Alan Bornat said:
I have two Windows 2000 domains linked in a WAN via a VPN through the
internet - can I assign user rights to users from the other domain?
Alan Bornat
Are you referring to a trust relationship through an encrypted VPN?
Rights and permissions are 2 distinct user/resource management properties.
If DomainA trusts DomainB to authenticate users in DomainB in order to
access resources in DomainA, this does NOT provide direct administrative
control to DomainA over the rights given to the users or groups on DomainB.
DomainB remains the security provider for the accounts in DomainB.
DomainA does, however, manage its own entities.
Only global groups can cross a trust. Only global groups are exportable.
DomainA should assign rights to a local group. DomainB's global group should
be placed in DomainA's local group. In this manner, DomainA does have
control over the rights of whatever is in one of its local group containers.
Moral of the story:
Users are placed in Global groups (to be exported)
Global groups go into Local groups (and inherit local rights + permissions)
Local groups are given rights + permissions to resources
acronym: UGLP
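The nesting described in the reply above, as an added Python model (not part of the original thread, and not a Windows API): it resolves access through user, global group, local group, permission, and audits a local group for members that fall outside that chain. All domain, group, user and share names are constructed for the example.

```python
# Constructed data: every domain, group, user and share name is hypothetical.
TRUSTS = {"DOMAINA": {"DOMAINB"}}  # DomainA trusts DomainB (one-way)
# Global groups are populated by the account domain's administrators.
GLOBAL_GROUPS = {
    r"DOMAINB\G_Sales": {r"DOMAINB\alice", r"DOMAINB\bob"},
    r"DOMAINC\G_Temps": {r"DOMAINC\carol"},
}
# Local groups belong to the resource domain; members are (kind, name).
LOCAL_GROUPS = {
    r"DOMAINA\L_Sales": [("global", r"DOMAINB\G_Sales"),
                         ("user", r"DOMAINB\dave"),
                         ("global", r"DOMAINC\G_Temps")],
}
# Permissions on resources are granted to local groups only.
PERMISSIONS = {r"\\SRVA\Sales": {r"DOMAINA\L_Sales": "Change"}}

def domain_of(name):
    return name.split("\\", 1)[0]

def trusted(resource_domain, account_domain):
    return (account_domain == resource_domain
            or account_domain in TRUSTS.get(resource_domain, set()))

def audit_local_group(local_group):
    """Flag members that fall outside the user -> global -> local chain."""
    findings = []
    for kind, member in LOCAL_GROUPS[local_group]:
        if not trusted(domain_of(local_group), domain_of(member)):
            findings.append((member, "account domain is not trusted"))
        elif kind != "global":
            findings.append((member, "direct account, not a global group"))
    return findings

def effective_permission(user, resource):
    """Resolve user -> global group -> local group -> permission."""
    for local_group, level in PERMISSIONS.get(resource, {}).items():
        for kind, member in LOCAL_GROUPS[local_group]:
            if not trusted(domain_of(local_group), domain_of(member)):
                continue  # membership from an untrusted domain never resolves
            if kind == "global" and user in GLOBAL_GROUPS.get(member, set()):
                return level
            if kind == "user" and member == user:
                return level
    return None
```

In this model, removing a user from the DomainB global group ends that user's access to the DomainA resource with no change made on the DomainA side.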