Cross forest trust: universal groups

  • 12K Views
  • Last Post 23 August 2005
TonyTest posted this 23 August 2005

Hi
all
 
I'm missing
something here and I'm hoping you can give me a
pointer.
 
Scenario:
2 single domain
forests connected by a forest trust.
 
I want to add global
groups from ForestB to a universal group in ForestA.  I go into ADUC in
ForestA and click on the Members tab and select Add.  When I go to the
Locations tab to select the domain from ForestB I only see ForestA as an
available option.  Surely I should be able to add resources from ForestB to
this universal group?  If I try to do the same thing with a domain local
group in ForestA, I see the the domain in ForestB as an available option, so it
looks like the trust is ok.
 
Any
thoughts?
 
Tony

Order By: Standard | Newest | Votes
dwells posted this 23 August 2005

A
user's Universal group membership must be able to be fully enumerated against a
forest-local GC, thus you cannot add users to a Universal beyond their own
forest.
--Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com

show

TonyTest posted this 23 August 2005

Thanks Dean
 
That makes absolute sense....only it conflicts with what is
says here:
 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx
 

"Create a universal group in the
resource forest, and then add all global groups from the other forest (or
forests) that need similar access as members of the universal
group.
For example, both the employees in
the Sales Department and Accounting Department global groups located in ForestA
use similar print resources located in ForestB. Create a universal group called
Print Users in Other Forests in ForestB, and add both the Sales Department and
Accounting Department global groups from ForestA as members.
Universal groups are
used primarily to group together two or more global groups (possibly from other
forests) into one group for the resource domain."
 
Tony

show

slinehan posted this 23 August 2005

The documentation is wrong and I thought
it had been cleaned up in all places but apparently not.  A good summary of
group scope for cross forest trusts is:

 

Scenario: Forest
A & B have a cross forest trust.

Security Group usage:
Only the following security principals from Forest
A can be used in Forest B:
1. User Accounts
2. Global Groups
3. Universal Groups

The above can be added to only the following in Forest B:
1. Domain Local group
2. BuiltIn group on a local computer
3. BuiltIn group on a Domain Controller
4. Directly in an ACL

 

Thanks,

 

-Steve

show

TonyTest posted this 23 August 2005

That's great.  Thanks Steve.
:-)

show

RDale1 posted this 23 August 2005

Hi Tony:

 

Try to use the NT version of group naming¦
ie. ForestB\Group

 

I have done this with users (also used the
UPN for users and it works too)

 

HTH,

 

Rick

show

Close