> This is typically done in very security sensitive environments, however, is a pain if you
> need to grant access to a lot of users from the trusted forest.
That is what scripts and command line tools are for. :o)
I am 100% behind not nesting groups from other domains
into domain local groups[1] if you have any thoughts whatsoever on being
sure about membership and who has access to a resource. Once the owner of the
resource (and generally owner of the group that secures the resource) nests in
another group, unless they own that group, they have lost control of who has
access to the resource.
[1] Or even nesting globals into locals at all unless
you are trying to build some form of role based security structure and even then
I would be more apt to do domain local into domain local nesting. The single
domain membership nature of global groups is annoying to me.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, November 25, 2005 1:19 PM
To: [email protected]
Subject: RE: [ActiveDir] Forest Trusts & Accessing Resources
there is no single correct way - creating an extra
universal group doesn't make any sense in your situation, since you only
have a single domain in your trusted forest.
However, you need to consider who manages the respective
forests, what data you're granting access to in your resource forest and
who is to control access to that data. By nesting a group from the trusted
forest to a local group in the resource forest (which you then use to grant the
rights on the resource), you're basically granting the admins of the trusted
forest to manage which users are granted access to the resource. This is
typically ok, but needs to be understood.
If you need to ensure that only specific users are granted
access to the resource and this access must be controlled by the resource
owners, then you'd want to add the users from the trusted forest directly to
your local groups in the resource forest. This is typically done in very
security sensitive environments, however, is a pain if you need to grant access
to a lot of users from the trusted forest.
Both are valid options (other options are possible as
well) - your requirements will determine what's the best option for
you.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Freitag, 25. November 2005 11:42
To: [email protected]
Subject: [ActiveDir] Forest Trusts & Accessing Resources
Hi all...
Scenario:
We have 2 Windows 2003 forests (forest functional
level set at Windows 2003) and each forest has a single domain. There is a
one-way trust between the two forests, Forest A trusts Forest B.
Question:
We need to grant users in Forest B access to
resources in Forest A. Having read Microsoft best practice KBs, they
recommend creating a Global Group in Forest B and adding users to this.
This Global Group is then added to a newly created Universal group also in Forest B,
which in turn is then added to a Domain Local Group in Forest A which is assigned
permissions to the resource...phew!...
What issues would there be by just adding the
Global Group in Forest B directly to the resource in Forest A?
Regards
David
****************************************************************************
This message contains confidential information and is intended only
for the individual or entity named. If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is
regulated or licensed in those jurisdictions as required.
****************************************************************************
