>> I have 2 security groups. The difference between the two is one is a
>>>> DLS group, the other is a GS group. The DLS one doesn't allow the
>>>> security group to be set on servers other than the domain servers.
>>>> That is, if you are on DOM and you create a directory, you can grant it
>>>> "Information Systems_DLS" security, or "Information Systems_GS"
>>>> security. But if you log on to MEM, and try that it won't work. You
>>>> need to grant it "Information Systems_GS". The option to grant any DLS
>>>> doesn't even show up in the security selection on the member server.
>>>>
>>>> I don't really grasp this. Should "Domain level Security" allow you to
>>>> grant that security group to any member server?
>>>>
>>>> Thanks for any info.
>>>>
>>>> bil
>>> --
>>> Bill Tkach
>>> MSP, A+
>>> visual{period}eyes{period}this{at}gmail{period}com

>>
>>

>
>
> --
> Bill Tkach
> MSP, A+
> visual{period}eyes{period}this{at}gmail{period}com


