Groups

I have two questions:

1.I have a 2003 native multi-domain model. DomA and DomB. Users in Dom A
have to be granted rights to access a shared Folder in Dom B. I want to know
if i hv to follow the MS recommendation if 1.Create a GG in source domain
2.Adding users to the Global Groups, 3. Create Domain Local in Target
domain 4.Adding Global Group from source domain to Target domain local
group.

Why cant i just add users from Dom B into the Dom A's Domain Local Group?

2. When a global group from Dom A is added to domain local group of DomB and
domain local group is assigned permissions on the group. Assumng that the
local group is removed from the permissions list of \\sales. Now how can i
detect such groups that have been created for some administrative purpose,
however there is no clue as to how to detect the changes.

Any assistance in this regards?

Howdie!

Am 07.06.2010 20:19, schrieb Greg:
> 1.I have a 2003 native multi-domain model. DomA and DomB. Users in Dom A
> have to be granted rights to access a shared Folder in Dom B. I want to know
> if i hv to follow the MS recommendation if 1.Create a GG in source domain
> 2.Adding users to the Global Groups, 3. Create Domain Local in Target
> domain 4.Adding Global Group from source domain to Target domain local
> group.
>
> Why cant i just add users from Dom B into the Dom A's Domain Local Group?

You could -- but if you were ever to use this set of users again on a
different resource, you'd have to add them again to that other resource
one by one. Groups help make administration easier.

> 2. When a global group from Dom A is added to domain local group of DomB and
> domain local group is assigned permissions on the group. Assumng that the
> local group is removed from the permissions list of \\sales. Now how can i
> detect such groups that have been created for some administrative purpose,
> however there is no clue as to how to detect the changes.

You can't really detect that. You'd either notice if the ACL on the
share/volume changed (you removed the group's access permission) and
check what other groups are members of the removed group. That's rather
complicated.

Cheers,
Florian

We have the same problem, we have a multi domain AD structure where we
follow MS Best Practise withe regards to groups. We add users in our domain
to global groups and add them to domain local groups in other domains for
cross domain resource access. Note that these gloal groups are created ONLY
for acccessing these resources. We are seeing a increase in number of such
groups, however we do not have any control in place to detect which groups
are still being used to access the resources in the other domains. We
suspect that there are many such defuct groups which are no longer iven
access to resources, i want to know if there are any tools or suggested
process that i need to follow to ensure that i dont keep adding defunct
groups.




"Florian Frommherz [MVP]" <> wrote in
message news:%23%23TX8$...
> Howdie!
>
> Am 07.06.2010 20:19, schrieb Greg:
>> 1.I have a 2003 native multi-domain model. DomA and DomB. Users in Dom A
>> have to be granted rights to access a shared Folder in Dom B. I want to
>> know
>> if i hv to follow the MS recommendation if 1.Create a GG in source domain
>> 2.Adding users to the Global Groups, 3. Create Domain Local in Target
>> domain 4.Adding Global Group from source domain to Target domain local
>> group.
>>
>> Why cant i just add users from Dom B into the Dom A's Domain Local Group?
>
> You could -- but if you were ever to use this set of users again on a
> different resource, you'd have to add them again to that other resource
> one by one. Groups help make administration easier.
>
>> 2. When a global group from Dom A is added to domain local group of DomB
>> and
>> domain local group is assigned permissions on the group. Assumng that the
>> local group is removed from the permissions list of \\sales. Now how can
>> i
>> detect such groups that have been created for some administrative
>> purpose,
>> however there is no clue as to how to detect the changes.
>
> You can't really detect that. You'd either notice if the ACL on the
> share/volume changed (you removed the group's access permission) and check
> what other groups are members of the removed group. That's rather
> complicated.
>
> Cheers,
> Florian
>

Thanks for your quick response.

So apart from management issues, there will not be any other issue like
increase in AD Replication due to addition and removal of members from
domain local group?
"Florian Frommherz [MVP]" <> wrote in
message news:%23%23TX8$...
> Howdie!
>
> Am 07.06.2010 20:19, schrieb Greg:
>> 1.I have a 2003 native multi-domain model. DomA and DomB. Users in Dom A
>> have to be granted rights to access a shared Folder in Dom B. I want to
>> know
>> if i hv to follow the MS recommendation if 1.Create a GG in source domain
>> 2.Adding users to the Global Groups, 3. Create Domain Local in Target
>> domain 4.Adding Global Group from source domain to Target domain local
>> group.
>>
>> Why cant i just add users from Dom B into the Dom A's Domain Local Group?
>
> You could -- but if you were ever to use this set of users again on a
> different resource, you'd have to add them again to that other resource
> one by one. Groups help make administration easier.
>
>> 2. When a global group from Dom A is added to domain local group of DomB
>> and
>> domain local group is assigned permissions on the group. Assumng that the
>> local group is removed from the permissions list of \\sales. Now how can
>> i
>> detect such groups that have been created for some administrative
>> purpose,
>> however there is no clue as to how to detect the changes.
>
> You can't really detect that. You'd either notice if the ACL on the
> share/volume changed (you removed the group's access permission) and check
> what other groups are members of the removed group. That's rather
> complicated.
>
> Cheers,
> Florian
>

Howdie!

On 08.06.2010 12:41, Greg wrote:
> So apart from management issues, there will not be any other issue like
> increase in AD Replication due to addition and removal of members from
> domain local group?

Removing a group from a resource's ACL won't trigger replication at all.
Removing members of a group will trigger replication among the DCs but
that won't hurt from Windows Server 2003 and its forest functional level
on. Replication shouldn't be a big deal if it isn't done repeatedly for
thousands of group memberships.

Cheers,
Florian

Thanks Florian.

I would like to know which among these is recommended and why?

1.Adding Users in DOM 1 to Global Group in DOM 1 and Adding DOM1\Global
Group to DOM2\Local Group>> Assig permissions to resources
2. Adding Users in DOM 1 to Global Group in DOM 1 and Adding DOM1\Global
Group to DOM2\Universal Group >>Assign permissions to resources

We are adopting Option 1 now and my problem is, being an administrator of
Dom 1, i have no clue whether my Dom1\Global Group is still part of
Dom2\Local Group, unless Dom2 admin gives us a repprt of the members of
Dom2\Local Group. As Dom1 admin i cannot know the complete member of
attribute details (members from other domains are not listed) of Dom1\Global
Group.

However if i opt for Option 2, i can use a tool like Member Of from Joe
Utils to check if my Dom1\Global Group is still part of Dom2\Univ Group,
that way i know that my Dom1\Global Group is being used.

I would like to know if Option 2 has any cons?


"Florian Frommherz [MVP]" <> wrote in
message news:...
> Howdie!
>
> On 08.06.2010 12:41, Greg wrote:
>> So apart from management issues, there will not be any other issue like
>> increase in AD Replication due to addition and removal of members from
>> domain local group?
>
> Removing a group from a resource's ACL won't trigger replication at all.
> Removing members of a group will trigger replication among the DCs but
> that won't hurt from Windows Server 2003 and its forest functional level
> on. Replication shouldn't be a big deal if it isn't done repeatedly for
> thousands of group memberships.
>
> Cheers,
> Flori