Subject: [ActiveDir] Cross Forest Administration.
Brad_Smith, 04/29/2008 4:55 AM
Quick summary.

Forest one has one Domain called Domain A
Forest two has one Domain called Domain B
Domain A is trusted by Domain B
Domain B is not trusted by Domain A

Maybe I am missing something obvious, but I still don't see an easy way
to get the members of Enterprise Admins in Domain A to be members of
Enterprise Admins in Domain B. Given that EA is a Universal Group it
can contain either Global or Universal groups. Neither Global nor
Universal groups can contain objects from another Forest. The only
group type that can contain objects from another forest is Domain Local.
However Domain Local cannot be a member of a Universal group. I am
curious how others normally ensure that Domain B's EA group is populated
by the same members of Domain A's.

TIA,

Brad



listmail, 04/29/2008 8:47 AM
You create accounts in the other forest.

Do not keep the passwords synced, that is a security issue. Also do not sync
admin account passwords with the admin's normal userid accounts.

joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm






Brad_Smith, 04/29/2008 10:23 AM
Thanks Joe, good points. I'd never sync passwords of admin accounts with
normal accounts, but would have allowed Enterprise Admins from Domain A
to be members of Domain B Enterprise Admins if it was technically
possible. Given that Domain B is managed by the same staff as Domain A,
and the number of admins is controlled very well, there is a reduced
benefit in having different accounts.

I see an IIFP design in the midst ;-)

Does anyone know if IIFP is called Active Directory MetaData Services
these days? I read http://blog.joeware.net/2006/02/18/244/ which refers
to it being in the roadmap years ago but a google for "Active Directory
MetaData Services" +download gives zero results, and it isn't on my MSDN
downloads section.


bdesmond, 04/29/2008 10:38 AM
It's still called IIFP...

On Tue, Apr 29, 2008 at 10:20 AM, Smith, Brad <Brad.Smith@atkinsglobal.com>
wrote:

> Thanks Joe, good points. I'd never sync passwords of admin accounts with
> normal accounts, but would have allowed Enterprise Admins from Domain A to
> be members of Domain B Enterprise Admins if it was technically possible.
> Given that Domain B is managed by the same staff as Domain A, and the number
> of admins is controlled very well, there is a reduced benefit in having
> different accounts.
>
> I see an IIFP design in the midst ;-)
>
> Does anyone know if IIFP is called Active Directory MetaData Services
> these days? I read http://blog.joeware.net/2006/02/18/244/ which refers to
> it being in the roadmap years ago but a google for "Active Directory
> MetaData Services" +download gives zero results, and it isn't on my MSDN
> downloads section.


--
Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132
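
The group-scope constraint raised in the first post of this thread, as an added example that is not part of any list member's message: a small model of the standard native-mode nesting rules that searches for any chain of group memberships from a Domain A account to Domain B's Enterprise Admins. The forest names, the tuple representation and the function names are assumptions made for the illustration.

```python
from collections import deque

# Constructed model of the thread's setup: a principal is (kind, domain, forest).
DOMAINS = [("A", "forest1"), ("B", "forest2")]
TRUSTS = {("forest2", "forest1")}      # (trusting, trusted): Domain B trusts Domain A only
USER_A = ("user", "A", "forest1")
USER_B = ("user", "B", "forest2")
EA_B = ("universal", "B", "forest2")   # Enterprise Admins in Domain B
DL_A = ("domain_local", "A", "forest1")
DL_B = ("domain_local", "B", "forest2")

def can_contain(group, member, trusts):
    """True if `member` may be added directly to `group` under the scope rules."""
    g_kind, g_dom, g_forest = group
    m_kind, m_dom, m_forest = member
    same_forest = g_forest == m_forest
    same_domain = same_forest and g_dom == m_dom
    if g_kind == "global":             # accounts and global groups, same domain only
        return same_domain and m_kind in ("user", "global")
    if g_kind == "universal":          # anything but domain local, same forest only
        return same_forest and m_kind in ("user", "global", "universal")
    if g_kind == "domain_local":
        if m_kind == "domain_local":   # domain local nests only within its own domain
            return same_domain
        # The one scope that accepts principals from a trusted forest.
        return same_forest or (g_forest, m_forest) in trusts
    return False                       # user accounts contain nothing

def nesting_chain(start, target, domains=DOMAINS, trusts=TRUSTS):
    """Breadth-first search for start -> group -> ... -> target; None if no chain exists."""
    groups = [(k, d, f) for d, f in domains
              for k in ("global", "universal", "domain_local")]
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for g in groups:
            if g in seen or not can_contain(g, path[-1], trusts):
                continue
            if g == target:
                return path + [g]
            seen.add(g)
            queue.append(path + [g])
    return None

if __name__ == "__main__":
    print("Domain A user -> Domain B Enterprise Admins:", nesting_chain(USER_A, EA_B))
    print("Domain A user -> Domain B domain local group:", nesting_chain(USER_A, DL_B))
```

The search finds no chain into the universal group even when the trust is made two-way, which is why the reply in this thread falls back to separate accounts in the other forest.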
