It's a documentation error. You have to use Domain Local groups.
Tony
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Oteece
Sent: Wednesday, 1 March 2006 1:23 p.m.
To: [email protected]
Subject: [ActiveDir] Forest trusts, cross forest group nesting
In the article http://technet2.microsoft.com/WindowsServer/en/Library/517b4fa4-5266-419c-9791-6fb56fabb85e1033.mspx, Microsoft offers the following advice for using security groups across forest trusts:
Create a universal group in the resource forest, and then add all global groups from the other forest (or forests) that need similar access as members of the universal group. For example, both the employees in the Sales Department and Accounting Department global groups located in ForestA use similar print resources located in ForestB. Create a universal group called Print Users in Other Forests in ForestB, and add both the Sales Department and Accounting Department global groups from ForestA as members.
Universal groups are used primarily to group together two or more global groups (possibly from other forests) into one group for the resource domain.
When I set up a forest trust between two Windows 2003 forests in
2003-native mode, I am unable to add any security principals from the trusted
forest to a universal group in the trusting forest. I can add trusted users or
groups to domain local groups, but that is it. Is this just a documentation
error or should the universal groups actually work? The ADUC object picker shows
the trusted forest root only when in a domain local group context.
