Solved

Problems delegating OU permissions on a child domain

Posted on 2008-10-08
922 Views
Last Modified: 2008-10-14
Hi there,

This one is driving me crazy. Hope someone can help me out.

I have a parent domain and a child domain. contoso.com and bubble.contoso.com

In the contoso.com domain I have created a Global Security Group (DelegateGroup) which contains users and other Global Groups.

In the child domain, bubble.contoso.com, I have created a Domain Local Security group (ResourceGroup)

I've given the ResourceGroup permissions on specific OUs and objects in the bubble.contoso.com domain.

I've put the DelegateGroup from the parent domain as a member of the ResourceGroup in the child domain.

Now, according to my understanding this should work. But it doesn't. At first I thought it was due to replication impatience and then due to an un-updated security token.

The only way I can give a user from the parent domain permissions on OU objects in the child domain, is if I create a Universal Group, put the user into that group and give the Universal Group permissions directly on the OU.

This of course is not the way I want things to be.

Does anyone have any idea what might be going on here? Please note that I'm checking the permissions using Effective Permissions. Could it be that it's giving me the wrong information?
Question by:Skyggna
4 Comments
 
LVL 4

Expert Comment

by:lscapa
ID: 22669297
You answered your own question:
Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.

Author Comment

by:Skyggna
ID: 22669703
The best practice is said to be assigning the Domain Local Group permissions on the OU. However if I do that, the user only gets Read permissions, even though the local group he is a member of has Full Control.

The only way the user can get the actual Full Control is if he is a member of a Universal Group and the UG is given explicit permissions on the object. And I really don't want to do it like that.

The Domain Functional Level is Windows Server 2003 by the way.
LVL 4

Expert Comment

by:lscapa
ID: 22669723
The best practice was prob written by someone that couldn't understand the notes... If you are going BETWEEN domains it HAS to be a member of a UG.

Accepted Solution

by:Skyggna earned 0 total points
ID: 22676670
The problem has been solved. Turns out I've been hammering on this due to my own laziness. As soon as I stopped checking the permissions using Effective Permissions and tried logging the user on a domain computer, I discovered that the permissions were working just fine.

So the blame is on Effective Permissions which for some reason displays inaccurate permissions.

So I'm now using my original plan, that is Domain Local Group on the AD object, Global Group from the parent domain as a member of the Local Group. No need for any Universal Groups.
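A way to cross-check the accepted answer's finding without logging the user on: the PowerShell below is an added example, not code from the thread. It assumes the ActiveDirectory module and the domain, user and OU names shown. It resolves the token a contoso.com user would carry when touching an object in bubble.contoso.com (global and universal groups from a parent DC, domain local groups from a child DC) and lists the ACEs on the OU that apply to that token, which is the view the Effective Permissions tab was missing.

```powershell
# Added example (not from the thread). Domain, user and OU names are assumptions.
Import-Module ActiveDirectory

$parentDomain = 'contoso.com'                               # assumed forest root domain
$childDomain  = 'bubble.contoso.com'                         # assumed child domain
$userSam      = 'jdoe'                                       # assumed user account in contoso.com
$ouDN         = 'OU=Servers,DC=bubble,DC=contoso,DC=com'     # assumed delegated OU in the child

# 1. Global and universal groups travel with the user into any domain. A parent DC
#    expands the nesting for us via the constructed attribute tokenGroupsGlobalAndUniversal.
$user = Get-ADUser -Identity $userSam -Server $parentDomain -Properties tokenGroupsGlobalAndUniversal
$forestSids = @($user.SID) + @($user.tokenGroupsGlobalAndUniversal)

# 2. Domain local groups are added only by a DC of the domain that owns them (here the
#    child), so ask a child DC which of its domain local groups contain any of those
#    principals, transitively. A parent-side view never performs this step, which is why
#    a check evaluated against the wrong domain can understate the user's access.
$memberDns = foreach ($sid in $forestSids) {
    # Resolve each SID to a DN through the global catalog (port 3268); skip unresolvable ones.
    try { (Get-ADObject -LDAPFilter "(objectSid=$sid)" -Server "${parentDomain}:3268").DistinguishedName } catch { }
}
$clauses = ($memberDns | Where-Object { $_ } | ForEach-Object { "(member:1.2.840.113556.1.4.1941:=$_)" }) -join ''
# groupType bit 0x4 = domain local; 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND,
# 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
$dlGroups  = Get-ADGroup -LDAPFilter "(&(groupType:1.2.840.113556.1.4.803:=4)(|$clauses))" -Server $childDomain
$tokenSids = @($forestSids | ForEach-Object { "$_" }) + @($dlGroups | ForEach-Object { "$($_.SID)" })

# 3. Read the OU's DACL from a child DC and keep only the ACEs whose trustee is in that token.
New-PSDrive -Name CHILD -PSProvider ActiveDirectory -Server $childDomain -Root '' | Out-Null
$acl = Get-Acl -Path "CHILD:\$ouDN"
$acl.Access | Where-Object {
    $sid = $null
    try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
    $tokenSids -contains $sid
} | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType, ObjectType |
  Format-Table -AutoSize
```

If the listing shows the ResourceGroup ACE with GenericAll for the parent-domain user, the AGDLP chain is intact and the Effective Permissions tab, not the delegation, is what disagreed.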
