question regarding adding users to group from a different forest

Posted on 2007-07-27
Medium Priority
Last Modified: 2008-05-31
I'm trying to learn a bit about forest trust.

Got 2 forests (one domain in forest A and two domains in separate trees in forest B), and made a forest trust 2-way. Validated the trusts and all seems ok.
When I try to add a user from the trusted forest (B) to an AD group in forest A I can not see the other forest in the Location window, only: Entire directory, and the local domain.

But if I create a folder, and set permissions I can see the trusted forest and select a user from it.

Did I miss something? Am I not supposed to be able to add external users from trusted forest in AD groups?
Question by:kerfihbg

Accepted Solution

dhoffman_98 earned 150 total points
ID: 19581532
Let's make sure we are using the right terminology. You are not adding users from forests, you are adding users from DOMAINS. So let's say you have DOMA which is in ForestA and DOMB which is in ForestB. You want to include users in DOMB to get access to something in DOMA.

It depends on the kind of group you are trying to add that user to.

A DOMAIN LOCAL group can contain users from any domain which you trust, global groups from within your own domain, and universal groups.

A GLOBAL group can contain other global groups in your domain or users from within your own domain.

A UNIVERSAL group can contain global groups from any domain. And while a universal group can also contain users, it is not recommended because of increases in replication traffic.

To do what you are trying to do, you should create a GLOBAL group in DOMB and add the DOMB users to that group. Then you can add that global group to a LOCAL group in DOMA, and assign that group with the proper resource permissions.

Actually, the way we do things here is that if we need cross domain group usage, we create Global groups in each domain for the user accounts, then in the domain where the resources are, we create a Universal group that contains only the Global groups. Then the Universal group goes into the Local group, and the Local group gets the resources.

Instructors that teach Microsoft official curriculum often refer to A-G-U-L-P, or A-GULP. This works out as follows:
Global Groups
Universal Groups
domain Local Groups

Meaning that accounts go into the Globals, Globals go into Universals, Universals go into domain Locals and then the domain Locals are where you apply the resource permissions.

I hope that helps.

Expert Comment

ID: 19582898
To do what dhoffman_98 said you need to make sure your domain is in Native mode, which supports Universal Group and Group Nesting.
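The A-G-L-P nesting from the accepted solution and the native-mode check from the comment above, carried out with the ActiveDirectory PowerShell module. This is an added example, not code from either poster; the domain names (doma.example, domb.example), OUs, user names and share path are assumptions for illustration, and the two-way forest trust is assumed to exist already. One caveat matters across a forest trust specifically: a universal group accepts members only from its own forest, so the extra Universal hop dhoffman_98 describes works between domains of one forest but not across the trust. Across the trust the DOMB global group goes straight into the DOMA domain local group, which is the only scope that can hold a foreign security principal, and that is also why the Location dialog hides the trusted forest when the target group is Global or Universal.

```powershell
# Added example (not from the thread): A-G-DL-P across a forest trust.
# Assumed names: DOMA = doma.example (resource forest A), DOMB = domb.example
# (account forest B); a validated two-way forest trust already exists.
Import-Module ActiveDirectory

$domA = 'doma.example'
$domB = 'domb.example'
$ouA  = 'OU=Groups,DC=doma,DC=example'   # assumed OU in DOMA
$ouB  = 'OU=Groups,DC=domb,DC=example'   # assumed OU in DOMB

# Step 0: group nesting and universal groups need the domain out of Windows 2000
# mixed mode ("native mode" in the comment above). Mixed vs native is recorded in
# the ntMixedDomain attribute of the domain naming context (1 = mixed).
$domAInfo = Get-ADDomain -Server $domA
$domANC   = Get-ADObject -Identity $domAInfo.DistinguishedName -Properties ntMixedDomain -Server $domA
if ($domANC.ntMixedDomain -eq 1) {
    throw "DOMA is still in Windows 2000 mixed mode; raise the domain functional level first."
}

# Step 1 (A -> G): a GLOBAL group in DOMB holding the DOMB accounts.
New-ADGroup -Name 'DOMB-Sales-Users' -GroupScope Global -GroupCategory Security `
            -Path $ouB -Server $domB
Add-ADGroupMember -Identity 'DOMB-Sales-Users' -Members 'jdoe', 'asmith' -Server $domB   # assumed users

# Step 2 (G -> DL): a DOMAIN LOCAL group in DOMA that will carry the permissions.
New-ADGroup -Name 'DOMA-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
            -Path $ouA -Server $domA

# Guard: only a domain local group can hold principals from outside the forest.
# A global group takes members from its own domain only; a universal group takes
# members from its own forest only.
$target = Get-ADGroup -Identity 'DOMA-SalesShare-Modify' -Server $domA
if ($target.GroupScope -ne 'DomainLocal') {
    throw "$($target.Name) is $($target.GroupScope); cross-forest members require DomainLocal scope."
}

# Resolve the DOMB group in its own domain and add it by SID. Writing the member
# value as "<SID=...>" lets DOMA create the foreignSecurityPrincipal object for it
# under CN=ForeignSecurityPrincipals, the same thing the GUI does behind the scenes.
$gB = Get-ADGroup -Identity 'DOMB-Sales-Users' -Server $domB
Set-ADGroup -Identity $target -Add @{ member = "<SID=$($gB.SID.Value)>" } -Server $domA

# Step 3 (DL -> P): the resource permission goes on the domain local group only.
# Run on the file server; the share path is assumed:
#   icacls D:\Shares\Sales /grant "DOMA\DOMA-SalesShare-Modify:(OI)(CI)M"

# Verify: read the member attribute directly (Get-ADGroupMember can fail to
# resolve foreign principals) and list the FSP that DOMA created.
(Get-ADGroup -Identity $target -Properties member -Server $domA).member
Get-ADObject -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
             -SearchBase "CN=ForeignSecurityPrincipals,$($domAInfo.DistinguishedName)" `
             -Server $domA |
    Select-Object Name, DistinguishedName
```

Run it from a machine that holds the RSAT ActiveDirectory module with credentials that can create groups in both domains. The `-Server` parameter on every cmdlet is what keeps each operation on the correct side of the trust; without it the module talks to the local domain and the DOMB lookups fail with a referral error.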

Expert Comment

ID: 19779018
Gee, thanks for the B. I guess my answer wasn't complete enough?
