Re: Child Domain access
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Tue, 26 Jul 2005 06:49:28 +0100
This is down to the scope of the different groups.
Group Scope
-- Domain Local groups can contain members from ANY domain but can only be
used (configured on object ACLs, etc) in their OWN domain (this is in native
mode; in mixed they can only be used on DCs).
-- Global groups can only contain members from their OWN domain but can be
used to (configured on object ACLs, etc) in
ANY domain.
-- Universal groups can contain members from ANY domain and can be used in
ANY domain [1].
Group Nesting
-- A domain local group can contain users, a universal group, a global group
or another domain local group [2].
-- A global group can contain users and global groups from the same domain
and can be added to domain local or universal group in any domain; a global
group can be added to another global group in its own domain.
-- A universal group can contain users, universal and global groups from any
domain and can be a member of domain local or universal groups in any
domain.
---
[1] Universal groups require native mode; they can not be used in domains
that are running in mixed mode.
[2] Domain local groups from the same domain only.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
.
- References:
- Child Domain access
- From: Pscyime via WinServerKB.com
- Re: Child Domain access
- From: Mike Brannigan [MSFT]
- Re: Child Domain access
- From: Pscyime via WinServerKB.com
- Re: Child Domain access
- From: Mike Brannigan [MSFT]
- Re: Child Domain access
- From: SIME U via WinServerKB.com
- Child Domain access
- Prev by Date: Re: Seize Schema Master fails via GUI and CMD
- Next by Date: Re: Reset user passwords permission
- Previous by thread: Re: Child Domain access
- Next by thread: Is there any reader out there for Questions posted on this web.
- Index(es):
