Group membership between Forests

Shambler

The breakdown:

Forest A - Domain A - User A

Forest B - Domain B - Group B


Forest B trusts Forest A
Group B is a Universal Group (99% sure this needs to be changed to Domain Local)

In order to add User A to Group B I need to:
Open up AD in Domain A. Find User A and hit the membership tab. Browse to Domain B, select Group B, and Add.

Done and done. Right?

Currently, I'm only able to view the built-in groups for Domain B. (I assume this is because the other groups in Domain B are all Global/Universal.)

All of that sounds about right? In terms of thought process and potential issue with Domain Local vs. Universal.
 
Wonder if this would work.

Take my current Universal Group in Domain B, and nest it within a Domain Local Group in Domain B.

That would work right? (Functional Level is 2008 for Forest B and at least 2003 for Forest A)
 
Well alright,

I am able to add User A to a Domain Local Group in Domain B.

However, it just shows a SID and not the actual user Name. I gave that Domain Local Group perms to a folder, and my User A creds were not recognized.
Booooooo!
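The "just shows a SID" symptom above is what a foreign member looks like from Domain B's side: the trusted-forest account is stored as a foreignSecurityPrincipal object named after its SID, and a friendly name appears only if the SID can be translated back through the trust. The following PowerShell is an added example (not code from the thread) for auditing a group's foreign members and flagging the ones that no longer resolve; it assumes the ActiveDirectory RSAT module, read access to Domain B, and uses a placeholder group name.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# installed and that the running account can read Domain B and translate
# SIDs through the trust. 'GroupB' below is a placeholder.
Import-Module ActiveDirectory

function Get-ForeignGroupMemberReport {
    param(
        [Parameter(Mandatory)] [string] $GroupName,  # resource group in Domain B
        [string] $Server                              # optional DC in the group's domain
    )
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # Read the raw member attribute; Get-ADGroupMember is known to choke on
    # groups that contain foreign security principals, so avoid it here.
    $group = Get-ADGroup -Identity $GroupName -Properties member @adArgs
    foreach ($dn in $group.member) {
        $member = Get-ADObject -Identity $dn -Properties objectClass @adArgs

        if ($member.objectClass -ne 'foreignSecurityPrincipal') {
            # Same-forest members already carry a readable name.
            [pscustomobject]@{
                Member   = $member.Name
                Kind     = $member.objectClass
                Resolved = $true
                Account  = $member.Name
            }
            continue
        }

        # An FSP's CN is the SID string of the trusted-forest principal.
        $sid = [System.Security.Principal.SecurityIdentifier] $member.Name
        try {
            $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $resolved = $true
        } catch {
            # Translation fails when the trust or name lookup path is broken,
            # or when the object was deleted in the other forest (orphaned FSP).
            $account  = '<unresolved>'
            $resolved = $false
        }
        [pscustomobject]@{
            Member   = $sid.Value
            Kind     = 'foreignSecurityPrincipal'
            Resolved = $resolved
            Account  = $account
        }
    }
}

# Usage:
# Get-ForeignGroupMemberReport -GroupName 'GroupB' | Format-Table -AutoSize
```

Rows with `Resolved = $false` are exactly the bare-SID entries seen in the membership tab. If the account still exists in Forest A, the thing to check is the trust and DNS/name resolution between the two forests before relying on any ACL that references the group; if it no longer exists, the entry is stale cross-forest access and is worth removing.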
 
you need a global group in both forests/domains.
Add global group from Forest B to global group in Forest A.

Domain Local and Universal is for use between domains that are in the same forest.

Global groups can contain Global groups from any trusting domain; but the only user members allowed are users from the same domain.

So, add user B to Global Group B. Add Global Group B to Global Group A.

http://support.microsoft.com/kb/884417
(yes, that KB article is about BizTalk 2004, but the info is still accurate)
 
You were very close to having the correct solution. Here's my take on it.

In domain A, put User A in a global group. In domain B, make sure Group B is a domain local group and add the global group from domain A. If you have multiple global groups in domain A that you'd like to add to Group B, first put all the domain A global groups into a Universal group in domain A, then add the universal group into Group B.

Group scope: http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Accessing resources across forests: http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx
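The recipe in this post is the cross-forest form of the usual account/global/domain-local/permission chain. The PowerShell below is an added example (not from the thread or from Microsoft) that carries the chain through end to end: fix Group B's scope, nest the Domain A global group into it, and grant the folder permission to Group B rather than to the user. It assumes the ActiveDirectory module, a reachable DC in each forest (placeholders `$DcA` and `$DcB`), credentials that can edit groups in both domains, and that `Add-ADGroupMember` resolves the foreign group through the trust; all group, user and path names are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module,
# one DC per forest (placeholders below) and rights to edit both groups.
Import-Module ActiveDirectory

$DcA = 'dc1.domaina.example'   # placeholder: a DC in Domain A (account side)
$DcB = 'dc1.domainb.example'   # placeholder: a DC in Domain B (resource side)

function Set-ResourceGroupScopeDomainLocal {
    # Converts a resource group to Domain Local, respecting AD's conversion rules.
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server
    )
    $g = Get-ADGroup -Identity $GroupName -Server $Server
    switch ($g.GroupScope) {
        'DomainLocal' { }                                                     # nothing to do
        'Universal'   { Set-ADGroup -Identity $g -GroupScope DomainLocal -Server $Server }
        'Global'      {
            # Global -> DomainLocal is not a direct conversion; AD requires
            # the Universal step (and the group must not be nested in another
            # global group at that point).
            Set-ADGroup -Identity $g -GroupScope Universal   -Server $Server
            Set-ADGroup -Identity $g -GroupScope DomainLocal -Server $Server
        }
    }
    return Get-ADGroup -Identity $GroupName -Server $Server
}

# 1. Account side (Domain A): User A goes into a Global group of its own domain.
$globalA = Get-ADGroup -Identity 'GG-ProjectX-Users' -Server $DcA            # placeholder
Add-ADGroupMember -Identity $globalA -Members (Get-ADUser 'userA' -Server $DcA) -Server $DcA

# 2. Resource side (Domain B): Group B must be Domain Local to accept
#    principals from the trusted forest.
$groupB = Set-ResourceGroupScopeDomainLocal -GroupName 'GroupB' -Server $DcB

# 3. Nest the Domain A global group into Group B. Domain B stores it as a
#    foreignSecurityPrincipal (a SID); the name only resolves across the trust.
Add-ADGroupMember -Identity $groupB -Members $globalA -Server $DcB

# 4. Grant the folder permission to Group B, never to User A directly, so
#    access is revoked by removing the user from the Domain A global group.
$share = 'D:\Shares\ProjectX'                                                 # placeholder
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'DOMAINB\GroupB', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify from Domain B's side (raw member attribute; FSPs show as SID-named DNs).
(Get-ADGroup -Identity $groupB -Properties member -Server $DcB).member
```

If several Domain A global groups need the same access, the post's variant applies unchanged: put them into a Universal group in Domain A and nest that single Universal group into Group B in step 3 instead of each global group.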
 
> You were very close to having the correct solution. Here's my take on it.
>
> In domain A, put User A in a global group. In domain B, make sure Group B is a domain local group and add the global group from domain A. If you have multiple global groups in domain A that you'd like to add to Group B, first put all the domain A global groups into a Universal group in domain A, then add the universal group into Group B.
>
> Group scope: http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
> Accessing resources across forests: http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx

you're right.
Domain B's Group B would need to be domain local.

It's been forever since I messed around with this, and Microsoft tends to leave out "forest" when it should be there for clarification in their articles.
i.e., "Global groups from any domain", whereas that probably should state "any forest" or something similar.
 