NT4 Local Groups and Global Groups
Discussion
Bit of a head scratcher, this one.
Got two domains, an accounts domain and a resource domain. There are appropriate trust relationships between the two.
I've also got a member server in the resource domain, upon which security needs setting on some shares. On this server at the share level, security is set as the default - Everyone Full Control. Security is set at the folder level, and for this I want to use the default of Resource Local groups, with the Account domain global groups contained within it. All well and good so far?
However, there's a slight problem. If the Account global is in a Resource local on the member server folder, the users I'm testing with get Access Denied. If however, I take the Global out of the Local and apply that directly at the folder, it works a treat.
Any ideas, folks? It's a bit of a head-scratcher.....
Methinks it might be a known problem....
Thanks,
Greg
MickC said:
GregE240 said:
Anyone?
How many BDCs in the resource domain? The only reason I can think of is that the LGs on the resource domain are not replicating properly.
BTW, better get that NT4 upgraded ASAP because it's end of life 01/01/2005.
>> Edited by MickC on Friday 16th July 22:39
Mick,
4 BDCs in resource domain and a PDC of course.
I'm well aware that NT4 goes EOL Jan 2005, so is the customer. This is stage 1, a massive NT4 domain consolidation, next stage is Win2k03
GregE240 said:
Mick,
4 BDCs in resource domain and a PDC of course.
OK so check secure channel between the member server and resource DC with NLTEST, then assuming it's not going direct to the res PDC check the replication status of the res BDC and fix if broken.
If using the global directly in permissions works, then the secure channel between res BDC and acc BDC is OK.
Might be other reasons for the problem, but I can't think of any. How big is the SAM (both res and acc)?
MickC said:
OK so check secure channel between the member server and resource DC with NLTEST...
Certainly applying the global group from the accounts domain works. It's applying the resource locals onto the file permissions that is failing currently.
If it was going to the PDC then it shouldn't have any problems as the resource domain PDC is on the same subnet? This is what I can't work out....
Thanks for your wisdom on this so far Mick...much appreciated.
Greg
**UPDATE** I've fixed it.
The member server's user rights policy entry "Access the computer from the network" was set to the (default?) Administrators, Power Users and Everyone. I removed Everyone and replaced it with "Users", of which the global group "Domain Users" is a member.
I've only done a small amount of testing but it looks like it's working now....
Thanks to all who replied and offered ideas and help.
Cheers,
Greg
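Added example (editor's, not code from the thread): the same change Greg describes, carried out with the NT4 Resource Kit NTRIGHTS tool and the built-in NET command, run locally on the member server. Group, domain and path names are placeholders. The `net localgroup ... /add` line is an extra step not in Greg's post: on a member server the local Users group holds its own domain's Domain Users by default, so a trusted accounts domain's Domain Users has to be put in explicitly if Users is to cover those accounts.

```batch
@echo off
rem Added example, not from the original post. Run on the NT4 member server.
rem ACCTDOM and D:\Shares\Projects are placeholders; substitute your own.
set ACCTDOM=ACCTDOM

rem 1. See what the local Users group currently contains ...
net localgroup Users
rem    ... and add the accounts domain's Domain Users so that granting
rem    the logon right to Users actually reaches the trusted-domain accounts.
net localgroup Users "%ACCTDOM%\Domain Users" /add

rem 2. Replace Everyone with Users on "Access this computer from the network"
rem    (SeNetworkLogonRight). -r removes the right, +r grants it.
ntrights -r SeNetworkLogonRight -u Everyone
ntrights +r SeNetworkLogonRight -u Users

rem 3. Sanity check: share-level and NTFS permissions on the folder in question
net share
cacls D:\Shares\Projects
```

Make the NTRIGHTS change from a console session on the server itself: if the -r line is run before the +r line over a network session whose account is covered only by Everyone, the session loses the right it is using.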
GregE240 said:
**UPDATE** I've fixed it.
That sounds really odd - Everyone includes users from other domains, but Users does not have to contain users from other trusted domains....
Change it back and see if it breaks again...
[boringfartmode] BTW just because the PDC is on the same subnet the secure channel from the member does not necessarily go there. If the sec channel is lost (eg PDC rebooted) the member will make a sec channel to any other BDC it finds and will not change it back to a local one unless it loses it (BDC rebooted or reset with nltest /sc_reset etc). This is a common one on rigs and small sites with lots of server reboots (due to powerdowns etc) since you have to ensure your on-site aBDC is brought up before the rBDC before the members. Otherwise authentication goes offsite anyway and your local BDCs are a waste of time. Scheduled nltest /sc_resets also help. W2K's 'site' concept is much better than NT4 in this respect thank god. [/boringfartmode]
I suppose if it's working that's all that matters - until next time....
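Added example (editor's, not code from the thread) covering the NLTEST checks MickC suggests earlier and the scheduled secure-channel reset he mentions in the post above. Domain and DC names are placeholders. The switches used (/sc_query, /dclist, /bdc_query, /sc_reset) are the ones documented for the Resource Kit NLTEST; the DOMAIN\DCNAME form of /sc_reset is assumed to be accepted by the NT4 build, so check `nltest /?` on your own copy first.

```batch
@echo off
rem Added example, not from the original thread. Run on the NT4 member server
rem (the /bdc_query line is meant to be run on the resource PDC instead).
rem RESDOM and RESPDC are placeholders; substitute your own names.
set RESDOM=RESDOM
set RESPDC=RESPDC

rem Which DC is this member's secure channel bound to right now, and is it healthy?
nltest /sc_query:%RESDOM%

rem List the DCs of the resource domain, so you can tell whether the bound DC
rem is the local one or an offsite BDC picked up after a reboot.
nltest /dclist:%RESDOM%

rem On the resource PDC: replication state of each BDC. A BDC that is behind
rem will not have the current local group membership.
nltest /bdc_query:%RESDOM%

rem Force the secure channel back to the on-site PDC (or a named BDC) ...
nltest /sc_reset:%RESDOM%\%RESPDC%
rem ... and confirm the bound DC has actually changed.
nltest /sc_query:%RESDOM%

rem Optional: reset nightly so a failover caused by a reboot does not stick.
rem Needs the Schedule service running on the member server.
at 04:00 /every:M,T,W,Th,F,S,Su "nltest /sc_reset:%RESDOM%\%RESPDC%"
```

If /sc_query reports the channel bound to a DC other than the one you expected, that is the symptom described above: the member has failed over and will stay there until it is reset or the remote BDC goes away.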
One for Monday morning, I thought...!