Problems delegating OU permissions on a child domain

Posted on 2008-10-08
Medium Priority
Last Modified: 2008-10-14
Hi there,

This one is driving me crazy. Hope someone can help me out.

I have a parent domain and a child domain. contoso.com and bubble.contoso.com

In the contoso.com domain I have created a Global Security Group (DelegateGroup) which contains users and other Global Groups.

In the child domain, bubble.contoso.com, I have created a Domain Local Security group (ResourceGroup).

I've given the ResourceGroup permissions on specific OUs and objects in the bubble.contoso.com domain.

I've put the DelegateGroup from the parent domain as a member of the ResourceGroup in the child domain.

Now, according to my understanding this should work. But it doesn't. At first I thought it was due to replication impatience and then due to an un-updated security token.

The only way I can give a user from the parent domain permissions on OU objects in the child domain, is if I create a Universal Group, put the user into that group and give the Universal Group permissions directly on the OU.

This of course is not the way I want things to be.

Does anyone have any idea what might be going on here? Please note that I'm checking the permissions using Effective Permissions. Could it be that it's giving me the wrong information?
Question by: Skyggna
Expert Comment

ID: 22669297
You answered your own question:
Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.

Author Comment

ID: 22669703
The best practice is said to be to assign the Domain Local Group permissions to the OU. However, if I do that, the user only gets Read permissions, even though the local group he is a member of has Full Control.

The only way the user can get the actual Full Control is if he is a member of a Universal Group and the UG is given explicit permissions on the object. And I really don't want to do it like that.

The Domain Functional Level is Windows Server 2003 by the way.

Expert Comment

ID: 22669723
The best practice was prob written by someone that couldn't understand the notes... If you are going BETWEEN domains it HAS to be a member of a UG.

Accepted Solution

Skyggna earned 0 total points
ID: 22676670
The problem has been solved. Turns out I've been hammering on this due to my own laziness. As soon as I stopped checking the permissions using Effective Permissions and tried logging the user on to a domain computer, I discovered that the permissions were working just fine.

So the blame is on Effective Permissions which for some reason displays inaccurate permissions.

So I'm now using my original plan, that is Domain Local Group on the AD object, Global Group from the parent domain as a member of the Local Group. No need for any Universal Groups.
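Added example (not from the original thread): a PowerShell check that verifies the AGDLP chain the accepted solution settles on, without relying on the Effective Permissions tab. It walks the ResourceGroup's nesting across the domain boundary by reading the member attribute directly (Get-ADGroupMember -Recursive is unreliable across domains) and then lists the ACEs on the delegated OU that name the domain-local group. The OU distinguished name and the PSDrive name are assumptions.

```powershell
Import-Module ActiveDirectory

# Names from the thread; the OU path is an assumed placeholder, adjust to your own.
$ChildDomain   = 'bubble.contoso.com'
$OuDn          = 'OU=Delegated,DC=bubble,DC=contoso,DC=com'
$ResourceGroup = 'ResourceGroup'

# Turn a DN's DC= components into a DNS domain so each object is queried in its own domain.
function Get-DomainFromDn {
    param([string]$Dn)
    ($Dn -split ',' | Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

# Walk nesting manually: in-forest cross-domain members are stored as plain DNs in 'member'.
function Get-NestedMembers {
    param([string]$GroupDn, [hashtable]$Seen = @{})
    $group = Get-ADGroup -Identity $GroupDn -Server (Get-DomainFromDn $GroupDn) -Properties member
    foreach ($memberDn in $group.member) {
        if ($Seen.ContainsKey($memberDn)) { continue }   # guard against circular nesting
        $Seen[$memberDn] = $true
        $memberDomain = Get-DomainFromDn $memberDn
        $obj = Get-ADObject -Identity $memberDn -Server $memberDomain
        if ($obj.ObjectClass -eq 'group') {
            Get-NestedMembers -GroupDn $memberDn -Seen $Seen
        } else {
            [pscustomobject]@{ Member = $obj.Name; Domain = $memberDomain; Via = $group.Name }
        }
    }
}

# 1. Who actually reaches ResourceGroup through nesting (e.g. DelegateGroup members from contoso.com)?
$rg = Get-ADGroup -Identity $ResourceGroup -Server $ChildDomain
"Principals reaching $ResourceGroup through nesting:"
Get-NestedMembers -GroupDn $rg.DistinguishedName | Format-Table -AutoSize

# 2. What does the OU's DACL grant to the domain-local group? Bind an AD: drive to the child domain.
New-PSDrive -Name BUB -PSProvider ActiveDirectory -Root '' -Server $ChildDomain | Out-Null
$acl = Get-Acl -Path "BUB:\$OuDn"
"ACEs on $OuDn naming $ResourceGroup:"
$acl.Access | Where-Object { $_.IdentityReference -like "*\$ResourceGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, IsInherited | Format-Table -AutoSize

# 3. The authoritative check is the token the child-domain DC builds at logon:
#    run 'whoami /groups' as the delegated user on a domain-joined machine and
#    confirm BUBBLE\ResourceGroup appears in the list.
```

If step 1 shows the parent-domain users and step 2 shows the expected rights but the group is missing from `whoami /groups`, the user's token is stale and a fresh logon is needed before the ACEs apply.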
