Global groups and users in security ACLs issue
From: Stephane Gregoire (stephanegregoire@hotmail.com) Date: 05/06/02
From: stephanegregoire@hotmail.com (Stephane Gregoire) Date: 6 May 2002 07:20:49 -0700
Hi NT admins,
I would like to have some feedback about a big concern in our NT ->
Win2k migration:
We have a multi-domain and huge WAN environment. We have one main master domain and many resource domains which trust the master domain. But this is not constant. Some domains do not trust anyone. And some domains trust the master domain but their user accounts are stored in their own PDC (not on the master domain PDC).
As you can see, it's quite chaotic.
Before migrating to Win2k, the MS recommendation is to consolidate most of the domains into one single domain (our big master domain). The decision has been made to do so.
But in order to consolidate the domains, we must beforehand clean up our current security by ensuring that in any existing domain, there should be only local groups applied on the folders' security ACLs.
All global groups and users that are directly in the ACL of folders should be put in local groups.
This is no different than the current recommended security model:
Users -> Global Groups -> Local Groups -> Permissions
Is there any tool that can simplify this process? In our environment, this task is huge. Many domains were secured without the recommended security model in mind (by applying only local groups on folders).
So far, the only way we have is to create a Somarsoft DumpSec security report of the server we're about to clean, then getting out the folders where the security is not standard (where at least one user or one global group is directly applied) and then finding a way of cleaning it by creating local groups and adding the global groups or users into them.
Has anyone ever gone through this issue?
Thanks for comments.
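The triage step described in the post above, as an added example that is not part of the original message: it reads a permissions export, finds folders where a user or global group is applied directly, and plans the local group that should hold those members instead. The four-column report layout, the domain names and the `L_<folder>_<access>` naming scheme are assumptions made for this sketch, not DumpSec's real output format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. The four-column layout is an assumption for this
# example; it is not DumpSec's actual report format.
SAMPLE = r"""path,trustee,kind,access
D:\Shares\Finance,RES1\L_Finance_Change,local_group,Change
D:\Shares\Finance,MASTER\G_Accounting,global_group,Change
D:\Shares\Finance,MASTER\jdoe,user,Read
D:\Shares\HR,RES1\L_HR_Read,local_group,Read
D:\Shares\Public,MASTER\G_Staff,global_group,Read
D:\Shares\Public,MASTER\G_Temps,global_group,Read
"""

def plan_cleanup(report_text, resource_domain):
    """Plan the local groups that replace direct user/global-group ACEs."""
    local = {}                      # (path, access) -> existing local group
    direct = defaultdict(list)      # (path, access) -> users/global groups
    for row in csv.DictReader(io.StringIO(report_text)):
        key = (row["path"], row["access"])
        if row["kind"] == "local_group":
            local.setdefault(key, row["trustee"])
        else:
            direct[key].append(row["trustee"])

    plan = []
    for (path, access), members in sorted(direct.items()):
        existing = local.get((path, access))
        folder = path.rsplit("\\", 1)[-1]
        plan.append({
            "path": path,
            "access": access,
            # Reuse a local group that already holds this access on the
            # folder; otherwise propose one (hypothetical naming scheme).
            "local_group": existing or f"{resource_domain}\\L_{folder}_{access}",
            "create_group": existing is None,
            "add_members": sorted(members),
            "remove_aces": sorted(members),
        })
    return plan

if __name__ == "__main__":
    for step in plan_cleanup(SAMPLE, "RES1"):
        print(step)
```

Folders that already carry only local groups (the HR share in the sample) produce no plan entry, so the output is the list of ACLs that still need work before consolidation.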