Q: Global Groups in Active Directory ( No Answer,   2 Comments )
Question  
Subject: Global Groups in Active Directory
Category: Computers > Security
Asked by: dremcg21-ga
List Price: $10.00
Posted: 16 Sep 2004 11:16 PDT
Expires: 29 Oct 2004 18:21 PDT
Question ID: 402122
The question is: there are two user domains, A and B, connecting to a
domain controller DC and there is a SQL server which I would like to
allow users in domainB to have global access. Right now, domainA users
have a global group to connect to this server. I know that I could
make another global group for domainB users to connect to this server,
but I need to understand the optimal way to set up the AD for this
particular resource (because it is optimal now to make another global
group, but what if I have domains AA to ZZ?)

Clarification of Question by dremcg21-ga on 19 Sep 2004 19:12 PDT
The domains are in the same forest and it is mixed-mode.
Answer  
There is no answer at this time.

Comments  
Subject: Re: Global Groups in Active Directory
From: jasonbellz-ga on 17 Sep 2004 07:13 PDT
 
Are both domains in the same Active Directory forest? Separate
Forests? NT4 and AD domain? You have trusts?

Subject: Re: Global Groups in Active Directory
From: jmulvey-ga on 24 Sep 2004 13:31 PDT
 
The appropriate way to accomplish this is as follows:

1. In domain A, create a Global Group and add the users from domain A
that require access to the SQL server.
2. In domain B, create a Global Group and add the users from domain B
that require access to the SQL server.
3. In the domain that the SQL server is a member of, create a Domain
Local Group. Make the Global Groups from domains A & B members of this
new Domain Local Group.
4. Assign permissions to the SQL server to the Domain Local Group.
5. When new domains appear in your forest, simply create a Global
Group in them representing the users in that domain that require
access, and add this new Global Group to the Domain Local Group in the
domain where the SQL server lives.

This approach is in conformance with Microsoft's "UGLR" approach to
cross-domain group membership (UGLR refers to the fact that "Users"
are assigned to "Global Groups" which are added to "Local Groups"
which are given privileges to the "Resources"). There's some good
additional background on this approach at the following link:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/adusers.mspx

(search the page for the bullet "Medium to large organizations")

As an aside, if/when you go to Active Directory Native Mode, this will
be a lot easier because you will only need to have a single Universal
Group to contain users throughout the forest.
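
The nesting procedure from the comment above, as an added PowerShell example that is not part of the original thread. It uses the ActiveDirectory module cmdlets; the domain names and group names are hypothetical placeholders, and step 4 (granting the Domain Local Group access on the SQL server) is done on the SQL Server side and is not scripted here.

```powershell
# Added example: domain and group names below are hypothetical placeholders.
Import-Module ActiveDirectory

$ResourceDomain = 'res.corp.example'                   # domain the SQL server is a member of
$AccountDomains = 'a.corp.example', 'b.corp.example'   # append new domains here (step 5)
$GlobalName     = 'GG-SQL-Users'                       # one Global Group per account domain
$LocalName      = 'DL-SQL-Access'                      # single Domain Local Group

# Return the named group from the given domain, creating it if it is missing,
# so the script can be re-run safely each time a domain is added.
function Get-OrCreateGroup {
    param([string]$Name, [string]$Scope, [string]$Domain)
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Domain
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                     -GroupCategory Security -Server $Domain -PassThru
    }
    return $group
}

# Step 3: the Domain Local Group lives in the resource domain.
$dl      = Get-OrCreateGroup -Name $LocalName -Scope DomainLocal -Domain $ResourceDomain
$current = @(Get-ADGroupMember -Identity $dl -Server $ResourceDomain)

foreach ($domain in $AccountDomains) {
    # Steps 1, 2 and 5: one Global Group per account domain, holding that domain's users.
    $gg = Get-OrCreateGroup -Name $GlobalName -Scope Global -Domain $domain

    # Nest the Global Group into the Domain Local Group unless it is already a member.
    if ($current.SID.Value -notcontains $gg.SID.Value) {
        Add-ADGroupMember -Identity $dl -Members $gg -Server $ResourceDomain
    }
}

# Audit: the Domain Local Group should contain groups only. A user added directly
# gets access without appearing in any per-domain Global Group.
Get-ADGroupMember -Identity $dl -Server $ResourceDomain |
    Where-Object { $_.objectClass -ne 'group' } |
    ForEach-Object { Write-Warning "Direct member bypasses the nesting model: $($_.distinguishedName)" }
```

Re-running the script after adding a domain to `$AccountDomains` only creates and nests the missing Global Group; the permission granted to the Domain Local Group on the SQL server never changes.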
