For Windows 2000 native mode, the following nesting rules apply (nesting in
mixed mode is more limited):
Global groups can only contain other global groups from the same domain and
users from the same domain.
Domain local groups can contain other domain local groups from the same
domain, universal groups from any domain, global groups from any domain and
users from any domain.
Universal groups can contain other universal groups from any domain, global
groups from any domain or users from any domain.
It is not recommended to directly include users in universal groups, or in
domain local groups in other domains.
You should use a domain local group instead. A good idea would be to create
a domain local group for a certain resource in some domain (most likely the
domain where this resource is located), and global groups in every domain where
users need access to this resource. Then, you add users in every domain into
the appropriate global group (in the same domain), and add all global groups
into the domain local group. Through group nesting, the users will be able
to get the access they need, while the management scheme will remain clear and
straightforward.
--
Dmitry Korolyov
MVP: Windows Server - Active Directory
Is it possible to add users from one domain to a global
security group in another domain? There is a two-way
trust relationship between the domains. If it's not
possible, is there an equivalent workaround?
Thanks
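
Added example, not part of the original thread: a small Python model of the native-mode nesting rules listed in the reply, usable as an audit check on exported group memberships. The `Principal` class, the function names and the note strings are assumptions made for this illustration; mixed-mode restrictions are not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    kind: str  # "user", "global", "domain_local" or "universal"
    members: list = field(default_factory=list)

# container kind -> member kind -> may the member come from another domain?
# A member kind that is missing cannot be nested in that container at all.
RULES = {
    "global": {"user": False, "global": False},
    "domain_local": {"user": True, "global": True, "universal": True,
                     "domain_local": False},
    "universal": {"user": True, "global": True, "universal": True},
}

def check_add(group, member):
    """Return (allowed, note) for adding member to group."""
    kinds = RULES.get(group.kind, {})
    if member.kind not in kinds:
        return False, f"{group.kind} group cannot contain {member.kind}"
    cross = member.domain != group.domain
    if cross and not kinds[member.kind]:
        return False, f"{group.kind} group takes {member.kind} from its own domain only"
    # Legal, but the reply advises against these direct user memberships.
    if member.kind == "user" and (group.kind == "universal"
                                  or (group.kind == "domain_local" and cross)):
        return True, "not recommended: nest a global group instead"
    return True, "ok"

def add(group, member):
    ok, note = check_add(group, member)
    if not ok:
        raise ValueError(note)
    group.members.append(member)
    return note

def effective_users(group, seen=None):
    """Flatten nested membership into DOMAIN\\user names (cycle-safe)."""
    seen = set() if seen is None else seen
    if id(group) in seen:
        return set()
    seen.add(id(group))
    users = set()
    for m in group.members:
        users |= {f"{m.domain}\\{m.name}"} if m.kind == "user" else effective_users(m, seen)
    return users
```

Calling `check_add` with a global group in one domain and a user from another returns `False`, which is the case asked about in the question; building one global group per domain and adding both to a domain local group passes every check.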