| Author |
Message |
Andy
Guest
|
Posted:
Wed Jan 12, 2005 5:11 pm Post subject:
Any way of making mutually exclusive security groups?? |
|
|
Hi,
I have created a couple of security groups in AD. I want to make them
mutually exclusive, so if a user is a member of one, they cannot be a member
of the other and vice versa. Is there any way of doing this?
Many Thanks
Andy |
|
GMartin
Guest
|
Posted:
Wed Jan 12, 2005 11:34 pm Post subject:
Re: Any way of making mutually exclusive security groups?? |
|
|
Andy wrote:
| Quote: | Hi,
I have created a couple of security groups in AD. I want to make them
mutually exclusive, so if a user is a member of one, they cannot be a member
of the other and vice versa. Is there any way of doing this?
Many Thanks
Andy |
I don't think you could do this in AD, but how about this:
Say you have two file shares \\FS1 & \\FS2 and two groups SG1 & SG2.
You want folks from SG1 to access FS1 & vice versa. In a straightforward
way, you could modify the FS1 ACL so that only SG1 members have
access. If you need to be more certain, you could add an explicit Deny
for members of SG2 to the FS1 ACL.
Does that work?
\\Greg |
|
Joe Richards [MVP]
Guest
|
Posted:
Wed Jan 12, 2005 11:48 pm Post subject:
Re: Any way of making mutually exclusive security groups?? |
|
|
Not natively but I have seen people script this in the past. The question is, if
someone gets added to a group, which group do they get booted out of? My
response to that is to boot them out of both.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Andy wrote:
| Quote: | Hi,
I have created a couple of security groups in AD. I want to make them
mutually exclusive, so if a user is a member of one, they cannot be a member
of the other and vice versa. Is there any way of doing this?
Many Thanks
Andy
|
|
|
Jerold Schulman
Guest
|
Posted:
Wed Jan 12, 2005 11:51 pm Post subject:
Re: Any way of making mutually exclusive security groups?? |
|
|
On Wed, 12 Jan 2005 03:11:02 -0800, "Andy" <Andy@discussions.microsoft.com> wrote:
| Quote: | Hi,
I have created a couple of security groups in AD. I want to make them
mutually exclusive, so if a user is a member of one, they cannot be a member
of the other and vice versa. Is there any way of doing this?
Many Thanks
Andy
|
You could use a script to add group membership and enforce your restriction in the script.
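@echo off
setlocal
REM Usage: DomGroup "Group" "User" A or D. A adds the user, D deletes the user.
if {%3}=={} goto :ERR
if /i "%3" EQU "D" goto del
if /i "%3" EQU "A" goto add
:ERR
@echo DomGroup "Group" "User" A^|D
endlocal
goto :EOF
:del
@echo net group %1 %2 /DELETE /DOMAIN
net group %1 %2 /DELETE /DOMAIN
endlocal
goto :EOF
:add
REM Strip the surrounding quotes from both arguments.
set grp=%1
set usr=%2
set grp=%grp:"=%
set usr=%usr:"=%
REM Adding to one special group requires a membership check on the other.
if /i "%grp%" EQU "SpclGrp1" goto chk2
if /i "%grp%" EQU "SpclGrp2" goto chk1
:addusr
@echo net group "%grp%" "%usr%" /ADD /DOMAIN
net group "%grp%" "%usr%" /ADD /DOMAIN
endlocal
goto :EOF
:chk1
set chkgrp=SpclGrp1
call :chkgroup
if "%OK%" EQU "Y" goto addusr
:errx
@echo Domgroup "%grp%" "%usr%" - Not exclusive.
endlocal
goto :EOF
:chk2
set chkgrp=SpclGrp2
call :chkgroup
if "%OK%" EQU "Y" goto addusr
goto errx
:chkgroup
REM Sets OK=N when %usr% is already listed as a member of %chkgrp%.
set OK=Y
for /f "Skip=4 Tokens=*" %%a in ('net group "%chkgrp%" /domain^|FINDSTR /V "Members --- successfully."') do (
  REM net group prints several member names per line, so compare each name on the line.
  REM Names that contain spaces are split by this loop and will not match.
  for %%b in (%%a) do if /i "%usr%" EQU "%%b" set OK=N
)
REM Return to the caller.
goto :EOF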
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com |
|
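Joe's approach above (script it, and take an account that ends up in both groups out of both), as an added example that is not code from any poster in the thread. It assumes PowerShell 5 or later with the ActiveDirectory module (RSAT) installed and reuses the group names SpclGrp1 and SpclGrp2 from the batch script as placeholders. It checks direct user members only, so membership through nested groups is not detected.

```powershell
# Added example. Run with -WhatIf first to report overlaps without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupA = 'SpclGrp1',   # placeholder name taken from the batch script
    [string]$GroupB = 'SpclGrp2'    # placeholder name taken from the batch script
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-DirectUserDn {
    param([string]$Group)
    # -ErrorAction Stop: a failed lookup must abort the run instead of
    # looking like an empty group, which would hide an overlap.
    Get-ADGroupMember -Identity $Group -ErrorAction Stop |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.DistinguishedName }
}

$inA = @(Get-DirectUserDn -Group $GroupA)
$inB = @(Get-DirectUserDn -Group $GroupB)

# Case-insensitive intersection on distinguishedName.
$setB = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($dn in $inB) { [void]$setB.Add($dn) }
$overlap = @($inA | Where-Object { $setB.Contains($_) })

foreach ($dn in $overlap) {
    Write-Warning ('Member of both {0} and {1}: {2}' -f $GroupA, $GroupB, $dn)
    # Policy from the thread: remove the account from both groups so that
    # someone has to decide deliberately which one it belongs in.
    foreach ($g in @($GroupA, $GroupB)) {
        if ($PSCmdlet.ShouldProcess($dn, ('Remove from {0}' -f $g))) {
            Remove-ADGroupMember -Identity $g -Members $dn -Confirm:$false
        }
    }
}

'{0} account(s) were in both groups' -f $overlap.Count
```

Run on a schedule, this is an after-the-fact correction: between runs an account can still hold both memberships, which is why the share ACL with an explicit Deny suggested earlier in the thread remains useful alongside it.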