Mike, as others have mentioned, users and groups from externally trusted domains can only be added to domain local groups (DLG) in another forest. This is by design for any type of trust that you establish.
 
If all you're trying to do is to manage the member servers in your DMZ with the same admin accounts that you have in your production forest, you could still leverage a GPO in your DMZ forest/domain that adds a DLG to the administrators group of all your DMZ servers using the restricted groups feature. If you combine this approach with enabling Selective Authentication for the trust between the two forests and use this feature to restrict authentication to the servers to members of the same group, you'll have a reasonable integration of the two forests to allow management of the DMZ servers using your production admin accounts.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guest, Mike
Sent: Thursday, 15 June 2006 19:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest issue

Hi,

New member here, with an issue.

We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way.

The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A.

Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant “administrators” rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest.

(FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message “Foreign security principals cannot be members of universal groups”)

Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account.

Hope you can help.

______________________________________________________
Mike Guest | Capgemini | Sale
Server Support | Outsourcing UK
Office: + 44 (0)870 366 1814 | 700 1814 | [EMAIL PROTECTED]
77-79 Cross Street, Sale, Cheshire. M33 7HG

Join the Collaborative Business Experience
______________________________________________________
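The following PowerShell is an added example, not code from either message in this thread. It puts Guido's suggestion (a domain local group in the DMZ forest that holds the forest A admins, with Selective Authentication scoped to that same group) next to the limitation Mike describes (only domain local groups accept foreign security principals). Every name in it is an assumption: corp.example stands for forest A (the trusted side), dmz.example for forest B (the trusting DMZ side), and the DC hostnames, OU paths and group names are placeholders. The Restricted Groups GPO step is left to GPMC, as the thread does not give enough to script it.

```powershell
# Added example, not part of the original thread.
# Pattern: DLG in the DMZ forest holding forest A admins, Selective Authentication
# restricted to that DLG. All names below are assumed placeholders.
Import-Module ActiveDirectory

$ForestADc = 'dc1.corp.example'   # assumption: a DC in forest A (trusted)
$DmzDc     = 'dc1.dmz.example'    # assumption: a DC in forest B (trusting, DMZ)
$DlgName   = 'DMZ-ServerAdmins'   # assumption: DLG to create in the DMZ domain
$SourceGrp = 'ServerAdmins'       # assumption: global group of admins in forest A
$GroupOu   = 'OU=Groups,DC=dmz,DC=example'

# Mike's finding: only domain local groups accept foreign security principals.
# Checking the scope first turns the late "Foreign security principals cannot be
# members of universal groups" error into a clear precondition failure.
function Test-AcceptsForeignPrincipals {
    param([string]$GroupName, [string]$Server)
    $group = Get-ADGroup -Identity $GroupName -Server $Server
    return ($group.GroupScope -eq 'DomainLocal')
}

function New-DmzAdminDlg {
    if (-not (Get-ADGroup -Filter "Name -eq '$DlgName'" -Server $DmzDc)) {
        New-ADGroup -Name $DlgName -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOu -Server $DmzDc
    }
    if (-not (Test-AcceptsForeignPrincipals -GroupName $DlgName -Server $DmzDc)) {
        throw "$DlgName is not a domain local group; cross-forest members would be rejected"
    }
    # Resolve the forest A group against a forest A DC and pass the object; the DMZ
    # DC then creates the foreignSecurityPrincipal entry for it.
    $foreign = Get-ADGroup -Identity $SourceGrp -Server $ForestADc
    Add-ADGroupMember -Identity $DlgName -Members $foreign -Server $DmzDc
}

# With Selective Authentication on the trust, a forest A account can only
# authenticate to a DMZ computer if it holds Allowed-To-Authenticate on that
# computer object. Granting it to the DLG rather than to individual users keeps
# the membership and the authentication scope in one place.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # extended right GUID

function Grant-AllowedToAuthenticate {
    param([string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName -Server $DmzDc
    $groupSid = (Get-ADGroup -Identity $DlgName -Server $DmzDc).SID
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage, in order:
# 1. Enable Selective Authentication on the trusting (DMZ) side of the trust:
#    netdom trust dmz.example /domain:corp.example /SelectiveAuth:Yes
# 2. Create the DLG and populate it from forest A:
New-DmzAdminDlg
# 3. Grant the DLG the right to authenticate to each DMZ member server:
Get-ADComputer -Filter * -SearchBase 'OU=DMZ Servers,DC=dmz,DC=example' -Server $DmzDc |
    ForEach-Object { Grant-AllowedToAuthenticate -ComputerName $_.Name }
# 4. Add the DLG to the servers' local Administrators group with a Restricted
#    Groups GPO linked to that OU (configured in GPMC, not scripted here).
```

Because the forest A admins sit in the DLG only, they never become members of Domain Admins, Enterprise Admins or Schema Admins in the DMZ forest, which is the part of Mike's original goal the trust design rules out. Every admin still logs on with their own forest A account, and Allowed-To-Authenticate limits those accounts to the DMZ servers that carry the ACE.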
