I guess my question was "does anyone know why these Domain Local System
(DLS) groups behave like this", for my specific instance. I would
assume a DLS group would allow me to use such a group on any server in
the domain. However, I can ONLY use them on the Domain servers
themselves. Seemed weird to me that you would only be able to grant DLS
access on the Domain Servers themselves.

Anyway, I changed our Domain level from Windows 2000/NT Mixed mode, to
Windows 2000 mode, and the issue went away. They now work the way I
expect them to... within the entire domain.

I guess my English is not very good, because I thought I wrote out the
problem quite clearly. But I guess I asked too many at once.

Anyway, thanks again Roger. I now see why MVPs are the top of the pile.

Roger Abell [MVP] wrote:
> It is not really an issue of whether anyone knows, or not, but of the
> huge scale that would be a complete answer. Perhaps if you were
> to review some of the information in the resource kit documentation
> and then post more narrow question(s).
> For an example of how non-simple some aspects of group usage
> can be, take a look at a recent thread we had on
> with subject
> Best practive to clean up AD groups
> that started on
> Thursday, October 12, 2006 2:31 AM
> In the particular example with two domains that you presented,
> you cannot use a domain local group except in its domain (hence
> it is local to that domain). So yes, you can use a domain local on
> a member of the same domain, but whether you should or when is
> an entire further discussion. Globals can be seen/used outside of
> their domain, and have the limitation that they can only contain objects
> (users or other groups) that are defined in their own domain (hence
> a global group can represent some part of its domain globally
> throughout the forest).
> "Kshaeta" <firstname.lastname@example.org> wrote in message
>> Nobody knows the answer to this?
>> Kshaeta wrote:
>>> I've read lots on these, and I still don't really understand them.
>>> I know how they work together, how certain ones can't be part of others,
>>> etc. But I don't really understand how they work, or where and when to
>>> use them.
>>> Where are DLS (Domain Local Security) groups used, and why?
>>> How about Global Groups? Universal Groups?
>>> Is there any good documentation that explains how these are used and why?
>>> One reason I ask, is say for this problem. I have two security groups,
>>> within my domain, and two servers in my domain. One server is a domain
>>> server (DOM), the other is a member server (MEM).
>>> I have 2 security groups. The difference between the two is one is a
>>> DLS group, the other is a GS group. The DLS one doesn't allow the
>>> security group to be set on servers other than the domain servers. That
>>> is, if you are on DOM and you create a directory, you can grant it
>>> "Information Systems_DLS" security, or "Information Systems_GS" security.
>>> But if you log on to MEM, and try that it won't work. You need to grant
>>> it "Information Systems_GS". The option to grant any DLS doesn't even
>>> show up in the security selection on the member server.
>>> I don't really grasp this. Should "Domain level Security" allow you to
>>> grant that security group to any member server?
>>> Thanks for any info.
>> Bill Tkach
>> MSP, A+