There is no single correct way - creating an extra universal group doesn't make any sense in your situation, since you only have a single domain in your trusted forest.

However, you need to consider who manages the respective forests, what data you're granting access to in your resource forest and who is to control access to that data. By nesting a group from the trusted forest into a local group in the resource forest (which you then use to grant the rights on the resource), you're basically granting the admins of the trusted forest the ability to manage which users are granted access to the resource. This is typically OK, but needs to be understood.

If you need to ensure that only specific users are granted access to the resource and this access must be controlled by the resource owners, then you'd want to add the users from the trusted forest directly to your local groups in the resource forest. This is typically done in very security-sensitive environments; however, it is a pain if you need to grant access to a lot of users from the trusted forest.

Both are valid options (other options are possible as well) - your requirements will determine what's the best option for you.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Friday, 25 November 2005 11:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest Trusts & Accessing Resources
Hi all...

Scenario:
We have 2 Windows 2003 forests (forest functional level set at Windows 2003) and each forest has a single domain. There is a one-way trust between the two forests: Forest A trusts Forest B.

Question:
We need to grant users in Forest B access to resources in Forest A. The Microsoft best practice KBs I have read recommend creating a Global Group in Forest B and adding users to this. This Global Group is then added to a newly created Universal Group, also in Forest B, which in turn is then added to a Domain Local Group in Forest A, which is assigned permissions to the resource...phew!...

What issues would there be by just adding the Global Group in Forest B directly to the resource in Forest A?

Regards
David
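The two options discussed in the thread (nesting Forest B's global group into a domain local group in Forest A, versus adding individual Forest B users to that domain local group) as an added PowerShell example. This is not code from either message; it assumes the RSAT ActiveDirectory module against modern domain controllers, placeholder names (forestA.example as the resource forest, forestB.example as the account forest, the OU and group names), and a separate credential valid in Forest B, because with a one-way trust where A trusts B, an administrator from A cannot authenticate to B's DCs with A credentials. The audit function at the end is the check a resource owner actually wants: it resolves the ForeignSecurityPrincipal entries in the domain local group and reports whether each one is a user (the owner keeps control) or a group (membership is controlled by Forest B's admins).

```powershell
# Added example, not from the original thread. All names are placeholders.
Import-Module ActiveDirectory

$ResourceDC = 'dc1.forestA.example'   # Forest A: resource (trusting) forest
$AccountDC  = 'dc1.forestB.example'   # Forest B: account (trusted) forest
$BCred      = Get-Credential -Message 'Forest B credentials (B does not trust A)'

# 0. Sanity check: seen from A, the trust to B must be Outbound (A trusts B)
#    or BiDirectional; otherwise B principals cannot be resolved in A at all.
$trust = Get-ADTrust -Server $ResourceDC -Filter "Target -eq 'forestB.example'"
if (-not $trust -or $trust.Direction -notin 'Outbound', 'BiDirectional') {
    throw "forestA.example does not trust forestB.example (direction: $($trust.Direction))"
}

# 1. The domain local group in the resource forest. The resource ACL should
#    reference only this object, never a Forest B group directly.
$dl = New-ADGroup -Server $ResourceDC -Name 'FS-Finance-Read' -GroupScope DomainLocal `
        -Path 'OU=Resource Groups,DC=forestA,DC=example' -PassThru

# 2a. Option 1 (control delegated to Forest B): nest B's global group.
#     No universal group is needed because B is a single-domain forest; a
#     global group from a trusted domain can be a direct member of a domain
#     local group in the trusting domain.
$gg = Get-ADGroup -Server $AccountDC -Credential $BCred -Identity 'Finance-Users'
Add-ADGroupMember -Server $ResourceDC -Identity $dl -Members $gg

# 2b. Option 2 (control stays with the resource owner): add named B users
#     directly. Use this instead of 2a in the strict scenario.
# $users = 'jdoe', 'asmith' |
#     ForEach-Object { Get-ADUser -Server $AccountDC -Credential $BCred -Identity $_ }
# Add-ADGroupMember -Server $ResourceDC -Identity $dl -Members $users

# 3. Audit. Cross-forest members are stored as ForeignSecurityPrincipal
#    objects whose CN is the Forest B SID, so the group listing in A shows
#    only SIDs. Resolve each one and ask B what kind of object it is.
function Get-ForeignMemberReport {
    param([string]$GroupName, [string]$Server)

    $members = Get-ADGroup -Server $Server -Identity $GroupName -Properties member |
               Select-Object -ExpandProperty member

    foreach ($dn in $members) {
        if ($dn -notmatch '^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals,') {
            [pscustomobject]@{ Member = $dn; Source = 'local'; Kind = 'n/a' }
            continue
        }
        $sid = [System.Security.Principal.SecurityIdentifier]($Matches[1])
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "$sid (unresolvable: trust, DNS or deleted principal)"
        }
        # A 'group' here means Forest B's admins decide who ends up with access.
        $obj = Get-ADObject -Server $AccountDC -Credential $BCred `
                   -Filter "objectSid -eq '$sid'" -Properties objectClass
        [pscustomobject]@{ Member = $name; Source = 'forestB'; Kind = $obj.objectClass }
    }
}

Get-ForeignMemberReport -GroupName 'FS-Finance-Read' -Server $ResourceDC |
    Format-Table -AutoSize
```

Run the audit periodically, or from the resource owner's account, to catch the case the reply warns about: once a Forest B group is nested, anyone who can edit that group in B can grant access to the share in A without touching anything in A. If a given environment refuses the cross-forest Add-ADGroupMember call, the classic ADSI route of adding the member by SID path (LDAP://<SID=...>) achieves the same result and creates the ForeignSecurityPrincipal object on the fly.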