Re: Global groups and users in security ACLs issue

• Previous message: Grasshopper: "Re: cached profiles"
• In reply to: Stephane Gregoire: "Global groups and users in security ACLs issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Bart Perrier" <roamdeep@swbell.net>
Date: Thu, 09 May 2002 01:06:57 GMT

Currently, you might say.

Our users are prodominantly in a NT4 Domain. Our approach is to create an AD
that is essentially vLANed off. The two domains trust each other and users
or departments are converted at the switch.

reboot

"Stephane Gregoire" <stephanegregoire@hotmail.com> wrote in message
news:9ed209ed.0205060620.5b2dcd8c@posting.google.com...
> Hi NT admins,
>
> I would like to have some feedback about a big concern in our NT ->
> Win2k migration:
>
>
> We have a multi-domain and huge wan environment. We have one main
> master domains and many
> resources domains which trusts the master domain. But this is not
> constant. Some domains do not trust anyone. And some
> domain trusts the master domain but their user accounts are stored in
> their own PDC (not on the master domain PDC).
> As you can see, it's quite chaotic.
>
>
> Before migrating to win2k, MS recommendations is to consolidate most
> of the domains into one single domain
> (our big master domain). The decision has been made to do so.
>
> But in order to consolidate the domains, we must beforehand clean up
> our current security by ensuring that in any
> existing domain, there should be only local groups applied on the
> folders security ACLs.
> All global groups and users that are directly in the ACL of folders
> should be put in local groups.
> This is no different than the current recommended security model :
> Users -> Global Groups -> Local Groups -> Permissions
>
>
>
> Is there any tool that can simplify this process ? In our environment,
> this task is huge. Many domains were securized
> without the recommended security model in mind (by applying only local
> groups on folders).
>
> So far, the only way we have is to create a Somarsoft's Dumpsec
> security report of the server we're about to clean, then getting out
> folders where the security is not standard (where at least one user or
> one global group is directly applied) and then
> finding a way of cleaning it by creating local groups and adding the
> global groups or user into it.
>
>
> Anyone ever went through this issue ?
>
> Thanks for comments.

• Next message: neo [mvp outlook]: "Re: Connecting internal network to the Internet"
• Previous message: Grasshopper: "Re: cached profiles"
• In reply to: Stephane Gregoire: "Global groups and users in security ACLs issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]