Managing Access to Resources by Using Groups

We have a Windows Server 2003 Active Directory domain in Native mode. We are planning the setup for member servers and permissions to files and directories. A consultant has told us that Local groups should be set up on member servers, corresponding Domain Global groups should be set up in AD, users should be added to the Domain Global groups, the Domain Global groups should be added to the member server Local groups and permissions should be granted on the directory to the member server Local Groups.

In a Microsoft class that I went to the scenario described above was said to be a Workgroup setup. In a Domain environment, the book said to create Domain Local groups and Domain Global groups, add the users to the Domain Global group, add the Domain Global group to the Domain Local group and assign permissions on the directory to the Domain Local group (A G DL P).

For the Workgroup scenario it also said:

Set up local groups only on computers that do not belong to a domain. Although you can set up local groups on domain client computers and member servers, it is recommended you do not.

Membership rules for local groups: Local groups can only contain local user accounts from the computer where you create the local groups.

Can anyone tell me which way is the correct way? Shouldn't I assume Microsoft is teaching the correct method? What problems are we likely to encounter if we follow the workgroup method? What benefits might we realize if we follow the Domain method?

Answer below.

Pierrot

stephany_2000 wrote:
> Security Groups - Native mode:
> We have a Windows Server 2003 Active Directory domain in Native mode.
> We are planning the setup for member servers and permissions to files
> and directories. A consultant has told us that Local groups should
> be set up on member servers, corresponding Domain Global groups
> should be set up in AD, users should be added to the Domain Global
> groups, the Domain Global groups should be added to the member server
> Local groups and permissions should be granted on the directory to
> the member server Local Groups.
>
> In a Microsoft class that I went to the scenario described above was
> said to be a Workgroup setup. In a Domain environment, the book said
> to create Domain Local groups and Domain Global groups, add the users
> to the Domain Global group, add the Domain Global group to the Domain
> Local group and assign permissions on the directory to the Domain
> Local group (A G DL P).
>
> Can anyone tell me which way is the correct way?

The one from the class.

> Shouldn't I assume
> Microsoft is teaching the correct method?

Yes.

> What problems are we
> likely to encounter if we follow the workgroup method?

You will have to re-create each local group on every member server and go through every group each time you have to add or remove a user.

> What
> benefits might we realize if we follow the Domain method?

Opposite of the problems.

Thank you for the reply. If you create a Local group for each directory on
the member server (actually two, one for Modify rights and one for Read rights), and then create corresponding Domain Global Groups and put the users into the Domain Global Group and the Global Groups into the member server Local groups, there shouldn't be a need to re-create each local group on every member server. It seems to me that the plus here is you minimize the load on AD, but I am worried that doing this will negatively impact us in the future because Microsoft is assuming you follow their recommendations when they make changes to their products.

I am curious as to the reason why Microsoft advocates a different method depending on whether you are in a Workgroup environment versus a domain environment. Knowing that would help me determine which method we should use because a lot of people seem to be advocating the "Workgroup" method in a Domain environment.

Stephany,

In a workgroup model there is not a central directory to reference for information. Therefore all resources must be created on each client/server in the workgroup. In an AD environment you have a central directory to reference. It is much less work to manage the AD than to manage each and every server/client. Whenever possible use the Domain Local groups and nest your Global groups there. Avoid assigning users to a resource as this can make administration difficult.

I hope this clears up some of your confusion!

Workgroups work differently to domains. There is no central management,
therefore you have to do things differently.

> there shouldn't be a need to re-create each local group on every member
> server.

True. You only create the group on the server that has the resources you wish to permission. However, as stated in my other post, this is a serious burden to manage. Seriously, don't consider it. Use a different consultant, as this one doesn't really know what he's on about.

> It seems to me that the plus here is you minimize the load on AD,

Not really. You don't need to worry about a bunch of groups. AD can handle it.

> but I am worried that doing this will negatively impact us in the future
> because Microsoft is assuming you follow their recommendations when they
> make changes to their products.

The only thing not following this particular advice is going to do is cause you a headache. There's more to document, more to consider with server migrations, failures, etc.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

> Can anyone tell me which way is the correct way?

There's no correct way. How you do this depends on your environment. One thing I will say though is that your consultant is years out of date and shouldn't be used further.

> Shouldn't I assume Microsoft is teaching the correct method?

That is up to you - I might not make such assumptions too lightly <grin>

> What problems are we likely to encounter if we follow the workgroup
> method?

That will be a nightmare to manage. Don't do it!

> What benefits might we realize if we follow the Domain method?

Well, if you have more than one domain in your forest, or have a trust relationship with another domain, this is the right way to go. This is more or less how I always design (and implement) such things.

If you have a single domain forest, it isn't as important. You can just use global or even universal groups.
However, you should still consider using this method as you might later expand and have more domains, or you might establish trusts with other domains.

In a single domain forest it's more work to set up, but is still probably the best way to do it in case of future expansion. It is also logical and neat.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
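
The A G DL P layout discussed in this thread, as an added PowerShell example that is not part of any post: it builds one Modify and one Read domain local group for a single folder, nests a global group, sets the ACL, and then lists explicit ACEs that bypass the domain local groups. It assumes the ActiveDirectory module (part of RSAT, which postdates Windows Server 2003) and is run on the member server that holds the folder; the OU, domain, group, user and folder names are all hypothetical.

```powershell
Import-Module ActiveDirectory              # assumption: RSAT AD module is installed

# Hypothetical names used only for this example
$ou      = 'OU=Groups,DC=corp,DC=example'
$netbios = 'CORP'
$folder  = 'D:\Shares\Finance'

# G: a global group collects accounts by role
New-ADGroup -Name 'G_Finance_Staff' -GroupScope Global -GroupCategory Security -Path $ou
# DL: one domain local group per permission level on the resource
New-ADGroup -Name 'DL_Finance_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
New-ADGroup -Name 'DL_Finance_Read'   -GroupScope DomainLocal -GroupCategory Security -Path $ou

# A -> G: accounts go into the global group only
Add-ADGroupMember -Identity 'G_Finance_Staff' -Members 'asmith', 'bjones'
# G -> DL: the global group is nested into the domain local group
Add-ADGroupMember -Identity 'DL_Finance_Modify' -Members 'G_Finance_Staff'

# DL -> P: permissions are granted to the domain local groups only
$acl    = Get-Acl -Path $folder
$grants = @{ 'DL_Finance_Modify' = 'Modify'; 'DL_Finance_Read' = 'ReadAndExecute' }
foreach ($g in $grants.GetEnumerator()) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$($g.Key)", $g.Value, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Audit: report explicit ACEs that are not held by a domain local group
foreach ($ace in (Get-Acl -Path $folder).Access | Where-Object { -not $_.IsInherited }) {
    $id = $ace.IdentityReference.Value
    if ($id -like "$env:COMPUTERNAME\*") {
        Write-Warning "$id is a machine-local principal on $folder"
        continue
    }
    if ($id -notlike "$netbios\*") { continue }   # BUILTIN, NT AUTHORITY, etc.
    $sam = $id.Split('\')[1]
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
    # A user account returns no group; a global or universal group has the wrong scope
    if (-not $grp -or $grp.GroupScope -ne 'DomainLocal') {
        Write-Warning "$id holds $($ace.FileSystemRights) on $folder without a domain local group"
    }
}
```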