Well, nested groups can come in handy in a large organization.

For instance, we have a domain with two forests containing roughly 60k
user accounts and I don't know how many computers and groups.

Say I maintain a system that is used by various departments and a total
of 1000 people need to connect to it. Well, instead of me having to add
all those people to my one group, I create a group for each department
and allow them to manage the people they let in.

So for instance I have a system called Timber; its job is to take in the
syslogs for around 200 or so servers and routers. Well, these logs need
to be accessed by people in various departments in various OUs in
various subdomains and forests.

I have a TimberReader group, which contains some users and some groups.
Control of the nested groups is delegated out to the people in charge of
those departments.

In a small domain, it doesn't do much, but in a large organization it
can be very handy.

-----Original Message-----
From: Dana [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 14, 2005 9:11 PM
To: CF-Community
Subject: Re: one more time - universal groups

ya, actually. Thank you. So what would you use nested groups for, do you
know?

Dana

On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> No, I was not able to do it. The Domain Admin group cannot have a member
> that is not part of the same domain.
> 
> It also cannot contain a group that could have a member that is not in
> the same domain.
> 
> Now you can mimic the functionality by adding the user to the Enterprise
> Admins Group in the parent domain. Or by adding the user to the
> Builtin\Administrators group in the child domain.
> 
> Clear as mud?
> 
> -----Original Message-----
> From: Dana [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 14, 2005 8:18 PM
> To: CF-Community
> Subject: Re: one more time - universal groups
> 
> so, bottom line, you were able to add a user from the parent domain to
> the domain admins group of the child domain? Sorry to be so slow
> answering this -- I do not always have access to this setup.
> 
> Dana
> 
> On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > OK, so here is what I learned.
> >
> > The Domain Admins group is a Global Group, for some reason I thought it was
> > a Universal Group. A global group is only able to see the local domain, it
> > is able to see all objects in the local domain, but only the local domain.
> >
> > Now, the other thing I was playing with, why does the user have to be a
> > member of the Domain Admins group? Why not just make them a member of the
> > Administrators Group?
> >
> > The Domain Admins group is just a global group, therefore it cannot see
> > Universal Groups, nor can it see people outside its domain.
> >
> > One thing I tried was to use the command prompt to change the Group Type of
> > the Domain Admin group to Universal, however that didn't work.
> >
> > The next thing I did was I renamed Domain Admins to Domain Admins2, created
> > a new group called Domain Admins, set it to Universal, added that group to
> > the Builtin/Administrators group, then added the user from the parent domain.
> >
> >
> > > -----Original Message-----
> > > From: Dana [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, July 13, 2005 9:30 PM
> > > To: CF-Community
> > > Subject: Re: one more time - universal groups
> > >
> > > thanks :)
> > >
> > > Dana
> > >
> >
> >
> >
> >
> 
> 
> 
> 
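
Added example, not part of the original thread: a small Python model of the Active Directory group-scope nesting rules discussed above (why a global group such as Domain Admins rejects a member from another domain) and of flattening a delegated, nested group such as TimberReader into the users who actually have access. The domain names, user names, department group names and the choice of domain-local scope for TimberReader are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Principal:
    name: str
    domain: str
    scope: str = "user"  # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

def can_nest(group, member):
    """Scope rules for a member from the same forest as the group."""
    same = group.domain == member.domain
    if group.scope == "global":        # own domain only: users and global groups
        return same and member.scope in ("user", "global")
    if group.scope == "universal":     # any domain, but never domain-local groups
        return member.scope in ("user", "global", "universal")
    if group.scope == "domain_local":  # anything; domain-local only from own domain
        return member.scope != "domain_local" or same
    return False                       # a user cannot contain members

def add_member(group, member):
    if not can_nest(group, member):
        raise ValueError(f"{member.domain}\\{member.name} ({member.scope}) cannot "
                         f"join {group.scope} group {group.domain}\\{group.name}")
    group.members.append(member)

def effective_users(group, seen=None):
    """Flatten nested membership; 'seen' stops circular nesting from looping."""
    seen = set() if seen is None else seen
    users = set()
    for m in group.members:
        if m.scope == "user":
            users.add(f"{m.domain}\\{m.name}")
        elif id(m) not in seen:
            seen.add(id(m))
            users |= effective_users(m, seen)
    return users

def build_sample():
    # Constructed sample data; every name except TimberReader and
    # Domain Admins is a placeholder.
    bob = Principal("bob", "parent.example")
    alice = Principal("alice", "child.example")
    net_ops = Principal("NetOps-Timber", "parent.example", "global")
    dev = Principal("Dev-Timber", "child.example", "global")
    timber = Principal("TimberReader", "child.example", "domain_local")
    admins = Principal("Domain Admins", "child.example", "global")
    for g, m in ((net_ops, bob), (dev, alice), (timber, net_ops), (timber, dev)):
        add_member(g, m)
    return {"timber": timber, "admins": admins, "bob": bob, "alice": alice}
```

Running effective_users() on a delegated group is the audit view of the arrangement: the group owner sees only the nested department groups, while the flattened set shows everyone the department owners have let in.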


