Re: Security - Global group

From: Pravin (pravinkl_at_rediffmail.com)
Date: 08/15/04 

Date: Sun, 15 Aug 2004 09:24:44 -0700

Isn't it a security flaw that even though the Server A is removed from the
global group, still it is not recognized by Server B?
It is surprising that the kerberos service ticket is not updated to reflect
the current settings.

Is there atleast any way to force the checking in Server B?

- Pravin

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:blMTc.157594$eM2.35698@attbi_s51...
> The kerberos service ticket was reissued when server A reboots - not
server B. See
> the link below on how kerberos issues tickets to computers for access to
domain
> resources. --- Steve
>
>
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx
>
> "Pravin" <pravinkl@rediffmail.com> wrote in message
> news:%23Nk2ZyrgEHA.2848@TK2MSFTNGP10.phx.gbl...
> >I created a global security group and added machine A into the group.
> > When I access the machine B through machine A, machine B checks
> > whether the mahine A is in the global security group. If so, give some
> > permissions. This works fine.
> > But when I remove the machine A from global group, machine B somehow
> > thinks machine A is still in the global group and give permissions to
> > the request.
> > Even after rebooting machine B, it does not help. Surprisingly when I
> > reboot machine A, machine B can realize that machine A is no more in
> > the global group and deny permissions.
> >
> > I guess the machine B checks the group SID in the token supplied by
machine
> > A. Does it never get updated?
> > Is there any way to force this? Doesn't machine B query active directory
at
> > all?
> >
> > Thanks
> > Kumaradhas
> >
> >
>
>

Relevant Pages

  • Best way to assign NTFS permission in order to migrate to AD on W2K3
    ... the main file server is a W2K member server and ... most of its permissions are assigned to groups like Domain Users. ... If I use a Global Group then I cannot include other GGs (that is ... to move the files to a different file server in the future. ...
    (microsoft.public.windows.server.migration)
  • Re: DC added to workgroup now has problems
    ... > to get our department AD server to work properly on this new network. ... A trust relationship essentially says: I, the trusting domain, is giving the ... Never give permissions to a global group, ... user membership to a local group if that user comes from a trusted domain. ...
    (microsoft.public.win2000.networking)
  • Re: Problem with distribution groups
    ... Create a universal group that contains those three global group. ... Double-click Server object. ... Click the server you want to enable Message Tracking on, ... Microsoft Online Partner Support ...
    (microsoft.public.exchange.admin)
  • local group / global group permissions problem
    ... Windows 2003 file server in an Active Directory domain ... The local group has full rights to the share. ... contains a global group from the Active Directory domain. ... User in global group should be able to access the shared folder based on the ...
    (microsoft.public.windows.server.security)
  • Re: Native Mode vs Mixed Mode
    ... domain administrators group and have full control of the ... software application process, the global group creation ... to native mode, but that did not change the error. ... >> The server is unwilling to process the request. ...
    (microsoft.public.win2000.security)