Solved

Problems delegating OU permissions on a child domain

Posted on 2008-10-08
914 Views
Last Modified: 2008-10-14
Hi there,

This one is driving me crazy. Hope someone can help me out.

I have a parent domain and a child domain: contoso.com and bubble.contoso.com.

In the contoso.com domain I have created a Global Security Group (DelegateGroup) which contains users and other Global Groups.

In the child domain, bubble.contoso.com, I have created a Domain Local Security group (ResourceGroup)

I've given the ResourceGroup permissions on specific OUs and objects in the bubble.contoso.com domain.

I've put the DelegateGroup from the parent domain as a member of the ResourceGroup in the child domain.

Now, according to my understanding this should work. But it doesn't. At first I thought it was due to replication impatience, and then due to an un-updated security token.

The only way I can give a user from the parent domain permissions on OU objects in the child domain, is if I create a Universal Group, put the user into that group and give the Universal Group permissions directly on the OU.

This of course is not the way I want things to be.

Does anyone have any idea what might be going on here? Please note that I'm checking the permissions using Effective Permissions. Could it be that it's giving me the wrong information?
Question by: Skyggna
4 Comments
Expert Comment by: lscapa
You answered your own question:
Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.
Author Comment by: Skyggna
The best practice is said to be to assign the Domain Local Group permissions on the OU. However, if I do that, the user only gets Read permissions, even though the local group he is a member of has Full Control.

The only way the user can get the actual Full Control is if he is a member of a Universal Group and the UG is given explicit permissions on the object. And I really don't want to do it like that.

The Domain Functional Level is Windows Server 2003 by the way.
Expert Comment by: lscapa
The best practice was probably written by someone who couldn't understand the notes... If you are going BETWEEN domains it HAS to be a member of a UG.
Accepted Solution by: Skyggna (earned 0 total points)
The problem has been solved. Turns out I've been hammering on this due to my own laziness. As soon as I stopped checking the permissions using Effective Permissions and tried logging the user on to a domain computer, I discovered that the permissions were working just fine.

So the blame is on Effective Permissions which for some reason displays inaccurate permissions.

So I'm now using my original plan, that is Domain Local Group on the AD object, Global Group from the parent domain as a member of the Local Group. No need for any Universal Groups.
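The A-G-DL-P chain the thread settles on (parent-domain Global group, nested in a child-domain Domain Local group, which alone gets the ACE on the child-domain OU), written out as an added example that is not code from the thread. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, so not the 2008-era tooling the poster had), rights to create groups in both domains and to edit the OU's ACL, and the DC names, OU path and user name below, which are made up. The checks at the end read the directory itself instead of the Effective Permissions tab, which is the part the thread found untrustworthy.

```powershell
# Added example (not from the thread). Builds parent Global group -> child
# Domain Local group -> Full Control ACE on a child-domain OU, then verifies
# the result from the directory. Names marked "assumed" are made up.
Import-Module ActiveDirectory

$parentDc = 'dc01.contoso.com'                         # assumed parent-domain DC
$childDc  = 'dc01.bubble.contoso.com'                  # assumed child-domain DC
$targetOu = 'OU=Managed,DC=bubble,DC=contoso,DC=com'    # assumed OU to delegate
$user     = 'jdoe'                                     # assumed account in contoso.com

# A -> G: the account goes into a Global group in its own (parent) domain.
New-ADGroup -Name 'DelegateGroup' -GroupScope Global -GroupCategory Security -Server $parentDc
Add-ADGroupMember -Identity 'DelegateGroup' -Members $user -Server $parentDc

# G -> DL: the child (resource) domain gets a Domain Local group that holds the
# parent-domain Global group. Fetch the member from its own domain so the cmdlet
# has its DN; inside one forest the child DC stores that DN directly in 'member'.
New-ADGroup -Name 'ResourceGroup' -GroupScope DomainLocal -GroupCategory Security -Server $childDc
$delegate = Get-ADGroup -Identity 'DelegateGroup' -Server $parentDc
Add-ADGroupMember -Identity 'ResourceGroup' -Members $delegate -Server $childDc

# DL -> P: only the Domain Local group appears in the OU's ACL.
# The module's default AD: drive targets the local domain, so mount a drive
# against the child DC to edit an object there.
New-PSDrive -Name BubbleAD -PSProvider ActiveDirectory -Root '' -Server $childDc | Out-Null

$resource = Get-ADGroup -Identity 'ResourceGroup' -Server $childDc
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $resource.SID,                                                     # SecurityIdentifier of ResourceGroup
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,      # what the GUI calls Full Control
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All # this OU and every object under it
)

$acl = Get-Acl -Path "BubbleAD:\$targetOu"
$acl.AddAccessRule($fullControl)
Set-Acl -Path "BubbleAD:\$targetOu" -AclObject $acl

# Checks that do not rely on the Effective Permissions tab:
# 1. the child DC holds the parent-domain group's DN in ResourceGroup's member attribute ...
(Get-ADGroup -Identity 'ResourceGroup' -Properties member -Server $childDc).member

# 2. ... and the OU's ACL carries an Allow / GenericAll ACE for ResourceGroup.
(Get-Acl -Path "BubbleAD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -like '*\ResourceGroup' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

The first check should list a DN under DC=contoso,DC=com, which is what cross-domain nesting inside a forest looks like; the second should show one Allow entry with ActiveDirectoryRights of GenericAll and InheritanceType of All. To confirm the user's actual token rather than the directory, do what the poster did: log the user on to a computer joined to bubble.contoso.com and run `whoami /groups`, since a domain's Domain Local groups are added to the token by that domain's DC, so the entry for BUBBLE\ResourceGroup only appears when the logon or the resource access is handled by a DC of the child domain.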
