ummmmmm ok so why couldn't you make that user a domain admin again?
Sorry if I seem stupid but it just is not sinking in.

Dana

On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> You can nest in any group so long as it is an equal or lesser scope.
> 
> Builtin Local is an exception, you can nest any level into a Builtin
> Local group.
> 
> -----Original Message-----
> From: Dana [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 14, 2005 9:43 PM
> To: CF-Community
> Subject: Re: one more time - universal groups
> 
> I'm lost again. I'll reread this again when I am not also trying to
> get through a gpo lab. I understand the bit about renaming groups, and
> it's a good point.  The part I am stuck on is if you can nest in a
> local group... just not a *built-in* local group, is that it?
> 
> Dana
> 
> On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > Well, I guess it all depends on your point of view.
> >
> > He used the name Domain Admins. Now somebody like me that is anal about
> > security does things to both protect and obscure. I like to rename the
> > Domain Admins group to something else, and then keep the group named
> > Domain Admins around and give it no rights at all.
> >
> > That way should somebody break in and try to leave themselves a backdoor
> > they have to know a little more about the system than your average 13
> > year old from Singapore.
> >
> > You can nest Local groups in other Local groups, but that isn't terribly
> > useful, but you can do it. You can put both Local and Global groups into
> > Global Groups, and you can put Local, Global, and Universal groups into
> > Universal Groups.
> >
> > But the real rights of your groups come from "Builtin" OU.
> >
> > -----Original Message-----
> > From: Dana [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 14, 2005 9:30 PM
> > To: CF-Community
> > Subject: Re: one more time - universal groups
> >
> > I can see this..... but you can't nest anything in a local group huh.
> > I swear that particular point isn't in the MOAC. Thanks for
> > researching it cause I thought for sure the guy was wrong.
> >
> > Dana
> >
> >
> > On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > > Well, Nested groups can come in handy in a large organization.
> > >
> > > For instance, we have a domain with two forests containing roughly 60k
> > > user accounts and I don't know how many computers and groups.
> > >
> > > Say I maintain a system that is used by various departments and a total
> > > of 1000 people need to connect to it. Well, instead of me having to add
> > > all those people to my one group, I create a group for each department
> > > and allow them to manage the people they let in.
> > >
> > > So for instance I have a system called Timber, its job is to take in the
> > > syslogs for around 200 or so servers and routers. Well these logs need
> > > to be accessed by people in various departments in various OUs in
> > > various subdomains and forests.
> > >
> > > I have a TimberReader group, which contains some users, and some groups.
> > > Control of the Nested groups is delegated out to the people in charge of
> > > those departments.
> > >
> > > In a small domain, it doesn't do much, but in a large organization it
> > > can be very handy.
> > >
> > > -----Original Message-----
> > > From: Dana [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 14, 2005 9:11 PM
> > > To: CF-Community
> > > Subject: Re: one more time - universal groups
> > >
> > > ya, actually. Thank you. So what would you use nested groups for, do you
> > > know?
> > >
> > > Dana
> > >
> > > On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > > > No, I was not able to do it. The Domain Admin group cannot have a member
> > > > that is not part of the same domain.
> > > >
> > > > It also cannot contain a group that could have a member that is not in
> > > > the same domain.
> > > >
> > > > Now you can mimic the functionality by adding the user to the Enterprise
> > > > Admins Group in the parent domain. Or by adding the user to the
> > > > Builtin\Administrators group in the child domain.
> > > >
> > > > Clear as mud?
> > > >
> > > > -----Original Message-----
> > > > From: Dana [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, July 14, 2005 8:18 PM
> > > > To: CF-Community
> > > > Subject: Re: one more time - universal groups
> > > >
> > > > so, bottom line, you were able to add a user from the parent domain to
> > > > the domain admins group of the child domain? Sorry to be so slow
> > > > answering this -- I do not always have access to this setup.
> > > >
> > > > Dana
> > > >
> > > > On 7/14/05, Nick McClure <[EMAIL PROTECTED]> wrote:
> > > > > OK, so here is what I learned.
> > > > >
> > > > > The Domain Admins group is a Global Group, for some reason I thought it was
> > > > > a Universal Group. A global group is only able to see the local domain, it
> > > > > is able to see all objects in the local domain, but only the local domain.
> > > > >
> > > > > Now, the other thing I was playing with, why does the user have to be a
> > > > > member of the Domain Admins group? Why not just make them a member of the
> > > > > Administrators Group?
> > > > >
> > > > > The Domain Admins group is just a global group, therefore it cannot see
> > > > > Universal Groups, nor can it see people outside its domain.
> > > > >
> > > > > One thing I tried was to use the command prompt to change the Group Type of
> > > > > the Domain Admin group to Universal, however that didn't work.
> > > > >
> > > > > The next thing I did was I renamed Domain Admins to Domain Admins2, Created
> > > > > a new group called Domain Admins, set it to Universal, added that group to
> > > > > the Builtin/Administrators group, then added the user from the parent domain.
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Dana [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Wednesday, July 13, 2005 9:30 PM
> > > > > > To: CF-Community
> > > > > > Subject: Re: one more time - universal groups
> > > > > >
> > > > > > thanks :)
> > > > > >
> > > > > > Dana
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> 
> 
> 
> 
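Added example, not part of the thread and not written by its participants: a small audit over a constructed directory that models the layout discussed above (a renamed global group and a re-created universal group, both nested in the child domain's Builtin Administrators). It checks the same-domain rule for global groups stated in the thread and expands nested membership to show which accounts end up with administrator rights and through which chain. All domain, group and user names are hypothetical.

```python
# Constructed sample data modelling the layout described in the thread; all
# names (CHILD, PARENT, alice, bob, carol, Ops) are hypothetical.
GROUPS = {
    r"CHILD\Administrators": {"scope": "builtin_local",
                              "members": [r"CHILD\Domain Admins2", r"CHILD\Domain Admins"]},
    r"CHILD\Domain Admins2": {"scope": "global",       # the renamed original group
                              "members": [r"CHILD\alice", r"CHILD\Ops"]},
    r"CHILD\Ops":            {"scope": "global",       # nests back into its parent
                              "members": [r"CHILD\carol", r"CHILD\Domain Admins2"]},
    r"CHILD\Domain Admins":  {"scope": "universal",    # the re-created group
                              "members": [r"PARENT\bob"]},
}


def domain_of(principal):
    """Return the DOMAIN part of a DOMAIN\\name principal."""
    return principal.split("\\", 1)[0]


def global_scope_violations(groups):
    """Members a global group cannot hold: other-domain principals or non-global groups."""
    bad = []
    for name, group in groups.items():
        if group["scope"] != "global":
            continue
        for member in group["members"]:
            nested = groups.get(member)
            if domain_of(member) != domain_of(name) or (nested and nested["scope"] != "global"):
                bad.append((name, member))
    return bad


def effective_members(group, groups, path=(), seen=None):
    """Map each user reachable through nesting to the chain of groups that grants it."""
    seen = set() if seen is None else seen
    if group in seen:            # circular nesting: stop instead of recursing forever
        return {}
    seen.add(group)
    found = {}
    for member in groups[group]["members"]:
        if member in groups:     # nested group: expand it
            nested = effective_members(member, groups, path + (group,), seen)
            for user, chain in nested.items():
                found.setdefault(user, chain)
        else:                    # leaf account
            found.setdefault(member, path + (group,))
    return found


def foreign_members(group, groups):
    """Effective members whose account lives in a different domain than the group."""
    return sorted(u for u in effective_members(group, groups) if domain_of(u) != domain_of(group))
```

Reviewing the chain for each effective member, rather than only the direct members of the administrators group, is what surfaces accounts that arrive through delegated nested groups.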
