From LedHed's Wiki
Latest revision as of 22:51, 31 January 2017
Active Directory supports 4 types of groups:
- BuiltIn
- Domain Local
- Global
- Universal
By default most groups are created as Global Groups.
Granting Group Permissions To Trusted Domains/Forests
Universal Groups: Exist across all Domains that Trust each other.
Global Groups: Good for containing Users and Groups (and that's about it)
Domain Local Groups: Good for Delegating Control.
Example
Goal: Delegate control of password resets, across all trusted domains within one forest.
- Create a Domain Local group named 'PasswordReset', in each domain.
- Create a Global Group named 'HelpDesk', in each domain.
- Create a Universal Group named 'Enterprise Password Reset', on only one domain.
- Make the users you want to be able to reset passwords members of the 'HelpDesk' Global group, in each domain.
- Make 'HelpDesk' on each domain a MemberOf the 'Enterprise Password Reset' Universal group.
- Make the 'Enterprise Password Reset' Universal Group a MemberOf the 'PasswordReset' Domain Local group, on each domain.
Domain A
  (DL) PasswordReset
  (GG) HelpDesk (MemberOf: Domain A\Enterprise Password Reset)
  (UG) Enterprise Password Reset (MemberOf: Domain A\PasswordReset)

Domain B
  (DL) PasswordReset
  (GG) HelpDesk (MemberOf: Domain A\Enterprise Password Reset)

Domain C
  (DL) PasswordReset
  (GG) HelpDesk (MemberOf: Domain A\Enterprise Password Reset)

This would allow members of the HelpDesk group in any domain to reset passwords in all of the trusted domains (A, B, C), once each domain's 'PasswordReset' Domain Local group has been delegated the reset-password right on the OUs that hold the user accounts.
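The six steps above, carried out with the ActiveDirectory PowerShell module. This is an added example, not a script from LedHed's Wiki: the domain names, domain controller names and OU paths are assumptions and must be replaced, and the script assumes an account that may create groups in every domain. It creates the groups with the scopes the example calls for, nests them in the direction the MemberOf table permits (Global into Universal, Universal into Domain Local), and reads back each domain's Domain Local group so the nesting can be confirmed. Delegating the actual reset-password right to 'PasswordReset' in each domain is a separate step that the page does not describe and the script does not perform.

```powershell
# Added example: builds the cross-domain password-reset nesting described above.
# Domain names, DC names and OU paths below are assumptions; replace them for your forest.
Import-Module ActiveDirectory

# Assumed forest: three domains that trust each other; the Universal group lives in Domain A.
$Domains = @(
    @{ Name = 'a.example.corp'; Server = 'dc1.a.example.corp'; GroupOU = 'OU=Groups,DC=a,DC=example,DC=corp' }
    @{ Name = 'b.example.corp'; Server = 'dc1.b.example.corp'; GroupOU = 'OU=Groups,DC=b,DC=example,DC=corp' }
    @{ Name = 'c.example.corp'; Server = 'dc1.c.example.corp'; GroupOU = 'OU=Groups,DC=c,DC=example,DC=corp' }
)
$UniversalHome = $Domains[0]

# Steps 1 and 2: a Domain Local group and a Global group in every domain.
foreach ($d in $Domains) {
    New-ADGroup -Name 'PasswordReset' -SamAccountName 'PasswordReset' -GroupScope DomainLocal `
        -GroupCategory Security -Path $d.GroupOU -Server $d.Server
    New-ADGroup -Name 'HelpDesk' -SamAccountName 'HelpDesk' -GroupScope Global `
        -GroupCategory Security -Path $d.GroupOU -Server $d.Server
}

# Step 3: one Universal group, created in Domain A only.
New-ADGroup -Name 'Enterprise Password Reset' -SamAccountName 'EnterprisePasswordReset' `
    -GroupScope Universal -GroupCategory Security -Path $UniversalHome.GroupOU -Server $UniversalHome.Server
$universal = Get-ADGroup -Identity 'EnterprisePasswordReset' -Server $UniversalHome.Server

foreach ($d in $Domains) {
    # Step 5: each domain's Global 'HelpDesk' becomes a member of the Universal group.
    # The member object is fetched from its own domain so the cross-domain reference resolves.
    $helpDesk = Get-ADGroup -Identity 'HelpDesk' -Server $d.Server
    Add-ADGroupMember -Identity $universal -Members $helpDesk -Server $UniversalHome.Server

    # Step 6: the Universal group becomes a member of each domain's Domain Local group.
    Add-ADGroupMember -Identity 'PasswordReset' -Members $universal -Server $d.Server
}

# Step 4 is done per person, in that person's own domain (assumed account name 'jdoe'):
# Add-ADGroupMember -Identity 'HelpDesk' -Members 'jdoe' -Server 'dc1.b.example.corp'

# Check: every domain's Domain Local group should now list the one Universal group as a member.
foreach ($d in $Domains) {
    $members = (Get-ADGroup -Identity 'PasswordReset' -Server $d.Server -Properties member).member
    [pscustomobject]@{ Domain = $d.Name; PasswordResetMembers = ($members -join '; ') }
}
```

Because users are only ever placed in their own domain's Global group, adding or removing help-desk staff never requires touching the Universal group, which keeps the Universal group's membership (and therefore Global Catalog replication) stable.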
Group Scope
Source Group Type | Relationship | Target Group Type | Local Domain | Trusted Domain
---|---|---|---|---
Domain Local | Members | Domain Local | Yes | No
Domain Local | Members | Global | Yes | Yes
Domain Local | Members | Universal | Yes | Yes
Global | Members | Domain Local | No | No
Global | Members | Global | Yes | No
Global | Members | Universal | No | No
Universal | Members | Domain Local | No | No
Universal | Members | Global | Yes | No
Universal | Members | Universal | Yes | No

Source Group Type | Relationship | Target Group Type | Local Domain | Trusted Domain
---|---|---|---|---
Domain Local | MemberOf | Domain Local | Yes | No
Domain Local | MemberOf | Global | No | No
Domain Local | MemberOf | Universal | No | No
Global | MemberOf | Domain Local | Yes | Yes
Global | MemberOf | Global | Yes | No
Global | MemberOf | Universal | Yes | No
Universal | MemberOf | Domain Local | Yes | Yes
Universal | MemberOf | Global | No | No
Universal | MemberOf | Universal | Yes | No