RE: [ActiveDir] Cross forest trust: universal groups
Hi Tony:

Try to use the NT version of group naming, i.e. ForestB\Group. I have done this with users (also used the UPN for users and it works too).

HTH,
Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest trust: universal groups

Hi all

I'm missing something here and I'm hoping you can give me a pointer.

Scenario: 2 single domain forests connected by a forest trust. I want to add global groups from ForestB to a universal group in ForestA. I go into ADUC in ForestA and click on the Members tab and select Add. When I go to the Locations tab to select the domain from ForestB I only see ForestA as an available option. Surely I should be able to add resources from ForestB to this universal group?

If I try to do the same thing with a domain local group in ForestA, I see the domain in ForestB as an available option, so it looks like the trust is ok.

Any thoughts?

Tony
RE: [ActiveDir] Cross forest trust: universal groups
A user's Universal group membership must be able to be fully enumerated against a forest-local GC, thus you cannot add users to a Universal beyond their own forest.

--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
RE: [ActiveDir] Cross forest trust: universal groups
Thanks Dean

That makes absolute sense, only it conflicts with what it says here:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx

"Create a universal group in the resource forest, and then add all global groups from the other forest (or forests) that need similar access as members of the universal group. For example, both the employees in the Sales Department and Accounting Department global groups located in ForestA use similar print resources located in ForestB. Create a universal group called Print Users in Other Forests in ForestB, and add both the Sales Department and Accounting Department global groups from ForestA as members. Universal groups are used primarily to group together two or more global groups (possibly from other forests) into one group for the resource domain."

Tony
RE: [ActiveDir] Cross forest trust: universal groups
The documentation is wrong and I thought it had been cleaned up in all places but apparently not. A good summary of group scope for cross forest trusts is:

Scenario: Forest A & B have a cross forest trust.

Security Group usage:

Only the following security principals from Forest A can be used in Forest B:

1. User Accounts
2. Global Groups
3. Universal Groups

The above can be added to only the following in Forest B:

1. Domain Local group
2. BuiltIn group on a local computer
3. BuiltIn group on a Domain Controller
4. Directly in an ACL

Thanks,

-Steve
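The cross-forest rule summarised above, together with the universal-group restriction from earlier in the thread, written as a pre-flight check for planned group memberships. This is an added example, not part of the thread: the principal records and names are constructed, and group scope is decoded from the standard `groupType` flag bits as they appear in an LDAP export. BuiltIn groups on a local computer and direct ACL entries are not group objects in the directory and are left out.

```python
# groupType flag bits as stored on Active Directory group objects.
BUILTIN, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = 0x1, 0x2, 0x4, 0x8

def scope(group_type):
    """Decode a groupType value; LDAP exports show it as a signed 32-bit int."""
    bits = group_type & 0xFFFFFFFF
    if bits & DOMAIN_LOCAL:
        return "builtin" if bits & BUILTIN else "domain local"
    if bits & GLOBAL:
        return "global"
    if bits & UNIVERSAL:
        return "universal"
    raise ValueError(f"unrecognised groupType {group_type}")

def kind(p):
    return "user" if p["class"] == "user" else scope(p["groupType"])

# The rule as summarised in the thread.
USABLE_ACROSS_TRUST = {"user", "global", "universal"}
CAN_HOLD_FOREIGN = {"domain local", "builtin"}

def check_cross_forest(member, container):
    """Return (verdict, reason); verdict is None when both sit in one forest."""
    if member["forest"] == container["forest"]:
        return None, "same forest: the cross-forest rule does not apply"
    m, c = kind(member), kind(container)
    if m not in USABLE_ACROSS_TRUST:
        return False, f"{m} group from {member['forest']} cannot be used in another forest"
    if c not in CAN_HOLD_FOREIGN:
        return False, (f"{c} group cannot hold members from another forest; "
                       f"use a domain local group in {container['forest']}")
    return True, f"{m} from {member['forest']} may join a {c} group"

def audit(plan):
    return [check_cross_forest(m, c) for m, c in plan]

# Constructed sample principals (hypothetical names and forests).
SALES = {"name": "Sales", "forest": "ForestB", "class": "group", "groupType": -2147483646}
DL_B = {"name": "DL-Files", "forest": "ForestB", "class": "group", "groupType": -2147483644}
USER_B = {"name": "user1", "forest": "ForestB", "class": "user"}
UNI_A = {"name": "Print Users", "forest": "ForestA", "class": "group", "groupType": -2147483640}
DL_PRINT = {"name": "DL-Print", "forest": "ForestA", "class": "group", "groupType": -2147483644}
BUILTIN_A = {"name": "Print Operators", "forest": "ForestA", "class": "group", "groupType": -2147483643}
PLAN = [(SALES, UNI_A), (SALES, DL_PRINT), (DL_B, DL_PRINT), (USER_B, BUILTIN_A)]

if __name__ == "__main__":
    for (m, c), (ok, why) in zip(PLAN, audit(PLAN)):
        print(f"{m['name']} -> {c['name']}: {'OK' if ok else 'DENY'} ({why})")
```

The first planned membership is the case from the original question (a ForestB global group into a ForestA universal group) and is the one the check rejects with a pointer to a domain local group.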
RE: [ActiveDir] Cross forest trust: universal groups
That's great. Thanks Steve. :-)