Group Members - Enterprise OU structure mapping

-

i don't understand default group members , permissions. tested ad creating dummy group (dummygrp)and account(dummy1) experiment gpos. don't know why it's not allowing me add "nt authentication" (the security principal) or “users” group via “members”/ “member of” tab in dummygrp. allow me add “domain users” builtin group. system added builtin “users” group default builtin “domain users” group. “users” group has absolutely no members within - totally empty.

this i'm lost. don't understand why it's prudent add groups others, scheme /rationale behind proper group inclusion. according experts, adding wrong group(s) object can ruin network's resources. in case, i'm trying organize small company 7 departments. ideally want each department in respective group delegate permissions/gpos. groups must add in order work normally?

i want implement features gpo security filtering. documentation on ms website defines security principals, descriptors, aces, etc. checked the default “domain users” group. has “administrator” , “krbtgt(with down arrow).” checked technet , few other websites. take @ links below:

https://technet.microsoft.com/en-us/library/cc785098%28v=ws.10%29.aspx

http://ss64.com/nt/syntax-security_groups.html

you can @ diagram on ss64.com. on machine (winserver2012) “administrators” group in users folder holds following: administrators, domain admins, domain users, enterprise admins, group policy creator owners, , schema admins. looks weird disaster waiting happen. must add function real corporate enterprise environment?


>i don't know why it's not allowing me add nt authority (the security
>principal) or “users” group via “members”/ “member of” pane in dummygrp
 
nt authority refers windows operating system itself, not user or group. users builtin group, default, builtin groups cannot added other groups.
 
>i'm trying organize small company 7 departments. ideally want each department in respective group
>to delegate permissions/gpos. groups must add in order work normally?
 
can create separate groups each departments, , delegate permissions them or use them in gpo security filtering.
 
i'm not sure whether have cleared away doubts, take @ technet article better understanding of groups in active directory:
 
https://technet.microsoft.com/en-us/library/dd861330.aspx
 
let me know if have further questions.
 

regards,

ethan hua

please remember mark replies answers if help, , unmark answers if provide no help. if have feedback technet support, contact tnmff@microsoft.com



Windows Server  >  Windows Server 2012 General



Comments

Post a Comment

Popular posts from this blog

Motherboard replacement

-
running windows 10 technical preview, need replace motherboard can run the  sysprep  command restoring pc ? or there easier  or more preferred way ? thanks if replace motherboard within same family of chipsets (i.e. intel > intel or amd > amd), should okay restarting pc twice. carey frisch Windows 10 Insider Preview  >  Windows 10 Insider Preview General
Read more

Cannot create Full Text Search catalog after upgrading to V12 - Database is not fully started up or it is not in an ONLINE state

-
in order access new full text search capiblities of sql azure, upgraded our azure sql v12. (a day later), when try create new catalog: create fulltext catalog mycatalog default i following message: msg 9972, level 16, state 100, line 1 database not started or not in online state. try full-text ddl command again after database started , becomes online. hi scott, apologies inconvenience caused you. known issue on service side , fix going included in next update. specific case mitigated, should able use full-text search syntax now. thanks, mihaela Microsoft Azure  >  Azure SQL Database
Read more

Remote Desktop App - Error 0x207 or 0x607

-
hi all, i manage windows 2012 r2 network, including connection broker, session hosts , remote apps virtual servers.  i've used remote desktop app on own android phone, no issues @ - connects published gateway url , can login , access network. we looking move business onto nokia handsets ms operating system (currently on blackberry), not able connect via remote desktop app on nokia lumia handset. setup, per android config , brings remote apps , remote desktop screen, know can connect.  when select remote desktop, shows following process: initiating remote connection securing remote connection certificate can't verified - choose connect it digitally signed cert (digicert sha2), pc name different physical connection broker name (inherited domain name old gov project - can't publish publicly) initiating establishing securing connection error have been 0x207 getting 0x607 a bit baffled, work on android (and ipad @ home using app). assume ms use d...
Read more