dspent
asked on
Forest/Domain Trusts
Is there any way to accomplish the following:
Users in Forest A-Domain 1 need access to resources in Forest B Domain 1...
There is a one way trust between these domains....
ForestB Domain 1 - Trusts ForestA Domain 1
What I wanted to be able to do was add users in Forest A Domain 1 to a global group that exists in Forest B Domain 1... However, I can't see resources in Forest A Domain 1. I can add them by creating a Domain local group in Forest B Domain 1, but I cannot then add that Domain Local Group to the Global Group.
What I have come up with is creating the Domain Local Group in Forest B Domain 1, adding members to it from Forest A Domain 1 and then adding that domain local group to the local administrator group of the 5 servers that they need access to.
Is this the only way this will work, or is there some other way?
Take into account that for legal reasons there cannot be a two-way trust established AND we can't establish a Forest Trust because ForestA is a Windows 2000 domain/Forest and Forest B is Native Windows 2003.
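The workaround the asker describes, scripted from the Forest B side as an added example (this is not code from the thread). It assumes the ActiveDirectory module on a current Windows host, an account that can read user objects in Forest A, and hypothetical domain, DC, OU, group, user and server names.

```powershell
# Added example, not from the original thread: the asker's workaround scripted for
# Forest B (the trusting side). All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$ForestBDC    = 'dcb01.forestb.example'        # DC in Forest B Domain 1 (trusting)
$ForestADC    = 'dca01.foresta.example'        # DC in Forest A Domain 1 (trusted)
$ForestACred  = Get-Credential -Message 'Forest A account that can read user objects'
$GroupName    = 'DL-AppServers-LocalAdmins'
$GroupOU      = 'OU=Groups,DC=forestb,DC=example'
$ForestAUsers = 'jdoe', 'asmith'               # sAMAccountNames in Forest A
$Servers      = 'app01', 'app02', 'app03', 'app04', 'app05'

# 1. Domain local group in Forest B. Across a one-way external trust only a domain
#    local group in the trusting domain can hold principals from the trusted domain;
#    a global group cannot, which is why the nesting the asker first tried fails.
$dl = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                  -Path $GroupOU -Server $ForestBDC -PassThru

# 2. Add the Forest A users by SID. Writing a member value as "<SID=...>" lets the
#    Forest B DC create the foreignSecurityPrincipal object itself, so nothing in
#    Forest A beyond reading the user's SID is needed.
foreach ($sam in $ForestAUsers) {
    $user = Get-ADUser -Identity $sam -Server $ForestADC -Credential $ForestACred
    Set-ADGroup -Identity $dl -Server $ForestBDC -Add @{ member = "<SID=$($user.SID.Value)>" }
}

# 3. Check the result: the members should now appear under CN=ForeignSecurityPrincipals.
(Get-ADGroup -Identity $dl -Server $ForestBDC -Properties member).member

# 4. Grant the group local Administrators on exactly the five servers, then list
#    each server's Administrators membership so the change can be reviewed.
Invoke-Command -ComputerName $Servers -ArgumentList "FORESTB\$GroupName" -ScriptBlock {
    param($Member)
    Add-LocalGroupMember -Group 'Administrators' -Member $Member
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, PrincipalSource
}
```

Step 4 uses the LocalAccounts cmdlets, which exist on Windows Server 2016 and later; on older servers the same membership change is made with `net localgroup Administrators "FORESTB\<group>" /add`.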
Errr...what Dean said. :-)
ASKER
Thanks. I figured I was on the right track; just needed someone else to say it. Since I have no access to Forest 1's environment, I'll have to do it the way I stated.
Thanks.
In a multi-forest environment, the most scalable way to assign permissions is:
Account in Domain A goes into Global Group in Domain A.
Account in Domain B goes into Global Group in Domain B.
Global Group in Domain A goes into Universal Group in Domain A.
Global Group in Domain B goes into Universal Group in Domain B.
Universal Group in Domain A goes into Domain Local Group in Domain B.
Universal Group in Domain B goes into Domain Local Group in Domain B.
Domain Local Group in Domain B receives permissions to resource in Domain B.
By nesting your groups in this manner, when you add new users to DomainA or DomainB, you only need to add them to the appropriate Global Group in their respective domains.