"But why, even when making the user a member of the global group, the global group a member of the domain local group, and the ACL the GPO to the domain local group will it not work?"
Nesting isn't going to work as I recall. Your testing seems to bear this out.
A suggestion would be to find a NT4 specific setting and apply it to the NT4 resource domain in the NT4 resource domain vs. wanting the 2003 forest to carry over. You'll likely get much more consistent results over time and since you're moving away from the NT4 resource domain anyway, it would be the best use of your time. Staying in an in-between formation often leads to pain in my experience and that often leads to eventual "hurry up and migrate" orders :)
On 10/2/06, Mike Baudino <[EMAIL PROTECTED]> wrote:
All,

Here's the situation:

User exists in a Server 2003 domain running in 2003 forest and domain mode
GPO with user configuration including logon script is linked to OU where user exists and ACL'd to a domain local group
User is member of domain local group
Server that user is trying to log onto is Server 2003 Standard
Server exists in an NT4.0 domain that trusts the AD domain -- one-way trust as the NT4.0 domain is a resource domain

When user logs onto a server in the AD domain GPO applies properly.
When user logs onto the server in the NT4.0 domain no GPO applies.
-------------------------------------------------------------------------
Create domain global group
Make AD domain global group a member of the domain local group
Add user to AD domain global group and remove user from domain local group

When user logs onto the server in the NT4.0 domain no GPO applies.
------------------------------------------------------------------------
Change ACL on GPO by adding global group in AD and remove the domain local group from the ACL
Change user group membership to remove the domain local group, keeping the domain global group membership

When user logs onto the server in the NT4.0 domain the GPO applies properly.

The issue is that we're limited in what we can do because of an outsourced arrangement with outsourcer requirements. How can I get the users in the AD domain to be able to log onto the Server 2003 boxes in the NT4.0 domain without major group membership and ACL change and without migrating the servers to AD? Ultimately, we intend to migrate the servers, but can't quickly enough to respond to this issue. We could create AD global groups to mirror the AD domain local groups, dump the users from the domain locals and add to the globals and ACL the GPOs to the global groups. That would take a bit of time but it's doable.

But why, even when making the user a member of the global group, the global group a member of the domain local group, and the ACL the GPO to the domain local group will it not work? Is it just that the NT4.0 domain, despite the fact that the target server is 2003, doesn't understand the concept of an AD domain local group?

Apologies for the long-winded and possibly convoluted email. It's getting late...

Thanks,
Mike
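What decides whether security filtering lets a GPO through is simply whether a SID holding the "Apply Group Policy" right is present in the user's logon token on the machine processing the policy. The script below is an added diagnostic, not something from the thread: run as the affected user on the Server 2003 box in the NT4 resource domain, it lists every trustee granted Apply Group Policy on the GPO and reports whether that SID is in the current token. The GPO display name and the domain DN are placeholders, and it assumes PowerShell is installed on that server and that the server can reach a DC of the AD domain over LDAP as that user.

```powershell
# Added example (not from the thread): compare the SIDs actually present in the
# logon token with the trustees allowed "Apply Group Policy" on a GPO.
# Placeholders, change for your environment:
$gpoName  = 'User Logon Script'     # hypothetical GPO display name
$domainDn = 'DC=corp,DC=example'    # hypothetical AD (account) domain
# Well-known GUID of the "Apply Group Policy" extended right.
$applyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# 1. SIDs in the current logon token. On a member of the NT4 resource domain this
#    is what the NT4 DC handed back after pass-through authentication to the AD domain:
#    the user SID and the user's AD global groups, plus the NT4 domain's own local groups.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# 2. Trustees explicitly allowed the Apply Group Policy extended right on the GPO's
#    AD object (CN={guid},CN=Policies,CN=System,<domain>), found by display name.
$policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $policies, "(&(objectClass=groupPolicyContainer)(displayName=$gpoName))")
$result = $searcher.FindOne()
if ($result -eq $null) { throw "GPO '$gpoName' not found under $domainDn" }
$gpo = $result.GetDirectoryEntry()

$applyRules = $gpo.ObjectSecurity.GetAccessRules($true, $true,
                  [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.ObjectType -eq $applyGuid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }

# 3. Report each trustee and whether its SID made it into the token. A GPO that is
#    filtered only to trustees that show NOT IN TOKEN cannot apply on this machine.
foreach ($rule in $applyRules) {
    $sid = $rule.IdentityReference.Value
    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # SID may not be resolvable from the resource domain side
    $state = if ($tokenSids -contains $sid) { 'IN TOKEN' } else { 'NOT IN TOKEN' }
    '{0,-12} {1} ({2})' -f $state, $name, $sid
}
```

Run on the server in the NT4 domain, the AD domain local group should come back NOT IN TOKEN while the AD global group comes back IN TOKEN, regardless of how the global group is nested into the domain local one. Domain local group SIDs are only expanded into a token by a DC of the domain that owns the group, for access to resources in that same domain; a server in a separate trusting resource domain never gets them, so an ACL that names only the domain local group can never match there. Running the same script on a server in the AD domain should show both groups IN TOKEN, which matches the behaviour described in the original mail.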
