I'm lost again. I'll reread this again when I am not also trying to get through a GPO lab. I understand the bit about renaming groups, and it's a good point. The part I am stuck on is if you can nest in a local group... just not a *built-in* local group, is that it?
Dana

On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> Well, I guess it all depends on your point of view.
>
> He used the name Domain Admins. Now somebody like me that is anal about
> security does things to both protect and obscure. I like to rename the
> Domain Admins group to something else, and then keep the group named
> Domain Admins around and give it no rights at all.
>
> That way should somebody break in and try to leave themselves a backdoor
> they have to know a little more about the system than your average 13
> year old from Singapore.
>
> You can nest Local groups in other Local groups, but that isn't terribly
> useful, but you can do it. You can put both Local and Global groups into
> Global Groups, and you can put Local, Global, and Universal groups into
> Universal Groups.
>
> But the real rights of your groups come from "Builtin" OU.
>
> -----Original Message-----
> From: Dana [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 14, 2005 9:30 PM
> To: CF-Community
> Subject: Re: one more time - universal groups
>
> I can see this..... but you can't nest anything in a local group huh.
> I swear that particular point isn't in the MOAC. Thanks for
> researching it cause I thought for sure the guy was wrong.
>
> Dana
>
> On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > Well, Nested groups can come in handy in a large organization.
> >
> > For instance, we have a domain with two forests containing roughly 60k
> > user accounts and I don't know how many computers and groups.
> >
> > Say I maintain a system that is used by various departments and a
> > total of 1000 people need to connect to it. Well instead of me having
> > to add all those people to my one group. I create a group for each
> > department and allow them to manage the people they let in.
> >
> > So for instance I have a system called Timber, its job is to take in
> > the syslogs for around 200 or so servers and routers. Well these logs
> > need to be accessed by people in various departments in various OUs
> > in various subdomains and forests.
> >
> > I have a TimberReader group, which contains some users, and some
> > groups. Control of the Nested groups is delegated out to the people
> > in charge of those departments.
> >
> > In a small domain, it doesn't do much, but in a large organization it
> > can be very handy.
> >
> > -----Original Message-----
> > From: Dana [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 14, 2005 9:11 PM
> > To: CF-Community
> > Subject: Re: one more time - universal groups
> >
> > ya, actually. Thank you. So what would you use nested groups for, do
> > you know?
> >
> > Dana
> >
> > On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > > No, I was not able to do it. The Domain Admin group cannot have a
> > > member that is not part of the same domain.
> > >
> > > It also cannot contain a group that could have a member that is not
> > > in the same domain.
> > >
> > > Now you can mimic the functionality by adding the user to the
> > > Enterprise Admins Group in the parent domain. Or by adding the user
> > > to the Builtin\Administrators group in the child domain.
> > >
> > > Clear as mud?
> > >
> > > -----Original Message-----
> > > From: Dana [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 14, 2005 8:18 PM
> > > To: CF-Community
> > > Subject: Re: one more time - universal groups
> > >
> > > so, bottom line, you were able to add a user from the parent domain
> > > to the domain admins group of the child domain? Sorry to be so slow
> > > answering this -- I do not always have access to this setup.
> > >
> > > Dana
> > >
> > > On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > > > OK, so here is what I learned.
> > > >
> > > > The Domain Admins group is a Global Group, for some reason I
> > > > thought it was a Universal Group. A global group is only able to
> > > > see the local domain, it is able to see all objects in the local
> > > > domain, but only the local domain.
> > > >
> > > > Now, the other thing I was playing with, why does the user have
> > > > to be a member of the Domain Admins group? Why not just make them
> > > > a member of the Administrators Group?
> > > >
> > > > The Domain Admins group is just a global group, therefore it
> > > > cannot see Universal Groups, nor can it see people outside its
> > > > domain.
> > > >
> > > > One thing I tried was to use the command prompt to change the
> > > > Group Type of the Domain Admin group to Universal, however that
> > > > didn't work.
> > > >
> > > > The next thing I did was I renamed Domain Admins to Domain
> > > > Admins2, Created a new group called Domain Admins, set it to
> > > > Universal, added that group to the Builtin/Administrators group,
> > > > then added the user from the parent domain.
> > > >
> > > > > -----Original Message-----
> > > > > From: Dana [mailto:[EMAIL PROTECTED]
> > > > > Sent: Wednesday, July 13, 2005 9:30 PM
> > > > > To: CF-Community
> > > > > Subject: Re: one more time - universal groups
> > > > >
> > > > > thanks :)
> > > > >
> > > > > Dana
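An added example, not part of the thread: a small Python audit sketch for the two points discussed above (a renamed Domain Admins group with a look-alike left behind, and rights reached by nesting into Builtin\Administrators). It finds the group holding the well-known RID 512 whatever it is called and expands nested membership; the directory data, domain SID, RIDs above 1000 and account names are all constructed for illustration.

```python
# Constructed sample directory (not from the thread); members are group SIDs or account names.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of Builtin\Administrators
DOMAIN_ADMINS_RID = "512"                # well-known RID of the original Domain Admins

GROUPS = {
    BUILTIN_ADMINISTRATORS: {"name": "Administrators",
                             "members": [DOMAIN_SID + "-512", DOMAIN_SID + "-1601"]},
    DOMAIN_SID + "-512": {"name": "Domain Admins2", "members": ["alice"]},
    DOMAIN_SID + "-1601": {"name": "Domain Admins",
                           "members": ["parent\\bob", DOMAIN_SID + "-1602"]},
    DOMAIN_SID + "-1602": {"name": "HelpdeskLeads",
                           "members": ["carol", DOMAIN_SID + "-1601"]},  # nesting loop
}

def rid_of(sid):
    """Last sub-authority of a SID string."""
    return sid.rsplit("-", 1)[-1]

def find_by_rid(groups, rid):
    """(sid, name) of the domain group with this RID, regardless of its current name."""
    for sid, group in groups.items():
        if sid.startswith("S-1-5-21-") and rid_of(sid) == rid:
            return sid, group["name"]
    return None

def lookalikes(groups, name, rid):
    """SIDs of groups that carry a well-known name but not the matching RID."""
    return sorted(sid for sid, g in groups.items()
                  if g["name"].lower() == name.lower() and rid_of(sid) != rid)

def effective_members(groups, root_sid):
    """Expand nested groups; maps each account to the chain of group names granting it."""
    found, seen, stack = {}, set(), [(root_sid, [])]
    while stack:
        sid, path = stack.pop()
        if sid in seen:
            continue  # already expanded, or a nesting loop
        seen.add(sid)
        path = path + [groups[sid]["name"]]
        for member in groups[sid]["members"]:
            if member in groups:
                stack.append((member, path))
            else:
                found.setdefault(member, path)
    return found

if __name__ == "__main__":
    print("RID 512 is currently named:", find_by_rid(GROUPS, DOMAIN_ADMINS_RID)[1])
    print("Look-alike groups:", lookalikes(GROUPS, "Domain Admins", DOMAIN_ADMINS_RID))
    for account, chain in sorted(effective_members(GROUPS, BUILTIN_ADMINISTRATORS).items()):
        print(account, "via", " > ".join(chain))
```

An audit keyed on the group name alone would report the look-alike; keying on the SID and walking the nesting shows which accounts actually reach Builtin\Administrators and through which group.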
