That's great.  Thanks Steve. :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, 23 August 2005 5:21 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust: universal groups

The documentation is wrong and I thought it had been cleaned up in all places but apparently not.  A good summary of group scope for cross forest trusts is:

 

Scenario: Forest A & B have a cross forest trust.

Security Group usage:
Only the following security principals from Forest A can be used in Forest B:
1. User Accounts
2. Global Groups
3. Universal Groups

The above can be added to only the following in Forest B:
1. Domain Local group
2. BuiltIn group on a local computer
3. BuiltIn group on a Domain Controller
4. Directly in an ACL

 

Thanks,

 

-Steve

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust: universal groups

 

Thanks Dean

 

That makes absolute sense....only it conflicts with what it says here:

 

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx

 

"Create a universal group in the resource forest, and then add all global groups from the other forest (or forests) that need similar access as members of the universal group.

For example, both the employees in the Sales Department and Accounting Department global groups located in ForestA use similar print resources located in ForestB. Create a universal group called Print Users in Other Forests in ForestB, and add both the Sales Department and Accounting Department global groups from ForestA as members.

Universal groups are used primarily to group together two or more global groups (possibly from other forests) into one group for the resource domain."

 

Tony

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, 23 August 2005 1:46 p.m.
To: Send - AD mailing list
Subject: RE: [ActiveDir] Cross forest trust: universal groups

A user's Universal group membership must be able to be fully enumerated against a forest-local GC, thus you cannot add users to a Universal beyond their own forest.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest trust: universal groups

Hi all

 

I'm missing something here and I'm hoping you can give me a pointer.

 

Scenario:

2 single domain forests connected by a forest trust.

 

I want to add global groups from ForestB to a universal group in ForestA.  I go into ADUC in ForestA and click on the Members tab and select Add.  When I go to the Locations tab to select the domain from ForestB I only see ForestA as an available option.  Surely I should be able to add resources from ForestB to this universal group?  If I try to do the same thing with a domain local group in ForestA, I see the domain in ForestB as an available option, so it looks like the trust is ok.

 

Any thoughts?

 

Tony
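
The group-scope rules from Steve Linehan's summary, applied to the nesting attempts discussed in this thread. This is an added example, not part of any message in the thread. The `Principal` type, the `check_add` and `review` functions, and the group names `GG-FromB`, `UG-InA` and `DL-Print-Users` are hypothetical; same-forest nesting is outside the summary and is reported as not covered.

```python
from dataclasses import dataclass

# Principals from the trusted forest that may be used in the other forest.
USABLE_PRINCIPALS = {"user", "global_group", "universal_group"}
# Places in the other forest that may hold those principals.
VALID_CONTAINERS = {"domain_local_group", "builtin_local_computer",
                    "builtin_domain_controller", "acl"}

@dataclass(frozen=True)
class Principal:          # hypothetical type for this example
    name: str
    kind: str
    forest: str

def check_add(member, target):
    """Return (allowed, reason); allowed is None when both are in one forest."""
    if member.forest == target.forest:
        return None, "same forest: not covered by the cross-forest summary"
    if member.kind not in USABLE_PRINCIPALS:
        return False, f"{member.kind} from {member.forest} cannot be used in {target.forest}"
    if target.kind not in VALID_CONTAINERS:
        return False, f"{target.kind} in {target.forest} cannot hold members from {member.forest}"
    return True, "permitted"

# Constructed plan covering the cases raised in the thread.
SALES_A = Principal("Sales Department", "global_group", "ForestA")
PLAN = [
    # Tony's attempt: global group from ForestB into a universal group in ForestA
    (Principal("GG-FromB", "global_group", "ForestB"),
     Principal("UG-InA", "universal_group", "ForestA")),
    # The quoted documentation: ForestA global group into a ForestB universal group
    (SALES_A, Principal("Print Users in Other Forests", "universal_group", "ForestB")),
    # Pattern from the summary: ForestA global group into a ForestB domain local group
    (SALES_A, Principal("DL-Print-Users", "domain_local_group", "ForestB")),
]

def review(plan):
    """Evaluate each (member, target) pair and return flat result tuples."""
    return [(m.name, t.name) + check_add(m, t) for m, t in plan]

if __name__ == "__main__":
    for member, target, allowed, reason in review(PLAN):
        print(f"{member} -> {target}: {'OK' if allowed else 'REJECT'} ({reason})")
```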


This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i Limited
