PeterHing (United Kingdom) asked:

Active Directory - Group Membership; 2 Domains

Hi All,

There may be a simple answer for this, or something may be wrong, but here goes...

We recently created a trust between 2 domains (A and B) and everything appears to be working fine. While looking at Security Groups in AD, I tried to add a user account from Domain B into a group managed within Domain A, but it doesn't let me: the domain isn't listed in 'Locations'. I can see the domain location in the 'Member Of' tab, just not in the members. Is this normal? Shouldn't I be able to add someone from Domain B to a group membership on Domain A?

Many Thanks,

Pete
Tags: Active Directory, Windows Server 2003

tigermatt:

In this case, the group in domain A will be configured as a Security Group with Global scope. This is a security group which is often used in single-domains - its members can only be added from the domain in which the group is located, but the group itself can be used to assign permissions to any resource in any trusted domain.

To add users from multiple domains, you need to use Security Groups with Universal scope. These allow members from any domain, and similarly they can be used to assign permissions on resources, in any domain.

-tigermatt
[tigermatt's accepted solution is not shown on this page]
PeterHing (asker):

Hi tigermatt - Sorry for the delay in getting back to you.

We have both domains running in Windows 2000 native mode. I have created a Universal Security Group on domain A, but when I try to add a global group from domain B, I cannot see Domain B in the 'Locations' window via the members tab.

Any Ideas?

*Point Increased to 300*
tigermatt:

Have you tried just setting the location to the Entire Directory, which will search both domains?
PeterHing (asker):

Only Domain A is listed - even against the 'Entire Directory'.

I have created a 'Domain Local' security group, and I can add users / groups from domain B into it - but when I change it to a 'Universal Group' I get the error - "The following Active Directory error occurred: Foreign security principals cannot be members of universal groups"

Is a Domain Local group the way forward? I did ideally want to add an 'All Domain B staff' into a group 'All Domain A staff', because all our folder share permissions are set against 'All Domain A staff'.
tigermatt:

Try changing both groups to Universal groups, and then see what happens. Technically, it shouldn't be required, but I've a slight feeling that could be a potential issue.
PeterHing (asker):

OK - With the 'Domain B All Users' group set as Universal:

Domain A Test Group as:
  • Domain Local - Works (but the group I want to add it to cannot be set to Domain Local)
  • Global - Error: "The following Active Directory error occurred: A global group cannot have a cross-domain member"
  • Universal - Error: "The following Active Directory error occurred: Foreign security principals cannot be members of Universal groups"

Am really, really at a loss now - should permissions across 2 "trusted" domains be this difficult?
tigermatt:

I've no idea what could be causing this then. I did ask Jay_Jay70 (a Zone Advisor) to take a look at this, but he hasn't popped his head around the corner yet!
PeterHing (asker):

Thanks tigermatt - I really appreciate it.

I had to implement a change this morning because we (IT) were getting a lot of pressure from above to get file-sharing enabled across the 2 domains. I will explain how it's currently working. It may be wrong, but it's working so far - though granted, it looks to be a quick and dirty solution as everywhere I've read and looking at your comments - everything should be a Universal group...

We have a security group called 'Domain A Staff'. Within that, it has all the staff as members. We then have around 20 groups that are a member of this 'top' group. To get the file-sharing to work, I had to change all the 20 groups to Domain Local. Once complete, I changed the top group 'Domain A Staff' also to Domain Local.

Within 'Domain B Staff' (member of tab) which is a Universal group, I was able to add 'Domain A\Domain A Staff' successfully.

NB. I changed 'Domain A Staff' to a Universal group first, but Domain B couldn't resolve it, so had to resort to the above.

Because 'Domain B Staff' is now a member of 'Domain A Staff', all the read-only permissions assigned to the 'Domain A Staff' file shares apply to the B Domain.

The joys of groups and permissions! Any thoughts on the above are greatly welcomed!

Pete

* Points now 400 *
tigermatt:

If that combination has got it working then I wouldn't try to change it to make it any "better". It would probably be best at this stage to leave it like that!

The reason the Domain Local groups work in this case is because of the following:

- Domain Local groups can contain other Global and Universal groups, and Domain Local groups from the same domain
- You can assign permissions using the Domain Local group to any resources in the same domain as the group

Goodness knows why the Universal groups weren't happy - I suspect it was just one of those Microsoft things which isn't documented properly.

-tigermatt
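The behaviour Pete describes follows from a rule that tigermatt's first reply (Global vs. Universal scope) and his last reply (what Domain Local groups may contain) only partly cover: when the trust is an external trust rather than a forest trust, a principal from the other domain is stored in the group's domain as a foreignSecurityPrincipal object, and Active Directory only lets foreign security principals be members of domain local groups. That is why the Domain Local arrangement worked and why "Entire Directory" (which searches the forest's global catalog) never listed Domain B. The script below is an added example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module (Get-ADGroup, Get-ADForest, Get-ADDomain) is installed, that the target group lives in the forest the script runs in, and that the caller can resolve the prospective member through the trust. Group and member names in the usage line are placeholders. The check does not look up the scope of a member that is itself a group, so it cannot catch the one Domain Local restriction (no domain local groups from another domain).

```powershell
# Added example (not from the thread): explain in advance whether AD would accept
# a proposed group membership, instead of discovering one of the errors quoted
# above in the ADUC dialog. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ADGroupMembershipAllowed {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,   # sAMAccountName or DN of the target group
        [Parameter(Mandatory)] [string] $MemberAccount    # 'DOMAIN\name' of the prospective member
    )

    # Resolve the prospective member to a SID via an LSA lookup, which works
    # across the trust, then take its domain SID (the SID minus the trailing RID).
    $memberSid = ([System.Security.Principal.NTAccount]$MemberAccount).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $memberDomainSid = $memberSid.AccountDomainSid.Value

    $group = Get-ADGroup -Identity $GroupIdentity
    $groupDomainSid = $group.SID.AccountDomainSid.Value

    # Domain SIDs of every domain in the group's forest. A member whose domain is
    # not in this list is stored as a foreignSecurityPrincipal in the group's domain.
    $forestDomainSids = foreach ($d in (Get-ADForest).Domains) {
        (Get-ADDomain -Identity $d).DomainSID.Value
    }
    $sameDomain = ($memberDomainSid -eq $groupDomainSid)
    $sameForest = ($forestDomainSids -contains $memberDomainSid)

    switch ($group.GroupScope) {
        'Global' {
            $allowed = $sameDomain
            $reason  = if ($allowed) { 'Global groups accept members from their own domain.' }
                       else { 'A global group cannot have a cross-domain member.' }
        }
        'Universal' {
            $allowed = $sameForest
            $reason  = if ($allowed) { 'Universal groups accept members from any domain in the same forest.' }
                       else { 'Member is a foreign security principal (outside the forest); only domain local groups accept those.' }
        }
        'DomainLocal' {
            $allowed = $true
            $reason  = 'Domain local groups accept users, global and universal groups from any trusted domain ' +
                       '(domain local groups only from their own domain - not checked here).'
        }
    }

    [PSCustomObject]@{
        Group      = $group.SamAccountName
        GroupScope = $group.GroupScope
        Member     = $MemberAccount
        MemberSid  = $memberSid.Value
        SameDomain = $sameDomain
        SameForest = $sameForest
        Allowed    = $allowed
        Reason     = $reason
    }
}

# Usage with placeholder names for the groups discussed in the thread:
Test-ADGroupMembershipAllowed -GroupIdentity 'Domain A Staff' -MemberAccount 'DOMAINB\Domain B Staff'
```

Running this against the three scopes Pete tried reproduces his three outcomes: Global fails the same-domain test, Universal fails the same-forest test, and Domain Local is accepted. One consequence of the working arrangement worth keeping in view: because the domain local 'Domain A Staff' group carries the share ACEs, every account that Domain B's administrators later add to 'Domain B Staff' inherits those ACEs without anyone in Domain A being involved, so the nested group's membership belongs in Domain A's periodic access reviews.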