Olleco asked on

Trust relationship - adding users from DomainA to groups on DomainB

Please help, little confused...

I have created a two way trust between domainA and DomainB
- Both 2016 level
- Validated/tested

I can create a "domain local" type group on domainA and add users from DomainB = Test1

I can't:
- Add user from DomainB to any other type groups on DomainA
- Add "Test1" group to any other group on DomainA

Am I missing something blindingly obvious??

Kind regards,
Steven
Tags: Trust Relationships, Active Directory, domain controller

Last Comment: Mahesh (8/22/2022 - Mon)
Alex

What's the error you're getting?
ASKER
Olleco

No error - I cannot see DomainB in the list when I try to add the users to a non "domain local" group

And the "domain local" group I have created on domainA with users from DomainB doesn't show up when I try to add it to another group.

Thanks,
Steven
Mahesh

By design:

You cannot add a user from one domain to a global group in another domain; global groups can accept users and groups from the same domain.

With domain local groups you have already tested the functionality; domain local groups cannot be added to any groups in another domain. As the name says, they are local groups for the domain.

What about universal groups, have you tested them?
With universal groups, they can accept users, global groups and universal groups from their own domain and other domains?

Let us know results of above
ASKER
Olleco

Yes, tested universal - it does not show DomainB when I go to add the users like it does for Domain.local

I remember this being a lot easier (it has been a few years since I have done this).

Thanks,
Steven
Mahesh

What is your trust authentication level?

I believe you have selected selective authentication; change it to domain wide authentication from the trust properties and the issue should get resolved.
ASKER
Olleco

Sorry, just checked (from both sides/both servers) and both are domain wide authentication.

Thanks,
Steven
Mahesh

How are you trying to add users to groups?

Don't do it from the user's properties.
Navigate to the universal group's properties on one domain and check whether you are able to locate users, global groups and universal groups from the other domain.
Note that distribution group types may not be listed.
ASKER
Olleco

I have created three test groups:
- Test_Domain local
- Test_Global
- Test_universal

I go into each group and try to add users, the only one I can see the DomainB from is the Test_Localdomain group.

Same on both sides (both domains).

Steven
Ibrahim Benna

What type of group is Test1? Based on your statement
- Add "Test1" group to any other group on DomainA
I assume Test1 is a global group, and if so, then yes, you cannot add it to any group on DomainA except if it is a domain local group.

Universal groups can contain global groups from any domain in the same forest.

Keep in mind the good old A.G.DL.P (Accounts into global groups into domain local groups which are given permissions) or A.G.U.DL.P (Accounts into global groups into universal groups into domain local groups which are given permissions - this is generally used for cross-forest/trust setups - https://www.oreilly.com/library/view/windows-server-2016/9781788626569/f608f4ef-6b0f-4c56-8b4e-5f813f60fd65.xhtml)

(for your reference - https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups)
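The scope rules Mahesh and Ibrahim describe, written out as a PowerShell check and followed by the domain local pattern they recommend. This is an added example, not code from the thread; it assumes the ActiveDirectory module, placeholder names (dc1.domaina.local, domainb.local, the group RDS-Farm-Users-DL, the user jsmith) and an external trust between two separate forests, as the asker describes.

```powershell
# Assumptions (placeholders): ActiveDirectory module installed, a DomainA DC at
# dc1.domaina.local, DomainB reachable as domainb.local, and an external
# (separate-forest) trust between them, as in the asker's setup.
Import-Module ActiveDirectory

# Nesting rules by group scope. MemberLocation is the member's domain relative
# to the group's domain. Returns $true when AD accepts the membership.
function Test-GroupNestingAllowed {
    param(
        [ValidateSet('Global','DomainLocal','Universal')][string]$GroupScope,
        [ValidateSet('User','Global','DomainLocal','Universal')][string]$MemberType,
        [ValidateSet('SameDomain','SameForest','ExternalTrust')][string]$MemberLocation
    )
    switch ($GroupScope) {
        # Global: only users and global groups from its own domain.
        'Global'    { return ($MemberLocation -eq 'SameDomain' -and $MemberType -in 'User','Global') }
        # Universal: users, global and universal groups from anywhere in the same forest only.
        'Universal' { return ($MemberLocation -ne 'ExternalTrust' -and $MemberType -in 'User','Global','Universal') }
        # Domain local: users, global and universal groups from any trusted domain;
        # other domain local groups only from its own domain.
        'DomainLocal' {
            if ($MemberType -eq 'DomainLocal') { return ($MemberLocation -eq 'SameDomain') }
            return $true
        }
    }
}

# The asker's three tests as rule checks: only the DomainLocal case returns $true.
foreach ($scope in 'Global','Universal','DomainLocal') {
    "{0,-12} accepts a DomainB user across an external trust: {1}" -f $scope,
        (Test-GroupNestingAllowed -GroupScope $scope -MemberType User -MemberLocation ExternalTrust)
}

# Recommended pattern across an external trust (A.G.DL.P): a DomainA domain local
# group holds the DomainB principals and is what gets permissions on the resource.
$groupA = Get-ADGroup -Identity 'RDS-Farm-Users-DL' -Server 'dc1.domaina.local'
$userB  = Get-ADUser  -Identity 'jsmith'            -Server 'domainb.local'   # resolved via the trust

# Refuse anything the scope rules would reject before touching AD.
if (-not (Test-GroupNestingAllowed -GroupScope $groupA.GroupScope -MemberType User -MemberLocation ExternalTrust)) {
    throw "Group scope $($groupA.GroupScope) cannot hold a principal from an external trust."
}
# Adding a trusted-domain user stores its SID as a foreignSecurityPrincipal in DomainA.
Add-ADGroupMember -Identity $groupA -Members $userB -Server 'dc1.domaina.local'

# Verify via the member attribute (Get-ADGroupMember can fail to resolve foreign principals).
(Get-ADGroup -Identity $groupA -Properties member -Server 'dc1.domaina.local').member
```

The verification line lists DNs under CN=ForeignSecurityPrincipals for the DomainB users, which is the expected representation of a trusted-domain account inside a DomainA group.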
ASKER
Olleco

Hi Ibrahim,

I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group.  This will allow me to add users from DomainB but I cannot add this group to another existing group.

Sorry forgot to mention - both domains are not in the same forest - completely separate.

I just don't get how I am supposed to reuse any of my old groups.  Do I have to create a separate structure of groups that cannot be part of the old structure (all new domain local groups)?  Doesn't feel right.

Thanks,
Steven
Ibrahim Benna

I recreated the groups for testing. "Test1" is the "Test_DomainLocal" which is a domain local group.  This will allow me to add users from DomainB but I cannot add this group to another existing group.
What type of group is this other "existing group"? Remember that domain local groups can only be members of other domain local groups in the same domain, not forest.

Maybe let's take a step back and see exactly what it is you are trying to accomplish with this nesting conundrum :). What is your goal? Is there a resource that you are trying to assign users permission to?
Mahesh

If you could explain what type of groups you already have, we can sort it out..
ASKER
Olleco

We are rebuilding our domain (from scratch) as n years ago our company name changed, we have also now purchased datacentre licenses for 2016 so want to rebuild our estate up from 2012.  We have so far created the first new domain controller "DomainB" and we want to slowly rebuild our estate into DomainB.  We will be adding all new users to DomainB and migrating old (over months) from DomainA.  This means that we need to allow users into resources on DomainA e.g. remote desktop farm/file server/printing etc.

In its simplest form I would like to add users from DomainB to existing security groups on DomainA (and the other way as the migration completes).

Hope this makes sense.

Steven
SOLUTION
Ibrahim Benna
