Guest SF Posted July 17, 2008

Hello All,

Currently on our domain it seems we are unable to add built-in domain local groups to the ACL of any folders on the network.

When you try to view groups from the "builtin" container in AD they do not show up as available.

For example: If we want to add the built-in domain local group "Backup Operators" to the ACL of a folder, it cannot be seen by the machine, no matter which location you have selected. You can point it directly at the container and still it does not want to find any built-in group.

This is a domain-wide issue affecting all machines that I have tested. The domain functional level is Windows 2000 native and the servers are mostly 2003 except for a few in another site.

This seems pretty strange to me, can anyone shed some light on it?

Thanks in advance.

SF
Guest SF Posted July 17, 2008

Re: Strange group scope / permissions issue

On Jul 17, 9:52 am, SF <solutionfo...@gmail.com> wrote:
> [original post, quoted in full above]

On second examination this seems to be by design, but I am having trouble understanding it.

Please advise.
Guest Bruce Sanderson Posted July 20, 2008

Re: Strange group scope / permissions issue

This may tell you some things you already know, but perhaps you'll find it useful anyway.

Backup Operators and the other groups in the BuiltIn container are the Domain Controller equivalent of "local" groups on domain members (or standalone computers). For example, look in Computer Management, Local Users and Groups, Groups on a domain member (or standalone server) - you will see many of the group names you see in the BuiltIn container on the Domain Controllers.

Local groups are, by definition, per computer. In the case of Domain Controllers the concept of local groups doesn't really exist because all Domain Controllers of a Domain share all the AD objects (including, for example, the Administrator user account). The equivalent to local groups for Domain Controllers are those in the BuiltIn container. These groups are "local" to the Domain Controller and all Domain Controllers have exactly the same version of BuiltIn groups because they all "share" the same Active Directory. If you look at the General tab of the Properties of one of these groups (e.g. Backup Operators) on a Domain Controller, you'll see that all of the "Scope" radio buttons are greyed out and the "Builtin local" one is selected. These ("domain builtin") groups cannot be used on domain members, only domain controllers.

The concept is to make a Domain Group (either one you create or an appropriate one from the Users container in the Active Directory) a member of the local group on the domain member computers.

If specific domain users require specific access to certain (shared) folders, then I suggest granting domain groups the permission, rather than using local groups. If you use an appropriate naming scheme, you can then easily determine who has access to what without examining all the ACLs and local group memberships on all the servers.

For example, you could create a Domain Group called "Res Server Backup Operators" and add the user accounts for those you want to be backup operators on your servers as members of that group. Then, either manually, or via Group Policy, add the domain group "Res Server Backup Operators" to the Backup Operators local group on the servers. Then, the designated backup operators will be able to do the "backup operator" functions on those servers. Don't forget to document what the domain group is for - e.g. in the Description and Notes attributes of the domain group. If it makes sense (i.e. all the "backup operators" need the same access to a shared folder), you could use the same domain group to grant the required permissions on a shared folder (adjust the documentation accordingly).

I don't claim it is the be-all and end-all of how to do things, but you might find the "rules" in section 2 - Groups of http://members.shaw.ca/bsanders/WindowsGeneralWeb/GroupsAccountsPermissionsGPOsRules.htm useful.

Using Restricted Groups in a Group Policy is a convenient way to centrally manage the membership of local groups on servers. To populate a local group with a domain group via Group Policy, in Group Policy Editor:

1. Expand Computer Configuration, Policies, Windows Settings, Security Settings
2. Click Restricted Groups; right-click Restricted Groups, select Add Group...
3. Key the name of the domain group you want to be added to the local group (in the example above, this would be Res Server Backup Operators), or use the Browse... button to navigate to the one you want; press Enter
4. Click Add... beside "This group is a member of"
5. Key the name of the local group whose membership you want to add to - in this case Backup Operators; click OK; click OK

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
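A script that checks both of Bruce's points on a live domain, added here as an example and not part of the thread: it reads the groupType of the Builtin group to confirm the "Builtin local" scope, then makes sure a domain group is nested in the local group on each member server (the "manually" alternative to the Restricted Groups policy). The domain NetBIOS name, the server names and the use of the ADSI WinNT provider are assumptions.

```powershell
# Added example, not from the thread. CONTOSO, FS01 and FS02 are placeholders.
param(
    [string]$DomainNetbios = 'CONTOSO',                      # assumption
    [string]$DomainGroup   = 'Res Server Backup Operators',  # Bruce's example group
    [string]$LocalGroup    = 'Backup Operators',
    [string[]]$Servers     = @('FS01', 'FS02')               # assumption
)

# Part 1: why the Builtin group is invisible to a member server's ACL editor.
# groupType bit 0x1 = BUILTIN_LOCAL, 0x4 = domain local, 0x80000000 = security-
# enabled. Builtin groups carry 0x80000005, the greyed-out "Builtin local" scope
# Bruce describes; it only resolves on domain controllers, so the object picker
# on a member server never offers it.
function Get-BuiltinGroupScope([string]$Name) {
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $group    = [ADSI]"LDAP://CN=$Name,CN=Builtin,$domainDn"
    $type     = [int]$group.Properties['groupType'].Value
    [pscustomobject]@{
        Group        = $Name
        GroupTypeHex = '0x{0:X8}' -f $type
        BuiltinLocal = (($type -band 0x1) -ne 0)
    }
}

# Part 2: nest the domain group in the local group on each member server.
# Restricted Groups does the same thing and re-applies it on every policy
# refresh, so membership drift is corrected instead of persisting silently.
# The WinNT ADSI provider is used because it is available on Windows 2003.
function Set-LocalGroupNesting([string]$Server) {
    $local   = [ADSI]"WinNT://$Server/$LocalGroup,group"
    $members = @($local.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $DomainGroup) {
        "{0}: '{1}' already a member of '{2}'" -f $Server, $DomainGroup, $LocalGroup
    } else {
        $local.Add("WinNT://$DomainNetbios/$DomainGroup,group")
        "{0}: added '{1}' to '{2}'" -f $Server, $DomainGroup, $LocalGroup
    }
}

Get-BuiltinGroupScope -Name $LocalGroup
$Servers | ForEach-Object { Set-LocalGroupNesting -Server $_ }
```

Run it from an account that is a local administrator on the target servers; the membership query alone works with an ordinary domain account.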
Guest SF Posted July 24, 2008

Re: Strange group scope / permissions issue

On Jul 19, 10:50 pm, "Bruce Sanderson" <bsand...@newsgroups.nospam> wrote:
> [Bruce's reply, quoted in full above]

Thanks Bruce, I think I understand where the issue lies.