ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: Which Active Directory Group Types to use to grant access to a network share?


Newbie

Posts: 3
Date: Jan 17, 2013
Which Active Directory Group Types to use to grant access to a network share?


Hello Forum,

I need some help determining which Active Directory group type to use to grant access to a network share, so that users from my domain (a root domain), from a child domain (we only have one child domain) and from a trusted forest can access this network share.

I know there are 4 types of Active Directory security groups I could potentially use - Built-in Groups, Domain Local Groups, Global Groups and Universal Groups - but I don't know which type to specify in the ACL of the network share, or how to use these groups to provision access for all the users in all the domains.

To summarize, here is my situation -

I have a network share I need to grant access to, in my domain

  • About 50 users from my domain need access to this share
  • About 150 users from a child domain need access to this share
  • About 20 users from a trusted forest need access to this share

How do I use the various group types to provision this access?

I would appreciate any guidance you can provide.

Sara



__________________
Ray


Member

Posts: 17
Date: May 30, 2013
Which Active Directory Group Types to use to grant access to a network share?


Hello Sara,

This is an issue many of us struggle with. I have been doing this for many years now, and based on my experience, I believe the following should work for you -

Step-by-step instructions:

1. Create a new Domain Local Group, or use an existing Domain Local Group, to provision access to this network share folder.

2a. Create a new Global Group (or use an existing Global Group) and put all users from this domain who should have access to this folder in it.

2b. Make this Global Group a member of the Domain Local Group specified in Step 1.

3a. In the child domain, create a new Global Group (or use an existing Global Group) and put all users from that domain who should have access to this folder in it.

3b. Make the Global Group created in Step 3a above a member of the Domain Local Group specified in Step 1.

4a. Create a new Universal Group (or use an existing Universal Group) in the trusted forest and put all users from that forest who should have access to this folder in it.

4b. Make the Universal Group created in Step 4a above a member of the Domain Local Group specified in Step 1.

5. Use the Domain Local Group specified in Step 1 above to provision access to the network share.

 

Basis:

Steps 1 and 5 - A DLG can contain users from virtually anywhere and be used to provision access to resources in the domain to which it belongs.

Steps 2a and 2b - This helps you neatly collect and provision access for all users from the same domain to this network resource.

Steps 3a and 3b - This helps you neatly collect and provision access for all users from the child domain to this network resource.

Steps 4a and 4b - This helps you neatly collect and provision access for all users from the trusted forest to this network resource.

 

Once you are done, the requisite access needed should be in place.

 

Verification:

If you need to check/verify whether or not a specific user from your domain or the child domain has sufficient access to that network share, you can use a token viewer to view the member-server-specific contents of the user's access token. In case you don't know how to do this, you can use this tool to do so.

I hope this helps you. Good luck!

Ray



__________________
One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.
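The nesting Ray describes (Global Groups per domain, a Universal Group from the trusted forest, all collected in one Domain Local Group that alone appears in the ACL), scripted with the ActiveDirectory and SmbShare PowerShell modules. This is an added example, not code from the thread; the domain names, DC hostnames, OU paths, group names and share path are assumed placeholders, and it assumes a forest trust to the partner forest already exists.

```powershell
# Added example, not from the forum thread. All names below are assumed placeholders.
Import-Module ActiveDirectory

$RootDC    = 'dc01.corp.example'        # assumed: DC in the root (resource) domain
$ChildDC   = 'dc01.child.corp.example'  # assumed: DC in the child domain
$TrustDC   = 'dc01.partner.example'     # assumed: DC in the trusted forest
$SharePath = 'D:\Shares\Projects'       # assumed: folder backing the share
$ShareName = 'Projects'

# Step 1: the Domain Local Group that will be the only principal in the share's ACL.
$dlg = New-ADGroup -Name 'Share-Projects-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Server $RootDC -Path 'OU=Resource Groups,DC=corp,DC=example' -PassThru

# Steps 2a/2b: Global Group holding the root-domain users, nested into the DLG.
$rootGG = New-ADGroup -Name 'Role-Projects-Users' -GroupScope Global -GroupCategory Security `
    -Server $RootDC -Path 'OU=Role Groups,DC=corp,DC=example' -PassThru
Add-ADGroupMember -Identity $dlg -Members $rootGG -Server $RootDC

# Steps 3a/3b: a Global Group can only hold accounts from its own domain, so the
# child-domain group is created on the child DC and then nested into the root DLG.
$childGG = New-ADGroup -Name 'Role-Projects-Users' -GroupScope Global -GroupCategory Security `
    -Server $ChildDC -Path 'OU=Role Groups,DC=child,DC=corp,DC=example' -PassThru
Add-ADGroupMember -Identity $dlg -Members $childGG -Server $RootDC

# Steps 4a/4b: the Universal Group already exists in the trusted forest (assumption);
# it is read from that forest's DC and the root DC records it as a foreign security principal.
$trustUG = Get-ADGroup -Identity 'Role-Projects-Users' -Server $TrustDC
Add-ADGroupMember -Identity $dlg -Members $trustUG -Server $RootDC

# Step 5: grant the DLG (and nothing else) on the folder and on the SMB share.
# Modify rather than Full Control keeps users from rewriting the ACL themselves.
$account = "CORP\$($dlg.SamAccountName)"
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl
Grant-SmbShareAccess -Name $ShareName -AccountName $account -AccessRight Change -Force

# Verification: the folder ACL should show the DLG with Modify and no stray direct user grants.
(Get-Acl -Path $SharePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Note that Get-ADGroupMember -Recursive on the DLG will not expand the foreign security principal from the trusted forest; check that group's membership against the partner forest's DC instead.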