You can only add members to Domain Local groups across the forest trust.  Behaviour by design.

 

Tony
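The constraint Tony states above can be checked rather than taken on trust. The script below is an added example written for this thread, not code posted by any participant: run from a domain in the trusting forest (forest B in Mike's setup), it lists every foreign security principal (the placeholder object AD creates when a trusted-forest account is added to a group) together with the groups it belongs to and each group's scope. The domain name is a placeholder and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example (not from the thread): audit which groups in the trusting
# forest hold accounts from the trusted forest, and confirm they are all
# Domain Local, which is the only scope a foreign security principal can join.
# Assumes the ActiveDirectory RSAT module; 'forestb.example' is a placeholder.
Import-Module ActiveDirectory

$domain = 'forestb.example'   # placeholder for a domain in the trusting forest

# foreignSecurityPrincipal objects live under CN=ForeignSecurityPrincipals and are
# created automatically the first time a trusted-forest SID is added to a group.
$fsps = Get-ADObject -Server $domain `
    -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
    -Properties memberOf, objectSid

$report = foreach ($fsp in $fsps) {
    # Resolve the SID to DOMAIN\name where the trust allows it; otherwise keep the SID.
    $name = try {
        ([System.Security.Principal.SecurityIdentifier]$fsp.objectSid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $fsp.objectSid.Value
    }

    foreach ($dn in $fsp.memberOf) {
        $grp = Get-ADGroup -Server $domain -Identity $dn -Properties GroupScope
        [pscustomobject]@{
            ForeignPrincipal = $name
            Group            = $grp.Name
            Scope            = $grp.GroupScope
            # Anything other than DomainLocal here would contradict the "by design"
            # rule in this thread and is worth a closer look.
            Unexpected       = ($grp.GroupScope -ne 'DomainLocal')
        }
    }
}

$report | Sort-Object Group, ForeignPrincipal | Format-Table -AutoSize
```

Because the built-in Administrators group is itself Domain Local, the cross-forest admins Mike added will show up here with Scope DomainLocal; Domain Admins, Enterprise Admins and Schema Admins (Global or Universal) cannot appear, which is the limitation the thread is about. Re-running this periodically also gives a simple record of which trusted-forest principals hold rights in the DMZ forest.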

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, 16 June 2006 7:56 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cross forest issue

 

Been a while since I looked at this and I've only got one forest in VM on my machine at the moment so I can't test it, but I believe that if you create a global group in ForestA you can add it to a Universal group in ForestB. You will not be able to add users from ForestA to the Domain Admins group in ForestB, but you can add them to the Administrators group (which you've already figured out).

 

The way I've always dealt with this was to have admin accounts in each forest, not as ideal as a unified admin account, but quite workable.

 

Phil

 

On 6/15/06, Guest, Mike <[EMAIL PROTECTED] > wrote:

Hi,

 

New member here, with an issue :(

 

We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way.

 

The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A.

 

Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant "administrators" rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest.

 

(FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message "Foreign security principals cannot be members of universal groups")

 

Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account.

 

Hope you can help.

 

 

 

______________________________________________________
Mike Guest | Capgemini | Sale
Server Support | Outsourcing UK
Office: + 44 (0)870 366 1814 | 700 1814 | [EMAIL PROTECTED]
77-79 Cross Street, Sale, Cheshire. M33 7HG

Join the Collaborative Business Experience
______________________________________________________

 

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

 

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.


