You can only add members to Domain Local groups across the forest trust. Behaviour by design.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf

Been a while since I looked at this and I've only got one forest in a VM on my machine at the moment so I can't test it, but I believe that if you create a global group in ForestA you can add it to a Universal group in ForestB. You will not be able to add users from ForestA to the Domain Admins group in ForestB, but you can add them to the Administrators group (which you've already figured out). The way I've always dealt with this was to have admin accounts in each forest; not as ideal as a unified admin account, but quite workable.

Phil

On 6/15/06, Guest, Mike <[EMAIL PROTECTED]> wrote:

Hi,

New member here, with an issue.

We have implemented 2 forests with a cross-forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A.

Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant "Administrators" rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting Domain, Enterprise or Schema Admin rights to the forest A administrators, and thus defeats the objective of having the admins in a single forest. (FYI, creating a DL group, adding a remote user, then trying to change that group to a universal group gives the message "Foreign security principals cannot be members of universal groups".)

Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account.

Hope you can help.
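The following PowerShell is an added example, not code from any of the posters. It does what the thread arrives at: a forest A admin account is placed into a Domain Local group in forest B (the trusting side of the one-way trust), and the scope of the target group is checked first so that the "Foreign security principals cannot be members of universal groups" failure is caught before the directory rejects it. Everything named here is assumed: the DC names dca.forest-a.example and dcb.forest-b.example, the forest B group DMZ-Admins, the forest A account alice-adm, and that the session already runs with credentials valid in forest B. It adds the member with the LDAP `<SID=...>` form via Set-ADGroup, which lets forest B create the foreignSecurityPrincipal object itself; that choice is an assumption of this example, not something the thread states.

```powershell
# Added example (not from the thread): grant a forest A admin rights in forest B
# through a Domain Local group, refusing group scopes that cannot hold a
# foreign security principal. All hostnames, group and account names are assumed.

Import-Module ActiveDirectory

# Only Domain Local groups may contain principals from another forest.
# Global groups are limited to their own domain, Universal groups to their
# own forest, which is why Domain Admins (Global) and Enterprise/Schema Admins
# (Universal) cannot take forest A accounts, but Administrators (Domain Local) can.
function Test-CrossForestMemberAllowed {
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADGroup]$Group)
    return ($Group.GroupScope -eq 'DomainLocal')
}

function Add-ForeignPrincipalToGroup {
    param(
        [Parameter(Mandatory)][string]$UserSam,    # sAMAccountName in forest A
        [Parameter(Mandatory)][string]$ForestADC,  # a DC in forest A (trusted side)
        [Parameter(Mandatory)][string]$GroupName,  # group in forest B
        [Parameter(Mandatory)][string]$ForestBDC   # a DC in forest B (trusting side)
    )

    $group = Get-ADGroup -Identity $GroupName -Server $ForestBDC
    if (-not (Test-CrossForestMemberAllowed -Group $group)) {
        throw ("{0} is a {1} group; only Domain Local groups accept members " +
               "from across the forest trust") -f $group.Name, $group.GroupScope
    }

    # Resolve the account in its own forest to get its SID. The one-way trust
    # (B trusts A) is what allows B to resolve this SID later.
    $user = Get-ADUser -Identity $UserSam -Server $ForestADC
    $sidRef = "<SID=$($user.SID.Value)>"   # LDAP DN-with-SID syntax

    # Writing the member attribute directly with the <SID=...> form makes
    # forest B create CN=<SID>,CN=ForeignSecurityPrincipals,... on its own.
    Set-ADGroup -Identity $group -Add @{ member = $sidRef } -Server $ForestBDC

    # Verify the membership from the forest B side; the member shows up as a
    # foreignSecurityPrincipal object carrying the forest A SID.
    $fsp = Get-ADGroupMember -Identity $group -Server $ForestBDC |
        Where-Object { $_.SID.Value -eq $user.SID.Value }
    if (-not $fsp) {
        throw "Membership for $UserSam was not visible in $GroupName after the add"
    }
    return $fsp
}

# Usage (assumed names):
#   Add-ForeignPrincipalToGroup -UserSam 'alice-adm' -ForestADC 'dca.forest-a.example' `
#       -GroupName 'DMZ-Admins' -ForestBDC 'dcb.forest-b.example'
#
# Attempting the same against 'Domain Admins' in forest B throws before any
# directory write, because that group's scope is Global.
```

Once the forest A admins sit in the Domain Local group, the rights themselves come from what that group is granted in forest B (membership of the built-in Administrators group on the DMZ servers, delegated OU permissions, and so on). The Domain Admins, Enterprise Admins and Schema Admins groups stay out of reach for foreign principals, so anything that strictly requires one of those memberships still needs an account that lives in forest B, which is the trade-off Phil describes.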
- [ActiveDir] Cross forest issue Guest, Mike
- Re: [ActiveDir] Cross forest issue Phil Renouf
- RE: [ActiveDir] Cross forest issue Tony Murray
- Re: [ActiveDir] Cross forest issue Phil Renouf
- RE: [ActiveDir] Cross forest issue joe
- RE: [ActiveDir] Cross forest issue Grillenmeier, Guido
- RE: [ActiveDir] Cross forest issue Guest, Mike