Right, so there's no replication involved in group membership really. You are 
correct that global groups can ONLY have members from the domain they live in.

Technically speaking, global groups exist in the GC too, it's just the 
membership that isn't replicated across GCs. You can't even create universal 
groups in NT Mixed Mode if my memory serves me correctly.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: [email protected] [mailto:[email protected]]
Sent: Saturday, March 28, 2009 11:17 PM
To: NT System Admin Issues
Subject: RE: Universal security group question

Actually, in a multi INTRA domain model, global groups do not replicate 
membership information outside of their own domain, only that group itself. 
Universal Groups DO contain membership data of groups across all GCs in a 
forest.

Assuming you have forest ...test.com and you have two child domains, 
sales1.test.com and sales2.test.com. If a USG exists in sales1, that USG will 
be replicated to all GCs in the forest. If in native mode, it will also 
replicate the group membership.

The only caveat is to make sure that all of the domains are in Native Mode; 
otherwise the USGs do not populate membership info, only that the group itself 
exists.

Guido, I think you are referring to Trusts between Domains in different 
Forests. Chris is dealing with child domains within the same forest, so this 
would be an Intra domain model, not an Inter domain model by your terminology.

Of course it's late and the baby has been crying for an hour, so my neurons could 
be polarized...


From: Brian Desmond [mailto:[email protected]]
Sent: Saturday, March 28, 2009 4:29 PM
To: NT System Admin Issues
Subject: RE: Universal security group question

Huh?

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: HELP_PC [mailto:[email protected]]
Sent: Saturday, March 28, 2009 3:10 AM
To: NT System Admin Issues
Subject: R: Universal security group question

Universal is not security for inter-domain. You should use global instead.

GuidoElia
HELPPC


________________________________
From: Christopher Bodnar [mailto:[email protected]]
Sent: Friday, 27 March 2009 20.58
To: NT System Admin Issues
Subject: RE: Universal security group question

I don't think the GC port has anything to do with it. I added the registry key 
mentioned in KB833883, and it displayed the non-local Universal memberships 
correctly.


Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]<mailto:[email protected]>
Phone: 610-807-6459
Fax: 610-807-6003

________________________________
From: [email protected] [mailto:[email protected]]
Sent: Friday, March 27, 2009 3:40 PM
To: NT System Admin Issues
Subject: RE: Universal security group question

ADUC doesn't connect on the global catalog port. What you're seeing is expected 
behavior more or less.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: Christopher Bodnar [mailto:[email protected]]
Sent: Friday, March 27, 2009 2:11 PM
To: NT System Admin Issues
Subject: Universal security group question

Domain and forest are both 2003 functional level:

Got a user in a child domain (child1.contoso.com). User needs access to 
resource in a parent domain (contoso.com). There is a universal security group 
setup for the resource in the parent domain. The user's account (from the child 
domain) has been added to it. When I look at the Group in AD I see the user, 
but when I look at the user's group membership in the child domain, it doesn't 
show her as belonging to that security group.

I have seen this, which describes the symptoms exactly:
http://support.microsoft.com/kb/833883

Except I am connecting to a GC, not just a DC.  I've used ReplMon, but so far I 
don't see any lag or issues with replication.

Anyone run into this before?


Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]<mailto:[email protected]>
Phone: 610-807-6459
Fax: 610-807-6003
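
The thread turns on what a user's memberOf shows when read over the normal LDAP port versus the global catalog port. The following is an added example, not part of any message in the thread: a read-only PowerShell check that reads memberOf both ways for the same user and lists the differences. The server name and user DN are placeholders (assumptions), and it assumes the chosen server is a domain controller that also hosts the global catalog.

```powershell
# Added example, not from the thread. Read-only; changes nothing in the directory.
# Placeholders (assumptions): replace with a DC that is also a GC, and the user's DN.
$Server = 'gc01.child1.contoso.com'
$UserDn = 'CN=Jane Doe,OU=Staff,DC=child1,DC=contoso,DC=com'

function Get-MemberOfVia {
    param(
        [ValidateSet('LDAP', 'GC')][string]$Provider,
        [string]$Server,
        [string]$UserDn
    )
    # The ADSI LDAP:// provider binds to the directory port (389);
    # the GC:// provider binds to the global catalog port (3268).
    $entry = New-Object System.DirectoryServices.DirectoryEntry("${Provider}://$Server/$UserDn")
    try {
        # memberOf is a computed back-link, so what comes back depends on
        # which group objects the answering partition holds member data for.
        $entry.RefreshCache(@('memberOf'))
        $entry.Properties['memberOf'] | ForEach-Object { [string]$_ }
    }
    finally {
        $entry.Dispose()
    }
}

# Wrap in @() so an empty result is an empty array rather than $null.
$viaLdap = @(Get-MemberOfVia -Provider 'LDAP' -Server $Server -UserDn $UserDn)
$viaGc   = @(Get-MemberOfVia -Provider 'GC'   -Server $Server -UserDn $UserDn)

# One row per group DN seen by either bind, flagged by where it was visible.
$report = @($viaLdap + $viaGc) | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{
        Group   = $_
        Ldap389 = $viaLdap -contains $_
        Gc3268  = $viaGc -contains $_
    }
}

# Groups visible through only one of the two binds are the ones to look at.
$report | Where-Object { $_.Ldap389 -ne $_.Gc3268 } | Format-Table -AutoSize
```

For an access review, the group's own member attribute, read from a DC in the domain that holds the group, is the forward link that memberOf is derived from, so check it there when the two views disagree.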







________________________________

This message, and any attachments to it, may contain information that is 
privileged, confidential, and exempt from disclosure under applicable law. If 
the reader of this message is not the intended recipient, you are notified that 
any use, dissemination, distribution, copying, or communication of this message 
is strictly prohibited. If you have received this message in error, please 
notify the sender immediately by return e-mail and delete the message and any 
attachments. Thank you.










