Solved

Adding user from a trusted domain to a security group?

Posted on 2010-11-09
6,141 Views
Last Modified: 2012-05-10
Gang,

Thanks for checking out my post.  I have a question that I'm too lazy to look up, so I hope my EE friends can help me out.  I have:

* Active Directory 2k3 - Running 2000 Native Mode
* All Win2k3 DCs (Win2k3 w/SP2).  
* An external transitive trust with another Win2k3 domain (I believe it's running 2k3 native).

To set up the scenario:

* My domain is called MINE.local
* Their domain is called THEIRS.local

I manage MINE.local, but would like to share resources in MINE.local with users in the THEIRS.local domain.  The trust is cool, but I need a bit of advice on how to add users to groups.

I tested the 3 types of groups (Domain Global, Domain Universal, and Domain Local).  If I attempt to add users to the Domain Local group, I can see THEIRS.local.  If I attempt to add the users to Domain Global and Domain Universal groups, I can only see internal trusts (my prod. domain is in an empty forest root).  My questions are:

* Why is that?
* If I convert either the Domain Global and/or Domain Universal groups, what are the caveats, and what should I look for?

Thanks

-fedsig

Question by: fedsig
5 Comments
 
LVL 27

Expert Comment

by: KenMcF
ID: 34098281
Take a look at these links, they explain the different types of groups in AD:

• Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add members such as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in a domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain.
• Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in Global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
• Universal Group Scope: these groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.


http://www.tech-faq.com/active-directory-groups.html
http://technet.microsoft.com/en-us/library/bb727067.aspx
 
LVL 27

Accepted Solution

by: KenMcF earned 2000 total points
ID: 34098307
 

Author Comment

by: fedsig
ID: 34098473
Sweet!  Now, do you know of any caveats on switching back and forth?

From what I read, domain local groups aren't to be used to assign permissions to objects within Active Directory, but work for external objects (computers, printers, etc.).  The group I'm considering converting to a Domain Local group (from a Universal Group) is used only for folder-level permissions to a specific folder.

It makes sense that I can't add foreign users to a Universal group b/c my forest shares a GC, and external trusts do not share GCs.  Universal Groups look like they're stored in the GC, but not DL groups.

Regards,

fedsig
 
LVL 27

Expert Comment

by: KenMcF
ID: 34098534
I would not switch the groups back; you should design the groups on each end so there will be no need to switch the group scopes. Mike Kline, who is on EE, has a good blog post about the setup of groups.


http://adisfun.blogspot.com/2009/04/ugly-aglp-what-are-they.html
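The scope rules KenMcF quoted, and the "design the groups so you never need to change scope" advice, can be written down as a small rule checker. The following is an added example, not code from the thread or from Microsoft; the domain names, the hypothetical child domain child.mine.local, the trust table and the group names are all constructed to mirror the question (MINE.local as an empty forest root with an external, non-transitive trust to THEIRS.local in a separate forest). It goes slightly beyond the thread by also encoding Microsoft's documented scope-conversion restrictions, which is the caveat the asker wanted and the thread never spelled out.

```python
"""Rule checker for Active Directory group-scope membership and conversion.

Added example (not from the original thread). Domains, forests and trusts
are constructed: MINE.local is an empty forest root with a hypothetical
child domain, plus an external trust to THEIRS.local in another forest.
"""
from dataclasses import dataclass

USER, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "user", "DomainLocal", "Global", "Universal"

# domain -> forest it belongs to (constructed)
FORESTS = {
    "mine.local": "mine.local",
    "child.mine.local": "mine.local",   # hypothetical child domain of MINE.local
    "theirs.local": "theirs.local",
}
# External trusts are non-transitive: unordered domain pairs only (constructed)
EXTERNAL_TRUSTS = {frozenset({"mine.local", "theirs.local"})}


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # DNS name of the domain the object lives in
    kind: str     # USER or one of the three group scopes


def same_forest(a: str, b: str) -> bool:
    return FORESTS[a] == FORESTS[b]


def trusted(a: str, b: str) -> bool:
    """Intra-forest trusts are transitive; external trusts are pairwise only."""
    return same_forest(a, b) or frozenset({a, b}) in EXTERNAL_TRUSTS


def can_be_member(member: Principal, group: Principal):
    """Return (allowed, reason) for adding `member` to `group`.

    Domain local groups take accounts and global groups from any trusted
    domain; global groups only take members from their own domain; universal
    groups only take members from the same forest, because their membership
    is published in the global catalog, which an external trust does not share.
    """
    if group.kind == USER:
        raise ValueError(f"{group.name} is not a group")
    if not trusted(member.domain, group.domain):
        return False, "no trust path between the two domains"
    same_domain = member.domain == group.domain
    in_forest = same_forest(member.domain, group.domain)

    if group.kind == DOMAIN_LOCAL:
        if member.kind in (USER, GLOBAL):
            return True, "accounts and global groups from any trusted domain"
        if member.kind == UNIVERSAL:
            return in_forest, "universal groups only from the same forest"
        return same_domain, "other domain local groups only from the same domain"

    if group.kind == GLOBAL:
        if member.kind in (USER, GLOBAL):
            return same_domain, "accounts and global groups only from the group's own domain"
        return False, "universal and domain local groups cannot be members of a global group"

    # UNIVERSAL
    if member.kind in (USER, GLOBAL, UNIVERSAL):
        return in_forest, "members must come from the same forest (universal groups live in the GC)"
    return False, "domain local groups cannot be members of a universal group"


def validate_agdlp(accounts, global_group: Principal, domain_local_group: Principal):
    """Check an AGDLP chain: accounts -> global group -> domain local group.

    Returns the list of violations; an empty list means the design works across
    the trust as-is, with no scope changes needed.
    """
    problems = []
    for acct in accounts:
        ok, why = can_be_member(acct, global_group)
        if not ok:
            problems.append(f"{acct.name} -> {global_group.name}: {why}")
    ok, why = can_be_member(global_group, domain_local_group)
    if not ok:
        problems.append(f"{global_group.name} -> {domain_local_group.name}: {why}")
    return problems


def can_convert(group: Principal, members, member_of, new_scope: str) -> bool:
    """Scope-conversion rules. Global <-> DomainLocal is never a single step;
    you must go through Universal, and each step depends on current membership."""
    old, kinds = group.kind, {m.kind for m in members}
    if old == new_scope:
        return True
    if old == GLOBAL and new_scope == UNIVERSAL:       # not nested in another global group
        return not any(g.kind == GLOBAL for g in member_of)
    if old == DOMAIN_LOCAL and new_scope == UNIVERSAL:  # contains no other domain local group
        return DOMAIN_LOCAL not in kinds
    if old == UNIVERSAL and new_scope == GLOBAL:        # contains no universal group
        return UNIVERSAL not in kinds
    if old == UNIVERSAL and new_scope == DOMAIN_LOCAL:  # always allowed
        return True
    return False


if __name__ == "__main__":
    alice = Principal("alice", "theirs.local", USER)
    for scope in (DOMAIN_LOCAL, GLOBAL, UNIVERSAL):
        ok, why = can_be_member(alice, Principal(f"Share_{scope}", "mine.local", scope))
        print(f"{alice.name}@{alice.domain} -> {scope}: {ok} ({why})")
```

Running the block reproduces what the asker saw in the GUI: the THEIRS.local user is accepted only by the Domain Local group. `validate_agdlp` shows the recommended alternative to changing scopes: leave the THEIRS.local users in a global group that THEIRS.local administers, nest that global group into a domain local group in MINE.local, and put the folder ACL on the domain local group.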
 

Author Closing Comment

by: fedsig
ID: 34098720
Thanks