All,
Here's the situation:
User exists in a Server 2003 domain running in 2003 forest and domain mode
GPO with user configuration including logon script is linked to OU where user exists and ACLd to a domain local group
User is member of domain local group
Server that user is trying to log onto is Server 2003 Standard
Server exists in an NT4.0 domain that trusts the AD domain -- one-way trust as the NT4.0 domain is a resource domain
When user logs onto a server in the AD domain GPO applies properly.
When user logs onto the server in the NT4.0 domain no GPO applies.
-------------------------------------------------------------------------
Create domain global group
Make AD domain global group a member of the domain local group
Add user to AD domain global group and remove user from domain local group
When user logs onto the server in the NT4.0 domain no GPO applies.
------------------------------------------------------------------------
Change ACL on GPO by adding the global group in AD and removing the domain local group from the ACL
Change user group membership to remove the domain local group, keeping the domain global group membership
When user logs onto the server in the NT4.0 domain the GPO applies properly.
The issue is that we're limited in what we can do because of an outsourced arrangement with outsourcer requirements. How can I get the users in the AD domain to be able to log onto the Server 2003 boxes in the NT4.0 domain without major group membership and ACL change and without migrating the servers to AD? Ultimately, we intend to migrate the servers, but can't quickly enough to respond to this issue. We could create AD global groups to mirror the AD domain local groups, dump the users from the domain locals and add to the globals and ACL the GPOs to the global groups. That would take a bit of time but it's doable.
But why, even when making the user a member of the global group, the global group a member of the domain local group, and ACLing the GPO to the domain local group, will it not work?
Is it just that the NT4.0 domain, despite the fact that the target server is 2003, doesn't understand the concept of an AD domain local group?
Apologies for the long-winded and possibly convoluted email. It's getting late...
Thanks,
Mike
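The three results in the email can be reproduced with a small model of how group SIDs end up in a logon token when the user comes from one domain and the machine sits in another. This is an added illustration, not part of the original message; the domain, group and user names (CORP for the AD domain, RES for the NT4.0 resource domain, DL-Scripts, GG-Scripts, mike) are constructed, and the model's single rule is stated as an assumption in the code: global groups travel with the user across the trust, while a domain local group is only added to the token when the resource being accessed is in that group's own domain. Under that rule a GPO filtered on a CORP domain local group can never match a logon to a machine in RES, however the membership is nested, which is exactly the behaviour the three steps above show.

```python
"""Toy model of logon-token construction across a one-way trust.

Constructed example; no real directory is queried.
"""
from typing import Dict, Set, Tuple

GLOBAL = "global"
DOMAIN_LOCAL = "domain local"

USER = "CORP\\mike"  # constructed user in the AD domain


def _group(scope: str, domain: str, members: Set[str]) -> dict:
    return {"scope": scope, "domain": domain, "members": set(members)}


# Step 1 in the email: user is a direct member of the domain local group.
STEP1 = {"CORP\\DL-Scripts": _group(DOMAIN_LOCAL, "CORP", {USER})}

# Steps 2 and 3: user is in a global group, which is nested in the domain local group.
STEP2 = {
    "CORP\\DL-Scripts": _group(DOMAIN_LOCAL, "CORP", {"CORP\\GG-Scripts"}),
    "CORP\\GG-Scripts": _group(GLOBAL, "CORP", {USER}),
}


def expand_groups(principal: str, directory: Dict[str, dict]) -> Set[str]:
    """Transitive membership: every group the principal is in, directly or by nesting."""
    seen: Set[str] = set()
    frontier = {principal}
    while frontier:
        nxt: Set[str] = set()
        for p in frontier:
            for name, g in directory.items():
                if p in g["members"] and name not in seen:
                    seen.add(name)
                    nxt.add(name)
        frontier = nxt
    return seen


def build_token(user: str, resource_domain: str, directory: Dict[str, dict]) -> Set[str]:
    """Groups that land in the access token for a logon to a machine in resource_domain.

    Model rule (assumption of this example): a global group is always carried with
    the user; a domain local group is only added when the resource lives in the
    group's own domain, so CORP domain local groups are dropped for a logon to RES.
    """
    token: Set[str] = set()
    for name in expand_groups(user, directory):
        g = directory[name]
        if g["scope"] == GLOBAL or g["domain"] == resource_domain:
            token.add(name)
    return token


def gpo_applies(token: Set[str], apply_acl: Set[str]) -> bool:
    """GPO security filtering: the policy applies if any Apply-ACE group is in the token."""
    return bool(token & apply_acl)


def scenario(directory: Dict[str, dict], apply_acl: Set[str]) -> Tuple[bool, bool]:
    """(applies on a CORP machine, applies on a RES machine) for the given ACL."""
    return (
        gpo_applies(build_token(USER, "CORP", directory), apply_acl),
        gpo_applies(build_token(USER, "RES", directory), apply_acl),
    )


def run_all() -> Dict[str, Tuple[bool, bool]]:
    """Replay the three steps from the email."""
    return {
        "step1_direct_member_acl_domain_local": scenario(STEP1, {"CORP\\DL-Scripts"}),
        "step2_nested_global_acl_domain_local": scenario(STEP2, {"CORP\\DL-Scripts"}),
        "step3_nested_global_acl_global": scenario(STEP2, {"CORP\\GG-Scripts"}),
    }


if __name__ == "__main__":
    for name, (ad, nt4) in run_all().items():
        print(f"{name}: AD machine={ad}, NT4 machine={nt4}")
```

The model makes the distinction concrete: nesting the global group inside the domain local group does not help (step 2), because the domain local group never reaches the token on the RES machine, so the only group the Apply ACE can match there is the global one (step 3).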
