Re: Pass-through Authentication Between Trusted Domains Not Working
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/11/04
Date: Mon, 11 Oct 2004 21:49:18 GMT
You have a couple of options. If you are using native mode you can create
universal groups and add global groups from any trusted domain to the
universal group and then add universal groups to domain local groups or
local groups on the domain computers. Domain local groups will only work on
domain computers if the domain is in native mode. Global groups can not
contain other global groups unless in native mode and then they can contain
global groups only from the same domain. If you want to add a group from the
trusted domain to the local administrators group on the domain computers in
the trusting domain and are not using native mode you can use Group Policy
"restricted groups" to add the domain admins group from both domains to the
local administrators groups on domain computers under the scope of influence
of the policy. Note that restricted groups will remove current members of
the restricted group if they are not defined as groups/users to be included.
Another way would be to use Group Policy startup script to add the domain
admins group from the trusted domain to the local administrators group with
the net localgroup command. As far as adding permissions to shares, you
should be able to directly add global groups from the trusted domain to
shares in the trusting domain.
Except for trusts between domains in a Windows 2000 or 2003 forest which are
created automatically and are two way and transitive, you have to establish
trusts for both directions if you want two domains to share resources with
each other domain's users. The support tool dcdiag can be run on the pdc
fsmo in each domain to see if there is a problem with the trusts. Often dns
problems can arise and it will help to make sure each domain can resolve dns
names in the other domain assuming these are W2K/W2003 domains. In Windows
2000, you can make your domain controllers have secondary dns zones of the
other trusted domain. The same will work in Windows 2003, though you can
also use stub zone or conditional forwarding to locate the dns servers for
the other domain. --- Steve
"SteveO" <stevem123@cox.net> wrote in message
news:53b82af3.0410111027.591c4f52@posting.google.com...
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:<4OE9d.226064$3l3.178364@attbi_s03>...
>> Try adding the administrator account you are using from each domain, or
>> the
>> domain admins global group, to the built in administrators group of the
>> other domain in Active Directory Users and Computers to see if that
>> helps. --- Steve
>
> I'm sorry Steven. I didn't properly read your posting (as short and to
> the point as it was) about adding users to the "BuiltIn"
> Administrators Group.
>
> This does seem to work to provide access to the machine to which I
> have altered the Built-In group.
>
> Now if I want to access shares on other machines that are part of the
> domain (there are 8 others), I would have to add the trusted domain's
> "Domain Admin" group to the built-in Administrators group on each of
> those machines as well.
>
> I can certainly do that...just seems like a pain to manage going
> forward.
>
> In terms of accessing disk resources, doesn't seem like the domains
> truly trust each other.
>
> Is there any way to add trusted domain users/groups to the GLOBAL
> groups on the trusting server which is what I thought you were telling
> me originally and would be best for management. I can only add the
> trusted domain users to Domain Local groups which you can't add to a
> global group or to the disk rights.
>
> STEVE
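
The startup-script option mentioned in the reply above, written out as an added example that is not part of the original thread. It assumes English-language Windows (local group named Administrators); `TRUSTED` is a placeholder for the trusted domain's NetBIOS name and the log path is an arbitrary choice. Unlike Restricted Groups, `net localgroup ... /add` leaves the existing members of the local group in place.

```bat
@echo off
rem Added example, not from the original post: computer startup script for a
rem GPO that applies to the member computers in the trusting domain.
rem Startup scripts run as LocalSystem, so no credentials are stored here.
rem TRUSTED is a placeholder for the trusted domain's NetBIOS name.
setlocal
set "GROUP=TRUSTED\Domain Admins"
set "LOG=%SystemRoot%\Temp\add-trusted-admins.log"

rem Skip the add when the group is already a member, so the script can run
rem at every boot. /l = literal match, /i = case-insensitive.
net localgroup Administrators | findstr /l /i /c:"%GROUP%" >nul
if not errorlevel 1 goto :done

net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    rem One possible cause: the trusted domain's name could not be resolved
    rem at boot (see the DNS notes in the reply above).
    >>"%LOG%" echo %DATE% %TIME% FAILED to add %GROUP% to local Administrators
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% added %GROUP% to local Administrators

:done
endlocal
exit /b 0
```

Running `net localgroup Administrators` on a member computer afterwards lists the resulting membership, which is worth reviewing because every member of the trusted domain's group becomes a local administrator there.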