Nested Domain Local Groups not Working
Windows 2003 Enterprise
Active Directory 2000 Native Mode
Teamsite 6.1
I am trying to get Teamsite working using Nested Domain Local Groups, and I am having a problem.
I created Domain Global Groups that contain the users, and then I created the Domain Local Groups that contain the Domain Global Groups. I then use these Domain Local Groups for Group Sharing in Teamsite.
I use a test author that has the Read Group Membership set in AD, and this user still cannot edit or create files in the workarea.
I have read all the white papers, posts and KB articles with regards to this subject, and they all say the same thing. And I have tried it. So what else could it be? Windows 2003 security difference?
Any help will be great.
Thanks
Jim
Comments
-
I have not tried this on W-2003. But you can try the following in iw.cfg that might get you some more information:
[iwserver]
# The following 3 lines are for more verbose logging in iw-trace.log. Warning: verbose = very verbose.
#show_user_list=true
#show_user_list_verbose=true
#debug_operations=true
After uncommenting the above, iwreset, try to log in, edit a file. And see iwtrace.log.
Post your iwtrace.log and iw.cfg.
-
This happens for all users? All roles?
If you have a user as a member of your Domain Local Group (which is used as group for sharing), can that user edit/create files in workarea? (without AD group nesting)
I would recommend opening a case with support.
Edited by iwovGraduate on 07/16/04 10:02 AM (server time).
-
One thing regarding nested groups that we have learned: nesting global groups won't always work. We've had to flatten our domain local group membership to include each global group, directly. (Which is a bummer in a large enterprise.) For example, both News Staff and Press Release global groups are members of the Communications global group. The Local group that we use as the TeamSite group for sharing must have News Staff and Press Release as direct members, rather than the Communications group.
If this is not applicable in your case, perhaps it will prove helpful to others researching nested group issues.
-
Hello,
Thanks for the response. We already added the Verbose option, but the trace didn't give us any additional information. We tested setting up a local group on the machine, and adding the Global Group to that. This worked fine. The issue we are having is when we try to use the Domain Local Group stored in AD, it won't work. We even added the Domain Global Group for Sharing, and that is working fine. So Teamsite is talking with AD in that sense, but can't read the nested groups. We also changed the Read Group Permissions on the user, and that didn't help.
Masters are able to edit fine, but Authors and Editors are not able to edit/create files in the workareas.
-
Hi Julia,
Thanks for the response. We are actually nesting Global Domain Groups within Local Domain Groups, which from what I read is the only way that Teamsite will support it?
IE
GlobalGroup-GG
  user1
  user2
LocalGroup-LG
  GlobalGroup-GG
Teamsite uses LocalGroup-LG as the group for Sharing
-
We had a similar problem. One of the solutions we found to read "Nested Domain Local Groups" is to start TeamSite as one of the Active Directory userids. The userid used to start TeamSite should be a member of Domain Groups and should have the ability to read groups for sharing. Once we started TeamSite as a domain userid, we were able to share workareas to Domain local groups, and users in the domain local groups can edit and create files. There is a good document on how to change the userid used to start Teamsite from SYSTEM. Let me know if you need that document.
Thanks.
-
It can be made to work as we use that structure (domain local groups used in TeamSite, containing domain global groups which contain users). Further nesting is not supported, as already noted.
We had to add this to iw.cfg in the [iwserver] section:
domain_local_groups=yes
And had to ensure TeamSite had permission to "read group membership" in Active Directory. That took a while to sort out but there are KB articles on it ... it was our Active Directory administrators who sorted it out, sorry I can't be more detailed about how it was resolved.
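The membership shape described in the replies above (a domain local group used for sharing whose direct members are global groups that contain the users, with no deeper nesting), as an added Python example that is not part of any post in this thread. It walks a constructed membership map and reports which users sit behind deeper nesting and which global groups would have to become direct members; the names TeamSite-Share-LG and Web-Admins, the user names, and the choice to count users who are direct members of the sharing group as resolved are assumptions.

```python
from collections import deque

# Constructed snapshot: group name -> direct members. Any member that is not a
# key is treated as a user. In a real domain this map would come from an AD export.
DIRECTORY = {
    "TeamSite-Share-LG": ["Communications", "Web-Admins"],   # domain local
    "Communications": ["News Staff", "Press Release"],       # global, holds groups
    "News Staff": ["user1", "user2"],                         # global
    "Press Release": ["user3"],                               # global
    "Web-Admins": ["user4"],                                  # global
}


def audit_sharing_group(directory, sharing_group):
    """Check a sharing group against the shape domain local -> global -> user."""
    # Breadth-first walk records the shortest nesting depth of every group,
    # and the 'not in depth' test also protects against membership cycles.
    depth = {sharing_group: 0}
    queue = deque([sharing_group])
    while queue:
        group = queue.popleft()
        for member in directory[group]:
            if member in directory and member not in depth:
                depth[member] = depth[group] + 1
                queue.append(member)

    resolved, deep_users, to_add = set(), set(), []
    for group, level in depth.items():
        users = {m for m in directory[group] if m not in directory}
        if level <= 1:
            # Direct users (assumption) and users of directly nested groups.
            resolved |= users
        else:
            # Only reachable through a group nested inside another group.
            deep_users |= users
            if users:
                to_add.append(group)

    return {
        "resolved": sorted(resolved),
        "hidden": sorted(deep_users - resolved),
        "add_as_direct_members": sorted(to_add),
    }


if __name__ == "__main__":
    for key, value in audit_sharing_group(DIRECTORY, "TeamSite-Share-LG").items():
        print(f"{key}: {value}")
```
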
-
There are a number of documents available, hopefully one of these is the one referenced above. This one is available on DevNet:
https://support.interwoven.com/kb/kb_show_article2.asp?ArticleID=49849
Regards,
lissa
-
Hmmm, dug up an old email and found these references too
https://support.interwoven.com/kb/kb_show_article2.asp?ArticleID=49852
Seems to be a lot of different articles on this one issue?