adding user in one domain to a group in a different domain in AD
We have two domains that were previously two different companies. I have been told by level 3 engineering that "a sufficient trust has been built". I was asked to put a user in what I will call domain ABC.COM into a group in domain XYZ.COM. I am logged into my workstation into domain XYZ.COM and have ADUC up. I can connect to domain ABC.COM and XYZ.COM, but when I call up a group I need in ABC.COM I cannot see the user I need in XYZ.COM. It is like I need to be at the FORREST level not the DOMAIN level. I know I am an ENTERPRISE and DOMAIN ADMIN. How can I verify if the proper trust is really built and how can I get up one level higher so I can add users in one domain to a group in the other? We are on FORREST LEVEL 2003
If domain A trusts domain B, then you are able to add users from domain B to domain A local groups.
As to how to verify the trust :
netdom trustTrustingDomainName/d:
netdom trustTrustingDomainName/d:
If they were previously entirely separate then surely they are two entirely separate forests?
And if that is the case, the only type of group you can add users in the remote domain to is (Domain) Local.
Chris
Yup, when trying to make sense of the naming of "scopes" with regards to their nesting restrictions,,,take the scope as in where it can be ACL'd on a resource...the acceptance of different objects from trusted domain is different I try explaining somewhat in my blog.
Domain Local - Can accept trusted users but can only be ACL'd on a local resource.
Global Group - Can be ACL'd on a trusted resource but can't accept users from the trusted domain.
Domain Local - Can accept trusted users but can only be ACL'd on a local resource.
Global Group - Can be ACL'd on a trusted resource but can't accept users from the trusted domain.
ASKER
Yes I verified they are two forests so I guess I am going to be limited to Domain locals.
Couldnt i build a doman local on domain abc then then add the Global groups in need ABC to that local group. Then make the user in XYZ a member of the domain local in ABC?
Couldnt i build a doman local on domain abc then then add the Global groups in need ABC to that local group. Then make the user in XYZ a member of the domain local in ABC?
I am sorry I didn't understand "Couldnt i build a doman local on domain abc then then add the Global groups in need ABC to that local group. Then make the user in XYZ a member of the domain local in ABC?"
What is your end goal ?
What is your end goal ?
ASKER
Ok, as of now and all I have learned since this started. We have two domains ABC and XYZ. They were previous companies that merged. I did verify they are two different Forests that are trusted. I was told to pull user "smith" from doman XYZ and set her up in ABC. I first considered the migration tool, but was told the users in XYZ have so much bogus info in them I should start fresh. So I created "smith" in ABC. I now want to add ABC/smith to 3 global groups in XYZ. Then I will log her in and start configuring her applications and make adjustments as needed. So...will it be possible to create a Domain local group "trustgroup" in XYZ, add the 3 global groups in XYZ to it. Then add ABC/smith to "trustgroup" domain local that is in XYZ?...thanks for your patience
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks for all of your help everyone, I will probably go with ADMT.
http://www.shariqsheikh.com/blog/index.php/200909/group-nesting-reference-chart/