 |
|
|
|
Next: rtawe
|
| Author |
Message |
External
Since: Feb 01, 2008
Posts: 4
|
(Msg. 1) Posted: Fri Feb 01, 2008 7:16 am
Post subject: Group nesting troubles
Archived from groups: microsoft>public>win2000>active_directory, others (more info?)
|
|
|
Hi folks, I'm having a bit a problem with some group nesting issues and I
hope some of you might be able to point out the errors of me ways. Please
see the problem below:
A user cannot access a folder on a file server. This folder has NTFS modify
access permission set for "Group C".
The user is a member of "Group A" which is nested in "Group B" which is in
turn nested in "Group C".
Folder Resource -> Group C -> Group B -> Group A -> User
Native mode 2003 domain
Group A (Universal Distribution)
Group B (Universal Security Group)
Group C (Universal Security Group)
If the user is added directly to the folder resource he can access the
folder so I am wondering if this a nesting issue (access token limitation)
or an issue with Security/Distribution? Very much appreciate any help or
pointers. Thank you. |
|
| Back to top |
|
 | |
External
Since: Oct 09, 2006
Posts: 119
|
(Msg. 2) Posted: Fri Feb 01, 2008 8:00 am
Post subject: Re: Group nesting troubles [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Try creating Group A as a Security Group and mail enable it, I'm not 100%
sure this is your problem but distribution groups don't have sid's assigned
to them, but mail enabled security groups should.
http://www.windowsecurity.com/articles/How-Nest-Users-Groups-Permissions.html
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"barkley bees" <barkbees DeleteThis @nomail.com> wrote in message
news:%23rUbU8LZIHA.5980@TK2MSFTNGP04.phx.gbl...
> Hi folks, I'm having a bit a problem with some group nesting issues and I
> hope some of you might be able to point out the errors of me ways. Please
> see the problem below:
>
> A user cannot access a folder on a file server. This folder has NTFS
> modify access permission set for "Group C".
> The user is a member of "Group A" which is nested in "Group B" which is in
> turn nested in "Group C".
>
> Folder Resource -> Group C -> Group B -> Group A -> User
>
> Native mode 2003 domain
> Group A (Universal Distribution)
> Group B (Universal Security Group)
> Group C (Universal Security Group)
>
> If the user is added directly to the folder resource he can access the
> folder so I am wondering if this a nesting issue (access token limitation)
> or an issue with Security/Distribution? Very much appreciate any help or
> pointers. Thank you.
>
> |
|
| Back to top |
|
| |
External
Since: Feb 01, 2008
Posts: 1
|
(Msg. 3) Posted: Fri Feb 01, 2008 9:02 am
Post subject: Re: Group nesting troubles [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Actually, they do have SIDs, but SIDs for distribution groups are not
included in the token. It is a minor technical difference, but I wanted to
point it out.
The problem is as Paul said. Group A needs the security bit set.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson.RemoveThis@allete_nospam.com> wrote in message
news:OfnHIrNZIHA.4332@TK2MSFTNGP04.phx.gbl...
> Try creating Group A as a Security Group and mail enable it, I'm not 100%
> sure this is your problem but distribution groups don't have sid's
> assigned to them, but mail enabled security groups should.
>
> http://www.windowsecurity.com/articles/How-Nest-Users-Groups-Permissions.html
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2003, 2000 (Early Achiever), NT
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "barkley bees" <barkbees.RemoveThis@nomail.com> wrote in message
> news:%23rUbU8LZIHA.5980@TK2MSFTNGP04.phx.gbl...
>> Hi folks, I'm having a bit a problem with some group nesting issues and I
>> hope some of you might be able to point out the errors of me ways.
>> Please see the problem below:
>>
>> A user cannot access a folder on a file server. This folder has NTFS
>> modify access permission set for "Group C".
>> The user is a member of "Group A" which is nested in "Group B" which is
>> in turn nested in "Group C".
>>
>> Folder Resource -> Group C -> Group B -> Group A -> User
>>
>> Native mode 2003 domain
>> Group A (Universal Distribution)
>> Group B (Universal Security Group)
>> Group C (Universal Security Group)
>>
>> If the user is added directly to the folder resource he can access the
>> folder so I am wondering if this a nesting issue (access token
>> limitation) or an issue with Security/Distribution? Very much appreciate
>> any help or pointers. Thank you.
>>
>>
>
> >> Stay informed about: Group nesting troubles |
|
| Back to top |
|
| |
External
Since: Feb 01, 2008
Posts: 4
|
(Msg. 4) Posted: Fri Feb 01, 2008 12:46 pm
Post subject: Re: Group nesting troubles [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Thanks to you both Paul and Joe! I will take a look at it and test it out in
the morning. Cheers.
"Joe Kaplan" <joseph.e.kaplan RemoveThis @removethis.accenture.com> wrote in message
news:uDOMvNOZIHA.1204@TK2MSFTNGP03.phx.gbl...
> Actually, they do have SIDs, but SIDs for distribution groups are not
> included in the token. It is a minor technical difference, but I wanted
> to point it out.
>
> The problem is as Paul said. Group A needs the security bit set.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Paul Bergson [MVP-DS]" <pbergson RemoveThis @allete_nospam.com> wrote in message
> news:OfnHIrNZIHA.4332@TK2MSFTNGP04.phx.gbl...
>> Try creating Group A as a Security Group and mail enable it, I'm not 100%
>> sure this is your problem but distribution groups don't have sid's
>> assigned to them, but mail enabled security groups should.
>>
>> http://www.windowsecurity.com/articles/How-Nest-Users-Groups-Permissions.html
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "barkley bees" <barkbees RemoveThis @nomail.com> wrote in message
>> news:%23rUbU8LZIHA.5980@TK2MSFTNGP04.phx.gbl...
>>> Hi folks, I'm having a bit a problem with some group nesting issues and
>>> I hope some of you might be able to point out the errors of me ways.
>>> Please see the problem below:
>>>
>>> A user cannot access a folder on a file server. This folder has NTFS
>>> modify access permission set for "Group C".
>>> The user is a member of "Group A" which is nested in "Group B" which is
>>> in turn nested in "Group C".
>>>
>>> Folder Resource -> Group C -> Group B -> Group A -> User
>>>
>>> Native mode 2003 domain
>>> Group A (Universal Distribution)
>>> Group B (Universal Security Group)
>>> Group C (Universal Security Group)
>>>
>>> If the user is added directly to the folder resource he can access the
>>> folder so I am wondering if this a nesting issue (access token
>>> limitation) or an issue with Security/Distribution? Very much appreciate
>>> any help or pointers. Thank you.
>>>
>>>
>>
>>
>
> >> Stay informed about: Group nesting troubles |
|
| Back to top |
|
| |
External
Since: Oct 09, 2006
Posts: 119
|
(Msg. 5) Posted: Mon Feb 04, 2008 7:42 am
Post subject: Re: Group nesting troubles [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
I didn't realize that, thanks for pointing out the difference.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Joe Kaplan" <joseph.e.kaplan.RemoveThis@removethis.accenture.com> wrote in message
news:uDOMvNOZIHA.1204@TK2MSFTNGP03.phx.gbl...
> Actually, they do have SIDs, but SIDs for distribution groups are not
> included in the token. It is a minor technical difference, but I wanted
> to point it out.
>
> The problem is as Paul said. Group A needs the security bit set.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
> Programming"
> http://www.directoryprogramming.net
> --
> "Paul Bergson [MVP-DS]" <pbergson.RemoveThis@allete_nospam.com> wrote in message
> news:OfnHIrNZIHA.4332@TK2MSFTNGP04.phx.gbl...
>> Try creating Group A as a Security Group and mail enable it, I'm not 100%
>> sure this is your problem but distribution groups don't have sid's
>> assigned to them, but mail enabled security groups should.
>>
>> http://www.windowsecurity.com/articles/How-Nest-Users-Groups-Permissions.html
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "barkley bees" <barkbees.RemoveThis@nomail.com> wrote in message
>> news:%23rUbU8LZIHA.5980@TK2MSFTNGP04.phx.gbl...
>>> Hi folks, I'm having a bit a problem with some group nesting issues and
>>> I hope some of you might be able to point out the errors of me ways.
>>> Please see the problem below:
>>>
>>> A user cannot access a folder on a file server. This folder has NTFS
>>> modify access permission set for "Group C".
>>> The user is a member of "Group A" which is nested in "Group B" which is
>>> in turn nested in "Group C".
>>>
>>> Folder Resource -> Group C -> Group B -> Group A -> User
>>>
>>> Native mode 2003 domain
>>> Group A (Universal Distribution)
>>> Group B (Universal Security Group)
>>> Group C (Universal Security Group)
>>>
>>> If the user is added directly to the folder resource he can access the
>>> folder so I am wondering if this a nesting issue (access token
>>> limitation) or an issue with Security/Distribution? Very much appreciate
>>> any help or pointers. Thank you.
>>>
>>>
>>
>>
>
> >> Stay informed about: Group nesting troubles |
|
| Back to top |
|
| |
| Related Topics: | Group Policy - I have setup numerous group policies for my AD. I'm now being asked to setup a group policy for a singe stand alone machine for our HR Kiosk. Is there a way to apply a group policy to a single windows 2000 machine. I don't want to have anyone login...
Group policy - I have a problem I'm trying to resolve. I have to manualy configure local profiles whenever a new user is set up or moves to a different worksation. I was wondering if I can allievate this need by using group policy or login scripts. Some of the..
Group policy problem, Win Xp sp2 - In our Windows 2000 AD domain, we have five domain controllers: PDC 1 (dns server) BDC 2 (dns server) BDC 3 BDC 4 BDC 5 Few days ago, three windows Xp SP2 machines started to cause problems. When I turn computer on, everything goes well, but..
group-provisioning utility - Does anyone know if there's a group-provisioning utility for Backing up AD group membersip info from the group prespective ? Thanks Shawn
group policy object - Hi, I have a win 2000 pdc that stores a local copys of the group policy objects. I want to retire this server by demoting it to a member server but before doing this I want to know if the GPOs will be moved to another server when it is demoted. |
|
You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum
|
|
|
|
|
|
|
FAQ
Profile
Private Messages
Log in
Win 2000/NT/98/ME