Global Group Question

[amyl]

Can global groups in one domain be used in another domain that is in a
seperate forrest for security permissions? Both domains have trusts
back and forth.

We tried it and had no sucess - however if we switched the group to
univeral it worked fine. The forrest where the global group resides is
a full windows 2003 domain (native mode) and the domain where the
global group is trying to be added is a windows 2000 mixed mode
forrest.

Thanks for any insight
Amy.

 

[Herb Martin]

Can global groups in one domain be used in another domain that is in a
seperate forrest for security permissions? Both domains have trusts
back and forth.

Yes. A global group from a "trusted" domain can be seen and used
in a "trusting" domain.

We tried it and had no sucess - however if we switched the group to
univeral it worked fine. The forrest where the global group resides is
a full windows 2003 domain (native mode) and the domain where the
global group is trying to be added is a windows 2000 mixed mode
forrest.

Global groups are NOT a 'forest' object but a PER domain issue.

Trusts are generally PER domain (pair) and are not forest wide except
in the specific case of the new Win2003 Forest trusts which require
that both domains be in "Win2003 Forest Functional Level".

That is, a specific trust must exist between the two individual domains
in all but the "Forest Trust" case.

Also, trusts external to the forest are dependent on NetBIOS, and therefore
perhaps on WINS server and proper WINS client settings for all machine.