
Tuesday 10 September 2013

Change group scope from Global to DomainLocal

You cannot change the GroupScope directly from Global to DomainLocal; you therefore first have to convert the scope to Universal <2>.
 
<<<< FOR THOSE WHO WONDER WHY >>>>
The reasons are largely historical.  In NT 4.0 domains, you had global groups and local groups and could not convert between the two.  When Active Directory was introduced with Windows 2000, this mechanism was held since NT 4.0 BDCs (Backup Domain Controllers) could exist in an AD domain when the domain was in either Windows 2000 Mixed Mode and later Windows 2003 Interim Mode.  Universal groups could not exist when the AD domain was in either of these modes because NT 4.0 BDCs could not interpret them.  When moved to 2000 Native Mode or higher, Universal groups and Distribution groups could be used in the AD domain.  Because of the design of the AD Schema, it became possible to convert Global or Local groups to Universal groups, and the other way around (provided the pre-requisites are met).
 
If you examine the attributes of the different types of Security groups, some of the reasoning becomes a bit more clear:
Global
groupType = 0x80000002 (ACCOUNT_GROUP | SECURITY_ENABLED)
sAMAccountType = 268435456 (GROUP_OBJECT)
 
Local
groupType = 0x80000004 (RESOURCE_GROUP | SECURITY_ENABLED)
sAMAccountType = 536870912 (ALIAS_OBJECT)
 
Universal
groupType = 0x80000008 (UNIVERSAL_GROUP | SECURITY_ENABLED)
sAMAccountType = 268435456 (GROUP_OBJECT)
 
That said, Microsoft has long recommended using the ADGLP model for RBAC in AD environments.  E.g., you place users in Global Groups, place Global Groups in Domain Local Groups, and assign permissions on objects to those Domain Local groups.  This makes sense if you examine the above attributes (Global - ACCOUNT_GROUP and GROUP_OBJECT, Local - RESOURCE_GROUP and ALIAS_OBJECT).  Some feel this security model is aging and true RBAC methods should be adopted but we aren't quite there yet in my opinion (Server 2012 is a step closer).  Anyway, the point is that if you find yourself converting groups in Active Directory, you probably have a design flaw in your group architecture.  I personally do not recommend converting between group types unless absolutely necessary.  In general, you should implement the groups correctly, migrate users and resources to the new group design, and destroy the old groups.
<<<< END OF WHY >>>>
 
You can of course do this through the GUI (one group at a time), or you use PowerShell (use -Filter, -SearchBase and Where-Object to select the groups by scope):
 
The intermediate step, from Global to Universal:
 
PS C:\> Get-ADGroup -Filter "name -like 'LG_M_*'" -SearchBase "OU=Groups,DC=DOMAIN,DC=LOCAL" | where {$_.GroupScope -like "Global"} | Set-ADGroup -GroupScope Universal
 
From Universal to DomainLocal:
 
PS C:\> Get-ADGroup -Filter "name -like 'LG_M_*'" -SearchBase "OU=Groups,DC=DOMAIN,DC=LOCAL" | where {$_.GroupScope -like "Universal"} | Set-ADGroup -GroupScope DomainLocal
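The two one-liners above do the conversion blindly. The function below is an added example (not part of the original post) that combines both steps, checks the one prerequisite AD enforces for the Global to Universal step (the group may not itself be a member of another Global group), supports -WhatIf for a dry run, and re-reads the group afterwards to confirm the final scope. It assumes the ActiveDirectory module and the same filter and OU as the post's examples.

```powershell
# Added example: two-step scope conversion Global -> Universal -> DomainLocal
# with a prerequisite check and -WhatIf support. Filter/SearchBase values
# below are the post's examples, not real objects.
function Convert-GlobalGroupToDomainLocal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Filter,      # e.g. "name -like 'LG_M_*'"
        [Parameter(Mandatory)] [string] $SearchBase   # e.g. "OU=Groups,DC=DOMAIN,DC=LOCAL"
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $groups = Get-ADGroup -Filter $Filter -SearchBase $SearchBase |
              Where-Object { $_.GroupScope -eq 'Global' }

    foreach ($g in $groups) {
        # A Global group can only become Universal if it is not a member of
        # another Global group; check that before changing anything.
        $globalParents = Get-ADPrincipalGroupMembership -Identity $g |
                         Where-Object { $_.GroupScope -eq 'Global' }
        if ($globalParents) {
            Write-Warning ("Skipping {0}: still a member of Global group(s) {1}" -f
                $g.Name, ($globalParents.Name -join ', '))
            continue
        }
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, 'Global -> Universal -> DomainLocal')) {
            # Step 1: Global -> Universal (the only permitted intermediate scope)
            Set-ADGroup -Identity $g -GroupScope Universal -ErrorAction Stop
            # Step 2: Universal -> DomainLocal (no membership restrictions apply)
            Set-ADGroup -Identity $g -GroupScope DomainLocal -ErrorAction Stop
            # Re-read the object and verify instead of trusting the two calls
            $after = Get-ADGroup -Identity $g.DistinguishedName
            if ($after.GroupScope -ne 'DomainLocal') {
                Write-Warning ("{0} ended up with scope {1}" -f $after.Name, $after.GroupScope)
            } else {
                Write-Verbose ("{0}: now DomainLocal" -f $after.Name)
            }
        }
    }
}

# Dry run first (-WhatIf), then the real conversion with -Verbose:
Convert-GlobalGroupToDomainLocal -Filter "name -like 'LG_M_*'" -SearchBase "OU=Groups,DC=DOMAIN,DC=LOCAL" -WhatIf
# Convert-GlobalGroupToDomainLocal -Filter "name -like 'LG_M_*'" -SearchBase "OU=Groups,DC=DOMAIN,DC=LOCAL" -Verbose
```

If step 2 fails after step 1 succeeded, the group is left as Universal, which the warning on the re-read makes visible so it can be finished or reverted by hand.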
 
 
