Active Directory security groups
  • Active Directory security groups

    I have two forests, one domain in each forest, domain A and domain B. A one-way trust relationship is established.
    Users are in domain A, resources are in domain B. The established trust relationship will allow users in domain A to access resources in domain B. To allow users to access resources, I need to set up a domain local group in domain B and a global security group in domain A, and add the global group as a member of the domain local group.
    Our process doesn't allow us to create security groups (global security groups) in domain A. How should I set up my AD security groups to allow users to access resources in domain B?

  • #2
    Re: Active Directory security groups

    What test is this coming from?
    If we answer the question, how will you learn the material?
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: Active Directory security groups

      And on the off chance it isn't a test question, what is the business justification for no global groups in the user domain, especially as the preferred strategy is still AGULP?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Active Directory security groups

        Originally posted by JeremyW
        What test is this coming from?
        If we answer the question, how will you learn the material?

        hm.....test? This is my customer's environment and I am looking for a solution to it.



        • #5
          Re: Active Directory security groups

          Originally posted by Ossian
          And on the off chance it isn't a test question, what is the business justification for no global groups in the user domain, especially as the preferred strategy is still AGULP?
          The problem is that the other domain is managed by an outsourced company. We do not have access to the domain, hence we cannot automate group provisioning (everything needs to be automated in the environment).
          I can add users to the domain local group without setting up security groups in domain A, but I don't know if that's the best practice for an enterprise environment.....



          • #6
            Re: Active Directory security groups

            OK, the original question read as if it was straight from a certification exam, so we were wary of answering.

            The normal strategy across domains/forests is AGULP.

            Accounts go into Global Groups (in domain A), which go into Universal Groups (either domain), which go into Domain Local groups (domain B) which have permissions given to them.
            (See http://www.windowsecurity.com/articl...rmissions.html for more info)
            In your case, G is out, but you could use AULP - as far as I know, Universal Groups can contain accounts as well as groups.

            Would automating user provisioning extend to the outsourced company adding new users to global groups on their side? If so, AGULP is back.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Re: Active Directory security groups

              Originally posted by Ossian
              OK, the original question read as if it was straight from a certification exam, so we were wary of answering.

              The normal strategy across domains/forests is AGULP.

              Accounts go into Global Groups (in domain A), which go into Universal Groups (either domain), which go into Domain Local groups (domain B) which have permissions given to them.

              In your case, G is out, but you could use AULP - as far as I know, Universal Groups can contain accounts as well as groups.

              Would automating user provisioning extend to the outsourced company adding new users to global groups on their side? If so, AGULP is back.

              Hi, thanks for your reply.
              I am afraid AULP wouldn't work. I have tried creating a Universal Group in Domain B and it does not allow me to add Domain A users to this Universal Group (Domain A is not listed when I try to add a Domain A user to the group). So I assume I can only either add domain A users to the domain local group (domain B) or set up a Universal group in domain A and add that Universal group to the domain local group.
              It is an Enterprise environment. What's the best way of setting up cross-domain access in this case?



              • #8
                Yes, I apologize. It sounded very much like a test question to me.

                So in your case, everything needs to be done in Domain A, where the accounts reside, and then you can add either a global or universal group from Domain A to the domain local group in Domain B.

                Here's the group scope reference: https://technet.microsoft.com/en-us/.../cc755692.aspx
                Notice that universal groups are limited to member groups and accounts from its parent forest, whereas domain local groups can have members from any domain.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com
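The nesting rules discussed in #6 and #8 (AGULP, and why a universal group in domain B cannot hold domain A accounts across a one-way forest trust) are easy to get wrong when planning. Below is an added example, not code from this thread or from any Microsoft tool: a small Python model of AD group-scope membership rules that checks a proposed member-to-container chain before anyone provisions groups. The forest, domain and group names are constructed; the trust table assumes domain B trusts domain A, as in the original question.

```python
# Added example (not from the thread): model AD group-scope nesting rules and
# check a proposed cross-forest chain (AGULP / AULP / direct) for validity.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    forest: str
    kind: str  # "user", "global", "universal" or "domainlocal"

# Trusting domain -> trusted domains outside its own forest (constructed).
# One-way trust: B trusts A, so B's groups may consume A's principals.
TRUSTS = {"B": {"A"}}

def can_contain(container: Principal, member: Principal) -> bool:
    """Apply the AD membership rules for the container's group scope."""
    same_domain = container.domain == member.domain
    same_forest = container.forest == member.forest
    trusted = member.domain in TRUSTS.get(container.domain, set())
    if container.kind == "global":
        # Global: users and global groups from its own domain only.
        return same_domain and member.kind in {"user", "global"}
    if container.kind == "universal":
        # Universal: users, global and universal groups from any domain in
        # the SAME forest; a trusted foreign forest does not qualify.
        return same_forest and member.kind in {"user", "global", "universal"}
    if container.kind == "domainlocal":
        # Domain local: principals from its forest or any trusted domain,
        # plus domain local groups from its own domain.
        if member.kind == "domainlocal":
            return same_domain
        return (same_forest or trusted) and member.kind in {"user", "global", "universal"}
    return False

def check_chain(chain):
    """chain[0] is nested into chain[1], chain[1] into chain[2], and so on.
    Returns (ok, list of rule violations)."""
    problems = []
    for member, container in zip(chain, chain[1:]):
        if not can_contain(container, member):
            problems.append(f"{container.kind} {container.name} ({container.domain}) "
                            f"cannot contain {member.kind} {member.name} ({member.domain})")
    return not problems, problems

# Constructed principals matching the thread's scenario.
alice = Principal("alice", "A", "forestA", "user")
u_in_b = Principal("Res-U", "B", "forestB", "universal")    # the AULP attempt in #7
u_in_a = Principal("Res-U", "A", "forestA", "universal")    # universal group in domain A
dl_in_b = Principal("Res-DL", "B", "forestB", "domainlocal")  # gets the permissions
```

Running `check_chain([alice, u_in_b, dl_in_b])` reproduces the failure seen in #7, while `check_chain([alice, u_in_a, dl_in_b])` and `check_chain([alice, dl_in_b])` both pass, matching the advice in #8.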
