Hi,
New member here, with an issue.
We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way.
The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A.
Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant "administrators" rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest.
(FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message "Foreign security principals cannot be members of universal groups")
Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account.
Hope you can help.
______________________________________________________
Mike Guest | Capgemini | Sale
Server Support | Outsourcing UK
Office: + 44 (0)870 366 1814 | 700 1814 | [EMAIL PROTECTED]
77-79 Cross Street, Sale, Cheshire. M33 7HG
Join the Collaborative Business Experience
______________________________________________________
Been a while since I looked at this and I've only got one forest in VM on my machine at the moment so I can't test it, but I believe that if you create a global group in ForestA you can add it to a Universal group in ForestB. You will not be able to add users from ForestA to the Domain Admins group in ForestB, but you can add them to the Administrators group (which you've already figured out).
The way I've always dealt with this was to have admin accounts in each forest, not as ideal as a unified admin account, but quite workable.
Phil
On 6/15/06, Guest, Mike <[EMAIL PROTECTED]> wrote:
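Since the workable approach in this thread ends up with forest A accounts sitting in the DMZ forest's Administrators group as foreign security principals (FSPs), the thing a defender wants afterwards is a quick way to see exactly which foreign SIDs hold membership in which forest B groups. The following audit script is an added example, not code from Mike or Phil; it assumes the ActiveDirectory PowerShell module is available, that you can reach a forest B domain controller (the name dc1.forestb.example is a placeholder), and that the one-way trust lets SIDs from forest A be translated to account names.

```powershell
# Added example (not from the original thread): list every foreign security
# principal in a forest B domain together with the groups it belongs to and
# each group's scope. FSPs can only sit in Domain Local groups, so the scope
# column should always read DomainLocal; the IsBuiltinAdmins flag highlights
# which trusted-forest SIDs have been given BUILTIN\Administrators rights.
Import-Module ActiveDirectory

$ForestBDc = 'dc1.forestb.example'   # placeholder: any DC in the forest B domain
$domainDn  = (Get-ADDomain -Server $ForestBDc).DistinguishedName
$fspBase   = "CN=ForeignSecurityPrincipals,$domainDn"

# Every object here is a SID from outside forest B: forest A admins, but also
# well-known SIDs such as Authenticated Users (S-1-5-11), which is normal.
$fsps = Get-ADObject -SearchBase $fspBase -Server $ForestBDc `
            -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
            -Properties objectSid, memberOf

foreach ($fsp in $fsps) {
    $sid = $fsp.objectSid
    # Resolve the SID across the trust; fall back to the raw SID if forest A
    # cannot be reached or the account no longer exists (an orphaned FSP).
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = $sid.Value }

    foreach ($groupDn in $fsp.memberOf) {
        $group = Get-ADGroup -Identity $groupDn -Server $ForestBDc -Properties GroupScope
        [pscustomobject]@{
            ForeignPrincipal = $account
            Group            = $group.Name
            Scope            = $group.GroupScope                 # expect DomainLocal
            IsBuiltinAdmins  = ($group.SID.Value -like '*-544')  # S-1-5-32-544
        }
    }
}
```

Run it against each domain in forest B (the ForeignSecurityPrincipals container is per domain, not per forest). An FSP whose SID no longer translates to a forest A account is a leftover membership worth removing, and any row with IsBuiltinAdmins set to True is an account from the trusted forest that can administer the DMZ domain controllers.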
