Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Domain Local and local Group


  • Please log in to reply

#1
slyaii

slyaii

    Member

  • Member
  • PipPip
  • 25 posts
I wanted to put this in a windows server 2003 forum, but couldn't find one.

What is the difference between domain local and computer local group. what i am trying to get here is...what happend to end users if you place them in the power user on your local and domain local group?
  • 0

Advertisements


#2
cheyenne 09

cheyenne 09

    Member 1K

  • Member
  • PipPipPipPip
  • 1,258 posts
Hi slyaii
The basic answer is it's where the accounts are kept. The Domain user's are Entered into the Domain user's Controller and Object's in the Active Directory. The Operating Systems that can Support Domains such as Windows 2001 or Windows XP Professional and then can log into the Domain and Allow all the User's Desktop Access and then Access to the Network Resources Available then these Users can be centrally managed at the Server. I hope this Helps Answer your Question. Good Luck

:whistling: Cheyenne 09 :blink:
  • 0

#3
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
good answer!

it's all about authentication...and where that authentication occurs...if you authenticate to the PC...then the PC holds all your information about what you can and cannot access....which basically would be things on that computer...if you authenticate to your domain (i.e. your domain controller) then the domain holds all your authentication information...thereby allowing you to configure permissions domain wide etc... instead of having to go to each pc and tell it that you're ok to log in there....

in a domain structure...adding domain users to the local groups can sometimes be effective...i have certain software that WILL NOT run unless the domain user is in the power users group on the local machine...for example
  • 0

#4
slyaii

slyaii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Do you know a lot about administering groups? I am asking because I have users and global security groups that I do not understand well enough. I want to do this right…What I understand so far…within Active Directory and computers, we have users and security groups. Users can access the domain and security groups are what resources are granted. Within security group, we have something call global security which enables members from only local domain to access resources in any domain. Then there is domain local group, which members can come from any domain and access resources only in local domain.

Proper way to organize users is to: Add users to Global Groups then to Domain Local Group. What I have here is:


Users: A,B,C,D



Global Security Groups: Sales, Accounting, HR.



*do I create within Security Groups, another set of Domain Local Groups which has:



Domain Local Groups: Sales, Accounting, HR ???



Then place Users (A,B,C,D) into these Global Security Groups (Sales, Accounting, HR) and then into Domain Local Group that includes Global Security Groups respectively?

for example, Users A >> Global Security Group Sales >> Domain Local Group Sales >> Resources
Users BC >> Global Security Group Accounting >> Domain Local Group Accounting >> Resources
Users D >> Global Security Group HR >> Domain Local Group HR >> Resources


Assigning Domain Local Groups to resources (folders within the servers) and assign permission…


What about Local Users and Groups in Computer Management that is located in local computer and non Domain Controller? What do I do with them???



I took administrative rights and power user rights from local computer (end users). I then went on to remove any administrative rights to any users and did the same on power users on servers that are non DC (domain controller).
  • 0

#5
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
you're a little mixed up
...the global groups will allow you to assign permissions to users...and allow those permisions to cross over to different domains within your organization....domain local groups CANNOT cross domains (i.e. i have domain A and domain B....the accounting Dept in domain A needs access to the accounting dept in domain B...i would make a global group in domain A named DOMA-Acct...then on the accounting Dept folder in domain B i would assign read permissions to DOMA-Acct group...thus giving them access)

if you make a global group..you do not have to make a domain local group for the same users...either will function the same as far as your local domain is concerened


What about Local Users and Groups in Computer Management that is located in local computer and non Domain Controller? What do I do with them???

if you have a domain set up...then you do not need local users at all (except the admin)
  • 0

#6
slyaii

slyaii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
dsenette, would this strategy gives you the most flexibility for growth and reduces permissions assignments?

1) Assign users with common job responsbilites to global groups
2) Create a domain local group for resources to be shared
3) Add global groups who need access to the resources to the domain local group
4) Assign resource permissions to the domain local group


(1)sales person >> (3)sales global group of Domain A >> (2)Accounting Domain Local Group
................................................................<< (4) Permission to access Accounting in Domain A

(1)accounting person >> (3)accounting global group of Domain B >> (2)Accounting Domain Local Group


Some of the possible limitations of other strategies include the following.

Placing user accounts in domain local groups and assigning permissions to the domain local groups This strategy does not allow you to assign permissions for resources outside of the domain. This strategy reduces the flexibility when your network grows

Placing user accounts in global gorups and assigning permissions to the global groups This strategy can complicate administration when you are using multiple domains. If global groups from multiple domains require the same permissions, you have to assign permissions for each global group.


page: 8-16 of Windows Server 2003 Active Directory Infrastructure

Edited by slyaii, 25 April 2007 - 12:21 PM.

  • 0

#7
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
this is why i hate permissions...and those guides even more...

the only domain local groups that i've got in my domain were either built in...or created by software that needed them to exist....all of the groups that i actually use are either global or universal

in my opinion there's no extra overhead associated with just using global groups for everything...and there's no valid reason to have two groups for the same purpose
  • 0

#8
slyaii

slyaii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I don't like to be confused either. Just want to do the right thing now so that later on, I won't be so stress out. I have so much to do and if I can make things easier on myself, it will help out in the long run. do you have a site that has a lot of server 2003 forum topics?
  • 0

#9
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
not really
  • 0

#10
slyaii

slyaii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
this group thing is stalling me...I want to get an answer for it. in my active directory, all i have are global security. I place users into these global security respectively of course and just assign them to folder that need access. However, other IT before me, did a mix of things. Say you have a folder call Sales. Within Sales you have a global group call Sales.

Sales Folder<< Global Group Sales << Users

however, in the security tab of Sales' Folder, we have the Global Group Sales and additional users that are not in Sales. This is just one folder, seems like a lot that I have to fix up.

What is your recommendation? yes, i am new.

only place global security group in Sales' Folder and not individual user.....

now....what to do with the domain local issue...just forget about it? you are not using it...i guess for most, it should be fine.
  • 0

Advertisements


#11
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
if the individual users are not members of the sales group, but need access to the sales folder...then that's probably why they have individual permissions to the folder....such as administartive assistance...who need access but aren't in sales....

you could rectify this by making another group called "sales access" that would allow you to add users to that group that aren't in sales but need access to the sales folder...and set the permissions accordingly...

the worst thing is coming into a network that you didn't build...things are always crazy....what i would suggest you do is find out who these users are...what department they're in...and why they have access to the sales folder...that way you can decide why they have individual permissions...and assign things accordingly

it's best practice NOT to assign permissions to users...only groups (unless it's a single user and there's never a chance of there being more users that need these permissions)

the domain local deal...just forget about it
  • 0

#12
slyaii

slyaii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
inside one of my folder >> right click properties >> security, I have an unknow user with no name, just a bunch of letter-number.

for example, ?s-1-5-21-1152 ( a long string) ...do u know what that is all about?
  • 0

#13
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
that number is an SID (security ID)...that corresponds to a user...

http://www.google.co...ername from SID

those are google results for how to get a usrename from an SID...i know i've done it before...but not any time recently
  • 0

#14
slyaii

slyaii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
i read the article, still lost in la la land. how does the user name switch over to those number in the first place? the code samples, i don't know where it can be ran.
  • 0

#15
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
well....the DC (domain controller) technically only sees those numbers....when the administrator logs on...it doesn't see "administrator has logged on" it sees "s-1-5-21-1152-x-x-x-x-xwhatever" each of those numbers is 100% unique on your domain...so much so that if you delete a user and recreate it after the user has truly been purged from AD...that new user...even though it has the same username...will have a different SID...and won't have the same access as the old user....sometimes if you see the numbers instead of the name...it's because the user doesn't exist anymore...but not all of it got cleared...and sometimes...it's...well it's just a windows glitch from my experience sometimes with no explanation


go here and download pstools to your server....then extract the psgetsid file to c:\windows\system32

then open a command prompt on the server and type
psgetsid <sid number>

<Sid number> is that number you see in the permissions list...SOMETIMES this will actually give you the username attached to the SID....sometimes it wont
\
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP