| Author | Messages | |
TonyTest
Posts:0
 | | 08/23/2005 1:39 AM |
| Hi all
I'm missing something here and I'm hoping you can give me a pointer.
Scenario: 2 single domain forests connected by a forest trust.
I want to add global groups from ForestB to a universal group in ForestA. I go into ADUC in ForestA and click on the Members tab and select Add. When I go to the Locations tab to select the domain from ForestB I only see ForestA as an available option. Surely I should be able to add resources from ForestB to this universal group? If I try to do the same thing with a domain local group in ForestA, I see the domain in ForestB as an available option, so it looks like the trust is ok.
Any thoughts?
Tony | | | |
| dwells
Posts:39
 | | 08/23/2005 1:46 AM |
| A user's Universal group membership must be able to be fully enumerated against a forest-local GC, thus you cannot add users to a Universal beyond their own forest.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
| | | |
| TonyTest
Posts:0
 | | 08/23/2005 4:11 AM |
| Thanks Dean
That makes absolute sense....only it conflicts with what it says here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx
"Create a universal group in the resource forest, and then add all global groups from the other forest (or forests) that need similar access as members of the universal group.
For example, both the employees in the Sales Department and Accounting Department global groups located in ForestA use similar print resources located in ForestB. Create a universal group called Print Users in Other Forests in ForestB, and add both the Sales Department and Accounting Department global groups from ForestA as members.
Universal groups are used primarily to group together two or more global groups (possibly from other forests) into one group for the resource domain."
Tony
| | | |
| slinehan
Posts:18
 | | 08/23/2005 5:22 AM |
| The documentation is wrong and I thought it had been cleaned up in all places but apparently not. A good summary of group scope for cross forest trusts is:
Scenario: Forest A & B have a cross forest trust.
Security Group usage:
Only the following security principals from Forest A can be used in Forest B:
1. User Accounts
2. Global Groups
3. Universal Groups
The above can be added to only the following in Forest B:
1. Domain Local group
2. BuiltIn group on a local computer
3. BuiltIn group on a Domain Controller
4. Directly in an ACL
Thanks,
-Steve
| | | |
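
The scope rules summarised in the post above, written as a pre-flight check around `Add-ADGroupMember`. This is an added example, not code posted by anyone in the thread; the function name `Add-CrossForestGroupMember`, its parameters, and the server and group names in the usage comment are hypothetical, and it assumes the ActiveDirectory module and a working forest trust.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function name, parameters and sample names are hypothetical.
function Add-CrossForestGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $MemberGroup,   # group to be added
        [Parameter(Mandatory)] [string] $MemberServer,  # DNS name of the member's domain
        [Parameter(Mandatory)] [string] $TargetGroup,   # group receiving the member
        [Parameter(Mandatory)] [string] $TargetServer   # DNS name of the target's domain
    )

    # Resolve each group against its own domain.
    $member = Get-ADGroup -Identity $MemberGroup -Server $MemberServer
    $target = Get-ADGroup -Identity $TargetGroup -Server $TargetServer

    # Compare forest names to see whether the membership crosses the trust.
    $memberForest = (Get-ADDomain -Server $MemberServer).Forest
    $targetForest = (Get-ADDomain -Server $TargetServer).Forest

    if ($memberForest -ne $targetForest) {
        # Only global and universal groups (and users) can be used across the trust.
        if ($member.GroupScope -eq 'DomainLocal') {
            throw "'$($member.Name)' is domain local and cannot be used outside $memberForest."
        }
        # The receiving group must be domain local; a universal or global
        # target is the case ADUC refuses in the original question.
        if ($target.GroupScope -ne 'DomainLocal') {
            throw ("'$($target.Name)' has scope $($target.GroupScope); principals from " +
                   "$memberForest can only be added to a domain local group in $targetForest.")
        }
    }
    # Same-forest nesting rules are not checked here; the directory enforces them.

    if ($PSCmdlet.ShouldProcess($target.DistinguishedName, "Add $($member.DistinguishedName)")) {
        # Assumption: the member object resolved from the other forest is accepted as-is.
        Add-ADGroupMember -Identity $target -Members $member -Server $TargetServer
    }
}

# Usage with placeholder names; -WhatIf runs the checks without changing membership:
# Add-CrossForestGroupMember -MemberGroup 'GG-Sales' -MemberServer 'forestb.example' `
#     -TargetGroup 'DL-PrintUsers' -TargetServer 'foresta.example' -WhatIf
```
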
| TonyTest
Posts:0
 | | 08/23/2005 5:28 AM |
| That's great. Thanks Steve.
:-) | | | |
| RDale@xxxx.yyy
 | | 08/23/2005 12:34 PM |
| Hi Tony:
Try to use the NT version of group naming... ie. ForestB\Group
I have done this with users (also used the UPN for users and it works too)
HTH,
Rick
| | | |