Re: Microsoft Security Groups
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/27/05
- In reply to: matthewpascucci_at_yahoo.com: "Microsoft Security Groups"
- Next in thread: matthewpascucci_at_yahoo.com: "Re: Microsoft Security Groups"
- Reply: matthewpascucci_at_yahoo.com: "Re: Microsoft Security Groups"
Date: Sun, 27 Mar 2005 04:21:47 -0700
One further point . . .
we put a group on the resource to grant the permissions and then
populate this resource group with other group(s) instead of just
using one group because this facilitates simplicity in changing
who is granted what.
If we used only one group, then to change things one would either
have to change membership in that one group - and that would change
who had what permissions everywhere that group is used
or
one would need to define another group and then locate where to
set that group on the resources and then cause it to be applied over
the area.
With the use of resource groups that grant the permissions on the
resources (like a combination of filesystem areas that "marketing" uses),
and also of principal groups that group users into roles, then all we
need to do to alter the initial established permissioning is to look
at the memberships of the groups and adjust them (no locate and
set grants over the resources). If this strategy is used incorrectly
one ends up with two basically identical groups one with users
and one with the other group in it. To use this to advantage, try
to organize your resources and set groups named to indicate the
category of access and to what; and more importantly, define your
principal groups to identify roles held by people in the organization,
as usually access to categories of resources maps to job roles/titles.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

<matthewpascucci@yahoo.com> wrote in message
news:1111890737.210033.284220@z14g2000cwz.googlegroups.com...
> I have a couple questions regarding groups in Windows 2003. I have been
> going over Universal, Global and Domain local groups for the past few
> days and I can't seem to completely grasp the subject.
>
> Assuming that everything is in either Windows 2000 native or Windows
> 2003 domain functionality.
>
> Universal Mode
> When would you use this group over a global group and why?
> Members can be pretty much anything added to it from any domain?
>
> Global Group
> Why do they get applied to local groups? Why can't you just use them
> in its place??
> They can't have members from outside their domain?? But can they be
> added to other domains??
>
> Domain Local
> What is the difference between Global and Domain Local groups??
> They can only be nested with other domain local groups?
>
> Microsoft recommends that you don't apply any permissions to the user
> itself but to apply them to the groups and have them inherit them. I
> have been reading that you should add users to global groups then apply
> the global group to a local group and apply permissions on that. Why
> would you do this?? And if you have only a single domain is this
> necessary??
>
> What is the difference between group membership and permissions?? Like
> how a global group can be assigned permissions from any domain but a
> domain local group can only be assigned permissions from the same
> domain.
>
> Can anyone possibly give me examples of when each type would be used so
> that I can see how they work in a real environment or if you have any
> good documentation?
>
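The resource-group / principal-group arrangement discussed in this message, sketched in PowerShell as an added example that is not part of the original post or of either poster's own configuration. It assumes the ActiveDirectory module and uses the global-into-domain-local nesting mentioned in the quoted question; the CORP domain, OUs, group names and share path are all hypothetical.

```powershell
# Added example. Every name here (CORP, the OUs, the groups, the path) is hypothetical.
Import-Module ActiveDirectory

$roleOu     = 'OU=Role Groups,DC=corp,DC=example'      # assumed to exist
$resourceOu = 'OU=Resource Groups,DC=corp,DC=example'  # assumed to exist
$share      = 'D:\Shares\Marketing'                    # assumed to exist

# Principal groups: global scope, one per job role, members are user accounts.
New-ADGroup -Name 'ROLE-Marketing-Staff' -GroupScope Global -GroupCategory Security -Path $roleOu
New-ADGroup -Name 'ROLE-Sales-Managers'  -GroupScope Global -GroupCategory Security -Path $roleOu

# Resource groups: domain local scope, named for the access category and the resource.
New-ADGroup -Name 'RES-MarketingFiles-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $resourceOu
New-ADGroup -Name 'RES-MarketingFiles-Read'   -GroupScope DomainLocal -GroupCategory Security -Path $resourceOu

# Grant on the resource once, and only to the resource groups.
icacls $share /grant 'CORP\RES-MarketingFiles-Modify:(OI)(CI)M'
icacls $share /grant 'CORP\RES-MarketingFiles-Read:(OI)(CI)RX'

# Populate the resource groups with role groups, never with users directly.
Add-ADGroupMember -Identity 'RES-MarketingFiles-Modify' -Members 'ROLE-Marketing-Staff'
Add-ADGroupMember -Identity 'RES-MarketingFiles-Read'   -Members 'ROLE-Sales-Managers'

# A later change in who is granted what is a membership edit; no ACL is touched.
Remove-ADGroupMember -Identity 'RES-MarketingFiles-Read' -Members 'ROLE-Sales-Managers' -Confirm:$false

# Review: list which roles each resource group currently carries, and flag
# user accounts placed directly in a resource group (they bypass the role layer).
foreach ($res in Get-ADGroup -Filter "Name -like 'RES-MarketingFiles-*'") {
    $members = @(Get-ADGroupMember -Identity $res)
    '{0}: {1}' -f $res.Name, (($members | ForEach-Object Name) -join ', ')
    $members | Where-Object objectClass -eq 'user' |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is a direct member of $($res.Name)" }
}
```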