Problems delegating OU permissions on a child domain

Posted on 2008-10-08
Last Modified: 2008-10-14
Hi there,

This one is driving me crazy. Hope someone can help me out.

I have a parent domain and a child domain. and

In the domain I have created a Global Security Group (DelegateGroup) which contains users and other Global Groups.

In the child domain, I have created a Domain Local Security group (ResourceGroup)

I've given the ResourceGroup permissions on specific OUs and objects in the domain.

I've put the DelegateGroup from the parent domain as a member of the ResourceGroup in the child domain.

Now, according to my understanding this should work. But it doesn't. At first I thought it was due to replication impatience and then due to an un-updated security token.

The only way I can give a user from the parent domain permissions on OU objects in the child domain, is if I create a Universal Group, put the user into that group and give the Universal Group permissions directly on the OU.

This of course is not the way I want things to be.

Does anyone have any idea what might be going on here? Please note that I'm checking the permissions using Effective Permissions. Could it be that it's giving me the wrong information?
Question by: Skyggna

Expert Comment

ID: 22669297
You answered your own question:
Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.

Author Comment

ID: 22669703
The best practice is said to be assigning the Domain Local Group permissions on the OU. However if I do that, the user only gets Read permissions, even though the local group he is a member of has Full Control.

The only way the user can get the actual Full Control is if he is a member of a Universal Group and the UG is given explicit permissions on the object. And I really don't want to do it like that.

The Domain Functional Level is Windows Server 2003 by the way.

Expert Comment

ID: 22669723
The best practice was probably written by someone that couldn't understand the notes... If you are going BETWEEN domains it HAS to be a member of a UG.

Accepted Solution

Skyggna earned 0 total points
ID: 22676670
The problem has been solved. Turns out I've been hammering on this due to my own laziness. As soon as I stopped checking the permissions using Effective Permissions and tried logging the user on to a domain computer, I discovered that the permissions were working just fine.

So the blame is on Effective Permissions which for some reason displays inaccurate permissions.

So I'm now using my original plan, that is Domain Local Group on the AD object, Global Group from the parent domain as a member of the Local Group. No need for any Universal Groups.
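The working layout described in the accepted solution (global group in the parent domain nested into a domain local group in the child domain, with the ACE granted to the domain local group), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module and is run as an administrator on a domain controller of the child domain, so that the AD: drive points at the child domain; the domain names, OU paths and group names are placeholders. It ends by reading the DACL back instead of relying on the Effective Permissions tab, which the author found to report inaccurate results.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# and a session on a child-domain DC. All names and paths below are placeholders.
Import-Module ActiveDirectory

$parentDomain = 'parent.example.com'                                     # placeholder
$childDomain  = 'child.parent.example.com'                               # placeholder
$parentGroupOU = 'OU=Groups,DC=parent,DC=example,DC=com'                 # placeholder
$childGroupOU  = 'OU=Groups,DC=child,DC=parent,DC=example,DC=com'        # placeholder
$targetOU      = 'OU=Workstations,DC=child,DC=parent,DC=example,DC=com'  # placeholder

# 1. Global group in the parent domain holds the delegated people.
#    (Global groups only accept members from their own domain.)
New-ADGroup -Name 'DelegateGroup' -GroupScope Global -GroupCategory Security `
    -Path $parentGroupOU -Server $parentDomain

# 2. Domain local group in the child domain is what the permission is granted to.
#    (Domain local groups can only be used on resources in their own domain,
#    but can contain global groups from any domain in the forest.)
New-ADGroup -Name 'ResourceGroup' -GroupScope DomainLocal -GroupCategory Security `
    -Path $childGroupOU -Server $childDomain

# 3. Nest the parent's global group into the child's domain local group.
$delegate = Get-ADGroup -Identity 'DelegateGroup' -Server $parentDomain
Add-ADGroupMember -Identity 'ResourceGroup' -Members $delegate -Server $childDomain

# 4. Grant Full Control (GenericAll) on the OU to the domain local group.
#    The ACE stores the group's SID and is inherited by objects under the OU.
$resource = Get-ADGroup -Identity 'ResourceGroup' -Server $childDomain
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $resource.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$targetOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# 5. Verify from the DACL itself rather than from the Effective Permissions tab:
#    list every ACE on the OU that names ResourceGroup.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference -like '*\ResourceGroup' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType

# 6. Confirm the nesting resolved across the trust.
Get-ADGroupMember -Identity 'ResourceGroup' -Server $childDomain |
    Select-Object Name, objectClass, distinguishedName
```

For the end-to-end check the author used, log a member of DelegateGroup on to a computer in the child domain and run `whoami /groups`: ResourceGroup should appear in the token, because domain local groups of the child domain are added when the child domain's DC builds the access token. If it is missing, the membership change has not replicated yet or the user's token predates the nesting and needs a fresh logon.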
