Re: Changing Global Group to Domain Local Group.

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/07/05


Date: Fri, 7 Jan 2005 11:02:01 -0600

Did you try the recommendation in KB281271?? It basically uses delegation,
and dsacls to give parent domain CA permissions in the child domain? --
Steve

"Rob McShinsky" <List@mcshinsky.com> wrote in message
news:eTTibvM9EHA.3320@TK2MSFTNGP10.phx.gbl...
> Sorry for the lack of detail. Unable to change to any group type. All
> options are greyed.
>
>
> "Shiny Bob" <parris@newsguy.com> wrote in message
> news:crlrpm02f4s@news3.newsguy.com...
>> he cannot change it from global to local - no mention of universal .
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:e0DvyvG9EHA.2700@TK2MSFTNGP14.phx.gbl...
>>> Except that he indicated he can not change it from global group. ---
>>> Steve
>>>
>>>
>>> "<Shiny Bob>" <parris@newsguy,com> wrote in message
>>> news:crkl8102dfm@news3.newsguy.com...
>>>> change it to universal come out of group
>>>> go back into group and change it to a DL Group.
>>>>
>>>> Mark
>>>>
>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>> news:OroWX1E9EHA.2600@TK2MSFTNGP09.phx.gbl...
>>>>>I have never had to deal with that but see if the info in the link
>>>>>below is helpful. --- Steve
>>>>>
>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;281271
>>>>>
>>>>> "Rob McShinsky" <List@mcshinsky.com> wrote in message
>>>>> news:uJbU7s$8EHA.1228@tk2msftngp13.phx.gbl...
>>>>>> In my Windows 2000 domain (native mode), that is almost completly
>>>>>> upgraded to Windows 2003 I want to change my Cert Publishers group
>>>>>> from a Global Group to a Domain Local Group. If you install 2003
>>>>>> from scratch and make it a domain controller this group is a Domain
>>>>>> Local Group even if you are in Windows 2000 native mode. Currently
>>>>>> the ability to switch this group is greyed out.
>>>>>>
>>>>>> The reasoning behind this is we are building a 2-tiered Certificate
>>>>>> Authority structure with the Issuing Certificate Authority in the
>>>>>> Root domain. All users and computer objects are in the child domain.
>>>>>> So unless I can put the CA computer object that is in the root domain
>>>>>> in the Child domain Cert Publishers group, the certificates issued to
>>>>>> users in the child domain do not work. If the Cert publishers group
>>>>>> is a Domain Local group I can easily see the CA server in the Root
>>>>>> Domain and can add it correctly.
>>>>>>
>>>>>> Does anyone have any experience with 2-tiered CA's within a 2-tiered
>>>>>> forest?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Rob McShinsky
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>