|
Hello, I
have a question regarding group structure and administration of such. We run a multi-domain AD environment
with basically an empty root domain and 2 child domains where the users live. The problem is if we structure groups
the way it is recommended (accounts into Global groups which are then placed into
Universal Groups which are then placed into Domain Local groups in the domain
where the resource lives and permissions applied using the Domain local group. The
problem is we prefer our distribution lists (universal groups) to be managed/administered
by the users/owner of the list. All distribution lists are composed of
individual users presently (came from an NT 4 domain) and if we follow the recommended
group practices we will nest the Global group(s) from both domains inside the Universal
groups and remove the individual users presently in them and effectively they
will have the same members, but when the owners try to modify the members
through their Outlook client they will only see the Global group(s) and not the
members of the group who will receive the messages sent to the distribution
list. Is there a better way to
administer permissions in a multi domain Active Directory environment or do we
set every owner of a distribution list up with rights and a tool to manage the global
groups effectively adding these users to the Universal groups by nesting the global
groups? Any feedback is appreciated, thank you. |
- Re: [ActiveDir] group structure -universal groups Cariglia, Daniel
- Re: [ActiveDir] group structure -universal groups Tony Murray
- RE: [ActiveDir] group structure -universal groups Grillenmeier, Guido
