Re: Group Scope Question
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 04/26/05
- Previous message: Joe Richards [MVP]: "Re: Anyone know how to Use DSACLS to add perms to Machine account?"
- In reply to: Corey Arndt: "Group Scope Question"
- Next in thread: Roger Abell: "Re: Group Scope Question"
- Reply: Roger Abell: "Re: Group Scope Question"
Date: Tue, 26 Apr 2005 12:02:29 -0400
I agree with Steve in that if you are in native mode, you can use either domain
local or global.
Unlike Steve, possibly, I prefer the domain local in a multidomain environment.
I prefer to put groups as close to resources as possible though and am not a big
fan of role based ACLing; instead preferring resource based ACLing. Then you
place the users into the domain local groups directly. The person who manages
that group then has better control over the folks accessing the resource. If you
do the global into local nesting, the power of who can manage a resource may
accidentally be usurped from the person who should be managing that access.
For instance, say you have a GG from Dom1 and a DLG from Dom2. The DLG controls
access to a file share. Barb controls the access to the file share and has the
ability to manage Dom2\DLG. Someone tells her to do the old User into Global,
Global into Local strategy. She does it, not realizing fully that she doesn't
control the membership of GG but it looks good right now. Someone else who
controls GG later adds someone else for the other purpose GG has which is to
grant access to something else. This person also now has access to the resource
granted to DLG and Barb knows nothing about it...
joe
--
Joe Richards Microsoft MVP
Windows Server Directory Services
www.joeware.net

Corey Arndt wrote:
> This may sound basic but I need to ask anyway before I get AD implemented.
> I am not quite sure what I should set my 'Group Scope' to..Domain Local or
> Global.
> I have 2 sites linked via a slow connection that are similar and are in a
> single domain. I plan on having a Domain Controller in each site to control
> security and replicate files from the remote site to the main site.
> Licenses will be shared between the sites.
> I plan on having different groups for each site that are similar (QA_Site1,
> QA_Site2, Engineers_Site1, Engineers_Site2, etc).
> Should these groups be Domain Local or Global?
> Any suggestions?
> I appreciate any help you can give.
> Thank You
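The nesting scenario in the reply above can be audited by expanding a resource group's effective membership and flagging every user who arrives through a group the resource owner does not manage. The following is an added example, not part of the original message or code from its author; it models the directory as constructed in-memory data, and the manager "Dom1\Carl" and the user names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample directory (not from the original post). Each group has a
# manager (who may edit its membership) and a list of direct members.
GROUPS = {
    r"Dom2\DLG": {"manager": r"Dom2\Barb", "members": [r"Dom2\alice", r"Dom1\GG"]},
    r"Dom1\GG": {"manager": r"Dom1\Carl", "members": [r"Dom1\bob", r"Dom1\dave"]},
}

def effective_members(group, groups=GROUPS):
    """Return {user: path} for every user reachable from `group`.

    `path` is the chain of groups granting the membership: a direct
    member of DLG has path [DLG], a nested one has [DLG, GG].
    """
    found, seen, queue = {}, {group}, deque([[group]])
    while queue:
        path = queue.popleft()
        for member in groups[path[-1]]["members"]:
            if member in groups:              # nested group
                if member not in seen:        # guard against circular nesting
                    seen.add(member)
                    queue.append(path + [member])
            else:
                found.setdefault(member, path)  # keep the shortest path
    return found

def unmanaged_access(group, groups=GROUPS):
    """Users whose access passes through a group the resource owner does not manage.

    Returns {user: (first_outside_group, that_group's_manager)}.
    """
    owner = groups[group]["manager"]
    report = {}
    for user, path in effective_members(group, groups).items():
        outside = [g for g in path if groups[g]["manager"] != owner]
        if outside:
            report[user] = (outside[0], groups[outside[0]]["manager"])
    return report

if __name__ == "__main__":
    target = r"Dom2\DLG"
    for user, (grp, mgr) in sorted(unmanaged_access(target).items()):
        print(f"{user} reaches {target} via {grp}, managed by {mgr}")
```

Against a live directory the same expansion would be fed from each group's member and managedBy attributes instead of the constructed dictionary.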