Yep, add user to DLGA. 
 
Here is a theoretical example; mine is bigger. 
 
Say you have an environment with 3 geographic domains: America, Europe,
Asia. Say in America you have some 180 sites and each site has at least one
file and print server. Each file and print server has home drive shares
(userid$) for all of the users at the site (from 100 to 10,000 users at a
site). Each file and print server also has a shared applications share
called something like Progs, and a shared project share called something
like Shared. Each site has local admins who manage the local file and print
server and the resources on it. The home drive gets mapped to the user's W:
drive, Progs to Z:, and Shared to Y:. Progs is set to Authenticated Users
READ so no groups are needed. Any dept or workgroup that has to share data
together gets a folder under the Shared share and two DLGs are created for
that folder, Site#-FolderName-RW and Site#-FolderName-R. The ACEs are set up
so that FolderName-RW gets Modify and FolderName-R gets Read. This is the
standard configuration for any folder created, so that everyone knows what
to expect when they get a folder. Usually there will be no further security
below that root level, so that a rebuild from scratch is relatively painless
and scriptable.
 
So anyway, the local site has ACLed this folder under Shared with the two
groups. Any time they want to give users from any domain access to that
folder in Shared, they simply add that user to the proper DLG. This could be
a bit of a pain if someone has to add a couple of hundred people, but that
would be a rare case and is easily scripted; most shared project areas have
a couple of hundred total, and they don't add hundreds after the initial
setup. If you want to add YLee2 from Asia to the WidgetA folder for
read-only access, you add Asia\YLee2 to Site#-WidgetA-R. If the local site
would rather do things based on roles, they can have role DLGs created and
then nest those in the other groups. It is very flexible in that way for the
local site, and when the auditor comes to them and says, "hey, who has
change access to Site#-PerformanceReviews?", they can look at
Site#-PerformanceReviews-RW and rattle it off quickly. If they did
role-based membership, they may have to chase into one or more DLGs that
were nested, but all groups are right there on their local DC. 
 
Overall most data sharing is within a site. The design allows cross-site and
cross-domain data sharing though, and the local admin of the resource has
FULL control over who has access to their resource. With a global in
another domain, most likely they will add the global because there are
certain people in it; but then say the admin of that group over in the other
domain thinks, "hey, I can use this group for this other resource as well,
but I will have to add 3 more people so I don't have to create a whole new
group." In the meanwhile the owner of the resource over on the other domain
has no clue this happened and may not necessarily want these 3 more people
getting access. The only recourse would be to set up denies or kick out the
global group.
 
Sorry if that isn't the clearest explanation. I am wiped out from moving
crap around all day and trying to find the perfect computer chair. :op
 
Yeah, Exchange... That needs to be rewritten from the ground up: more
flexible and granular for security, and the option to use AD/AM for the data.

 
 
   joe
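The folder-provisioning standard Joe lays out above, as an added PowerShell
example that is not code from the thread or from any poster. It creates the
Site#-FolderName-RW and -R Domain Local groups for one folder under Shared,
applies the two standard ACEs at the folder root, adds a user from another
domain directly to the -R group, and flattens the -RW group to answer the
auditor's "who has change access?" question. All names are assumptions:
domain america.example.com (NetBIOS AMERICA), domain asia.example.com, site
number 042, server fps042, and OU=Groups,OU=Site042 as the group container.
It needs the ActiveDirectory module (RSAT) and rights to create groups and to
change the folder's ACL.

```powershell
# Added example, not code from the thread. Assumed names: AMERICA /
# america.example.com, asia.example.com, site 042, server fps042, and
# OU=Groups,OU=Site042 for the groups.
Import-Module ActiveDirectory

$Site       = 'Site042'
$FolderName = 'WidgetA'
$FolderPath = "\\fps042.america.example.com\Shared\$FolderName"
$GroupOU    = 'OU=Groups,OU=Site042,DC=america,DC=example,DC=com'
$NetBios    = 'AMERICA'

# One Domain Local group per access level; the mapping is the site standard.
$Groups = [ordered]@{
    "$Site-$FolderName-RW" = [System.Security.AccessControl.FileSystemRights]::Modify
    "$Site-$FolderName-R"  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
            -GroupCategory Security -Path $GroupOU `
            -Description "$($Groups[$name]) on $FolderPath"
    }
}

# ACEs go on the folder root only and inherit downward; nothing below it is
# ACLed separately, so a rebuild is "recreate folder, reapply two rules".
$acl = Get-Acl -Path $FolderPath
foreach ($name in $Groups.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$NetBios\$name",
        $Groups[$name],
        'ContainerInherit,ObjectInherit',   # this folder, subfolders and files
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $FolderPath -AclObject $acl

# Cross-domain grant straight into the DLG. AD creates the foreign security
# principal for the Asia user; no Global group in Asia is involved.
$asiaUser = Get-ADUser -Identity 'YLee2' -Server 'asia.example.com'
Add-ADGroupMember -Identity "$Site-$FolderName-R" -Members $asiaUser

# Auditor's question, "who has change access?": flatten nested role DLGs by
# walking the member attribute. Get-ADObject resolves foreign security
# principals too, which Get-ADGroupMember -Recursive does not always manage.
function Get-FlatMembers {
    param([string]$GroupDn, [hashtable]$Seen = @{})
    $group = Get-ADGroup -Identity $GroupDn -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }          # guards against nesting loops
        $Seen[$dn] = $true
        $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            Get-FlatMembers -GroupDn $dn -Seen $Seen       # nested role DLG: recurse
        } else {
            $obj                                           # user, computer or FSP
        }
    }
}

Get-FlatMembers -GroupDn "$Site-$FolderName-RW" |
    Select-Object Name, sAMAccountName, objectClass, DistinguishedName
```

Get-FlatMembers reads only the local domain, which is the point of the design:
the answer comes off the site's own DC. A member from another domain shows up
as a foreignSecurityPrincipal whose Name is its SID; resolve it against that
domain only if the auditor needs a display name.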
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 23, 2003 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


What I mean by 'I can't imagine all of the explicit grants' is where I
probably need to have a clearer explanation on what you are doing if you're
NOT using Globals (I'll leave Unis out of it) in a multi-domain environment.
 
What I mean is this:
 
I have a resource in DomainA that userB needs to get to from DomainB.  We'll
assume that DLGA is managing permissions to the resource.  If that user is a
member of DLGB in DomainB, I can't get him to DLGA in DomainA - Unless there
is something that I'm really missing (Because I can't make a DLG a member of
a DLG in another domain).  In my experience - you have two options:
 
* Explicitly grant the user membership to DLGA
* Create a Global group (GGB), put the user in GGB, then make GGB a member
of DLGA.
 
So, please - enlighten me.  You've opened my eyes before on things that I've
just flat discounted.  Clearly, I'm missing something here.
 
As to Exchange, you and I have already beat the crap out of that dead horse.
IMHO, the only way to fix the very flawed security model is to strip it down
to protocol and database, and build from there.  It's a mess with no
possibility of real redemption or repair.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, August 23, 2003 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


What do you mean by "I just can't imagine all of the explicit grants."?  Is
this an Exchange reference? If so, block out Exchange; they didn't know what
they were doing when they wrote that application. Bad, bad example of an AD
application. We may actually have to cave and create a couple of
mail-enabled Uni groups for some stupid security stuff in Exchange. We asked
why we can't use DLGs and they said you just can't (I love those technical
explanations out of the Exchange Support and Dev groups). Then at one point
a mistake was made and it was said that Globals would probably work, which
meant that DLGs would work as well and smashed their argument for Unis, at
which point I attacked and then they recanted and it was no, no, no, only
Unis will work. Problem is, I don't think there are many people, if any,
that understand that P.O.S.
 
As for chasing perms: if you use all DLGs, you know that all NT native
security uses of the group are within the one domain (you can do some tricks
if you have your own security system). So if you have, say, the whole world
and you get asked by the security group where this group could have
permissions, you can say "only on machines within this domain" versus "well,
any machine in any of these 9 domains" (meaning hundreds of thousands of
machines). 
 
With W2K3 we will probably end up looking at Unis again because at least
the replication piece is better, but I really do not see the purpose in
replicating member information for a group that is used in one site in, say,
Arizona to the entire world. Also, if you have tens of thousands of groups
like we do, and those groups see lots and lots of daily membership changes,
which they do (one site I talked to processed at least 1500 individual group
changes on a normal business day), that is a lot of replication of a lot of
data that doesn't need to be used anywhere but in one site. 
 
Also, when I mention the denies it is only AD (excluding the Exchange
container in the config partition) that I am speaking for, because I am the
one that controls that security. File systems and other ACLs on resources
directly can be set with anything the local person in charge wants to do. If
they call me asking for help, though, the first thing I do is ixnay on the
denies if they are doing it for silly reasons. Most people tend to hurt
themselves more than help themselves with denies. And denies in AD are not
fun to work through. Also, misordered ACLs with denies are fun too... No one
would do that on purpose, would they... oh wait... 
 
  joe
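An audit for the two ACL problems Joe mentions above, explicit denies and
misordered (non-canonical) ACLs, as an added PowerShell example that is not
code from the thread or from any poster. It works on file system paths and,
with the ActiveDirectory module loaded, on AD: drive paths, so the same
function covers the "denies in AD" case he distinguishes from file-server
ACLs. The share path and OU below are placeholders, not from the thread.

```powershell
# Added example, not code from the thread. Placeholder names:
# \\fps042.america.example.com\Shared and OU=Site042,DC=america,DC=example,DC=com.
function Test-DaclHygiene {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path

    # Explicit (non-inherited) Deny entries set directly on this object.
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    } | ForEach-Object {
        # FileSystemAccessRule and ActiveDirectoryAccessRule name the rights
        # property differently; pick whichever this rule carries.
        $rights = if ($_.PSObject.Properties['FileSystemRights']) {
            $_.FileSystemRights
        } else {
            $_.ActiveDirectoryRights
        }
        "$($_.IdentityReference) [$rights]"
    })

    [pscustomobject]@{
        Path           = $Path
        Owner          = $acl.Owner
        # False means the ACEs are not ordered explicit Deny, explicit Allow,
        # then inherited, so Deny-before-Allow evaluation cannot be relied on.
        IsCanonical    = $acl.AreAccessRulesCanonical
        ExplicitDenies = $denies
    }
}

# File server: check the root of each shared project folder, the level at
# which the thread's standard -RW / -R ACEs are applied.
Get-ChildItem -Path '\\fps042.america.example.com\Shared' -Directory |
    ForEach-Object { Test-DaclHygiene -Path $_.FullName } |
    Where-Object { -not $_.IsCanonical -or $_.ExplicitDenies.Count -gt 0 } |
    Format-Table -AutoSize

# Directory: the same check on an OU through the AD: drive.
Import-Module ActiveDirectory
Test-DaclHygiene -Path 'AD:\OU=Site042,DC=america,DC=example,DC=com'
```

Only objects that fail one of the two checks are listed, which keeps the
report short on a server where the folder-root standard has been followed.
A non-canonical DACL is usually the result of a tool writing ACEs in raw
order; fixing it is a matter of reapplying the intended explicit entries
rather than adding more denies on top.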
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 17, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Hmmm.  Well, I guess whatever works for you.  I just know that I have a heck
of a time with UPN resolution taking a long time with our IOCs - yes, some
are in their own forest with Trusts.  But, I just can't imagine all of the
explicit grants.  Maybe I'm just a bit backward, but I haven't really found
it all that tough to track any one user's permission and membership trail to
the point where I wouldn't want a Global group managing the cross-domain
'collection' of users.
 
And, the only denies that I have are on IIS servers.  I don't know of
another deny in our entire structure.  But, then - you're dealing with
something that, as I remember - is about 7 times as large as mine.
 
But, then, I am the guy who forgot that DC Administrators group and a member
server local Administrators group weren't actually the same thing.  So, what
do I know....  ;-)
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, August 17, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


We like to limit the security scope of the groups. It is very difficult to
chase permissions across the world when someone asks, "what does this group
have access to?" At the worst, the permissions can only be applied within a
specific geographic region, or at least the machines that are part of it.
Additionally, DLGs can take members from all domains and we don't have to
have two or more groups for every resource being tied down (i.e. no
user-global-local-permission nesting). People can do as much DLG nesting as
they feel they may want to do, which is ok. Resolution of the groups is easy
as you don't have to have DCs chasing over to other domains' DCs for the
resolution. 
 
All of our permissions on the directory are grant perms with passive denies
and most of that delegation is within the default partitions so it all works
well. I HATE active denies, troubleshooting is a nightmare when you have to
chase through that. 
 
Exchange has been a bit of a challenge, since the E2K dev guys figured AD was
specifically built for them and so they just figured anything they thought
was good for Exchange was good for an entire company, and they figured they
should just put everything important to them in the config container; I will
let you know how we fare with that in the end. Personally I think that MS
has to treat Exchange like a foreign app that they purchased and do the
whole rewrite-from-the-ground-up strategy, but this time use people who
actually understand the directory they are trying to tie into. Also, this
time make heavy use of AD/AM; there is no point in all of that data being
sent over an entire company when they use a centralized Exchange
architecture. 
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 16, 2003 10:59 PM
To: AD mailing list (Send)
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


"Put down the beer Rick", come now - Rick is far too sophisticated to be
drinking beer ... "Put down the Beaujolais" seems more apt (actually, with
all that crap said ... I know for a fact he drinks beer ... the phrase like
a fish actually springs to mind) - just teasing Rick!
 
Joe,
 
I was wondering why you choose to use mostly DLGs and if you've encountered
any behavioral oddities when using them to assign permission to the
directory itself.
 
Dean

-- 
Dean Wells 
MSEtechnology 
* Email: [EMAIL PROTECTED] 
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Put down the beer Rick...
 
DCs have the local groups, especially Administrators.  If you didn't block
it you would get the specialGroup in your Domain Controllers' Administrators
group. I have tens of thousands of local groups on my domains. We don't use
Global/Universal except builtin; everything else is DLG.
 
   joe
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 16, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Deji,
 
Good example - I like it, but I'm curious about one thing.  You state that
you block it at Domain Controllers.  I'm not sure why, as DCs have no local
groups.
 
If you're just being specifically cautious, great.  Me, I don't see the need
to block it at the DC OU, as it won't affect anything.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 1:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


This is what I have in a batch file:
REM Probe the English group name; on a German build it does not exist,
REM so "net localgroup" fails and errorlevel is non-zero.
net localgroup administrators
if NOT %errorlevel%==0 GOTO :GERMAN
net localgroup administrators /add myDomain\specialGroup
GOTO :END
:GERMAN
REM Same group, localized name on German installs.
net localgroup administratoren /add myDomain\specialGroup
:END
 
I then add the batch file to a Machine Startup GPO at the Domain Level,
blocking it at the Domain Controllers.
 
HTH
 

 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
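The same startup-script job as Deji's batch file, as an added PowerShell
example that is not code from the thread or from any poster. Instead of
probing for each language's group name, it locates the local Administrators
group by its well-known SID S-1-5-32-544, so the GERMAN branch (and any other
locale) disappears, and it only adds the domain group when it is not already
a member. The group name myDomain\specialGroup is the placeholder from the
thread.

```powershell
# Added example, not code from the thread. myDomain\specialGroup is the
# thread's placeholder. Runs as a Computer Configuration startup script
# (under SYSTEM), so it has the rights to change the local group.
$DomainGroup = 'myDomain\specialGroup'

# Resolve the local Administrators group from its well-known SID. This
# yields BUILTIN\Administrators on English builds, VORDEFINIERT\Administratoren
# on German ones, and so on, so no per-language branch is needed.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
$localName = $adminName.Split('\')[-1]   # the unqualified name net.exe expects

# Idempotent: "net localgroup X /add" errors on a duplicate member, which
# would surface as a failed startup script on every boot after the first.
# Member lines in the listing are the bare account names, so -notcontains
# (case-insensitive) is enough to test for presence.
$listing = net localgroup "$localName"
if ($listing -notcontains $DomainGroup) {
    net localgroup "$localName" "$DomainGroup" /add
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to add $DomainGroup to $localName"
        exit 1
    }
}
```

Linking the GPO to the OU Brian asked about, rather than at the domain with
a block on Domain Controllers, scopes the change to the machines that need
it; as Joe notes further down the thread, a DC's Administrators group is the
domain-wide BUILTIN one, so an unblocked domain-level link would add the
group there as well. On Windows 10 and Server 2016 or later,
Add-LocalGroupMember -SID S-1-5-32-544 -Member $DomainGroup does the SID
lookup and the add in one cmdlet.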

  _____  

From: [EMAIL PROTECTED] on behalf of Narkinsky, Brian
Sent: Fri 8/15/2003 7:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Add junior admin to Local workstations admin group




I need to add two users to the local administrators group of every machine
in an OU.

I've looked at restricted groups GPO but this doesn't really seem to do
what I want.  I don't need to restrict, just add.

I am also looking at writing a script to run at boot, but again not sure
there isn't an easier way.

Any Ideas?

Brian Narkinsky



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

