Re: Group Scope Question

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/27/05


Date: Tue, 26 Apr 2005 18:55:11 -0700

Hey Joe, I couldn't pass it up . . .

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OCpCalnSFHA.3088@TK2MSFTNGP15.phx.gbl...
> I agree with Steve in that if you are in native mode, you can use either
> domain local or global.
>
> Unlike Steve, possibly, I prefer the domain local in a multidomain
> environment. I prefer to put groups as close to resources as possible
> though and am not a big fan of role-based ACLing; instead preferring
> resource-based ACLing.

These are not mutually exclusive but are IMO best only when used together

> Then you place the users into the domain local groups directly. The
> person who manages that group then has better control over the folks
> accessing the resource. If you do the global into local nesting, the
> power of who can manage a resource may accidentally be usurped from the
> person who should be managing that access.

That is a different case than the poster's question.
Of course one can nest DLGs in DLGs.

>
> For instance, say you have a GG from Dom1 and a DLG from Dom2. The DLG
> controls access to a file share. Barb controls the access to the file
> share and has the ability to manage Dom2\DLG. Someone tells her to do the
> old User into Global, Global into Local strategy. She does it, not
> realizing fully that she doesn't control the membership of GG but it
> looks good right now. Someone else who controls GG later adds someone
> else for the other purpose GG has which is to grant access to something
> else. This person also now has access to the resource granted to DLG and
> Barb knows nothing about it...

I would argue that
1. the so-called role GG is not correctly understood and
    applied here.
    If it were, there would be no using it for an "other purpose"
    that should not be a conjoined resource access/right of
    those role members. This is an administrative failing,
    not a failing inherent only in the role/resource admin model.
2. if control over access to a resource is to be delegated,
    then that delegatee should have control over all means
    of membership of the resource-access-granting group.
    When this is not to be so, then it should be due to some
    mandated accesses which are supposed to be outside of
    the control of that delegatee. If such mandated access is
    abused/misused, this is not a failing of the delegatee,
    nor is it a failing of the resource/role model usage, but
    would likely have happened with a different administrative
    control model as well.

Also, your scenario has given the poster an example of an appropriate
use of GGs: to cross domain boundaries. I also agree that for an
entirely single-domain forest, or for use solely within a single
domain (and especially when one intentionally wants to force
that intradomain limitation), DLGs can be used. There are
a few scattered references in Group Policy docs to the need to
use GGs, but I have always been left uncertain of the reasoning
when the GPOs are solely intradomain, and I have not experienced
the "issues" GG usage is said to avoid, again when GPO use is
constrained within one domain of a multi-domain forest. There is also
the fact that the size of a user token can accommodate more groups if
GGs are used instead of DLGs, but it is a rather high limit for
most deployments no matter which is used.

-- 
Roger
>
>    joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
> Corey Arndt wrote:
> > This may sound basic but I need to ask anyway before I get AD
> > implemented. I am not quite sure what I should set my 'Group Scope'
> > to: Domain Local or Global.
> > I have 2 sites linked via a slow connection that are similar and are
> > in a single domain. I plan on having a Domain Controller in each site
> > to control security and replicate files from the remote site to the
> > main site. Licenses will be shared between the sites.
> > I plan on having different groups for each site that are similar
> > (QA_Site1, QA_Site2, Engineers_Site1, Engineers_Site2, etc).
> > Should these groups be Domain Local or Global?
> > Any suggestions?
> > I appreciate any help you can give.
> > Thank You