> This is typically done in very security sensitive environments, however, is a pain if you
> need to grant access to a lot of users from the trusted forest.
 
That is what scripts and command line tools are for. :o)
 
I am 100% behind not nesting groups from other domains into domain local groups[1] if you have any thoughts whatsoever on being sure about membership and who has access to a resource. Once the owner of the resource (and generally owner of the group that secures the resource) nests in another group, unless they own that group, they have lost control of who has access to the resource.
 
 
[1] Or even nesting globals into locals at all unless you are trying to build some form of role based security structure and even then I would be more apt to do domain local into domain local nesting. The single domain membership nature of global groups is annoying to me.
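To see in practice what the point above is about, here is an added PowerShell example (not part of the thread) that expands a domain local resource group in the resource forest and flags the members the resource owner does not control: groups or users nested in from the trusted forest appear as ForeignSecurityPrincipal stubs, and their real membership is managed by the other forest's admins. It assumes the ActiveDirectory module; the DC and group names are placeholders.

```powershell
# Added example, not from the thread: expand a domain local resource group and
# flag members that are stubs for principals from the trusted forest.
# Assumes the ActiveDirectory module; server and group names are placeholders.
Import-Module ActiveDirectory

function Get-ResourceGroupReport {
    param([string]$GroupName, [string]$Server)

    $scopeNames = @{ 2 = 'Global'; 4 = 'DomainLocal'; 8 = 'Universal' }
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object System.Collections.Queue
    $root  = Get-ADGroup -Identity $GroupName -Server $Server
    $queue.Enqueue($root.DistinguishedName)

    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }      # nested groups can form loops

        if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
            # Stub for a user or group that lives in the trusted forest; who is
            # behind it is decided by that forest's admins, not by the resource owner.
            $sidString = ($dn -split ',')[0] -replace '^CN='
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidString
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }
            [pscustomobject]@{ Member = $name; Kind = 'TrustedForestPrincipal'; ControlledHere = $false }
            continue
        }

        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectClass, member, groupType
        if ($obj.objectClass -eq 'group') {
            $scope = $scopeNames[[int]($obj.groupType -band 0xE)]   # 0x2/0x4/0x8 scope bits
            if ($dn -ne $root.DistinguishedName) {
                [pscustomobject]@{ Member = $obj.Name; Kind = "NestedGroup/$scope"; ControlledHere = $true }
            }
            foreach ($m in $obj.member) { $queue.Enqueue($m) }
        } else {
            [pscustomobject]@{ Member = $obj.Name; Kind = $obj.objectClass; ControlledHere = $true }
        }
    }
}

# Placeholders for the resource forest (Forest A in the thread) DC and group.
Get-ResourceGroupReport -GroupName 'Share-Finance-RW' -Server 'dc01.foresta.example' |
    Sort-Object ControlledHere, Kind | Format-Table -AutoSize
```

Rows with ControlledHere set to false are exactly the memberships the top post warns about: access to the resource that is granted, in effect, by whoever administers the group behind the stub in the trusted forest.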
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, November 25, 2005 1:19 PM
To: [email protected]
Subject: RE: [ActiveDir] Forest Trusts & Accessing Resources

There is no single correct way - creating an extra universal group doesn't make any sense in your situation, since you only have a single domain in your trusted forest.
 
However, you need to consider who manages the respective forests, what data you're granting access to in your resource forest and who is to control access to that data.  By nesting a group from the trusted forest into a local group in the resource forest (which you then use to grant the rights on the resource), you're basically granting the admins of the trusted forest the ability to manage which users are granted access to the resource.  This is typically ok, but needs to be understood.
 
If you need to ensure that only specific users are granted access to the resource and this access must be controlled by the resource owners, then you'd want to add the users from the trusted forest directly to your local groups in the resource forest. This is typically done in very security sensitive environments, however, is a pain if you need to grant access to a lot of users from the trusted forest.
 
Both are valid options (other options are possible as well) - your requirements will determine what's the best option for you.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Friday, 25 November 2005 11:42
To: [email protected]
Subject: [ActiveDir] Forest Trusts & Accessing Resources

Hi all...
 
Scenario:
We have 2 Windows 2003 forests (forest functional level set at Windows 2003) and each forest has a single domain.  There is a one-way trust between the two forests, Forest A trusts Forest B.
 
Question:
We need to grant users in Forest B access to resources in Forest A.  Having read Microsoft best practice KBs, they recommend creating a Global Group in Forest B and adding users to this.  This Global Group is then added to a newly created Universal group also in Forest B which in turn is then added to a Domain Local Group in Forest A which is assigned permissions to the resource...phew!...
 
What issues would there be by just adding the Global Group in Forest B directly to the resource in Forest A?
 
 

Regards

David

 


