Solved

Adding user from a trusted domain to a security group?

Posted on 2010-11-09
Last Modified: 2012-05-10
Gang,

Thanks for checking out my post. I have a question that I'm too lazy to look up, so I hope my EE friends can help me out. I have:

* Active Directory 2k3 - Running 2000 Native Mode
* All Win2k3 DCs (Win2k3 w/SP2).  
* An external transitive trust with another Win2k3 domain (I believe it's running 2k3 native).

To set up the scenario:

* My domain is called MINE.local
* Their domain is called THEIRS.local

I manage MINE.local, but would like to share resources in MINE.local with users in the THEIRS.local domain. The trust is cool, but I need a bit of advice on how to add users to groups.

I tested the 3 types of groups (Domain Global, Domain Universal, and Domain Local). If I attempt to add users to the Domain Local group, I can see THEIRS.local. If I attempt to add the users to Domain Global and Domain Universal groups, I can only see internal trusts (my prod. domain is in an empty forest root). My questions are:

* Why is that?
* If I convert either the Domain Global and/or Domain Universal groups, what are the caveats, and what should I look for?

Thanks

-fedsig

     
Question by:fedsig
 
Expert Comment by: KenMcF (LVL 27)
ID: 34098281
Take a look at these links, they explain the different types of groups in AD:

• Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add members such as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in a domain local group. A domain local group will not be a member of another Domain Local or any other group in the same domain.
• Global Group: Users with a similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
• Universal Group Scope: these groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.

http://www.tech-faq.com/active-directory-groups.html
http://technet.microsoft.com/en-us/library/bb727067.aspx
Accepted Solution by: KenMcF (LVL 27), earned 500 total points
ID: 34098307

Author Comment by: fedsig
ID: 34098473
Sweet! Now, do you know of any caveats on switching back and forth?

From what I read, domain local groups aren't to be used to assign permissions to objects within Active Directory, but work for external objects (computers, printers, etc.). The group I'm considering converting to a Domain Local group (from a Universal Group) is used only for folder-level permissions to a specific folder.

It makes sense that I can't add foreign users to a Universal group b/c my forest shares a GC, and external trusts do not share GCs. Universal Groups look like they're stored in the GC, but not DL groups.

Regards,

fedsig
Expert Comment by: KenMcF (LVL 27)
ID: 34098534
I would not switch the groups back; you should design the groups on each end so there will be no need to switch the group scopes. Mike Kline, who is on EE, has a good blog post about the setup of groups.

http://adisfun.blogspot.com/2009/04/ugly-aglp-what-are-they.html
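The scope rules quoted in KenMcF's first comment, fedsig's observation that only the domain local group shows THEIRS.local, and the A-G-DL-P layering behind the blog post linked above can all be checked against a small model. The following is an added example written for this page; it is not code from the thread, from Microsoft, or from the linked blog. The forest names, the group names `THEIRS-Folder-Users` and `MINE-Folder-Modify`, and the user accounts are constructed; the domain names and the external trust come from the question. The model applies native-mode rules, so it also lets a domain local group nest another domain local group from its own domain, which the quoted tech-faq text does not mention.

```python
"""Model of which Active Directory group scopes accept a given member.

Added example for this thread; not code from the poster, Microsoft, or the
linked blog. It encodes the scope rules discussed in the thread so the
observations can be reproduced: a domain local group in MINE.local accepts
a user from the externally trusted THEIRS.local, while global and universal
groups do not.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed topology: two separate forests joined by an external trust.
# Forest labels are hypothetical; the domain names come from the thread.
FOREST_OF = {"MINE.local": "forest-A", "THEIRS.local": "forest-B"}
EXTERNAL_TRUSTS = {("MINE.local", "THEIRS.local"), ("THEIRS.local", "MINE.local")}

ACCOUNT_KINDS = {"user", "computer"}
GROUP_SCOPES = {"global", "universal", "domainlocal"}


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # one of ACCOUNT_KINDS or GROUP_SCOPES


def same_forest(a: str, b: str) -> bool:
    return FOREST_OF[a] == FOREST_OF[b]


def trusts(resource_domain: str, account_domain: str) -> bool:
    """True when resource_domain accepts principals from account_domain."""
    return (resource_domain == account_domain
            or same_forest(resource_domain, account_domain)
            or (resource_domain, account_domain) in EXTERNAL_TRUSTS)


def can_add_member(group: Principal, member: Principal) -> tuple[bool, str]:
    """Return (allowed, reason) for adding member to group under native-mode rules."""
    if group.kind not in GROUP_SCOPES:
        return False, f"{group.name} is not a group"
    if not trusts(group.domain, member.domain):
        return False, f"{group.domain} does not trust {member.domain}"

    if group.kind == "global":
        # Global membership is replicated only inside the group's own domain.
        if member.domain != group.domain:
            return False, "global group: members must come from its own domain"
        if member.kind not in ACCOUNT_KINDS | {"global"}:
            return False, "global group: only accounts and global groups of its own domain"
        return True, "ok"

    if group.kind == "universal":
        # Universal membership lives in the global catalog, which an external
        # trust does not share, so only same-forest principals qualify.
        if not same_forest(group.domain, member.domain):
            return False, "universal group: member must be in the same forest (GC-replicated membership)"
        if member.kind == "domainlocal":
            return False, "universal group: cannot contain domain local groups"
        return True, "ok"

    # domainlocal: accounts, global and universal groups from any trusted
    # domain (external trusts included); other domain local groups only
    # from the same domain.
    if member.kind == "domainlocal" and member.domain != group.domain:
        return False, "domain local group: nests domain local groups only from its own domain"
    return True, "ok"


def scopes_accepting(member: Principal, resource_domain: str) -> list[str]:
    """Which scopes of a group created in resource_domain could hold this member."""
    return [s for s in ("global", "universal", "domainlocal")
            if can_add_member(Principal(f"g-{s}", resource_domain, s), member)[0]]


def agdlp_chain(account: Principal, resource_domain: str) -> list[tuple[bool, str]]:
    """Check the A-G-DL-P layering: account -> global group in its own domain
    -> domain local group in the resource domain, which carries the folder ACL.
    Group names are constructed for the example."""
    g = Principal("THEIRS-Folder-Users", account.domain, "global")
    dl = Principal("MINE-Folder-Modify", resource_domain, "domainlocal")
    return [can_add_member(g, account), can_add_member(dl, g)]


if __name__ == "__main__":
    foreign = Principal("alice", "THEIRS.local", "user")
    print(scopes_accepting(foreign, "MINE.local"))   # ['domainlocal']
    print(agdlp_chain(foreign, "MINE.local"))         # both steps allowed
```

Running it reproduces the poster's result (`scopes_accepting` returns only `domainlocal` for a THEIRS.local user) and shows why the advice is to leave the scopes alone: with the account placed in a global group on the THEIRS.local side and that global group nested into a domain local group on the MINE.local side, every step of the chain is allowed and the folder ACL only ever references the domain local group.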

Author Closing Comment by: fedsig
ID: 34098720
Thanks