Domain Local and local Group
Started by slyaii, Apr 20 2007 03:25 PM
#1
Posted 20 April 2007 - 03:25 PM
What is the difference between domain local and computer local group? What I am trying to get here is... what happened to end users if you place them in the power user on your local and domain local group?
#2
Posted 24 April 2007 - 04:19 AM
Hi slyaii
The basic answer is it's where the accounts are kept. The Domain users are entered into the Domain user's Controller and Objects in the Active Directory. The Operating Systems that can support Domains such as Windows 2001 or Windows XP Professional and then can log into the Domain and allow all the Users Desktop Access and then Access to the Network Resources available then these Users can be centrally managed at the Server. I hope this helps answer your question. Good luck
Cheyenne 09
#3
Posted 24 April 2007 - 07:36 AM
good answer!
it's all about authentication...and where that authentication occurs...if you authenticate to the PC...then the PC holds all your information about what you can and cannot access....which basically would be things on that computer...if you authenticate to your domain (i.e. your domain controller) then the domain holds all your authentication information...thereby allowing you to configure permissions domain wide etc... instead of having to go to each pc and tell it that you're ok to log in there....
in a domain structure...adding domain users to the local groups can sometimes be effective...i have certain software that WILL NOT run unless the domain user is in the power users group on the local machine...for example
#4
Posted 25 April 2007 - 11:27 AM
Do you know a lot about administering groups? I am asking because I have users and global security groups that I do not understand well enough. I want to do this right… What I understand so far… within Active Directory and computers, we have users and security groups. Users can access the domain and security groups are what resources are granted. Within security group, we have something called global security which enables members from only local domain to access resources in any domain. Then there is domain local group, which members can come from any domain and access resources only in local domain.
Proper way to organize users is to: Add users to Global Groups then to Domain Local Group. What I have here is:
Users: A,B,C,D
Global Security Groups: Sales, Accounting, HR.
*do I create within Security Groups, another set of Domain Local Groups which has:
Domain Local Groups: Sales, Accounting, HR ???
Then place Users (A,B,C,D) into these Global Security Groups (Sales, Accounting, HR) and then into Domain Local Group that includes Global Security Groups respectively?
for example, Users A >> Global Security Group Sales >> Domain Local Group Sales >> Resources
Users BC >> Global Security Group Accounting >> Domain Local Group Accounting >> Resources
Users D >> Global Security Group HR >> Domain Local Group HR >> Resources
Assigning Domain Local Groups to resources (folders within the servers) and assign permission…
What about Local Users and Groups in Computer Management that is located in local computer and non Domain Controller? What do I do with them???
I took administrative rights and power user rights from local computer (end users). I then went on to remove any administrative rights to any users and did the same on power users on servers that are non DC (domain controller).
#5
Posted 25 April 2007 - 11:34 AM
you're a little mixed up
...the global groups will allow you to assign permissions to users...and allow those permissions to cross over to different domains within your organization....domain local groups CANNOT cross domains (i.e. i have domain A and domain B....the accounting Dept in domain A needs access to the accounting dept in domain B...i would make a global group in domain A named DOMA-Acct...then on the accounting Dept folder in domain B i would assign read permissions to DOMA-Acct group...thus giving them access)
if you make a global group..you do not have to make a domain local group for the same users...either will function the same as far as your local domain is concerned
"What about Local Users and Groups in Computer Management that is located in local computer and non Domain Controller? What do I do with them???"
if you have a domain set up...then you do not need local users at all (except the admin)
#6
Posted 25 April 2007 - 12:20 PM
dsenette, would this strategy give you the most flexibility for growth and reduce permissions assignments?
1) Assign users with common job responsibilities to global groups
2) Create a domain local group for resources to be shared
3) Add global groups who need access to the resources to the domain local group
4) Assign resource permissions to the domain local group
(1)sales person >> (3)sales global group of Domain A >> (2)Accounting Domain Local Group
................................................................<< (4) Permission to access Accounting in Domain A
(1)accounting person >> (3)accounting global group of Domain B >> (2)Accounting Domain Local Group
Some of the possible limitations of other strategies include the following.
Placing user accounts in domain local groups and assigning permissions to the domain local groups: This strategy does not allow you to assign permissions for resources outside of the domain. This strategy reduces the flexibility when your network grows.
Placing user accounts in global groups and assigning permissions to the global groups: This strategy can complicate administration when you are using multiple domains. If global groups from multiple domains require the same permissions, you have to assign permissions for each global group.
page: 8-16 of Windows Server 2003 Active Directory Infrastructure
Edited by slyaii, 25 April 2007 - 12:21 PM.
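The four-step strategy quoted in post #6, written out as an added example (not code from the thread or from the cited book). It uses the ActiveDirectory PowerShell module in a single domain; the group names, user names, OU, domain name and folder path are all hypothetical.

```powershell
# Added example, not from the thread. Every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'   # assumed OU for security groups
$share   = 'D:\Shares\Accounting'          # assumed folder on a file server

# 1) Global groups hold people with a common job responsibility.
New-ADGroup -Name 'GG-Sales'      -GroupScope Global -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'GG-Accounting' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'GG-Sales'      -Members 'userA'
Add-ADGroupMember -Identity 'GG-Accounting' -Members 'userB', 'userC'

# 2) One domain local group per shared resource and access level.
New-ADGroup -Name 'DL-Accounting-Read' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOU

# 3) Nest the global groups that need the resource into the domain local group.
Add-ADGroupMember -Identity 'DL-Accounting-Read' -Members 'GG-Sales', 'GG-Accounting'

# 4) Grant the permission once, to the domain local group only.
$acl  = Get-Acl -LiteralPath $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'EXAMPLE\DL-Accounting-Read',          # assumed NetBIOS domain name
    'ReadAndExecute',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $share -AclObject $acl

# Check: the domain local group should contain groups, not individual users.
Get-ADGroupMember -Identity 'DL-Accounting-Read' | Select-Object Name, objectClass
```

Access to the folder is then changed by editing group membership, and the folder ACL itself is not touched again.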
#7
Posted 25 April 2007 - 12:28 PM
this is why i hate permissions...and those guides even more...
the only domain local groups that i've got in my domain were either built in...or created by software that needed them to exist....all of the groups that i actually use are either global or universal
in my opinion there's no extra overhead associated with just using global groups for everything...and there's no valid reason to have two groups for the same purpose
#8
Posted 26 April 2007 - 10:06 AM
I don't like to be confused either. Just want to do the right thing now so that later on, I won't be so stressed out. I have so much to do and if I can make things easier on myself, it will help out in the long run. Do you have a site that has a lot of server 2003 forum topics?
#9
Posted 26 April 2007 - 10:09 AM
not really
#10
Posted 26 April 2007 - 11:05 AM
this group thing is stalling me...I want to get an answer for it. in my active directory, all i have are global security. I place users into these global security respectively of course and just assign them to folder that need access. However, other IT before me, did a mix of things. Say you have a folder called Sales. Within Sales you have a global group called Sales.
Sales Folder<< Global Group Sales << Users
however, in the security tab of Sales' Folder, we have the Global Group Sales and additional users that are not in Sales. This is just one folder, seems like a lot that I have to fix up.
What is your recommendation? yes, i am new.
only place global security group in Sales' Folder and not individual user.....
now....what to do with the domain local issue...just forget about it? you are not using it...i guess for most, it should be fine.
#11
Posted 26 April 2007 - 11:11 AM
if the individual users are not members of the sales group, but need access to the sales folder...then that's probably why they have individual permissions to the folder....such as administrative assistants...who need access but aren't in sales....
you could rectify this by making another group called "sales access" that would allow you to add users to that group that aren't in sales but need access to the sales folder...and set the permissions accordingly...
the worst thing is coming into a network that you didn't build...things are always crazy....what i would suggest you do is find out who these users are...what department they're in...and why they have access to the sales folder...that way you can decide why they have individual permissions...and assign things accordingly
it's best practice NOT to assign permissions to users...only groups (unless it's a single user and there's never a chance of there being more users that need these permissions)
the domain local deal...just forget about it
#12
Posted 26 April 2007 - 02:10 PM
inside one of my folders >> right click properties >> security, I have an unknown user with no name, just a bunch of letter-number.
for example, ?s-1-5-21-1152 ( a long string) ...do u know what that is all about?
#13
Posted 26 April 2007 - 02:13 PM
that number is an SID (security ID)...that corresponds to a user...
http://www.google.co...ername from SID
those are google results for how to get a username from an SID...i know i've done it before...but not any time recently
#14
Posted 26 April 2007 - 02:32 PM
i read the article, still lost in la la land. how does the user name switch over to those numbers in the first place? the code samples, i don't know where they can be run.
#15
Posted 26 April 2007 - 02:45 PM
well....the DC (domain controller) technically only sees those numbers....when the administrator logs on...it doesn't see "administrator has logged on" it sees "s-1-5-21-1152-x-x-x-x-xwhatever" each of those numbers is 100% unique on your domain...so much so that if you delete a user and recreate it after the user has truly been purged from AD...that new user...even though it has the same username...will have a different SID...and won't have the same access as the old user....sometimes if you see the numbers instead of the name...it's because the user doesn't exist anymore...but not all of it got cleared...and sometimes...it's...well it's just a windows glitch from my experience sometimes with no explanation
go here and download pstools to your server....then extract the psgetsid file to c:\windows\system32
then open a command prompt on the server and type
psgetsid <sid number>
<Sid number> is that number you see in the permissions list...SOMETIMES this will actually give you the username attached to the SID....sometimes it won't
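An added example, not from the thread, for the clean-up discussed in posts #10 to #15: it lists the explicit entries on a folder's ACL and marks which are users, groups, or SIDs that no longer resolve to a name. It assumes the ActiveDirectory PowerShell module is installed; the function name and the share path are hypothetical.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ExplicitAce {
    param([Parameter(Mandatory)][string]$Path)

    $ntAccount = [System.Security.Principal.NTAccount]
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    # Explicit (non-inherited) ACEs only, returned as raw SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, $sidType)

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            $name = $sid.Translate($ntAccount).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = $null   # shown in the Security tab as a bare S-1-5-21-... entry
        }

        if (-not $name) {
            $kind = 'unresolved SID'
        } elseif ($sid.Value -like 'S-1-5-21-*') {
            # Domain or machine-local principal: ask AD which object class it is.
            $obj  = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
            $kind = if ($obj) { $obj.ObjectClass } else { 'not in this domain' }
        } else {
            $kind = 'well-known'   # e.g. SYSTEM, BUILTIN\Administrators
        }

        [pscustomobject]@{
            Path    = $Path
            Sid     = $sid.Value
            Account = $name
            Kind    = $kind
            Rights  = $rule.FileSystemRights
            Type    = $rule.AccessControlType
        }
    }
}

# Hypothetical share path: show every explicit entry that is not a group.
Get-ExplicitAce -Path '\\fileserver\Sales' |
    Where-Object { $_.Kind -in 'user', 'unresolved SID', 'not in this domain' } |
    Format-Table -AutoSize
```

Rows with Kind `user` are the individual grants to review against group membership; rows with Kind `unresolved SID` usually belong to deleted accounts and are candidates for removal once that is confirmed.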