OK, I am running a W2K3 domain (W2K3 functional level) and I’ve read a lot regarding best practices, etc., for using different types of groups.
However, I have not read anything that answers this scenario:
I have a global group called “marketing”. I put all the users in the marketing department in there.
I need about 25% of the people in the marketing group to have read-only access to this particular file share. I also need select members from other departments to have modify rights to this file share. The file share sits on a domain controller.
I then created two domain local groups called “X.share.read-only” and “X.share.modify”.
According to Microsoft’s best practice, I am to add users to global groups then put global groups into local groups.
If I do this, then I will have to create two global groups for the sole purpose of grouping the users who will have read-only and modify permissions respectively to this particular file share.
Well, I already created the two domain local groups that do just that. It would seem silly to add users to a global group which essentially becomes a resource group, then add that group to a domain local group which serves the same purpose.
Now, what is the problem in adding the users directly to the domain local groups?
Am I missing something here?