Question regarding adding users to a group from a different forest

Hi,
I'm trying to learn a bit about forest trust.

Got 2 forests (one domain in forest A and two domains in separate trees in forest B), and made a 2-way forest trust. Validated the trusts and all seems OK.
When I try to add a user from the trusted forest (B) to an AD group in forest A, I cannot see the other forest in the Location window, only: Entire directory, and the local domain.

But if I create a folder and set permissions, I can see the trusted forest and select a user from it.

Did I miss something? Am I not supposed to be able to add external users from the trusted forest to AD groups?
kerfihbg Asked:
 
dhoffman_98 Commented:
Let's make sure we are using the right terminology. You are not adding users from forests, you are adding users from DOMAINS. So let's say you have DOMA, which is in ForestA, and DOMB, which is in ForestB. You want to include users in DOMB to get access to something in DOMA.

It depends on the kind of group you are trying to add that user to.

A DOMAIN LOCAL group can contain users from any domain which you trust, global groups from within your own domain, and universal groups.

A GLOBAL group can contain other global groups in your domain or users from within your own domain.

A UNIVERSAL group can contain global groups from any domain. And while a universal group can also contain users, it is not recommended because of increases in replication traffic.

To do what you are trying to do, you should create a GLOBAL group in DOMB and add the DOMB users to that group. Then you can add that global group to a LOCAL group in DOMA, and assign that group the proper resource permissions.

Actually, the way we do things here is that if we need cross domain group usage, we create Global groups in each domain for the user accounts, then in the domain where the resources are, we create a Universal group that contains only the Global groups. Then the Universal group goes into the Local group, and the Local group gets the resources.

Instructors that teach Microsoft official curriculum often refer to A-G-U-L-P, or A-GULP. This works out as follows:
Accounts
Global Groups
Universal Groups
domain Local Groups
Permissions.

Meaning that accounts go into the Globals, Globals go into Universals, Universals go into domain Locals and then the domain Locals are where you apply the resource permissions.

I hope that helps.
0
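The first approach in dhoffman_98's answer (accounts into a Global group in DOMB, that Global group into a domain Local group in DOMA, permissions on the Local group), sketched with the ActiveDirectory PowerShell module. This is an added example, not code from the thread; the domain names, group names, sample accounts and folder path are assumptions, and it assumes the operator holds group-management rights in both domains.

```powershell
# Assumed names (not from the thread): DNS/NetBIOS domain names, groups, folder.
$ResourceDomain = 'doma.example'            # DOMA in ForestA, holds the resource
$ResourceNetBios = 'DOMA'
$AccountDomain  = 'domb.example'            # DOMB in ForestB, holds the accounts
$AccountGroup   = 'G-DOMB-ProjectUsers'     # Global group, lives in DOMB
$ResourceGroup  = 'DL-DOMA-Project-Modify'  # domain Local group, lives in DOMA
$Members        = 'alice', 'bob'            # constructed sample accounts in DOMB
$Folder         = 'D:\Shares\Project'

Import-Module ActiveDirectory

# Changes in DOMB need an account with rights there (assumption: a separate one).
$DombCred = Get-Credential -Message "Group-management account in $AccountDomain"

# 1. Accounts -> Global group, both inside DOMB.
New-ADGroup -Name $AccountGroup -GroupScope Global -GroupCategory Security `
    -Server $AccountDomain -Credential $DombCred
Add-ADGroupMember -Identity $AccountGroup -Members $Members `
    -Server $AccountDomain -Credential $DombCred

# 2. Domain Local group in DOMA, where the resource is.
New-ADGroup -Name $ResourceGroup -GroupScope DomainLocal -GroupCategory Security `
    -Server $ResourceDomain

# 3. Nest the DOMB Global group in the DOMA Local group. Passing the objects
#    (not bare names) lets each side be resolved against its own domain.
$Global = Get-ADGroup -Identity $AccountGroup -Server $AccountDomain -Credential $DombCred
$Local  = Get-ADGroup -Identity $ResourceGroup -Server $ResourceDomain
Add-ADGroupMember -Identity $Local -Members $Global -Server $ResourceDomain

# 4. Permissions go on the Local group only, never on individual DOMB users.
$Acl  = Get-Acl -Path $Folder
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$ResourceNetBios\$ResourceGroup", 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# 5. Review what now holds access: the member attribute of the Local group.
Get-ADGroup -Identity $ResourceGroup -Server $ResourceDomain -Properties member |
    Select-Object -ExpandProperty member
```

Reviewing the output of step 5 periodically shows exactly which groups from the trusted domain hold access to the resource, which is the audit benefit of granting permissions only through the Local group.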
 
ormerodrutter Commented:
To do what dhoffman_98 said, you need to make sure your domain is in Native mode, which supports Universal Groups and Group Nesting.
0
 
dhoffman_98 Commented:
Gee, thanks for the B. I guess my answer wasn't complete enough?
0
Question has a verified solution.
