Hi,

New member here, with an issue :(

We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way. The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A.

Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant “administrators” rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest.

(FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message “Foreign security principals cannot be members of universal groups”)

Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account.

Hope you can help.

- [ActiveDir] Cross forest issue Guest, Mike
- Re: [ActiveDir] Cross forest issue Phil Renouf
- RE: [ActiveDir] Cross forest issue Tony Murray
- Re: [ActiveDir] Cross forest issue Phil Renouf
- RE: [ActiveDir] Cross forest issue joe
- RE: [ActiveDir] Cross forest issue Grillenmeier, Guido
- RE: [ActiveDir] Cross forest issue Guest, Mike
