Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.
Course Of The Month
10 days, 11 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
adding user in one domain to a group in a different domain in AD
Posted on 2011-02-17
We have two domains that were previously two different companies. I have been told by level 3 engineering that "a sufficient trust has been built". I was asked to put a user in what I will call domain ABC.COM into a group in domain XYZ.COM. I am logged into my workstation into domain XYZ.COM and have ADUC up. I can connect to domain ABC.COM and XYZ.COM, but when I call up a group I need in ABC.COM I cannot see the user I need in XYZ.COM. It is like I need to be at the FORREST level not the DOMAIN level. I know I am an ENTERPRISE and DOMAIN ADMIN. How can I verify if the proper trust is really built and how can I get up one level higher so I can add users in one domain to a group in the other? We are on FORREST LEVEL 2003
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
3
2- +1
10 Comments
Are you trying the add an XYZ user to a group in ABC domain ? What is the group type ?
http://www.shariqsheikh.com/blog/index.php/200909/group-nesting-reference-chart/
http://www.shariqsheikh.com/blog/index.php/200909/group-nesting-reference-chart/
Active 7 days ago
If they were previously entirely separate then surely they are two entirely separate forests?
And if that is the case, the only type of group you can add users in the remote domain to is (Domain) Local.
Chris
Yup, when trying to make sense of the naming of "scopes" with regards to their nesting restrictions,,,take the scope as in where it can be ACL'd on a resource...the acceptance of different objects from trusted domain is different I try explaining somewhat in my blog.
Domain Local - Can accept trusted users but can only be ACL'd on a local resource.
Global Group - Can be ACL'd on a trusted resource but can't accept users from the trusted domain.
Domain Local - Can accept trusted users but can only be ACL'd on a local resource.
Global Group - Can be ACL'd on a trusted resource but can't accept users from the trusted domain.
Active today
Yes I verified they are two forests so I guess I am going to be limited to Domain locals.
Couldnt i build a doman local on domain abc then then add the Global groups in need ABC to that local group. Then make the user in XYZ a member of the domain local in ABC?
Couldnt i build a doman local on domain abc then then add the Global groups in need ABC to that local group. Then make the user in XYZ a member of the domain local in ABC?
I am sorry I didn't understand "Couldnt i build a doman local on domain abc then then add the Global groups in need ABC to that local group. Then make the user in XYZ a member of the domain local in ABC?"
What is your end goal ?
What is your end goal ?
Active today
Ok, as of now and all I have learned since this started. We have two domains ABC and XYZ. They were previous companies that merged. I did verify they are two different Forests that are trusted. I was told to pull user "smith" from doman XYZ and set her up in ABC. I first considered the migration tool, but was told the users in XYZ have so much bogus info in them I should start fresh. So I created "smith" in ABC. I now want to add ABC/smith to 3 global groups in XYZ. Then I will log her in and start configuring her applications and make adjustments as needed. So...will it be possible to create a Domain local group "trustgroup" in XYZ, add the 3 global groups in XYZ to it. Then add ABC/smith to "trustgroup" domain local that is in XYZ?...thanks for your patience
Active 7 days ago
No, sorry. Global groups can belong to Local Groups, but not vice-versa.
You'd have to use a Local group to secure whatever resource, then add either Global groups or foreign security principals (aka ABC users) to that.
I wouldn't turn away from ADMT despite what they've said, it would have made this task a lot easier, even for one user at a time. This is because it can be told to write the SID for the user from XYZ into the SID History in ABC (as part of the migration). Then you can continue to control access using the account XYZ (courtesy of the matching SID / SID History) until you're ready to ditch XYZ entirely (and provided you disable SID filtering on the trust).
It makes the user-end of a migration a truck-load easier as well, ADMT can rewrite the user profile when you migrate a computer.
Chris
You'd have to use a Local group to secure whatever resource, then add either Global groups or foreign security principals (aka ABC users) to that.
I wouldn't turn away from ADMT despite what they've said, it would have made this task a lot easier, even for one user at a time. This is because it can be told to write the SID for the user from XYZ into the SID History in ABC (as part of the migration). Then you can continue to control access using the account XYZ (courtesy of the matching SID / SID History) until you're ready to ditch XYZ entirely (and provided you disable SID filtering on the trust).
It makes the user-end of a migration a truck-load easier as well, ADMT can rewrite the user profile when you migrate a computer.
Chris
Featured Post
To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory.
If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller.
Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease.
The following video show how to bind OSX Mavericks to …
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month10 days, 11 hours left to enroll
Earn Certification
MCSA Configuring Windows 7 Exam 70-680
$49.00$44.10
628 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.