Strange group scope / permissions issue

[Guest SF]

Hello All,

 

Currently on our domain it seems we are unable to add built-in domain

local groups to the ACL any folders on the network.

 

When you try to view groups from the "builtin" container in AD they do

not show up as available.

 

For example: If we want to add the built-in domain local group "Backup

Operators", to the ACL of a folder it cannot be seen by the machine,

no mater which location you have selected. You can point it directly

at the container and still it does not want to find any built-in

group.

 

This is a domain wide issue affecting all machines that I have tested.

The domain functional level is Windows 2000 native and the servers are

mostly 2003 except for a few in an other site.

 

This seems pretty strange to me, can anyone shed some light on it?

 

Thanks in advance.

 

SF

[Guest SF]

Re: Strange group scope / permissions issue

 

On Jul 17, 9:52 am, SF <solutionfo...@gmail.com> wrote:

> Hello All,

>

> Currently on our domain it seems we are unable to add built-in domain

> local groups to the ACL any folders on the network.

>

> When you try to view groups from the "builtin" container in AD they do

> not show up as available.

>

> For example: If we want to add the built-in domain local group "Backup

> Operators", to the ACL of a folder it cannot be seen by the machine,

> no mater which location you have selected. You can point it directly

> at the container and still it does not want to find any built-in

> group.

>

> This is a domain wide issue affecting all machines that I have tested.

> The domain functional level is Windows 2000 native and the servers are

> mostly 2003 except for a few in an other site.

>

> This seems pretty strange to me, can anyone shed some light on it?

>

> Thanks in advance.

>

> SF

 

On second examination this seems to be by design, but I am having

trouble understanding it.

 

Please advise.

[Guest Bruce Sanderson]

Re: Strange group scope / permissions issue

 

This may tell you some things you already know, but perhaps you'll find it

useful anyway.

 

Backup Operators and the other groups in the BuiltIn container are the

Domain Controller equivalent of "local" groups on domain members (or

standalone computers). For example, look in Computer Management, Local

Users and Groups, Groups on a domain member (or standalone server) - you

will see many of the group names you see in the BuiltIn container on the

Domain Controllers.

 

Local groups are, by definition, per computer. In the case of Domain

Controllers the concept of local groups doesn't really exist because all

Domain Controllers of a Domain share all the AD objects (including for

example, the Administrator user account). The equivalant to local groups

for Domain Controllers are those in the BuiltIn container. These groups are

"local" to the Domain Controller and all Domain Controllers have exactly the

same version of BuiltIn groups becuase they all "share" the same Active

Directory. If you look at the General tab of the Properties of one of these

groups (e.g. Backup Operators) on a Domain Controller, you'll see that all

of the "Scope" radio buttons are greyed out and the "Builtin local" one is

selected. These ("domain builtin") groups can not be used on domain

members, only domain controllers.

 

The concept is to make a Domain Group (either one you create or an

appropriate one from the Users container in the Active Directory) a member

of the local group on the domain member computers.

 

If specific domain users require specific access to certain (shared)

folders, then I suggest granting domain groups the permission, rather than

using local groups. If you use an appropriate naming scheme, you can then

easily determine who has access to what without examining all the ACLs and

local group memberships on all the servers.

 

For example, you could create a Domain Group called "Res Server Backup

Operators", add the user accounts for those you want to be backup operators

on your servers as members of that group. Then, either manually, or via

Group Policy, add the domain group "Res Server Backup Operators" to the

Backup Operators local group on the servers. Then, the designated backup

operators will be able to do the "backup operator" functions on those

servers. Don't forget to document what the domain group is for - e.g. in

the Description and Notes attributes of the domain group. If it makes sense

(i.e. all the "backup operators" need the same access to ashared folder),

you could use the same domain group to grant the required permissions on a

shared folder (adjust the documentation accordingly).

 

I don't claim it is the be-all and end-all of how to do things, but you

might find the "rules" in section 2 - Groups of

http://members.shaw.ca/bsanders/WindowsGeneralWeb/GroupsAccountsPermissionsGPOsRules.htm

useful.

 

Using Restricted Groups in a Group Policy is a convenient way to centrally

manage the membership of local groups on servers.

To populate a local group with a domain group via Group Policy, in Group

Policy Editor:

 

1. Expand Computer Configuration, Policies, Windows Settings,

Security Settings

2. click Restricted Groups; right click Restricted Groups, select

Add Group...

3. key the name of the domain group you want to be added to the

local group (in the example above, this would be Res Server Backup

Operators), or use the Browse... button to navigate to the one you want;

press Enter

4. Click Add... beside the "This group is a member of "

5. Key the name of the local group whose membership you want to add

to - in this case Backup Operators; click OK; click OK

 

--

Bruce Sanderson

http://members.shaw.ca/bsanders

 

It is perfectly useless to know the right answer to the wrong question.

 

 

 

"SF" <solutionforge@gmail.com> wrote in message

news:8a0a59e2-fdc7-48cb-b2cc-40f75295dc2c@k13g2000hse.googlegroups.com...

> On Jul 17, 9:52 am, SF <solutionfo...@gmail.com> wrote:

>> Hello All,

>>

>> Currently on our domain it seems we are unable to add built-in domain

>> local groups to the ACL any folders on the network.

>>

>> When you try to view groups from the "builtin" container in AD they do

>> not show up as available.

>>

>> For example: If we want to add the built-in domain local group "Backup

>> Operators", to the ACL of a folder it cannot be seen by the machine,

>> no mater which location you have selected. You can point it directly

>> at the container and still it does not want to find any built-in

>> group.

>>

>> This is a domain wide issue affecting all machines that I have tested.

>> The domain functional level is Windows 2000 native and the servers are

>> mostly 2003 except for a few in an other site.

>>

>> This seems pretty strange to me, can anyone shed some light on it?

>>

>> Thanks in advance.

>>

>> SF

>

> On second examination this seems to be by design, but I am having

> trouble understanding it.

>

> Please advise.

[Guest SF]

Re: Strange group scope / permissions issue

 

On Jul 19, 10:50 pm, "Bruce Sanderson" <bsand...@newsgroups.nospam>

wrote:

> This may tell you some things you already know, but perhaps you'll find it

> useful anyway.

>

> Backup Operators and the other groups in the BuiltIn container are the

> Domain Controller equivalent of "local" groups on domain members (or

> standalone computers).  For example, look in Computer Management, Local

> Users and Groups, Groups on a domain member (or standalone server) - you

> will see many of the group names you see in the BuiltIn container on the

> Domain Controllers.

>

> Local groups are, by definition, per computer.  In the case of Domain

> Controllers the concept of local groups doesn't really exist because all

> Domain Controllers of a Domain share all the AD objects (including for

> example, the Administrator user account).  The equivalant to local groups

> for Domain Controllers are those in the BuiltIn container.  These groups are

> "local" to the Domain Controller and all Domain Controllers have exactly the

> same version of BuiltIn groups becuase they all "share" the same Active

> Directory.  If you look at the General tab of the Properties of one of these

> groups (e.g. Backup Operators) on a Domain Controller, you'll see that all

> of the "Scope" radio buttons are greyed out and the "Builtin local" one is

> selected.  These ("domain builtin") groups can not be used on domain

> members, only domain controllers.

>

> The concept is to make a Domain Group (either one you create or an

> appropriate one from the Users container in the Active Directory) a member

> of the local group on the domain member computers.

>

> If specific domain users require specific access to certain (shared)

> folders, then I suggest granting domain groups the permission, rather than

> using local groups.  If you use an appropriate naming scheme, you can then

> easily determine who has access to what without examining all the ACLs and

> local group memberships on all the servers.

>

> For example, you could create a Domain Group called "Res Server Backup

> Operators", add the user accounts for those you want to be backup operators

> on your servers as members of that group.  Then, either manually, or via

> Group Policy, add the domain group "Res Server Backup Operators" to the

> Backup Operators local group on the servers.  Then, the designated backup

> operators will be able to do the "backup operator" functions on those

> servers.  Don't forget to document what the domain group is for - e.g. in

> the Description and Notes attributes of the domain group.  If it makes sense

> (i.e. all the "backup operators" need the same access to ashared folder),

> you could use the same domain group to grant the required permissions on a

> shared folder (adjust the documentation accordingly).

>

> I don't claim it is the be-all and end-all of how to do things, but you

> might find the "rules" in section 2 - Groups of

>  http://members.shaw.ca/bsanders/WindowsGeneralWeb/GroupsAccountsPermi....

> useful.

>

> Using Restricted Groups in a Group Policy is a convenient way to centrally

> manage the membership of local groups on servers.

> To populate a local group with a domain group via Group Policy, in Group

> Policy Editor:

>

> 1.          Expand Computer Configuration, Policies, Windows Settings,

> Security Settings

> 2.          click Restricted Groups; right click Restricted Groups, select

> Add Group...

> 3.          key the name of the domain group you want to be added to the

> local group (in the example above, this would be Res Server Backup

> Operators), or use the Browse... button to navigate to the one you want;

> press Enter

> 4.          Click Add... beside the "This group is a member of "

> 5.          Key the name of the local group whose membership you want to add

> to - in this case Backup Operators; click OK; click OK

>

> --

> Bruce Sandersonhttp://members.shaw.ca/bsanders

>

> It is perfectly useless to know the right answer to the wrong question.

>

> "SF" <solutionfo...@gmail.com> wrote in message

>

> news:8a0a59e2-fdc7-48cb-b2cc-40f75295dc2c@k13g2000hse.googlegroups.com...

>

>

>

> > On Jul 17, 9:52 am, SF <solutionfo...@gmail.com> wrote:

> >> Hello All,

>

> >> Currently on our domain it seems we are unable to add  built-in domain

> >> local groups to the ACL any folders on the network.

>

> >> When you try to view groups from the "builtin" container in AD they do

> >> not show up as available.

>

> >> For example: If we want to add the built-in domain local group "Backup

> >> Operators", to the ACL of a folder it cannot be seen by the machine,

> >> no mater which location you have selected. You can point it directly

> >> at the container and still it does not want to find any built-in

> >> group.

>

> >> This is a domain wide issue affecting all machines that I have tested.

> >> The domain functional level is Windows 2000 native and the servers are

> >> mostly 2003 except for a few in an other site.

>

> >> This seems pretty strange to me, can anyone shed some light on it?

>

> >> Thanks in advance.

>

> >> SF

>

> > On second examination this seems to be by design, but I am having

> > trouble understanding it.

>

> > Please advise.- Hide quoted text -

>

> - Show quoted text -

 

Thanks Bruce,

 

I think I understand where the issue lies.