
SEC 5.1 - Roles & Sub Estates - Groups of Groups

Hello,

We have a new requirement to grant limited permissions within SEC to some users. I have therefore been reading about roles and subestates and have been trying things, but I have come across an odd limitation.

For example, I create a sub-estate called "Treetops" and I grant access to the sub estate to AD group "SEC_Treetops". I then create a child group called "Tech_Treetops" and put the user in this group, so in order:

Sub-estate permission in SEC

      Sec_Treetops

            Tech_Treetops

                  User

If I run "user and group view", "SEC_Treetops" has access as expected, but "Tech_Treetops" and the user do not.

This feels like Windows 2000 architecture (can't do groups as members of groups), which is somewhat archaic... Can anyone confirm whether this is true or not?

Best practice guidelines for AD design, especially in a multi-forest environment like ours, specify using multiple hierarchical group levels before applying a permission (see AGUDLP)...

Thanks!

Rob



This thread was automatically locked due to age.