Discussion:
A-G-DL-P strategy
kr244
2006-01-29 21:09:21 UTC
Hi,
I've got an Active Directory domain that contains 2 child domains.

I'd like to publish the A-G-DL-P strategy for network permissions.
But if I create a DL-group on one of the domain controllers and then try to
grant permission to this group on a member server network share, this
DL-group doesn't appear in the list of available groups and users.
If I create a G-group on a DC and try to grant this group on the share, it
works perfectly.

Any idea why DL-groups didn't appear on the network share?

Thank U!
Neil Ruston
2006-01-30 09:24:27 UTC
DLs are not security groups and as such cannot be used to grant rights to
resources (they have a GUID but no SID).

Either:
1. Convert the DL to a security group
or
2. Create a security group (such as a GG)

then grant rights to that group created/converted above.

neil
kr244
2006-01-30 11:48:26 UTC
Hi,

thank you!
But if I can't grant rights to DL groups how should the A-G-DL-P strategy
work? I'm a little bit confused about that.
As far as I understood, permissions should be linked to a DL-group and the
accounts should be linked to G-group?!

Michael
Neil Ruston
2006-01-30 13:35:41 UTC
Sorry - acronym error!

I assumed DL = dist list. You mean DL = domain local group. Let me use "DLG".

DLGs can contain members from any domain but can only be used to permission
resources in the local domain.

GGs can contain members only from the local domain but can be used to
permission resources in any domain.

(Any domain means any trusting/ed domain)

Does that help?
neil
kr244
2006-01-30 13:46:32 UTC
yeah...I know.

But in my case, I can't grant permissions to a DLG group, because on the
preferences of the network share on a member server this DLG group did not
appear.

The only groups I can grant permissions to are DG groups.
And I don't know why.

Any idea???
Paul Williams [MVP]
2006-01-30 14:16:45 UTC
Please see my other post. This is because of the mode of the domain - you
can only use DL groups on member servers in [Win2k] Native mode.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-01-30 13:48:42 UTC
I believe you are referring to Domain Local groups, and I imagine Neil is
thinking of Distribution Lists. Too many DLs!

You can use Domain Local groups as per the recommendation - and the
recommendation works well in your setup (multiple domains). The reason you
cannot see these groups on your member servers is because you are still
running in Mixed mode. You need to be in at least 2k native to use domain
local groups on non-DCs.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
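As an added example that is not part of this thread, here is the A-G-DL-P chain Neil and Paul describe, laid out in PowerShell with the RSAT ActiveDirectory module (which postdates this thread) and icacls. It checks the mixed/native state of the resource domain first, because that is the cause Paul identifies for domain local groups not being selectable on a member server. The domain names, OU paths, group and account names, NetBIOS name and share path are all placeholders.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module;
# all names below are placeholders for your own domains, groups and share.
Import-Module ActiveDirectory

# 1. Check mixed vs native mode on the RESOURCE domain before granting anything.
#    ntMixedDomain on the domain head is 1 in Windows 2000 mixed mode, 0 in native.
$resourceDomain = Get-ADDomain -Identity 'resource.corp.example'          # placeholder
$resourceDC     = $resourceDomain.PDCEmulator
$domainHead     = Get-ADObject -Identity $resourceDomain.DistinguishedName `
                    -Properties ntMixedDomain -Server $resourceDC
if ($domainHead.ntMixedDomain -eq 1) {
    throw "$($resourceDomain.DNSRoot) is still in Windows 2000 mixed mode; " +
          "domain local groups cannot be used on member servers until it is raised to native mode."
}

# 2. A -> G: accounts go into a GLOBAL security group in the ACCOUNTS' domain.
#    A global group may only contain principals from its own domain.
$accountDomainDC = (Get-ADDomain -Identity 'child1.corp.example').PDCEmulator   # placeholder
New-ADGroup -Name 'GG-Sales-Users' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=child1,DC=corp,DC=example' -Server $accountDomainDC
Add-ADGroupMember -Identity 'GG-Sales-Users' -Members 'jdoe', 'asmith' -Server $accountDomainDC

# 3. G -> DL: the global group is nested into a DOMAIN LOCAL security group in the
#    RESOURCE domain. A domain local group may contain members from any trusted
#    domain, but can only be used to permission resources in its own domain.
New-ADGroup -Name 'DLG-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=resource,DC=corp,DC=example' -Server $resourceDC
$gg = Get-ADGroup -Identity 'GG-Sales-Users' -Server $accountDomainDC
Add-ADGroupMember -Identity 'DLG-SalesShare-Modify' -Members $gg -Server $resourceDC

# 4. DL -> P: the permission is granted once, to the domain local group only,
#    on the member server hosting the share. (OI)(CI) inherit to files/subfolders,
#    M = Modify. Run this on the member server itself.
icacls 'D:\Shares\Sales' /grant 'RESOURCE\DLG-SalesShare-Modify:(OI)(CI)M'

# Verify the chain end to end: expand the DLG recursively and list the accounts
# that actually end up with Modify on the share.
Get-ADGroupMember -Identity 'DLG-SalesShare-Modify' -Recursive -Server $resourceDC |
    Select-Object Name, SamAccountName, objectClass
```

Two points worth noting about the design: the mixed/native check reads the ntMixedDomain attribute rather than the domain functional level, because a Windows 2000 functional-level domain can be either mixed or native and it is the mixed state that hides domain local groups from member servers; and each cmdlet is pinned with -Server to a DC of the domain that owns the object, which avoids the cross-domain lookup failures that otherwise appear when the account and resource domains differ.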
kr244
2006-01-30 14:06:28 UTC
Hi Paul,

thank you very much.
You are right. My DCs are in 2K mixed mode.

So the only thing I can do is to use GlobalDomainGroups instead of
DomainLocalGroups?!

Michael
Paul Williams [MVP]
2006-01-30 14:33:29 UTC
Yes. Going to native will allow DLGs on members and Universal groups.

What is stopping you going native? NT4 BDCs should be the only thing
stopping you. If you don't have BDCs, you don't need to be in mixed mode.
If you have lots of BDCs -- join the club. We'll just sit here and moan
about it. ;-)
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Kurt Roggen
2006-01-30 21:24:47 UTC
If not, start using LG (local groups) created on your member server(s)...
--
Kurt Roggen
http://blogontheweb.com/roggenk