Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 210
  • Last Modified:

In W2K Server, what is the best practice for assigning user rights to resources from one domain to another in same forest?

In W2K Server, what is the best practice for assigning user rights to resources from one domain to another in same forest?

What kind of group(s) should I use? etc.

thanks for any inputs in advance.
0
losgadas
Asked:
losgadas
  • 3
1 Solution
 
chefboy4Commented:
You can do things to ways.  If your network is in Native mode you can create a Universal group and stick anyone from any domain into it, including groups.  Give the permissions to the resource to this Universal group.  If your domains are not in native mode then you will have to create an account for each person you want to access the other domain on that domain.  Then put them in a group on that domain and give permissions to that group for that resource.  When the person goes to access that resouce they will be prompted for their username and password and domain.  This will be the user account you setup on the other domain.  Hope this wasn't overly confusing.  Any questions to this and I will gladly explain my rambling.
0
 
chefboy4Commented:
You can do things to ways.  If your network is in Native mode you can create a Universal group and stick anyone from any domain into it, including groups.  Give the permissions to the resource to this Universal group.  If your domains are not in native mode then you will have to create an account for each person you want to access the other domain on that domain.  Then put them in a group on that domain and give permissions to that group for that resource.  When the person goes to access that resouce they will be prompted for their username and password and domain.  This will be the user account you setup on the other domain.  Hope this wasn't overly confusing.  Any questions to this and I will gladly explain my rambling.
0
 
BaDaBooMCommented:
You can use the Universal groups as chefboy4 suggested, however if you are going to have a lot of these groups I wouldn't recommend it.  It directly affects the size of the global catalog and can therefore slow down GC replication if there are a lot of them.

However, with all due respect to chefboy4, you do NOT have to make user accounts on every domain you wish to use global/local groups (instead of universal).  You can add the user accounts from the other domain to the domain with the global/local group you want them added to.  This is because all domains within a forest automatically have trusts with eachother.  You were even able to do this in NT 4.0 as long as the trusts were there.  It is true that you cannot add a group (other than universal) in one domain to another group (other than universal) in a different domain.  So, to sum up... User Accounts and Universal groups can traverse domains within a forest but NOT global or local groups.  (Universal Groups only available in native mode)
0
 
chefboy4Commented:
Sorry BaDaBoom... I forgot that the domains where in the same forest.  I have a situation going on at work where they are not in the same forest.  So that was on my mind.  You are correct you can just add the user from the other domain to that group.  You are correct sir!..:)
0
 
losgadasAuthor Commented:
Thanks, this works.
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now