Universal groups scope with trusted domains.

Hi,

In a few months, we have to merge three domains:

Domain A - Windows 2000 doamin in native mode
Domain B - Windows 2003 doamin in native mode
Domain C - Windows 2003 doamin in native mode

The three of them are bidirectionaly trusted and each of them belong to
different forests. Right now, I'm trying to create universal groups in
Domain A and add members from the other to domains, but it's impposible
beacuse I only can see Domain A in the scope.

Is it posible add members to a universal group from other domains in
different forests?.

Thanks in advance.

Richard
Sun May 04 13:00:56 PDT 2008


"fedayn" <fedayn1@gmail.com> wrote in message
news:eGuCBegrIHA.5580@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> In a few months, we have to merge three domains:
>
> Domain A - Windows 2000 doamin in native mode
> Domain B - Windows 2003 doamin in native mode
> Domain C - Windows 2003 doamin in native mode
>
> The three of them are bidirectionaly trusted and each of them belong to
> different forests. Right now, I'm trying to create universal groups in
> Domain A and add members from the other to domains, but it's impposible
> beacuse I only can see Domain A in the scope.
>
> Is it posible add members to a universal group from other domains in
> different forests?.
>
> Thanks in advance.

It sounds like you expect the three domains to be in separate trees. In
order to share resources they need to be in the same forest. Universal
groups can have members from any domain in the forest. The members can even
be from domains in other trees of the forest.

For example, domains CompanyA.com, CompanyB.com, and CompanyC.com can be in
separate trees in the same forest.

If the domains are in different forests, they are isolated.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Marcin
Sun May 04 13:20:44 PDT 2008

Universal group membership is limited to accounts from the same forest - use
domain local group instead...

hth
Marcin

fedayn
Sun May 04 14:48:04 PDT 2008

Marcin escribió:
> Universal group membership is limited to accounts from the same forest -
> use domain local group instead...
>
> hth
> Marcin
Thanks everyone.

A last question,

Domain A Forest A
Domain B Forest B.

groupA from Domain A is member of a groupB of Domain B.

If groupA is moved throughout DomainA or groupAis renamed, May I re-add
groupA to groupB?.

Thanks.

Marcin
Sun May 04 16:21:24 PDT 2008

Moving or renaming Group A would not affect its group membership in Group
B...

hth
Marcin

"fedayn" <fedayn1@gmail.com> wrote in message
news:OaziICjrIHA.4136@TK2MSFTNGP02.phx.gbl...
> Marcin escribió:
>> Universal group membership is limited to accounts from the same forest -
>> use domain local group instead...
>>
>> hth
>> Marcin
> Thanks everyone.
>
> A last question,
>
> Domain A Forest A
> Domain B Forest B.
>
> groupA from Domain A is member of a groupB of Domain B.
>
> If groupA is moved throughout DomainA or groupAis renamed, May I re-add
> groupA to groupB?.
>
> Thanks.

Herb
Tue May 06 02:39:23 PDT 2008


"Marcin" <marcin@community.nospam> wrote in message
news:47057D5C-6371-4A38-A635-923C824490E8@microsoft.com...
> Moving or renaming Group A would not affect its group membership in Group
> B...

Moving won't affect anything -- I don't know how to rename a "Group"
(with any standard tool) but if you could it probably wouldn't affect
anything important either (just as renaming a user doesn't) since the SID
is what is really a "member" of some other group.


> hth
> Marcin
>
> "fedayn" <fedayn1@gmail.com> wrote in message
> news:OaziICjrIHA.4136@TK2MSFTNGP02.phx.gbl...
>> Marcin escribió:
>>> Universal group membership is limited to accounts from the same forest -
>>> use domain local group instead...
>>>
>>> hth
>>> Marcin
>> Thanks everyone.
>>
>> A last question,
>>
>> Domain A Forest A
>> Domain B Forest B.
>>
>> groupA from Domain A is member of a groupB of Domain B.
>>
>> If groupA is moved throughout DomainA or groupAis renamed, May I re-add
>> groupA to groupB?.
>>
>> Thanks.
>