On days when I'm feeling unnaturally control-freakish, I think about
setting up DLGs to represent what I call aggregated rights. This allows
me to take a bunch of commonly associated ACEs and set up a logical name
for them like "Right to manage computer objects in OU X". I think about
creating other DLGs that represent roles in the RBAC sense, something
like "Role - OU X Administrators". I wonder if it's worth the effort so
that I can say "Role - OU X Administrators" has the following logical
rights: "Right to manage computer objects in OU X", etc. I could then
use the logical rights hierarchically so that I can create a "Right to
manage computer objects for Business A" which includes the "Right to
manage computer objects in OU X", "... OU Y" and "... OU Z".

It's one more level of abstraction than you usually get in group-based
role models. It makes some things easier, but of course introduces its
own set of headaches.

Wook

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Wednesday, April 19, 2006 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Local Group vs Global Security Group for
Delegated Permissions in AD

I think the rationale for using domain local groups is that memberships
can be from outside the domain and this group only exists for purposes
within the domain of origin.  The way I see it, DLGs can act as a
poor person's role-based security model and, as you point out, be used to
reduce the ACLs directly on the OU delegation; basically you can create
delegations based on "roles" and then add the GG from other domains or
the domain of origin to facilitate the delegation without having to
create delegations repeatedly.  Like I said earlier though, I have run
into third-party delegation software that doesn't like or doesn't
function as expected using DLGs. So it got me to wondering: are there
limitations to using a DLG for delegation that aren't obvious?

Thanks for the feedback Wook,

Todd

 

-----Original Message-----
From: Lee, Wook [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 19, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Local Group vs Global Security Group for
Delegated Permissions in AD

In general, I would make the decision based on who needed to be allowed
access and who needed to control that access.

Assuming that you want to have a point of control to be in the domain
where the OU and groups are, then here's what I'd do.

Admins can only be from the same domain as the OU: use a domain global
group.

Admins can be from any domain in the forest but not from trusted
domains: use a universal group.

Admins can be from any trusted domain: use a domain local group.

If you want to retain control over exactly who gets rights over the OU,
then you use an appropriately scoped group whose membership is
controlled by you and add user accounts individually.

If you want to delegate the membership issue, then you can populate your
group with groups from other jurisdictions. Whoever owns those groups
will now have a say in who has rights. You of course still retain some
control since you can still add or remove other groups or users.

If you don't want to have that local control, then you could just add
groups from other domains directly, but the ACLs start getting messy
very quickly. Better to at least aggregate all of those into a single
group to keep the ACLs clean.

Wook

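The layered model from the top of the thread (people in a global group, nested into a role DLG, nested into an aggregated-right DLG that alone appears in the OU's ACL) as an added PowerShell example with the ActiveDirectory module; this is not code from the thread, and every group name, OU DN and path is an assumption.

```powershell
# Added example, not part of the thread. Builds: people -> GG -> Role DLG -> Right DLG -> ACEs on OU X.
# All names, DNs and the OU path below are assumptions for illustration.
Import-Module ActiveDirectory

$ouDn      = 'OU=X,DC=example,DC=com'                   # assumed "OU X"
$groupsOu  = 'OU=Roles,DC=example,DC=com'                # assumed OU holding the model groups
$rightName = 'Right - Manage computer objects in OU X'   # aggregated right (DLG, holds the ACEs)
$roleName  = 'Role - OU X Administrators'                # role (DLG, nests rights)
$adminsGG  = 'OU X Admins'                               # in-domain members (GG)

# Domain local groups carry the rights; the global group carries the people.
New-ADGroup -Name $rightName -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu
New-ADGroup -Name $roleName  -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu
New-ADGroup -Name $adminsGG  -GroupScope Global      -GroupCategory Security -Path $groupsOu

# Nest: the role gets the right, the people get the role. A DLG may nest GGs from any
# trusted domain, so cross-domain admins are added here and never to the OU's ACL.
Add-ADGroupMember -Identity $rightName -Members $roleName
Add-ADGroupMember -Identity $roleName  -Members $adminsGG

# Resolve the schemaIDGUID of the computer class from the schema instead of hard-coding it.
$schemaDn     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [Guid](Get-ADObject -SearchBase $schemaDn -Filter "lDAPDisplayName -eq 'computer'" `
                       -Properties schemaIDGUID).schemaIDGUID
$sid = (Get-ADGroup $rightName).SID

# ACE 1: create/delete computer objects in OU X and below (object-type limited to computer).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow, $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
# ACE 2: full control over existing computer objects under OU X, and over nothing else.
$manage = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manage)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: the OU's ACL names only the right-DLG; the actual people resolve through nesting.
(Get-Acl -Path "AD:\$ouDn").Access | Where-Object { $_.IdentityReference -like "*$rightName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
Get-ADGroupMember -Identity $rightName -Recursive | Select-Object objectClass, SamAccountName
```

Because the ACE references only the right-DLG, membership changes in the role or global groups never touch the OU's ACL, which is the "keep the ACLs clean" point above; the recursive membership listing is the audit view of who actually holds the right.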
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Wednesday, April 19, 2006 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Local Group vs Global Security Group for
Delegated Permissions in AD

Quick Question,

I was teaching a class the other day when the question came up about
what group scope you should use for delegated permissions of an OU.  I
was teaching an earlier class where I explained how to use Domain Local
Groups on File Shares and Printers to centralize management of these
resources via AD.  The question from the students was could / should
they use the same principles for AD Delegation?  I said no based on past
experience with 3rd party delegation tools that didn't like Domain Local
Groups used for delegation.

This got me to thinking why and wondering what you all do and why?

I know this question is open ended, and depends on your domain structure
etc., but I am just trying to identify a real reason to say no, only use
global groups for delegation within a domain.

Thanks,

Todd Myrick
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/