What do each of the default groups in Active Directory do ?

See the following information from Microsoft:
http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
or
https://customer.lenovosoftware.com/support/techdocs/kb/d2041/msdefaultgroups.pdf

The Enterprise Admins group is a universal group that exists only in the forest root domain. Members of this group have full administrative control over every domain in the forest, and users from any domain in the forest can be members.

The Domain Admins group is a global group that is present in each domain. Members of this group have full administrative control over that domain, but the group can contain members only from its own domain.

In a single-domain forest a Domain Admin can do anything: because the domain is also the forest root, Domain Admins can make themselves members of the Enterprise Admins and Schema Admins groups without being part of the Administrators group. In a multi-domain forest the scope of Domain Admins is limited to their own domain. Domain Admins is a global group.

The Enterprise Admins group is useful when you are dealing with a parent-child domain structure or a multi-domain forest. Because it is a universal group, its permissions can be defined in any domain and its members can come from any domain.

In a parent-child forest you will not find the Enterprise Admins group in the child domain; it is present only in the root (parent) domain.
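The distinction above (Enterprise Admins and Schema Admins only in the forest root, Domain Admins in every domain) is something an administrator should be able to verify rather than assume. The script below is an added example, not part of this KB article or of the webNetwork product: it lists the direct members of those groups for every domain in the forest, looking each group up by its well-known RID (519, 518, 512) so that a renamed group is still found. It assumes the RSAT ActiveDirectory PowerShell module and an account that can read group membership in every domain; the output column names are the example's own.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest

# Well-known RIDs of the groups discussed above. Enterprise Admins and Schema
# Admins exist only in the forest root; Domain Admins exists in every domain.
$rootOnly  = @{ 'Enterprise Admins' = 519; 'Schema Admins' = 518 }
$perDomain = @{ 'Domain Admins' = 512 }

# Turn "CN=x,OU=y,DC=sub,DC=MyDomain,DC=com" into "sub.MyDomain.com" so that a
# member from another domain is looked up on a DC of its own domain.
function ConvertTo-DnsDomain([string]$Dn) {
    ($Dn -split ',' | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

# Direct members of one privileged group, read from the group's own "member"
# attribute. Nested groups are reported with MemberType 'group' so they can be
# expanded in turn; that avoids the cross-domain resolution problems that
# Get-ADGroupMember -Recursive can run into.
function Get-DirectMembers {
    param([string]$Domain, [string]$Label, [int]$Rid)
    $domainSid = (Get-ADDomain -Server $Domain).DomainSID.Value
    # Look the group up by SID rather than by name so a renamed group is still found.
    $group = Get-ADGroup -Identity "$domainSid-$Rid" -Server $Domain -Properties member
    foreach ($dn in $group.member) {
        $memberDomain = ConvertTo-DnsDomain $dn
        $obj = Get-ADObject -Identity $dn -Server $memberDomain -Properties sAMAccountName
        [pscustomobject]@{
            Domain     = $Domain
            Group      = $Label
            GroupScope = $group.GroupScope      # Universal for Enterprise Admins, Global for Domain Admins
            Member     = "$memberDomain\$($obj.sAMAccountName)"
            MemberType = $obj.ObjectClass
        }
    }
}

$report = @(foreach ($label in $rootOnly.Keys) {
    Get-DirectMembers -Domain $forest.RootDomain -Label $label -Rid $rootOnly[$label]
})
$report += @(foreach ($domain in $forest.Domains) {
    foreach ($label in $perDomain.Keys) {
        Get-DirectMembers -Domain $domain -Label $label -Rid $perDomain[$label]
    }
})
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize
```

Run it from a workstation that can reach a domain controller in each domain. A member of Domain Admins whose Domain column differs from the group's domain, or a member of Enterprise Admins that is not expected, is worth following up, since those groups carry full control of the domain or forest respectively.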

Information on group scope:
http://technet.microsoft.com/en-us/library/cc755692%28WS.10%29.aspx

or

https://customer.lenovosoftware.com/support/techdocs/kb/d2041/groupscope.pdf


What does this mean for webNetwork if you are not going to use the Enterprise Admins group? It means that you have to create a domain local or universal group in the child domain, add members from the parent domain as well as the child domain, and make that domain local or universal group a member of the Domain Admins group in the child domain. According to Microsoft the preferred way is AGDLP (or AGUDLP when universal groups are included: Accounts, Global, Universal, Domain Local, Permissions). AGDLP stands for Accounts, Global groups, Domain Local groups and Permissions, and refers to the practice of assigning permissions to network resources through groups in such a way that managing those permissions and group memberships is simplified and access to resources across multiple domains is possible.


More information on this can be found at:
http://en.wikipedia.org/wiki/AGDLP

Wikipedia describes AGDLP as "a best practice guide for effectively managing inter-domain resource access in a Windows Server domain network environment. AGDLP is applied when planning and implementing the construction of users and groups as well as the setting of NTFS permissions on the resources concerned."

Using AGDLP allows admins to set up their Windows environments so that problems with user account management and permissions management are greatly reduced. Yet even those who have been through MCSE training still fail to use this simple strategy when planning their groups and permission assignments.

There have been many times I've had to correct my customers' groups/permissions-related issues because they chose to use only individual accounts, or just Domain Local groups, or just Global groups, when assigning permissions to their resources. Then, when they add a new domain, create a new resource, add a new user, or someone leaves the organization and is replaced, it becomes a serious nightmare to get the permissions set up properly after those changes have been made.

Using AGDLP gives you the following benefits:
• You can assign local resource access to users in other domains.
• A user's access to a resource can be removed simply by removing their account from the appropriate group.
• If you set up your permissions properly, a new user only needs to be added to the appropriate group and their permissions are in place with little to no additional work.

In following an AGDLP strategy, you would:
1. A: Create the user account(s).
2. G: Create a global group and add the user account(s) you created in step 1 as members.
3. DL: Create a Domain Local group in the domain that contains the resource you wish to give access to, and add the global group from step 2 as a member of this Domain Local group.
4. P: Assign permissions on the resource using the Domain Local group created in step 3.

Sometimes it's easier to review this when applying it to a scenario. Say you have a network resource (in this case we'll use a shared folder called General Ledger) which resides in the sub.MyDomain.com domain. You want to give permissions to that folder to a user or set of users in the parent domain, called MyDomain.com.
1. First, take your user(s) in the MyDomain.com domain and add them to a global group called Accountants. Why a global group? Because if the resource exists in a different domain than the user accounts, you will only be able to assign permissions to that resource using a global group.
2. Create a Domain Local group in the sub.MyDomain.com domain called Accounting and add the Accountants global group as a member. Domain Local groups allow you to add global groups from other domains, in addition to local global groups and user accounts, thus giving non-local accounts access to local resources.
3. Finally, set up the General Ledger folder so that its permissions allow the Accounting Domain Local group access to the resource.
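The four AGDLP steps and the General Ledger scenario above, carried out end to end in PowerShell. This is an added example and not code from this KB article or from the webNetwork product; only the domain names, the Accountants and Accounting group names and the folder name come from the scenario. The OUs, the folder path on the file server and the two sample account names are assumptions, and the script assumes the RSAT ActiveDirectory module with rights to create objects in both domains and to change the folder's ACL.

```powershell
Import-Module ActiveDirectory

# Names from the scenario above; the OUs, the folder path and the account
# names are assumptions for this example.
$parentDomain = 'MyDomain.com'
$childDomain  = 'sub.MyDomain.com'
$parentOu     = 'OU=Finance,DC=MyDomain,DC=com'         # assumed: holds the accounts and the global group
$childOu      = 'OU=Groups,DC=sub,DC=MyDomain,DC=com'   # assumed: holds the domain local group
$folderPath   = 'D:\Shares\General Ledger'              # assumed: local path of the share on the file server
$accountNames = 'jdoe', 'asmith'                        # constructed sample accounts

# Create a security group of the given scope unless it already exists, so the
# group steps can be re-run without error.
function Get-OrCreateGroup([string]$Name, [string]$Scope, [string]$Path, [string]$Server) {
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Server
    if (-not $group) {
        $group = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                             -Path $Path -Server $Server -PassThru
    }
    return $group
}

# A: accounts in the parent domain (created only if missing).
foreach ($sam in $accountNames) {
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Server $parentDomain)) {
        New-ADUser -Name $sam -SamAccountName $sam -Path $parentOu -Server $parentDomain `
                   -AccountPassword (Read-Host -AsSecureString "Initial password for $sam") -Enabled $true
    }
}

# G: global group in the parent domain, holding the accounts. A global group
# can only hold members from its own domain, which is why it lives here.
$globalGroup = Get-OrCreateGroup -Name 'Accountants' -Scope Global -Path $parentOu -Server $parentDomain
Add-ADGroupMember -Identity $globalGroup -Members $accountNames -Server $parentDomain

# DL: domain local group in the child domain (the resource's domain), holding
# the parent's global group. -Server must point at the child domain, because
# a domain local group is written on a DC of its own domain.
$dlGroup = Get-OrCreateGroup -Name 'Accounting' -Scope DomainLocal -Path $childOu -Server $childDomain
Add-ADGroupMember -Identity $dlGroup -Members $globalGroup -Server $childDomain

# P: NTFS permission on the folder, granted to the domain local group by its
# SID (no name lookup needed). Neither the users nor the global group appear
# on the ACL; removing a user from Accountants is enough to revoke access.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $dlGroup.SID, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $folderPath
$acl.AddAccessRule($rule)
Set-Acl -Path $folderPath -AclObject $acl
```

Run the script on the file server that hosts the folder (Get-Acl and Set-Acl operate on a local path) with an account that is permitted to create objects in both domains. Modify was chosen as the right for the example; use the least right the accountants actually need.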

More on groups

Domain Local Groups. Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group: the domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.

Global Groups. Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
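Because the scope rules above decide which principals should and should not appear on a resource's ACL, the most useful check on an existing share is to read its ACL and classify each grantee. The script below is an added example, not code from this KB article or from webNetwork: for every non-inherited ACE on a folder it resolves the grantee to its AD object, reports the object class and, for groups, the group scope, and flags the patterns the article warns against (individual accounts or global groups granted directly instead of a domain local group). It assumes the RSAT ActiveDirectory module, a file server that can reach the domains involved, and an assumed folder path; the Test-AgdlpAcl and Resolve-AcePrincipal function names are the example's own.

```powershell
Import-Module ActiveDirectory

# Map a SID to the AD object behind it (user, computer or group) and, for
# groups, the group scope. Built-in and well-known SIDs (SYSTEM, BUILTIN\...)
# have no domain part and sit outside AGDLP; SIDs from the file server's own
# local SAM have a domain part but no AD domain and are reported as 'local'.
function Resolve-AcePrincipal([System.Security.Principal.SecurityIdentifier]$Sid) {
    if (-not $Sid.AccountDomainSid) {
        return [pscustomobject]@{ Class = 'wellKnown'; Scope = $null; Name = $Sid.Value }
    }
    try {
        $domain = (Get-ADDomain -Identity $Sid.AccountDomainSid.Value).DNSRoot
    } catch {
        return [pscustomobject]@{ Class = 'local'; Scope = $null; Name = $Sid.Value }
    }
    $obj = Get-ADObject -Filter "objectSid -eq '$($Sid.Value)'" -Server $domain -Properties sAMAccountName
    $scope = if ($obj.ObjectClass -eq 'group') {
        (Get-ADGroup -Identity $Sid.Value -Server $domain).GroupScope
    } else { $null }
    [pscustomobject]@{ Class = $obj.ObjectClass; Scope = $scope; Name = "$domain\$($obj.sAMAccountName)" }
}

# Classify every ACE set directly on the folder against the AGDLP rule that
# permissions are granted to domain local groups only.
function Test-AgdlpAcl([string]$Path) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }    # judge only what was set on this resource itself
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $p = Resolve-AcePrincipal $sid
        } catch {
            $p = [pscustomobject]@{ Class = 'unresolved'; Scope = $null; Name = $ace.IdentityReference.Value }
        }
        $finding = switch ($p.Class) {
            'wellKnown'  { 'OK (built-in principal, outside AGDLP)' }
            'group'      { if ($p.Scope -eq 'DomainLocal') { 'OK' }
                           else { "Fix: $($p.Scope) group granted directly; nest it in a domain local group" } }
            'unresolved' { 'Fix: orphaned SID, remove the ACE' }
            default      { "Fix: $($p.Class) granted directly; grant through a domain local group instead" }
        }
        [pscustomobject]@{
            Identity = $p.Name
            Rights   = $ace.FileSystemRights
            Access   = $ace.AccessControlType
            Class    = $p.Class
            Scope    = $p.Scope
            Finding  = $finding
        }
    }
}

Test-AgdlpAcl -Path 'D:\Shares\General Ledger' | Format-Table -AutoSize   # assumed path
```

Run it on the file server for each share you manage; a clean AGDLP share shows only DomainLocal groups (plus built-in principals such as SYSTEM) in the Class and Scope columns. The check looks at the folder's own ACEs only; inherited entries are judged where they are set.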
