Re: Adding a User from One Domain to a Group in Another Domain

From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
Date: Fri, 18 Aug 2006 11:48:46 -0700

One of the leading reasons for separate forests is to effect strong
administrative separation, the containment it CAN provide, etc..
It appears you do not actually want that. You probably should
examine your objectives for funtionalities, operational model,
risk containment, etc.

"Andrew Hayes" <AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23oQM%23DrwGHA.2120@xxxxxxxxxxxxxxxxxxxxxxx

Well, I had wanted an Enterprise Admin account on Domain A to also be
Enterprise Admin on Domain B, but I guess that's not normal. Probably I
should of added Domain B to the Domain A Forest, rather than making it
it's own Forest.

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eNT2%23gpwGHA.1888@xxxxxxxxxxxxxxxxxxxxxxx

Groups may be moved in or put of the Users container, so one cannot
guess (fully) what you are seeing there. However, it is a rule that you
may not add externals to domain globals. While natively there are some
domain locals in Users, Builtins holds domain locals, and Users does not
hold builtin groups.

"Andrew Hayes" <AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eT0S2ynwGHA.2208@xxxxxxxxxxxxxxxxxxxxxxx

I have 2 W2K3 domains with a two-way trust relationship between them, and
I would like to add a user from Domain A to one of the groups in Domain
B. Unfortunately, all I can seem to do is only add users from Domain A to
one of the Built-in groups of Domain B, not to any of the groups in the
Users container.

Is this at all possible?

Follow-Ups:
- Re: Adding a User from One Domain to a Group in Another Domain
  - From: Andrew Hayes

References:
- Adding a User from One Domain to a Group in Another Domain
  - From: Andrew Hayes
- Re: Adding a User from One Domain to a Group in Another Domain
  - From: Roger Abell [MVP]
- Re: Adding a User from One Domain to a Group in Another Domain
  - From: Andrew Hayes

Prev by Date: Re: enabling LDAP over SSL: Enterprise CA in separate AD tree
Next by Date: Re: Account Being Locked Somewhere
Previous by thread: Re: Adding a User from One Domain to a Group in Another Domain
Next by thread: Re: Adding a User from One Domain to a Group in Another Domain
Index(es):
- Date
- Thread

Relevant Pages

Re: Adding a User from One Domain to a Group in Another Domain
... I would of prefered to not have seperate forests, ... seperate forest and domain and then used trust relationships to allow access ... administrative separation, the containment it CAN provide, etc.. ... hold builtin groups. ...
(microsoft.public.windows.server.security)
Re: Problem on windows 2003 with trust.
... I don't know how indepth you 2 separate forests are separated, ... are all ports free for communication etc. ... If no firewalls are present between, maybe you could change the secondary ... forest zones properly, are all ports open from the PDC to PDC as an initial ...
(microsoft.public.windows.server.active_directory)
Re: AD design question....again
... security that requires separate forests. ... In the forest to gain control over the entire forest. ... Note that the problem isn't just with "the administrator" account. ... - empty domain model would not "secure" the enterprise admin ...
(microsoft.public.win2000.active_directory)
Re: AD design question....again
... You get separate forests when you can't ... trust the different sets of admins. ... Authenticated Users in the forest with the sensitive data. ... Set up a single domain forest if you have no real reasons to do otherwise ...
(microsoft.public.win2000.active_directory)
Re: Advantages of Child Domain
... the recommendation is to start your design with a single domain ... forest model and then take into consideration any factors that would warrant ... increasing number of domains or even create separate forests. ... Dedicated Root forest and one child domain spread across 5 locations ...
(microsoft.public.windows.server.active_directory)