Problems delegating OU permissions on a child domain

Hi there,

This one is driving me crazy. Hope someone can help me out.

I have a parent domain and a child domain. contoso.com and bubble.contoso.com

In the contoso.com domain I have created a Global Security Group (DelegateGroup) which contains users and other Global Groups.

In the child domain, bubble.contoso.com, I have created a Domain Local Security group (ResourceGroup)

I've given the ResourceGroup permissions on specific OUs and objects in the bubble.contoso.com domain.

I've put the DelegateGroup from the parent domain as a member of the ResourceGroup in the child domain.

Now, according to my understanding this should work. But it doesn't. At first I thought it was due to replication impatience and then due to an un-updated security token.

The only way I can give a user from the parent domain permissions on OU objects in the child domain, is if I create a Universal Group, put the user into that group and give the Universal Group permissions directly on the OU.

This of course is not the way I want things to be.

Does anyone have any idea what might be going on here? Please note that I'm checking the permissions using Effective Permissions. Could it be that it's giving me the wrong information?
Asked by Skyggna

Skyggna (Author) commented:
The problem has been solved. Turns out I've been hammering on this due to my own laziness. As soon as I stopped checking the permissions using Effective Permissions and tried logging the user on a domain computer, I discovered that the permissions were working just fine.

So the blame is on Effective Permissions which for some reason displays inaccurate permissions.

So I'm now using my original plan, that is Domain Local Group on the AD object, Global Group from the parent domain as a member of the Local Group. No need for any Universal Groups.
lscapa commented:
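The layout the author settled on (domain local group in the child domain holding the rights, global group from the parent domain nested inside it), as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module and the AD DS tools (for dsacls) are installed, that the child domain's NetBIOS name is BUBBLE, and that the delegated OU is "OU=Delegated,DC=bubble,DC=contoso,DC=com"; those names are assumptions, not values from the thread. The last step checks the result the way the author eventually did, from the user's logon token rather than the Effective Permissions tab.

```powershell
# Added example (not from the thread): build the domain-local / global-group layout
# described above and verify it from the child domain.
# Assumed names: parent contoso.com, child bubble.contoso.com (NetBIOS BUBBLE),
# target OU "OU=Delegated,DC=bubble,DC=contoso,DC=com", groups DelegateGroup / ResourceGroup.
Import-Module ActiveDirectory

$parent = 'contoso.com'
$child  = 'bubble.contoso.com'
$ou     = 'OU=Delegated,DC=bubble,DC=contoso,DC=com'   # assumed target OU

# 1. Global security group in the parent domain (its members must come from contoso.com).
$delegate = Get-ADGroup -Identity 'DelegateGroup' -Server $parent -ErrorAction SilentlyContinue
if (-not $delegate) {
    $delegate = New-ADGroup -Name 'DelegateGroup' -GroupScope Global -GroupCategory Security `
                            -Server $parent -PassThru
}

# 2. Domain local security group in the child domain (rights can be granted only in bubble.contoso.com).
$resource = Get-ADGroup -Identity 'ResourceGroup' -Server $child -ErrorAction SilentlyContinue
if (-not $resource) {
    $resource = New-ADGroup -Name 'ResourceGroup' -GroupScope DomainLocal -GroupCategory Security `
                            -Server $child -PassThru
}

# 3. Nest the parent-domain global group into the child-domain domain local group.
#    Cross-domain nesting: pass the resolved object from the parent domain (not a bare name)
#    and target a DC of the child domain, which stores the member as a foreign SID.
Add-ADGroupMember -Identity $resource -Members $delegate -Server $child

# 4. Delegate on the OU: grant the domain local group rights on the OU and everything beneath it.
#    "GA" = generic all; "/I:T" = this object and all child objects.
#    Generic all over a subtree is broad; scope it down to the specific rights the delegate needs.
dsacls $ou /G "BUBBLE\ResourceGroup:GA" /I:T

# 5. Verification that does not depend on the Effective Permissions tab:
#    a) the cross-domain nesting is visible from the child domain,
Get-ADGroupMember -Identity $resource -Server $child | Select-Object Name, objectClass, SID

#    b) the ACE is actually present on the OU (AD: drive comes with the ActiveDirectory module),
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*ResourceGroup' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

#    c) in a session logged on to a bubble.contoso.com computer as a member of DelegateGroup,
#       the child domain's domain local group shows up in the token. Domain local groups are
#       added by the resource domain's DC when the user authenticates there, so this check must
#       run as that user in the child domain, not from the admin's workstation.
whoami /groups | Select-String 'ResourceGroup'
```

The Effective Permissions tab expands group membership from the viewpoint of the machine and account running the tool; it is known to miss domain local groups that a different domain's DC would add to the user's token at logon, which is why it can report only Read while a live logon in the child domain gets the full rights. A logon test as the affected user, or `whoami /groups` in that session, is the authoritative check.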
You answered your own question:
Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.
Skyggna (Author) commented:
The best practice is said to assign the Domain Local Group permissions to the OU. However if I do that, the user only gets Read permissions, even though the local group he is a member of has Full Control.

The only way the user can get the actual Full Control is if he is a member of a Universal Group and the UG is given explicit permissions on the object. And I really don't want to do it like that.

The Domain Functional Level is Windows Server 2003 by the way.
lscapa commented:
The best practice was prob written by someone that couldn't understand the notes... If you are going BETWEEN domains it HAS to be a member of a UG.
Question has a verified solution.