RE: issue with Child and Parent Domains



> Is this because only Enterprise Admins accounts are capable of this?

No, this is by design. Anyone can log on to the parent domain if they have a
valid account in that domain. You cannot log on to a domain in which you
don't have an account. You can access resources if you have permissions, but
you must have an account in that domain to log on to it.


> Also, does AD replication occur between PD and CD? If so, under AD Users and Computers I am not receiving updated objects from PD. Although PD does appear under AD Users and Computers, I am unable to create a group on the CD and add user accounts from PD, although some (not all) accounts are seen. The PD admin assures me that he has delegated control of the OU. What exact permissions should be used? It is obvious that the CD admin has read rights to the OU objects.

Replication of the Schema and Configuration naming contexts occurs between
DCs in different domains in the SAME forest. The domain partition (users,
computers, etc.) is specific to DCs in THAT domain and is not replicated
elsewhere, except in the case of the GC, which is a read-only replica with a
partial attribute set.


> Moreover, is the CD capable of authenticating users that are part of the PD?

No, see my first comments. You have misunderstood the concept of trusts,
and what you can and cannot log on to.


> Or does a domain local group need to be created on the CD, with the user accounts of PD added?

In order for a user object in the child to access resources in the parent
(or vice versa), permissions need to be assigned to that resource. This is
done through a domain local group on the object itself (permissions applied
to this group) and then users and/or global groups from the other domain
being members of the other domain's domain local group.

--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
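The cross-domain group nesting described in the last answer, written out as an added PowerShell example (not part of the original post). It assumes hypothetical names: parent domain corp.example, child domain sales.corp.example, a global group Finance-Users in the parent, and a folder D:\Shares\Reports on a server joined to the child domain.

```powershell
# Added example, not from the original post. All names below are assumptions.
Import-Module ActiveDirectory

$childDC  = 'dc1.sales.corp.example'   # DC in the domain that owns the resource
$parentDC = 'dc1.corp.example'         # DC in the domain that owns the users

# 1. Domain local group in the CHILD domain, where the resource lives.
#    Domain local scope is what allows members from other domains in the forest.
New-ADGroup -Name 'Reports-Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Resource Groups,DC=sales,DC=corp,DC=example' -Server $childDC

# 2. Look up the global group in the PARENT domain against a parent DC.
#    Passing the object (not just the name) avoids referral errors across domains.
$parentGlobal = Get-ADGroup -Identity 'Finance-Users' -Server $parentDC

# 3. Nest the parent's global group into the child's domain local group.
Add-ADGroupMember -Identity 'Reports-Read' -Members $parentGlobal -Server $childDC

# 4. Grant the domain local group read access on the resource.
#    Nothing is granted to parent-domain users directly; membership in the
#    parent global group is what gives them access through the trust.
$acl  = Get-Acl -Path 'D:\Shares\Reports'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'SALES\Reports-Read', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'D:\Shares\Reports' -AclObject $acl

# Check: the member's DN should sit in the parent domain, confirming the
# cross-domain nesting resolved rather than silently matching a local object.
Get-ADGroupMember -Identity 'Reports-Read' -Server $childDC |
    Select-Object Name, objectClass, distinguishedName
```

The parent-domain users still cannot log on to the child domain; they authenticate to their own domain and reach the folder because their global group sits inside the child's domain local group.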
