MSPress book 290 Nesting groups

MikdillyMikdilly Member Posts: 309
On page 4-13 the exercise for nesting groups, No. 2 says to create 3 global groups in the Users OU, the only Users i have is a container. Is that a misprint or are you supposed to go ahead and create the global groups here?
After creating the users in the Users Container and assigning them to group 1 and then making group 1 a member of group 2, I am able to convert each group to universal. The book claims you will be able to convert only 2 of the 3 groups without error.

Comments

  • SieSie Member Posts: 1,195
    I dont have the book infront of me but the exercise should work from OU or Container.

    I believe what they get you to do is create a Global Group and then add another Global Group as a member.

    This then would mean you cannot convert one to a Universal Group as it is a member of another global group.

    Thats the principle they are trying to show you.

    Let me find you the MS KB Doc on Group Scopes.....

    http://technet2.microsoft.com/windowsserver/en/library/9538f672-6264-4eb2-9978-87b1d055ab841033.mspx?mfr=true

    There you are! Hope this helps.
    Foolproof systems don't take into account the ingenuity of fools
  • MikdillyMikdilly Member Posts: 309
    Thanks for the reply, if it should work from either container or ou then I don't understand why it's letting me converrt each group to universal, i double checked the setup, seems I should only be able to convert group 2 and 3.
  • SieSie Member Posts: 1,195
    Are you sure you have set them all up as Global Groups and are you sure you have added the Users and Groups as advised?

    I will try and remember to dig out the book later and post later on/tomorrow.

    If someone has this to hand and can check in the meantime?

    I just noticed I gave you the wrong link earlier, this is a better one:

    http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx

    Note this section:
    • Global to universal. This conversion is allowed only if the group that you want to change is not a member of another global scope group.

    • Domain local to universal. This conversion is allowed only if the group that you want to change does not have another domain local group as a member.

    • Universal to global. This conversion is allowed only if the group that you want to change does not have another universal group as a member.

    • Universal to domain local. There are no restrictions for this operation.
    Foolproof systems don't take into account the ingenuity of fools
  • MikdillyMikdilly Member Posts: 309
    In double checking them last night each one was a global group and were security groups. I checked the 'member of' tab for group 1 and it definitely is a member of group 2. I'll have to doublecheck it again. Thanks again for looking into it and for the link.
  • SieSie Member Posts: 1,195
    Good Morning,

    I have to admit I didnt get time to look for the Question in the MS Book last night work/home was far to busy.

    Did you manage to get things sorted?
    Foolproof systems don't take into account the ingenuity of fools
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    From what you describe (all are global groups and group 1 is a member of group 2) you should not be able to make group 1 a universal group. If you can you need to recheck everything - something is not right.
  • MikdillyMikdilly Member Posts: 309
    When I originally did the exercise and it allowed me to change group 1 to universal I created the users in another ou i had thinking they had a misprint and the rules didn't apply to groups in a container, it did the same thing there - allowed me to change group 1 to universal there as well. That's when I wrote up the post, yesterday I moved the users and groups back to the Users container and what do you know it stopped me from changing group 1 to universal. I may go back tonight and remove everything and start over from scratch just to make sure i wasn't imagining the whole thing. But that has to be a misprint in the book, they shouldn't be calling Users an OU, it's confusing.
  • SieSie Member Posts: 1,195
    What OU did you create the users in?

    Did you make a new one?

    Only reason im asking is that it shouldnt matter if you have users in one OU / Container and the Groups in another OU / Container.

    Do you have the default AD install & structure and only one domain?
    Foolproof systems don't take into account the ingenuity of fools
  • MikdillyMikdilly Member Posts: 309
    I believe it was in an existing one called Employees.

    It is the default AD install, only one domain, contoso.
  • SieSie Member Posts: 1,195
    It may be something but I think you may have done something wrong the first time.

    Im not saying it was but it should work as per the example and as you found out the second time.

    You'll need to know Group Nesting and when you can and when you cant convert the Group Scopes, the link above was a big help to me when I was looking at this.
    Foolproof systems don't take into account the ingenuity of fools
  • MikdillyMikdilly Member Posts: 309
    I think I know what happened, group 2 was changed to universal which would then allow me to change group 1 to universal. I could have sworn it was letting me change group 1 to universal when all 3 were global groups but I may be(probably)wrong.
  • SieSie Member Posts: 1,195
    Dont worry about it, making mistakes is what makes us learn!

    Just think you now have a better understanding of the concept than you would have just reading about it!
    Foolproof systems don't take into account the ingenuity of fools
Sign In or Register to comment.