Well, I guess it all depends on your point of view. He used the name Domain Admins. Now somebody like me that is anal about security does things to both protect and obscure. I like to rename the Domain Admins group to something else, and then keep the group named Domain Admins around and give it no rights at all.
That way should somebody break in and try to leave themselves a backdoor they have to know a little more about the system than your average 13 year old from Singapore.

You can nest Local groups in other Local groups, but that isn't terribly useful, but you can do it. You can put both Local and Global groups into Global Groups, and you can put Local, Global, and Universal groups into Universal Groups. But the real rights of your groups come from the "Builtin" OU.

-----Original Message-----
From: Dana [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 9:30 PM
To: CF-Community
Subject: Re: one more time - universal groups

I can see this..... but you can't nest anything in a local group huh. I swear that particular point isn't in the MOAC. Thanks for researching it cause I thought for sure the guy was wrong.

Dana

On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> Well, Nested groups can come in handy in a large organization.
>
> For instance, we have a domain with two forests containing roughly 60k
> user accounts and I don't know how many computers and groups.
>
> Say I maintain a system that is used by various departments and a total
> of 1000 people need to connect to it. Well instead of me having to add
> all those people to my one group. I create a group for each department
> and allow them to manage the people they let in.
>
> So for instance I have a system called Timber, its job is to take in the
> syslogs for around 200 or so servers and routers. Well these logs need
> to be accessed by people in various departments in various OUs in
> various subdomains and forests.
>
> I have a TimberReader group, which contains some users, and some groups.
> Control of the Nested groups is delegated out to the people in charge of
> those departments.
>
> In a small domain, it doesn't do much, but in a large organization it
> can be very handy.
>
> -----Original Message-----
> From: Dana [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 14, 2005 9:11 PM
> To: CF-Community
> Subject: Re: one more time - universal groups
>
> ya, actually. Thank you. So what would you use nested groups for, do you
> know?
>
> Dana
>
> On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > No, I was not able to do it. The Domain Admin group cannot have a member
> > that is not part of the same domain.
> >
> > It also cannot contain a group that could have a member that is not in
> > the same domain.
> >
> > Now you can mimic the functionality by adding the user to the Enterprise
> > Admins Group in the parent domain. Or by adding the user to the
> > Builtin\Administrators group in the child domain.
> >
> > Clear as mud?
> >
> > -----Original Message-----
> > From: Dana [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 14, 2005 8:18 PM
> > To: CF-Community
> > Subject: Re: one more time - universal groups
> >
> > so, bottom line, you were able to add a user from the parent domain to
> > the domain admins group of the child domain? Sorry to be so slow
> > answering this -- I do not always have access to this setup.
> >
> > Dana
> >
> > On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > > OK, so here is what I learned.
> > >
> > > The Domain Admins group is a Global Group, for some reason I thought it was
> > > a Universal Group. A global group is only able to see the local domain, it
> > > is able to see all objects in the local domain, but only the local domain.
> > >
> > > Now, the other thing I was playing with, why does the user have to be a
> > > member of the Domain Admins group? Why not just make them a member of the
> > > Administrators Group?
> > >
> > > The Domain Admins group is just a global group, therefore it cannot see
> > > Universal Groups, nor can it see people outside its domain.
> > >
> > > One thing I tried was to use the command prompt to change the Group Type of
> > > the Domain Admin group to Universal, however that didn't work.
> > >
> > > The next thing I did was I renamed Domain Admins to Domain Admins2, Created
> > > a new group called Domain Admins, set it to Universal, added that group to
> > > the Builtin/Administrators group, then added the user from the parent domain.
> > >
> > > > -----Original Message-----
> > > > From: Dana [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, July 13, 2005 9:30 PM
> > > > To: CF-Community
> > > > Subject: Re: one more time - universal groups
> > > >
> > > > thanks :)
> > > >
> > > > Dana
