
nested group permissions not working

Author
6 Mar 2006 1:23 PM
captainx0r
I have a single Windows 2000 domain in native mode.  All of our groups
are of global scope.  We recently changed some things around so that
one of the groups (FLY) contains only other groups (FLYA, FLYB,FLYC),
which contain users.  Now we have a share on a file server, with full
control permissions assigned to FLY, but users in the FLYA (etc.)
groups are getting permission denied.  If I add FLYA on the security
tab for the share, then the users in that group have the expected
permissions.

According to MS, "Groups with global scope can have as their members:
accounts from the same domain and other groups with global scope from
the same domain.", but only for native mode domains.  We are native
mode.

I've created FLYtestu and FLYtestdl, universal and domain local groups,
given them permissions on the share, added in FLYA, and I still don't
get the expected behavior for the users of FLYA unless I explicitly add
FLYA to the security tab.

Is it possible to assign permissions to a group and have it apply to
users of groups contained within that group?

Thanks.

Author
6 Mar 2006 2:09 PM
Neil Ruston
Inline

neil

"captain***@gmail.com" wrote:

> I have a single Windows 2000 domain in native mode.  All of our groups
> are of global scope.  We recently changed some things around so that
> one of the groups (FLY) contains only other groups (FLYA, FLYB,FLYC),
> which contain users.  Now we have a share on a file server, with full
> control permissions assigned to FLY, but users in the FLYA (etc.)
> groups are getting permission denied.  If I add FLYA on the security
> tab for the share, then the users in that group have the expected
> permissions.
>
> According to MS, "Groups with global scope can have as their members:
> accounts from the same domain and other groups with global scope from
> the same domain.", but only for native mode domains.  We are native
> mode.
>
*** The above is correct.

> I've created FLYtestu and FLYtestdl, universal and domain local groups,
> given them permissions on the share, added in FLYA, and I still don't
> get the expected behavior for the users of FLYA unless I explicitly add
> FLYA to the security tab.

*** Check the ACLs on the resources carefully. Ensure that there are no Deny
ACEs listed.

>
> Is it possible to assign permissions to a group and have it apply to
> users of groups contained within that group?

*** That occurs by default. In fact, you cannot disable this feature AFAIK.
>
> Thanks.
>
>
Author
7 Mar 2006 12:07 PM
captainx0r
I checked the ACL, and these are the only ones on there, so there are
no denies that could override.  I even created a new resource and added
them with full control and got the same results.
Author
6 Mar 2006 6:41 PM
Jorge de Almeida Pinto [MVP]
Are ALL those groups SECURITY groups? (instead of distribution groups)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
<captain***@gmail.com> wrote in message
news:1141651420.592393.253330@z34g2000cwc.googlegroups.com...
> I have a single Windows 2000 domain in native mode.  All of our groups
> are of global scope.  We recently changed some things around so that
> one of the groups (FLY) contains only other groups (FLYA, FLYB,FLYC),
> which contain users.  Now we have a share on a file server, with full
> control permissions assigned to FLY, but users in the FLYA (etc.)
> groups are getting permission denied.  If I add FLYA on the security
> tab for the share, then the users in that group have the expected
> permissions.
>
> According to MS, "Groups with global scope can have as their members:
> accounts from the same domain and other groups with global scope from
> the same domain.", but only for native mode domains.  We are native
> mode.
>
> I've created FLYtestu and FLYtestdl, universal and domain local groups,
> given them permissions on the share, added in FLYA, and I still don't
> get the expected behavior for the users of FLYA unless I explicitly add
> FLYA to the security tab.
>
> Is it possible to assign permissions to a group and have it apply to
> users of groups contained within that group?
>
> Thanks.
>
Author
7 Mar 2006 12:08 PM
captainx0r
Yes, they are all security groups.  As far as I know, you can't add
distribution groups to the ACL.
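
Added example (not from any poster in this thread): a simplified Python model of the three things the replies ask about, namely nested group expansion into the user's token, Deny ACEs, and security versus distribution groups. The group names are from the thread; the users, ACLs and function names are constructed, and the handling of distribution groups (no SID in the token, not expanded further) is an assumption of this model.

```python
# Simplified model of group expansion and DACL evaluation (added example).
# Group names come from the thread; users and ACLs are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    security: bool = True                       # False = distribution group
    members: set = field(default_factory=set)   # user or group names

def token_groups(user, groups):
    """Security groups the user belongs to, directly or through nesting."""
    found, frontier = set(), {user}
    while frontier:
        # Security groups containing anything discovered in the last round.
        # Model assumption: distribution groups add no SID and are not expanded.
        parents = {g.name for g in groups.values()
                   if g.security and g.members & frontier} - found
        found |= parents
        frontier = parents
    return found

def access_check(user, dacl, groups):
    """Walk ACEs in order; the first ACE whose trustee is in the token decides."""
    sids = token_groups(user, groups) | {user}
    for ace_type, trustee in dacl:
        if trustee in sids:
            return ace_type == "allow"
    return False                                # no matching ACE: implicit deny

def sample_groups(flya_is_security=True):
    """Constructed directory: FLY holds only groups, which hold users."""
    return {g.name: g for g in (
        Group("FLY", members={"FLYA", "FLYB", "FLYC"}),
        Group("FLYA", security=flya_is_security, members={"alice"}),
        Group("FLYB", members={"bob"}),
        Group("FLYC", members={"carol"}),
    )}

if __name__ == "__main__":
    groups = sample_groups()
    share = [("allow", "FLY")]                      # ACL as described in the thread
    with_deny = [("deny", "FLYB"), ("allow", "FLY")]  # deny ACEs sort first
    print("alice token:", sorted(token_groups("alice", groups)))
    print("alice via FLY:", access_check("alice", share, groups))
    print("bob with deny on FLYB:", access_check("bob", with_deny, groups))
    print("alice, FLYA as distribution group:",
          access_check("alice", share, sample_groups(flya_is_security=False)))
```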