Re: Strange group scope / permissions issue
This may tell you some things you already know, but perhaps you'll find it
useful anyway.
Backup Operators and the other groups in the BuiltIn container are the
Domain Controller equivalent of "local" groups on domain members (or
standalone computers). For example, look in Computer Management, Local
Users and Groups, Groups on a domain member (or standalone server) - you
will see many of the group names you see in the BuiltIn container on the
Domain Controllers.
Local groups are, by definition, per computer. In the case of Domain
Controllers the concept of local groups doesn't really exist because all
Domain Controllers of a Domain share all the AD objects (including for
example, the Administrator user account). The equivalent to local groups
for Domain Controllers are those in the BuiltIn container. These groups are
"local" to the Domain Controller and all Domain Controllers have exactly the
same version of BuiltIn groups because they all "share" the same Active
Directory. If you look at the General tab of the Properties of one of these
groups (e.g. Backup Operators) on a Domain Controller, you'll see that all
of the "Scope" radio buttons are greyed out and the "Builtin local" one is
selected. These ("domain builtin") groups can not be used on domain
members, only domain controllers.
The concept is to make a Domain Group (either one you create or an
appropriate one from the Users container in the Active Directory) a member
of the local group on the domain member computers.
If specific domain users require specific access to certain (shared)
folders, then I suggest granting domain groups the permission, rather than
using local groups. If you use an appropriate naming scheme, you can then
easily determine who has access to what without examining all the ACLs and
local group memberships on all the servers.
For example, you could create a Domain Group called "Res Server Backup
Operators", add the user accounts for those you want to be backup operators
on your servers as members of that group. Then, either manually, or via
Group Policy, add the domain group "Res Server Backup Operators" to the
Backup Operators local group on the servers. Then, the designated backup
operators will be able to do the "backup operator" functions on those
servers. Don't forget to document what the domain group is for - e.g. in
the Description and Notes attributes of the domain group. If it makes sense
(i.e. all the "backup operators" need the same access to a shared folder),
you could use the same domain group to grant the required permissions on a
shared folder (adjust the documentation accordingly).
I don't claim it is the be-all and end-all of how to do things, but you
might find the "rules" in section 2 - Groups of
http://members.shaw.ca/bsanders/WindowsGeneralWeb/GroupsAccountsPermissionsGPOsRules.htm
useful.
Using Restricted Groups in a Group Policy is a convenient way to centrally
manage the membership of local groups on servers.
To populate a local group with a domain group via Group Policy, in Group
Policy Editor:
1. Expand Computer Configuration, Policies, Windows Settings, Security Settings
2. Click Restricted Groups; right click Restricted Groups, select Add Group...
3. Key the name of the domain group you want to be added to the local group (in the example above, this would be Res Server Backup Operators), or use the Browse... button to navigate to the one you want; press Enter
4. Click Add... beside "This group is a member of"
5. Key the name of the local group whose membership you want to add to - in this case Backup Operators; click OK; click OK
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"SF" <solutionforge@gmail.com> wrote in message
news:8a0a59e2-fdc7-48cb-b2cc-40f75295dc2c@k13g2000hse.googlegroups.com...
> On Jul 17, 9:52 am, SF <solutionfo...@gmail.com> wrote:
>> Hello All,
>>
>> Currently on our domain it seems we are unable to add built-in domain
>> local groups to the ACL any folders on the network.
>>
>> When you try to view groups from the "builtin" container in AD they do
>> not show up as available.
>>
>> For example: If we want to add the built-in domain local group "Backup
>> Operators", to the ACL of a folder it cannot be seen by the machine,
>> no matter which location you have selected. You can point it directly
>> at the container and still it does not want to find any built-in
>> group.
>>
>> This is a domain wide issue affecting all machines that I have tested.
>> The domain functional level is Windows 2000 native and the servers are
>> mostly 2003 except for a few in another site.
>>
>> This seems pretty strange to me, can anyone shed some light on it?
>>
>> Thanks in advance.
>>
>> SF
>
> On second examination this seems to be by design, but I am having
> trouble understanding it.
>
> Please advise.
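The approach in the reply above (a documented domain group placed into the local Backup Operators group on a set of servers, then verified), as an added PowerShell example that is not part of the original post. Server names, the OU path, user names and the attribute mapping of the Notes field to "info" are assumptions made for this example, and the manual Add-LocalGroupMember step stands in for the Restricted Groups GPO described in the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) on the admin workstation and PowerShell 5.1+ on the servers.
# Server names, OU path and user names below are constructed placeholders.
Import-Module ActiveDirectory

$DomainGroup = 'Res Server Backup Operators'
$LocalGroup  = 'Backup Operators'
$Servers     = @('RES-SRV01', 'RES-SRV02')          # constructed names
$TargetOU    = 'OU=Groups,DC=example,DC=com'         # placeholder DN

# 1. Create the domain group and document its purpose, as the post advises:
#    Description attribute plus the Notes field (assumed to be the "info"
#    attribute in AD).
if (-not (Get-ADGroup -Filter "Name -eq '$DomainGroup'")) {
    New-ADGroup -Name $DomainGroup -GroupScope Global -GroupCategory Security `
        -Path $TargetOU `
        -Description 'Members are placed in local Backup Operators on the Res servers' `
        -OtherAttributes @{ info = 'Review membership quarterly; see server build docs' }
}

# 2. Add the designated backup operators (constructed sample accounts).
Add-ADGroupMember -Identity $DomainGroup -Members 'jdoe', 'asmith'

# 3. Put the domain group into the local group on each server. In production
#    the Restricted Groups GPO from the post does this centrally; this is the
#    manual equivalent, made idempotent so re-runs do not error.
$DomainNetbios = (Get-ADDomain).NetBIOSName
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Grp, $Member)
    $existing = Get-LocalGroupMember -Group $Grp -ErrorAction SilentlyContinue |
                Where-Object Name -eq $Member
    if (-not $existing) {
        Add-LocalGroupMember -Group $Grp -Member $Member
    }
} -ArgumentList $LocalGroup, "$DomainNetbios\$DomainGroup"

# 4. Verify from one place who ends up in the privileged local group on every
#    server; anything other than the documented domain group stands out.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Grp)
    Get-LocalGroupMember -Group $Grp |
        Select-Object @{n='Server'; e={ $env:COMPUTERNAME }}, Name, PrincipalSource
} -ArgumentList $LocalGroup | Format-Table -AutoSize
```

Step 4 is the part worth keeping as a scheduled check: with the naming scheme the post recommends, a stray user or unexpected group in the listing is immediately visible without opening each server's ACLs.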