You should create a domain local group to govern access to the share (or multiple DL groups if you want to regulate Read only access, Read/Write access etc).
Then you should put your users into Global groups (e.g. based on functionality/role/business group/project/whatever). You then add the Global groups to your DL groups: Users -> Global functional groups -> Domain Local resource groups -> Resource ACL I think I posted a link to Microsoft's various authorization strategies (Active Directory Group design) a few months ago. It's a link to the stuff on TechNet. Cheers Ken From: David Lum [mailto:[EMAIL PROTECTED] Sent: Wednesday, 30 April 2008 6:01 AM To: NT System Admin Issues Subject: AD groups Domain local, global, universal Scenario: Two domains, domain.local and a child domain called subdomain. All users in the company are in subdomain.domain.local, Exchange servers are in subdomain as well. Effectively *everything* is in subdomain I have a share \\ServerA.subdomain.domain.local\share<file:///\\ServerA.subdomain.domain.local\share> and I want to create a security group to access this share. I'll name it _Servername\Share. A quick Goggle-fu refresher makes me think in my case the security groups should be domain local and distribution lists should be global. I have a separate forest (otherdomain.local) that sometimes subdomain.domain accounts hit, but I don't think it has any bearing on this decision. Comments? Dave Lum - Systems Engineer [EMAIL PROTECTED] - (971)-222-1025 "When you step on the brakes your life is in your foot's hands" ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
