Re: Win2K can't see domain local group of a NT 4 pdc

From: Sylvie (sylviep_at_videotron.net)
Date: 03/22/05


Date: Tue, 22 Mar 2005 06:43:14 -0500

Thank you Steven

It was in fact a misunderstanding of terminology because I completely agree
with you. Unfortunately I found an article in the KB that says that the same
problem could happen on a NT4 and even worse, that one could get an "access
denied" error message if he tried to access a resource if local groups are
used instead of global groups.
http://support.microsoft.com/default.aspx?scid=kb;en-us;148639
http://support.microsoft.com/default.aspx?scid=kb;en-us;199162

So until we can unify all those NT 4 domains under a single Windows 2003
domain, we are stuck with the global groups.

Thanks again to everyone

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eE0B0cpLFHA.1308@TK2MSFTNGP15.phx.gbl...
> Well maybe we have a misunderstanding of terminology. In Windows 2000/2003
> there is a group scope called "domain local" while NT4.0 domains have
> "local" groups. A "local" group in a NT4.0 domain controller can be used to
> give permissions to any domain controller while "domain local" groups in a
> Native AD domain can be used to give the group members permissions to any
> resource on any domain computer including domain controllers. If your
> Windows 2000/2003 computer can not give permissions to domain global groups
> such as adding them to local groups on them, then maybe they can not contact
> the domain controller, lack network connectivity, or do not have a secure
> channel/computer account in good standing. Make sure that they are wins
> clients and see the KB link below about possible incompatibilities with
> security settings with mixed operating systems in a domain. You can use the
> support tool netdiag on Windows 2000/2003 computers to check for dc
> discovery and secure channel/trust. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --- use
> secpol.msc to open Local Security Policy
>
> From your link ----
> Users and Groups
> Windows NT Server security is based on the following four types of entities:
>
> . Global user accounts. User accounts that originate in the Windows NT
> environment.
>
> . Local user accounts. User accounts that originate in server
> environments other than Windows NT.
>
> . Global groups. Used to manage groups in a domain. Also can be used
> to export groups of users to other domains.
>
> . Local groups. Used to manage users and to import global groups from
> other domains.
>
>
> http://kb.indiana.edu/data/aedz.html?cust=072937.83257.30
>
> Local groups
> On a Windows NT workstation or stand-alone server, local groups can be
> created to provide users with rights and permissions for resources, such as
> files or printers, located on that computer. Local groups can contain both
> individual user accounts and global groups. (Local groups cannot include
> other local groups.) On a Primary Domain Controller, however, local groups
> can be assigned resources on any domain controller in the domain. For
> example, if you create a local group called "Database Users" on a Primary
> Domain Controller, that group along with its membership will also be present
> on any other domain controller within the same domain
>
>
> "Sylvie" <sylviep@videotron.net> wrote in message
> news:e0y66aoLFHA.1472@TK2MSFTNGP14.phx.gbl...
> > Sorry Steven but domain local group is not a new concept that came with
> > windows 2000. It was even there in Windows 3.51
> > http://www.microsoft.com/technet/archive/winntas/maintain/featusability/acctgrps.mspx
> >
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:upxMMHoLFHA.904@tk2msftngp13.phx.gbl...
> >> Domain local groups are a group type that was new to a Windows 2000 Active
> >> Directory domain [which you do not have] when in Native mode. The link below
> >> explains more. --- Steve
> >>
> >> http://www.jsifaq.com/SUBG/TIP3000/rh3049.htm
> >>
> >> "Sylvie" <sylviep@videotron.net> wrote in message
> >> news:uiLQVtnLFHA.2492@TK2MSFTNGP14.phx.gbl...
> >> > Hi,
> >> >
> >> > Can anyone tell me why a Windows 2000 or 2003 member server of a NT 4 domain
> >> > can't see nor use the domain local groups ? Is it possible to fix this or is
> >> > it "by design" ?
> >> >
> >> > tks
> >> >
> >> > Sylvie
> >> >
> >> >
> >>
> >>
> >
> >
>
>


