Re: Cross Forest Administration



Thanks for the response, maybe I am missing something obvious, but I still
don't see a resolution here. Given that EA is a Universal Group it can
contain either Global or Universal groups. Neither Global nor Universal groups
can contain objects from another Forest. The only group type that can
contain objects from another forest is Domain Local. However Domain Local
cannot be a member of a Universal group.

Any ideas?

"Herb Martin" wrote:


"Brad" <BDS@xxxxxxxxxxxxxxxxx> wrote in message
news:4F5DA8E2-F9C3-4943-95CB-B40756131E00@xxxxxxxxxxxxxxxx
That was my first hope. But it is only possible to add users from another
forest to a Domain Local group, and it is not possible to add a Domain Local
Group to a Universal group. Enterprise Admins is a Universal group.

Group containment operates in this direction:

Global --> Universal --> (Domain or computer) Local

The one to the right can contain the one(s) to the left.

For granting permission you usually do this on Local groups, so adding
UNIVERSAL (or Globals) from a Trusted Domain is the usual method.

As written above, you seem to have the strategy (but not the technical
rules) backwards.

"Herb Martin" wrote:


"Brad" <BDS@xxxxxxxxxxxxxxxxx> wrote in message
news:3B4DFCA4-644E-4356-B369-BDD0533A379E@xxxxxxxxxxxxxxxx
Hey All,

I have three forests (all with one domain) that are managed by the same AD
administration team. Forest A is the main production forest with thousands of
users and trusts Forest C. Forest B holds resources used by internal and
external users, and trusts Forest A. Forest C holds some specific
infrastructure and trusts Forest A. To summarize:

Forest A <---> Forest C (Two way)
Forest B <--- Forest A (Forest B trusts Forest A but not vice versa).

All Forests are managed by the exact same IT staff, and Forest A has a very
highly configured delegation model in place. I want to extend the delegation
model to the other two forests. I can easily create permissions (using
Active Roles FWIW) on Forests B and C. What I wanted to also achieve was
getting users that are members of Enterprise Admins and Domain Admins in
Forest A to be members of the same in Forests B and C. What is the easiest
way of getting Enterprise Admins and Domain Admins in Forests B and C to
match that of Forest A?

Add their accounts to the Enterprise Admins in the other forest?
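As an added worked example (not code from the thread or from any of the posters), here is what Herb's suggested approach looks like in PowerShell with the RSAT ActiveDirectory module, run from Forest B by an account that can write to Forest B and read the trusted forest: instead of trying to nest anything under Enterprise Admins (Universal, so it rejects foreign principals), Forest B gets a Domain Local group that holds Forest A's Domain Admins by SID, and rights are then delegated to that Domain Local group. The domain names corp.a.example and res.b.example, the OU, and the group name ForestA-AD-Admins are assumptions chosen for the example.

```powershell
# Added example, not from the thread. Assumed names: trusting forest B domain
# 'res.b.example', trusted forest A domain 'corp.a.example'; one-way trust in
# which B trusts A, as in the original post. Requires the RSAT ActiveDirectory
# module and dsacls.exe (both ship with Windows Server / RSAT).
Import-Module ActiveDirectory

$TrustedDomain  = 'corp.a.example'                    # Forest A (assumed)
$TrustingDomain = 'res.b.example'                     # Forest B (assumed)
$TargetOU       = 'OU=Admin,DC=res,DC=b,DC=example'   # assumed OU in Forest B
$GroupName      = 'ForestA-AD-Admins'                 # assumed new group name

# 1. Resolve the Forest A group whose members should get rights in Forest B.
#    Only its SID crosses the trust; its DN lives in Forest A's directory.
$srcGroup = Get-ADGroup -Identity 'Domain Admins' -Server $TrustedDomain

# 2. Create (or fetch) a Domain Local security group in Forest B. Domain Local
#    is the only scope that can hold principals from a trusted forest; Global
#    and Universal groups (Enterprise Admins is Universal) reject them.
$dl = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $TrustingDomain -SearchBase $TargetOU
if (-not $dl) {
    $dl = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                      -Path $TargetOU -Server $TrustingDomain -PassThru
}
if ($dl.GroupScope -ne 'DomainLocal') {
    throw "$GroupName has scope $($dl.GroupScope); foreign principals need DomainLocal."
}

# 3. Add the trusted-forest group by SID. The <SID=...> DN form lets the DC in
#    Forest B create the matching foreignSecurityPrincipal object itself, which
#    a plain cross-forest DN cannot do.
Set-ADGroup -Identity $dl -Server $TrustingDomain -Add @{ member = "<SID=$($srcGroup.SID.Value)>" }

# 4. Verify by reading the raw member attribute; Get-ADGroupMember cannot
#    always resolve foreign security principals and may error out.
$members = (Get-ADGroup -Identity $dl -Properties member -Server $TrustingDomain).member
Write-Host "Members of ${GroupName}:"
$members | ForEach-Object { Write-Host "  $_" }

# 5. Delegate rights to the Domain Local group rather than nesting it under
#    Enterprise Admins. Here: full control (GA) over the OU subtree (/I:T), as
#    one illustration of granting permissions on Local groups; narrow the
#    rights to what the delegation model actually calls for.
$netbios = (Get-ADDomain -Server $TrustingDomain).NetBIOSName
dsacls $TargetOU /I:T /G "$netbios\${GroupName}:GA"
```

Running the same script against Forest C works unchanged apart from the names, since the two-way trust between A and C also allows A's principals into C's Domain Local groups. What this does not give you is literal membership of Enterprise Admins or Domain Admins in B and C; for that, the accounts still have to exist in (or be added directly to) the target forest, which is what the thread's last suggestion amounts to.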