fedsig
Adding user from a trusted domain to a security group?
Gang,
Thanks for checking out my post. I have a question that I'm too lazy to look up, so I hope my EE friends can help me out. I have:
* Active Directory 2k3 - Running 2000 Native Mode
* All Win2k3 DCs (Win2k3 w/SP2).
* An external transitive trust with another Win2k3 domain (I believe it's running 2k3 native).
To set up the scenario:
* My domain is called MINE.local
* Their domain is called THEIRS.local
I manage MINE.local, but would like to share resources in MINE.local with users in the THEIRS.local domain. The trust is cool, but I need a bit of advice on how to add users to groups.
I tested the 3 types of groups (Domain Global, Domain Universal, and Domain Local). If I attempt to add users to the Domain Local group, I can see THEIRS.local. If I attempt to add the users to Domain Global and Domain Universal groups, I can only see internal trusts (my prod. domain is in an empty forest root). My questions are:
* Why is that?
* If I convert either the Domain Global and/or Domain Universal groups, what are the caveats, and what should I look for?
Thanks
-fedsig
ASKER
Sweet! Now, do you know of any caveats on switching back and forth?
From what I read, domain local groups aren't to be used to assign permissions to objects within Active Directory, but work for external objects (computers, printers, etc.). The group I'm considering converting to a Domain Local group (from a Universal Group) is used only for folder-level permissions to a specific folder.
It makes sense that I can't add foreign users to a Universal group b/c my forest shares a GC, and external trusts do not share GCs. Universal Groups look like they're stored in the GC, but not DL groups.
Regards,
fedsig
I would not switch the groups back; you should design the groups on each end so there is no need to switch the group scopes. Mike Kline, who is on EE, has a good blog post about the setup of groups.
http://adisfun.blogspot.com/2009/04/ugly-aglp-what-are-they.html
ASKER
Thanks
* Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add user accounts, universal and global groups from any domain as members. Just to remember, nesting cannot be done in a domain local group. A domain local group will not be a member of another Domain Local or any other group in the same domain.
* Global Group: Users with similar functions can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in Global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
* Universal Group Scope: these groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.
http://www.tech-faq.com/active-directory-groups.html
http://technet.microsoft.com/en-us/library/bb727067.aspx
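As an added example (not code from the thread or its linked references), the PowerShell below walks the scenario above end to end: it checks the group's scope, converts it to Domain Local if needed, adds a user from the trusted THEIRS.local domain, and then audits the foreign security principals the group holds. It assumes the RSAT ActiveDirectory module, that the external trust is already in place, and placeholder names for the group and user.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# and an existing external trust between MINE.local and THEIRS.local.
Import-Module ActiveDirectory

$group       = 'Finance-Share-RW'   # placeholder: a group in MINE.local
$trustedDom  = 'THEIRS.local'       # trusted domain from the thread
$foreignUser = 'jsmith'             # placeholder: sAMAccountName in THEIRS.local

# 1. Only a Domain Local group accepts principals from an external trust;
#    Global and Universal are forest-bound (Universal is held in the GC).
$g = Get-ADGroup -Identity $group -Properties GroupScope, Members
if ($g.GroupScope -ne 'DomainLocal') {
    # Global -> DomainLocal is not a direct conversion: go through Universal
    # (which fails if the group is still nested inside another Global group).
    # Universal -> DomainLocal is always permitted.
    if ($g.GroupScope -eq 'Global') {
        Set-ADGroup -Identity $group -GroupScope Universal
    }
    Set-ADGroup -Identity $group -GroupScope DomainLocal
}

# 2. Resolve the user in the trusted domain and add it. MINE.local records the
#    foreign SID as a foreignSecurityPrincipal under CN=ForeignSecurityPrincipals.
$u = Get-ADUser -Identity $foreignUser -Server $trustedDom
Add-ADGroupMember -Identity $group -Members $u

# 3. Audit: list every foreign principal in the group and resolve its SID to a
#    name, so an orphaned SID (account deleted in THEIRS.local) is visible rather
#    than silently retaining access to the folder.
$g = Get-ADGroup -Identity $group -Properties Members
$g.Members |
  ForEach-Object { Get-ADObject -Identity $_ -Properties objectSid } |
  Where-Object { $_.ObjectClass -eq 'foreignSecurityPrincipal' } |
  ForEach-Object {
      $sid = New-Object System.Security.Principal.SecurityIdentifier($_.objectSid)
      try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
      catch { $name = '<unresolved: orphaned or unreachable trusted domain>' }
      [pscustomobject]@{ Group = $group; SID = $sid.Value; Account = $name }
  }
```

Run step 3 on its own periodically; an unresolved entry is the usual sign of a stale foreign SID that should be removed from the group.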