Like global groups can only contain members from the same domain, universal 
groups can only contain members from the same forest. It is not possible to add 
objects (users/groups) in forest A to a universal group in forest B (as members).
 
Cheers,
Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Mr Oteece
Sent: Wed 2006-03-01 01:22
To: [email protected]
Subject: [ActiveDir] Forest trusts, cross forest group nesting


In the article
http://technet2.microsoft.com/WindowsServer/en/Library/517b4fa4-5266-419c-9791-6fb56fabb85e1033.mspx
Microsoft offers the following advice for using security groups across 
forest trusts:
 

    Create a universal group in the resource forest, and then add 
    all global groups from the other forest (or forests) that need similar access 
    as members of the universal group. 

    For example, both the employees in the Sales Department and 
    Accounting Department global groups located in ForestA use similar print 
    resources located in ForestB. Create a universal group called Print Users in 
    Other Forests in ForestB, and add both the Sales Department and Accounting 
    Department global groups from ForestA as members. 

    Universal groups are used primarily to group together two or 
    more global groups (possibly from other forests) into one group for the 
    resource domain.

 
When I set up a forest trust between two Windows 2003 forests in 2003-native 
mode, I am unable to add any security principals from the trusted forest to a 
universal group in the trusting forest. I can add trusted users or groups to 
domain local groups, but that is it. Is this just a documentation error or 
should the universal groups actually work? The ADUC object picker shows the 
trusted forest root only when in a domain local group context. 
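
The group scope rules discussed in this thread, written out as a small nesting checker. This is an added example, not part of either message and not Microsoft code. The domain names (a.example, b.example), the "Print Users (local)" group and the helper names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # "user", "global", "universal" or "domain_local"
    domain: str
    forest: str

def can_nest(member, group, trusted_forests=frozenset()):
    """Return (allowed, rule) for adding `member` to `group`.

    trusted_forests: forests that the group's forest trusts (assumption:
    a working forest trust exists in that direction)."""
    same_domain = (member.domain, member.forest) == (group.domain, group.forest)
    same_forest = member.forest == group.forest
    if group.kind == "global":
        ok = member.kind in ("user", "global") and same_domain
        return ok, "global groups take users and global groups from their own domain only"
    if group.kind == "universal":
        ok = member.kind in ("user", "global", "universal") and same_forest
        return ok, "universal groups take members from their own forest only"
    if group.kind == "domain_local":
        if member.kind == "domain_local":
            return same_domain, "domain local groups nest only within their own domain"
        ok = same_forest or member.forest in trusted_forests
        return ok, "domain local groups take members from the forest and from trusted forests"
    return False, "target is not a group"

# Constructed sample objects modelled on the scenario in the thread.
SALES = Principal("Sales Department", "global", "a.example", "ForestA")
ACCOUNTING = Principal("Accounting Department", "global", "a.example", "ForestA")
PRINT_UNIVERSAL = Principal("Print Users in Other Forests", "universal", "b.example", "ForestB")
PRINT_LOCAL = Principal("Print Users (local)", "domain_local", "b.example", "ForestB")

def audit(plan, trusted_forests):
    """Return the (member, group, rule) rows in `plan` that would be refused."""
    return [(m.name, g.name, can_nest(m, g, trusted_forests)[1])
            for m, g in plan if not can_nest(m, g, trusted_forests)[0]]

if __name__ == "__main__":
    plan = [(SALES, PRINT_UNIVERSAL), (ACCOUNTING, PRINT_LOCAL)]
    for row in audit(plan, {"ForestA"}):
        print("rejected:", *row, sep=" | ")
```

Running it over a planned access design before creating the groups shows which nestings need a domain local group in the resource domain instead of a universal group.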

