Hi,
My server is Windows Server 2008 R2 Enterprise. It is not a domain controller. The only roles currently configured are File Services and Remote Desktop Services.
I'm trying to set up access controls (ACLs) to particular directories, and have run into the problem that I can't nest local groups within local groups.
My life would be a lot easier if I could nest these local groups. I'd like to apply two groups to a "locked down" folder, for example "Prod Write Access" and "Prod Read Access", with of course the appropriate permissions for Write and Read given to these groups. Then, I would like to add groups to each group based on functional areas, i.e. "Developers" to "Prod Write Access" and "Marketing", "Sales", and "HR" to "Prod Read Access". (These are not the real examples; they're just to illustrate the concepts).
Background: I'm an "IT type" but in the business, not IT. I have admin rights on the server, but don't maintain it; others in IT do that. I don't currently have update access to our domain controller/active directory, but have used and configured AD in the past, although it's been a while and things have probably changed. But, how hard can it be to create groups and add users to them? All I need is an AD client and the proper access. My IT department is too slow to react to urgent business requirements; if I go the Active Directory route (see below), a few colleagues and myself would need the ability to add/delete groups and group membership.
Soooo, my questions:
1) Can update access to Active Directory be limited to a particular branch? IOW, my IT department creates a tiny branch of AD that I could update, where I could create/delete groups, and add both domain and local (i.e. myserver\someuser) users to those groups. I would not be able to create users, just groups and group membership, and only in this branch.
My IT department will probably freak with this request, but I'd like to at least submit a researched, intelligent request for them to refuse.
2) Is it possible to promote my server or add an additional role to host an active directory instance (perhaps AD LDS???), where the vast bulk of the AD functionality is delegated to our current AD instance? AFAIK this would be analogous to DNS, where local DNS configuration is maintained, but external DNS lookups are delegated to other servers. I would then use this local AD instance to add nested groups and local and domain accounts to control directory and file access.
3) Short of that, any other suggestions where I can support nested groups on my local server? Or am I stuck with adding/deleting users in multiple local groups?
And Microsoft, if you're lurking, how about adding nested groups support to local groups? Is this really that hard to implement?
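An added worked example, not part of the question above and not the poster's code. It implements the two-tier design the question describes on a file server: two machine-local groups carry the NTFS rights on the locked-down folder, and the functional groups are placed inside them. A machine-local group on Windows can contain domain users and domain groups but not another machine-local group, so the inner tier must be domain groups (which is also why question 1, delegated group management in one OU, is the part worth asking IT for). Everything named here is an assumption: the folder `C:\Shares\Prod`, the domain `CONTOSO`, the domain groups `Developers`, `Marketing`, `Sales`, `HR`, and the OU and delegate group used in the last function. The script uses the ADSI WinNT provider and Get-Acl/Set-Acl because those exist on Windows Server 2008 R2's PowerShell 2.0; the `*-LocalGroup*` cmdlets do not ship there. The `dsacls` function is run by the domain admins on a domain controller, not on the file server, and its argument syntax is my assumption; confirm it against `dsacls /?` before use.

```powershell
# Added example: two local groups carry NTFS rights, domain groups sit inside them.
# All names below are constructed placeholders.
$FolderPath = 'C:\Shares\Prod'
$Computer   = $env:COMPUTERNAME

# Outer tier (machine-local, holds the ACL) -> inner tier (domain groups, the members).
$GroupPlan = @{
    'Prod Write Access' = @('CONTOSO\Developers')
    'Prod Read Access'  = @('CONTOSO\Marketing', 'CONTOSO\Sales', 'CONTOSO\HR')
}

function New-LocalGroupIfMissing {
    param([string]$Name)
    $machine = [ADSI]"WinNT://$Computer"
    $exists  = $machine.Children | Where-Object { $_.SchemaClassName -eq 'group' -and $_.Name -eq $Name }
    if (-not $exists) {
        $g = $machine.Create('group', $Name)
        $g.SetInfo()
    }
}

function Add-DomainGroupToLocalGroup {
    param([string]$LocalGroup, [string]$Member)   # $Member as DOMAIN\GroupName
    $domain, $name = $Member -split '\\', 2
    $local = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    # Current member names, so the call is idempotent on re-runs.
    $names = @($local.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($names -notcontains $name) {
        # Adding a domain group works; adding another local group here is rejected by Windows.
        $local.Add("WinNT://$domain/$name,group")
    }
}

function Set-ProdFolderAcl {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl $Path
    # Break inheritance and discard inherited entries: only the explicit rules below remain.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        (New-Object System.Security.AccessControl.FileSystemAccessRule("$Computer\Prod Write Access", 'Modify',         $inherit, $prop, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule("$Computer\Prod Read Access",  'ReadAndExecute', $inherit, $prop, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators',      'FullControl',    $inherit, $prop, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',         'FullControl',    $inherit, $prop, $allow))
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

# Question 1, on a domain controller, run by IT: let one delegate group create/delete
# group objects in a single OU and edit the 'member' attribute of groups there, nothing else.
# dsacls argument syntax is an assumption; verify with 'dsacls /?' first.
function Grant-GroupManagementOnOu {
    param([string]$OuDn = 'OU=Prod File Groups,DC=contoso,DC=com',
          [string]$Delegate = 'CONTOSO\Prod-ACL-Managers')
    & dsacls $OuDn /I:T /G "${Delegate}:CCDC;group"          # create/delete child objects of class group
    & dsacls $OuDn /I:S /G "${Delegate}:WP;member;group"     # write the member attribute on group objects
}

# --- file server run order: groups first, so the ACL rules can resolve them to SIDs ---
foreach ($localGroup in $GroupPlan.Keys) {
    New-LocalGroupIfMissing -Name $localGroup
    foreach ($m in $GroupPlan[$localGroup]) { Add-DomainGroupToLocalGroup -LocalGroup $localGroup -Member $m }
}
Set-ProdFolderAcl -Path $FolderPath

# Check: the folder should show exactly the four explicit entries, none inherited.
(Get-Acl $FolderPath).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Once the domain groups exist in the delegated OU, day-to-day changes (a new hire in Sales, a contractor leaving Developers) are made in AD by whoever holds that delegation, and the file server's ACL and its two local groups never need touching again; that is the practical substitute for nested local groups.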