Access to resources in the Forest root domain

  • Access to resources in the Forest root domain

    Hi,

    I am having problems providing users access to resources in my forest root domain.

    The domain configuration is

    Forest Root domain
    1 x Child Domain

    I have been asked to provide desktop engineers with permissions to manage printers on a specific print server which resides in our Forest Root domain.

    The desktop engineers' user accounts are in the child domain.

    Now, correct me if I am wrong, but this is what I did or have at least tried.

    1st scenario. I created a Universal Security Group in the child domain and applied and added the child domain user accounts to the security group.

    I then added this universal group to the local Print Operators group on the server.

    The engineers get access denied when trying to cancel print jobs submitted by other users.

    2. In following with MS best practices for security etc etc, I did want the users to have access to log on locally to the server and shut it down/restart etc etc, as this is what permissions the print operator group provides.

    I also thought that I may need to create a Domain Local group in the forest root domain, then create either a Global Group or Universal Group in the child domain, add the child domain user accounts to this group, and then add this group to the domain local group.

    Can anyone clarify the procedure for doing this, please?

    Thanks in advance

  • #2
    Re: Access to resources in the Forest root domain

    Well, providing your domains and forest are at the top functional levels, I'd avoid the use of Universal groups unless absolutely necessary. Try to use global and domain local groups instead.

    Conceptually, however, using the Universal groups it sounds like you did things right. The one thing I would question is whether the desktop engineers logged off and logged back on to update their security token with their new group membership which is granting them print operator rights on the print server? The other variable here is to ensure the necessary replication has occurred if multiple domain controllers (and especially multiple sites) are involved. You can use the replmon.exe or repadmin.exe tools for this.
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.



    • #3
      Re: Access to resources in the Forest root domain

      Jason,

      Thanks for the reply.

      Yep, I ensured that they logged off and back, but no good.

      I will check the replication between the DCs and provide an update.

      Thanks



      • #4
        Re: Access to resources in the Forest root domain

        Enable auditing and check the security log on the print server also and let's look at the failure events that should be showing up on there.

        Jas


        • #5
          Re: Access to resources in the Forest root domain

          Jason,

          I have generated a status report in replmon and there are no replication issues.

          I am rather puzzled by this.

          Any other ideas?

          Thanks



          • #6
            Re: Access to resources in the Forest root domain

            Well that is good news. Replication failures are not pleasant to troubleshoot.

            Can you enable auditing and then look in the security event log for the specific failure messages that are getting kicked out when the desktop engineer sees access denied? Could be a logon type issue or the log may steer us in the right direction.

            Jas


            • #7
              Re: Access to resources in the Forest root domain

              Jason,

              No problem. I will enable auditing on the print server.

              Will provide an update shortly.

              Cheers

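The checks suggested in replies #2, #4 and #6 (token refresh, failure auditing, Security log review), as an added PowerShell example that is not from any poster in this thread. The group name `CHILD\PrintServerAdmins` and the account `engineer1` are hypothetical placeholders; steps 2 and 3 assume an elevated session on the print server.

```powershell
# Added example. $GroupName and $Account are hypothetical placeholders.
$GroupName = 'CHILD\PrintServerAdmins'   # universal group created in the child domain
$Account   = 'engineer1'                 # one desktop engineer's logon name

function Test-GroupInToken {
    # Run in the engineer's own session, started after the group change.
    # Returns $true if the group's SID is present in the current access token.
    param([Parameter(Mandatory)][string]$Name)
    $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = $token.Groups | ForEach-Object { $_.Value }
    return ($tokenSids -contains $sid.Value)
}

function Get-AuditFailure {
    # Returns recent "Audit Failure" events from the Security log that mention the account.
    param([Parameter(Mandatory)][string]$Name, [int]$Minutes = 30)
    $filter = @{
        LogName   = 'Security'
        Keywords  = 4503599627370496          # standard "Audit Failure" keyword
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Name) } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# 1. Engineer's session: is the new membership in the token?
"Group in token: $(Test-GroupInToken -Name $GroupName)"

# 2. Print server, elevated: confirm the group is listed in the local group,
#    then turn on failure auditing for logons and object access.
net localgroup "Print Operators"
auditpol /set /category:"Logon/Logoff" /failure:enable
auditpol /set /category:"Object Access" /failure:enable

# 3. Reproduce the access denied, then list the failures naming the engineer.
Get-AuditFailure -Name $Account -Minutes 30 | Format-Table -AutoSize -Wrap
```

Object Access failures are only written for objects that carry an audit entry (SACL), so an empty result in step 3 does not by itself rule out a permissions problem.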