I have three forests (all with one domain) that are managed by the same AD
administration team. Forest A is the main production forest with thousands of
users and trusts Forest C. Forest B holds resources used by internal and
external users, and trusts Forest A. Forest C holds some specific
infrastructure and trusts Forest A. To summarize:
Forest A <---> Forest C (Two way)
Forest B <--- Forest A (Forest B trusts Forest A but not vice versa).
All Forests are managed by the exact same IT staff, and Forest A has a very
highly configured delegation model in place. I want to extend the delegation
model to the other two forests. I can easily create permissions (using Active
Roles FWIW) on Forests B and C. What I wanted to also achieve was getting
users that are members of Enterprise Admins and Domain Admins in Forest A to
be members of the same in Forests B and C. What is the easiest way of getting
Enterprise Admins and Domain Admins in Forests B and C to match that of
Forest A?
Brad
Add their accounts to the Enterprise Admins in the other forest?
Group containment operates in this direction:
Global --> Universal --> (Domain or computer) Local
The one to the right can contain the one(s) to the left.
For granting permission you usually do this on Local groups, so adding
UNIVERSAL (or Globals) from a Trusted Domain is the usual method.
As written above, you seem to have the strategy (but not the technical
rules) backwards.
Any ideas?
> The only group type that can
> contain objects from another forest is Domain Local. However Domain Local
> can not be a member of a Universal group.
>
> Any ideas?
Build a Global or Universal in the trusted Domain, and add it to your
local groups. Assign permissions.
Brad:
Did you get an answer on this? I am trying to do exactly the same
thing.
It isn't possible to have users of EA in one forest be members of EA in
another forest with two "out of the box" Forests. You need to have something
between them gluing them together. I haven't done this yet, but suspect that
for a small shop a simple VBScript would get you most of the way, whereas
IIFP could be used as well and is a more Enterprise type solution.
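The scripted "glue" the last reply refers to, as an added PowerShell example that is not from this thread or any of its posters: Enterprise Admins is a Universal group and Domain Admins is Global, and only Domain Local groups can hold foreign security principals from a trusted forest, so the script mirrors Forest A's EA membership into a Domain Local group in Forest B (which then gets the rights, as the earlier reply describes), compares by SID, and reports drift before changing anything. It assumes the RSAT ActiveDirectory module, a Forest B account allowed to edit that group, and placeholder forest and group names.

```powershell
# Added example, not from this thread. Forest and group names are placeholders.
# Mirrors users who are (directly or via nesting) Enterprise Admins in Forest A
# into a Domain Local group in Forest B. Forest B's own EA/DA groups cannot hold
# foreign principals, so rights in Forest B are granted to this group instead.
Import-Module ActiveDirectory

function Sync-ForeignAdminGroup {
    param(
        [string]$SourceForest = 'forestA.example',           # placeholder: trusted forest
        [string]$SourceGroup  = 'Enterprise Admins',
        [string]$TargetForest = 'forestB.example',           # placeholder: trusting forest
        [string]$TargetGroup  = 'ForestA-EnterpriseAdmins',  # placeholder: Domain Local group
        [switch]$Apply                                        # default: report drift only
    )

    # Flatten nested membership in Forest A down to user accounts, keyed by SID
    $wanted = Get-ADGroupMember -Identity $SourceGroup -Server $SourceForest -Recursive |
              Where-Object { $_.objectClass -eq 'user' }
    $wantedSids = @($wanted | ForEach-Object { $_.SID.Value })

    # In Forest B the cross-forest members are foreignSecurityPrincipal objects whose
    # objectSid is the Forest A user's SID, so compare by SID rather than by name
    $target = Get-ADGroup -Identity $TargetGroup -Server $TargetForest -Properties member
    $currentSids = @(foreach ($dn in $target.member) {
        (Get-ADObject -Identity $dn -Server $TargetForest -Properties objectSid).objectSid.Value
    })

    $missing = @($wantedSids  | Where-Object { $_ -notin $currentSids })
    $extra   = @($currentSids | Where-Object { $_ -notin $wantedSids })

    # Drift report: an EXTRA entry is someone who lost EA in Forest A but would
    # otherwise keep the mirrored rights in Forest B, so it is the case to review
    foreach ($sid in $missing) { Write-Output "MISSING in $TargetGroup : $sid" }
    foreach ($sid in $extra)   { Write-Output "EXTRA   in $TargetGroup : $sid" }

    if ($Apply) {
        # Bind the group over ADSI and add/remove members by SID; AD creates the
        # matching foreignSecurityPrincipal object in Forest B as needed
        $group = [ADSI]"LDAP://$TargetForest/$($target.DistinguishedName)"
        foreach ($sid in $missing) { $group.Add("LDAP://$TargetForest/<SID=$sid>") }
        foreach ($sid in $extra)   { $group.Remove("LDAP://$TargetForest/<SID=$sid>") }
    }
}

# Dry run first; re-run with -Apply once the reported drift looks right
Sync-ForeignAdminGroup
```

Run it on a schedule against each trusting forest to keep the mirrored group in step with Forest A, and keep the dry-run output as an audit record of who gained or lost rights.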