RE: restricted groups?
- From: "lforbes" <lforbes@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Jul 2005 20:33:17 -0700
Hi,
Yes, I guess it would. I just remember posts that said they couldn't
actually "see" the Domain Groups from another Domain to add them. However,
"if" you can see them then it will work to put them in the Domain Local
Groups on the DC. Good Luck
Cheers,
Lara
"skip" wrote:
> the way multiple domains and multiple trees in a forest work is there is a
> transitive trust relationship between all domains in the forest, this enables
> users from domainB to access resources in domainA and vice versa, but because
> each domain in a forest is a separate security boundary, then domain admins
> from domainA (if they are not in the local admin group on a client machine in
> domainB) can't manage machines in a separate domain, because of the security
> boundary, but if you add the domain admins group from domainA to the local
> built in administrator group in domainB then this will solve the issue
>
> This would work I was under the
> > impression that you create a Universal Group and add the Domain Admins from
> > Domain A and then put that Group inside the Domain Local Administrators group
> > from Domain B.
> but doing it this way creates more steps
>
> "lforbes" wrote:
>
> > Hi,
> >
> > Actually yes, I am understanding. Now I haven't done this because I only
> > have one Domain (so someone correct if I am wrong) however, I was under the
> > impression that you create a Universal Group and add the Domain Admins from
> > Domain A and then put that Group inside the Domain Local Administrators group
> > from Domain B.
> >
> > Here is the Group Rules in Native Mode according to MS. As you can see a
> > Domain Group cannot contain a Domain group from another Domain. You have to
> > use Universal Groups to do that.
> >
> > ~From Microsoft's website~
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/nesting_in_native_mode.asp
> >
> > A universal group can contain other universal groups, global groups and
> > accounts from any domain in any forest. A universal group cannot contain any
> > domain local groups.
> > A global group can contain other global groups and accounts from the same
> > domain that the group belongs to. A global group cannot contain any universal
> > groups, or any global group or account from another domain.
> > A domain local group can contain universal groups, global groups and
> > accounts from any domain or forest. A domain local group can also contain
> > other domain local groups from the same domain that the group belongs to. A
> > domain local group cannot contain other domain local groups from any other
> > domain or forest.
> >
> > Cheers,
> >
> > Lara
> >
> > "skip" wrote:
> >
> > > you are not understanding what I am trying to do. I want the domain admins
> > > group from domainA to be in the domain admins group in domainB
> > >
> > > "lforbes" wrote:
> > >
> > > > Hi,
> > > >
> > > > > I only have a One Domain Forest/Tree. However, I think that you should
> > > > > investigate Universal groups. They give you the option of "Cross domain
> > > > > access"
> > > >
> > > > Cheers,
> > > >
> > > > lara
> > > >
> > > >
> > > > "skip" wrote:
> > > >
> > > > > Hi all
> > > > >
> > > > > I have a forest root that contains a separate tree and domain. I would like
> > > > > > to add the domain admins group from the forest root domain to every machine
> > > > > > that is in the separate domain. Can I use restricted groups to do this? I
> > > > > > need to scan all machines on the network for missing patches but I can't scan
> > > > > the machines in the domainb.com domain because the domain admins group from
> > > > > domainA.com is not listed in the local admin group on the machines
> > > > >
> > > > > Example
> > > > >
> > > > > > DomainA.com is the forest root, DomainB.com is a separate tree in the forest
> > > > > root.
> > > > >
> > > > > Thanks
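
Added example, not part of the original thread or written by its posters: the native-mode nesting rules quoted above, expressed as a check and run against the three nesting paths discussed. The `Principal` type, the helper names and the "Cross-Domain Admins" universal group are hypothetical; Domain Admins is modelled as a global group and the DomainB Administrators group as domain local, as the thread describes it.

```python
# Added example: the nesting rules quoted in the thread (native mode) as code.
# Principal, can_contain() and chain_allowed() are hypothetical helper names.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "account", "global", "universal" or "domain_local"

def can_contain(container: Principal, member: Principal) -> bool:
    """Return True if member may be placed in container per the quoted rules."""
    same_domain = container.domain.lower() == member.domain.lower()
    if container.kind == "universal":
        # Universal: universal, global and accounts from any domain; never domain local.
        return member.kind in ("universal", "global", "account")
    if container.kind == "global":
        # Global: only global groups and accounts from its own domain.
        return same_domain and member.kind in ("global", "account")
    if container.kind == "domain_local":
        # Domain local: universal, global and accounts from any domain;
        # other domain local groups only from the same domain.
        if member.kind == "domain_local":
            return same_domain
        return member.kind in ("universal", "global", "account")
    return False  # an account cannot contain anything

def chain_allowed(chain) -> bool:
    """chain[0] is nested into chain[1], which is nested into chain[2], and so on."""
    return all(can_contain(outer, inner) for inner, outer in zip(chain, chain[1:]))

# Constructed sample objects for the two domains named in the thread.
DA_A = Principal("Domain Admins", "DomainA.com", "global")
DA_B = Principal("Domain Admins", "DomainB.com", "global")
UNIV = Principal("Cross-Domain Admins", "DomainA.com", "universal")  # hypothetical
ADMINS_B = Principal("Administrators", "DomainB.com", "domain_local")

def thread_scenarios() -> dict:
    return {
        "A Domain Admins -> B Domain Admins": chain_allowed([DA_A, DA_B]),
        "A Domain Admins -> B Administrators": chain_allowed([DA_A, ADMINS_B]),
        "A Domain Admins -> universal -> B Administrators":
            chain_allowed([DA_A, UNIV, ADMINS_B]),
    }

if __name__ == "__main__":
    for path, ok in thread_scenarios().items():
        print(f"{'allowed' if ok else 'blocked':8} {path}")
```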