Re: External trust & resources sharing

From: "ptwilliams" <ptw2001@xxxxxxxxxxx>
Date: Fri, 15 Apr 2005 09:21:18 +0100

> I have 2 domains in different forests - domainA (Windows 2003 native) and
> domainB (Windows 2000 native). I have made an external one-way trust (not
> transitive) from domainA to domainB.

It's not clear (to me) the direction of trust. I assume that you've
configured domainA with an outgoing trust? That is, domainA is trusted by
domainB (domainA is the trusting domain).

> I am trying to achieve, that users in domainB can access SQL analysys
> services in domainA. If I understood correctly, I can add users from the
> domainB only to the local domain group in domainA.

Yes, providing the direction of the trust is correct (is what I think it is
above), then you can add global and universal groups from domainB to domain
local groups in domainA.

Re-reading your sentence, perhaps your trust is the wrong way round.

> But if I am trying to search for this domain local group from SQL server
> (in domainA), I can not found it - only global groups are listed. What I
> am doing wrong?

Well, this sounds like you're not in native mode. You have to be in native
mode to use domain local groups on member servers. Verify that you are
indeed in native mode, and that this server is authenticating with the
domain, and *carefully* look through the object picker. The domain local
group (in this domain) should be there.

> And is it possible to add global group to the domain local group?

Yes, this is possible, and is in fact the recommended way of doing things.

-- Domain Local groups can only be used in their domain; they can contains
users and groups from their own and other domains.
-- Global groups can be used in any domain, but may only contain members
from within their own domain.
-- Universal can be used anywhere and have members from anywhere (providing
they're in native mode).

--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

.

Follow-Ups:
- Re: External trust & resources sharing
  - From: Rytis

References:
- External trust & resources sharing
  - From: Rytis

Prev by Date: External trust & resources sharing
Next by Date: RE: Replacing Server
Previous by thread: External trust & resources sharing
Next by thread: Re: External trust & resources sharing
Index(es):
- Date
- Thread

Relevant Pages

Re: Global Group
... global groups to local groups. ... > global groups from each domain to a universal group and assign the> permissions to the universal group. ... Microsoft seem to have changed their> mind about the A-G-DL-P permissions model and don't recommend you assign> permissions directly to a domain local group. ...
(microsoft.public.win2000.active_directory)
RE: ntfs permissions and AD restore password
... I seem to be stuck which way to play the changes to the permissions after I ... If I simply change the domain local group to become a universal groups then ... -add the User Accounts to Global Groups ...
(microsoft.public.windows.server.active_directory)
Re: Global Group or Universal Group???
... Create a trust, you could then have a domain local group and populate all ... users in the second domain to have access to a database in the first ...
(microsoft.public.windows.server.active_directory)
Group Accounts
... I've read in MS Press that user accounts be placed in global groups ... and then place the global group inside a domain local group. ... not be able to access resources outwith the domain, ...
(microsoft.public.windows.server.general)
Global Group Info in Domain Local Group AD Query Help
... I am enumerating a Domain Local Group. ... as Global Groups from other domains. ... When checking membership of the ... I need to get the remote domain name and group name. ...
(microsoft.public.dotnet.framework)