Managing Access to Resources by Using Groups

Discussion in 'Active Directory' started by stephany_2000, Mar 6, 2006.

  1. Security Groups - Native mode:
    We have a Windows Server 2003 Active Directory domain in Native mode. We
    are planning the setup for member servers and permissions to files and
    directories. A consultant has told us that Local groups should be set up on
    member servers, corresponding Domain Global groups should be set up in AD,
    users should be added to the Domain Global groups, the Domain Global groups
    should be added to the member server Local groups and permissions should be
    granted on the directory to the member server Local Groups.

    In a Microsoft class that I went to the scenario described above was said to
    be a Workgroup setup. In a Domain environment, the book said to create
    Domain Local groups and Domain Global groups, add the users to the Domain
    Global group, add the Domain Global group to the Domain Local group and
    assign permissions on the directory to the Domain Local group (A G DL P).

    For the Workgroup scenario it also said:
    Set up local groups only on computers that do not belong to a domain.
    Although you can set up local groups on domain client computers and member
    servers, it is recommended you do not.
    Membership rules for local groups:
    Local groups can only contain local user accounts from the computer where
    you create the local groups.

    Can anyone tell me which way is the correct way? Shouldn't I assume
    Microsoft is teaching the correct method? What problems are we likely to
    encounter if we follow the workgroup method? What benefits might we realize
    if we follow the Domain method?
    stephany_2000, Mar 6, 2006

  2. Answer below.


    The one from the class.
    You will have to re-create each local group on every member server and go
    through every group each time you have to add or remove a user.
    Opposite of the problems.
    Pierrot Robert, Mar 7, 2006

  3. Thank you for the reply. If you create a Local group for each directory on
    the member server (actually two, one for Modify rights and one for Read
    rights), and then create corresponding Domain Global Groups and put the users
    into the Domain Global Group and the Global Groups into the member server
    Local groups, there shouldn't be a need to re-create each local group on
    every member server. It seems to me that the plus here is you minimize the
    load on AD, but I am worried that doing this will negatively impact us in the
    future because Microsoft is assuming you follow their recommendations when
    they make changes to their products.

    I am curious as to the reason why Microsoft advocates a different method
    depending on whether you are in a Workgroup environment versus a domain
    environment. Knowing that would help me determine which method we should use
    because a lot of people seem to be advocating the "Workgroup" method in a
    Domain environment.
    stephany_2000, Mar 7, 2006
  4. Stephany,

    In a workgroup model there is not a central directory to reference for
    information. Therefore all resources must be created on each client/server
    in the workgroup. In an AD environment you have a central directory to
    reference. It is much less work to manage the AD than to manage each and
    every server/client. Whenever possible use the Domain Local groups and nest
    your Global groups there. Avoid assigning users to a resource as this can
    make administration difficult.

    I hope this clears up some of your confusion!
    Paul Lawrence, Mar 7, 2006
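
The A G DL P nesting discussed in this thread, as an added example that is not part of any poster's reply: one Global group for the accounts, two Domain Local groups for the directory (Modify and Read, as in post 3), and an ACL that names only the Domain Local groups. It assumes the ActiveDirectory PowerShell module is available; every group name, account name, the OU, the domain name and the folder path are hypothetical placeholders.

```powershell
# Added example: A G DL P for one shared directory on a member server.
# All names below (groups, accounts, OU, domain, folder) are hypothetical.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=example,DC=com'   # assumed OU for the groups
$netbios = 'EXAMPLE'                       # assumed NetBIOS domain name
$folder  = 'D:\Shares\Finance'             # assumed directory to protect

# A -> G: accounts go into a Global group organised by role.
New-ADGroup -Name 'GG_Finance_Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG_Finance_Staff' -Members 'jdoe', 'asmith'

# DL: one Domain Local group per access level on the resource.
$levels = @{
    'DL_FinanceShare_Modify' = 'Modify'
    'DL_FinanceShare_Read'   = 'ReadAndExecute'
}
foreach ($dl in $levels.Keys) {
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# G -> DL: nest the Global group; users are never added to the DL group directly.
Add-ADGroupMember -Identity 'DL_FinanceShare_Modify' -Members 'GG_Finance_Staff'

# DL -> P: the directory ACL references only the Domain Local groups.
$acl = Get-Acl -Path $folder
foreach ($dl in $levels.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$netbios\$dl", $levels[$dl], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Review step: list explicit ACEs that name something other than a DL_ group,
# such as a user or a Global group granted access directly on the resource.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited -and
                   $_.IdentityReference.Value -notlike "$netbios\DL_*" } |
    Select-Object IdentityReference, FileSystemRights
```

Because the Domain Local groups live in the directory, the same groups can be placed on ACLs on any member server in the domain, and membership changes are made once in the Global group.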