List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read only therefore to contribute you will need to join our list community. See more info about this here.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

List Archives

Unanswered Active Topics

Forums Search

Forums >ActiveDir Mail List Archive >List Archives

Subject: [ActiveDir] REPOST DFS Permissions

Prev Next

You are not authorized to post a reply.

Author

Messages

jasalandra@xxxx.yyy

09/14/2005 5:11 AM
Since I did not get any responses, I thought I might repost this message If I am using a DFS share that has copies of that share between child domains am I not able to use Domain Local Groups in conjunction with Global and Universal groups to grant permissions? I noticed that I cannot choose Domain Local groups from the list. Here is what I am trying to do DFSshare Servers participating in share are: serverA.parent ServerB.child1.parent ServerC.child2.parent ServerD.child3.parent Users in Parent, Child1, Child2 and Child3 all need to be able to access and potentially edit files. How would you recommend that I setup the permissions? I was thinking Parent DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent DFS Share Workgroup Universal - Granted rights to files and folders Child 1 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent Child 2 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent Child 3 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent I could use this same methodology to grant permissions to different kinds of users and folders as needed. What do you think Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell jasalandra@xxxxxxxxxxx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

GuidoG

Posts:114

09/15/2005 8:45 AM
I see you've still not received a reply... yep - the described solution should work fine. I assume you want to use nested groups to grant admins from different domains to add users from their domain. Otherwise you could also use a single UG to reach your goal and manage this group centrally. The reason you can't use DLGs is quite simple: their scope is _local_ to the domain they're hosted in. While you can actually use them to grant rights to the FS (and they'll also be replicated), they are not valid on any of the DFS link-targets outside of the originating domain. Compare this with permissions on AD objects in a multi-domain forest using local groups => they also don't work on GCs in other domains... (there was a recent discussion about this on this list) /Guido -----Original Message----- From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Salandra, Justin A. Sent: Mittwoch, 14. September 2005 19:01 To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: [ActiveDir] REPOST DFS Permissions Since I did not get any responses, I thought I might repost this message If I am using a DFS share that has copies of that share between child domains am I not able to use Domain Local Groups in conjunction with Global and Universal groups to grant permissions? I noticed that I cannot choose Domain Local groups from the list. Here is what I am trying to do DFSshare Servers participating in share are: serverA.parent ServerB.child1.parent ServerC.child2.parent ServerD.child3.parent Users in Parent, Child1, Child2 and Child3 all need to be able to access and potentially edit files. How would you recommend that I setup the permissions? I was thinking Parent DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent DFS Share Workgroup Universal - Granted rights to files and folders Child 1 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent Child 2 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent Child 3 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent I could use this same methodology to grant permissions to different kinds of users and folders as needed. What do you think Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell jasalandra@xxxxxxxxxxx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

jasalandra@xxxx.yyy

09/16/2005 2:55 AM
Thanks -----Original Message----- From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Grillenmeier, Guido Sent: Thursday, September 15, 2005 4:15 PM To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: RE: [ActiveDir] REPOST DFS Permissions I see you've still not received a reply... yep - the described solution should work fine. I assume you want to use nested groups to grant admins from different domains to add users from their domain. Otherwise you could also use a single UG to reach your goal and manage this group centrally. The reason you can't use DLGs is quite simple: their scope is _local_ to the domain they're hosted in. While you can actually use them to grant rights to the FS (and they'll also be replicated), they are not valid on any of the DFS link-targets outside of the originating domain. Compare this with permissions on AD objects in a multi-domain forest using local groups => they also don't work on GCs in other domains... (there was a recent discussion about this on this list) /Guido -----Original Message----- From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Salandra, Justin A. Sent: Mittwoch, 14. September 2005 19:01 To: ActiveDir@xxxxxxxxxxxxxxxxxx Subject: [ActiveDir] REPOST DFS Permissions Since I did not get any responses, I thought I might repost this message If I am using a DFS share that has copies of that share between child domains am I not able to use Domain Local Groups in conjunction with Global and Universal groups to grant permissions? I noticed that I cannot choose Domain Local groups from the list. Here is what I am trying to do DFSshare Servers participating in share are: serverA.parent ServerB.child1.parent ServerC.child2.parent ServerD.child3.parent Users in Parent, Child1, Child2 and Child3 all need to be able to access and potentially edit files. How would you recommend that I setup the permissions? I was thinking Parent DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent DFS Share Workgroup Universal - Granted rights to files and folders Child 1 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent Child 2 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent Child 3 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent I could use this same methodology to grant permissions to different kinds of users and folders as needed. What do you think Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell jasalandra@xxxxxxxxxxx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

You are not authorized to post a reply.

Forums >ActiveDir Mail List Archive >List Archives > [ActiveDir] REPOST DFS Permissions

ActiveForums 3.7

Syndicate

Friends

List Archives

List Archives

Friends

Members

Articles

Related Links

Ads