Security Groups & Domain Trusts

Hello,

I have two Windows 2003 domains that trust each other. I want to include
members (groups/users/etc) from domain A in security groups of domain B. So
for example the group DomainB\Managers will have members:
DomainB\manager1, DomainB\manager2 and also DomainA\manager1.

However when trying to edit the group members using AD Users & Computer
console, I am only given the option to add user/groups from the same domain.

is this by design? am i doing something wrong? Is there a way to "bypass"
this problem?

thanks
christos

What type of group are you using? You can create a global domain group from
each forest and users from that forest to the group. Do the same in the
other forest. Then place these global groups into a universal group and
provide the permissions to the universal group. For additional details
review the following link.

http://technet.microsoft.com/en-us/l.../cc772808.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Christos Kritikos" <ChristosKritikos@discussions.microsoft.com> wrote in
message news:9914145A-2A65-43F6-93A6-F4D6B1BE02AE@microsoft.com...
> Hello,
>
> I have two Windows 2003 domains that trust each other. I want to include
> members (groups/users/etc) from domain A in security groups of domain B.
> So
> for example the group DomainB\Managers will have members:
> DomainB\manager1, DomainB\manager2 and also DomainA\manager1.
>
> However when trying to edit the group members using AD Users & Computer
> console, I am only given the option to add user/groups from the same
> domain.
>
> is this by design? am i doing something wrong? Is there a way to "bypass"
> this problem?
>
> thanks
> christos
>

this url was golden, many thanks! our groups were global, it turns out only
local ones can include members from other domain forests. I will adjust the
design accordingly.

thanks
christos

"Paul Bergson [MVP-DS]" wrote:

> What type of group are you using? You can create a global domain group from
> each forest and users from that forest to the group. Do the same in the
> other forest. Then place these global groups into a universal group and
> provide the permissions to the universal group. For additional details
> review the following link.
>
> http://technet.microsoft.com/en-us/l.../cc772808.aspx
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Christos Kritikos" <ChristosKritikos@discussions.microsoft.com> wrote in
> message news:9914145A-2A65-43F6-93A6-F4D6B1BE02AE@microsoft.com...
> > Hello,
> >
> > I have two Windows 2003 domains that trust each other. I want to include
> > members (groups/users/etc) from domain A in security groups of domain B.
> > So
> > for example the group DomainB\Managers will have members:
> > DomainB\manager1, DomainB\manager2 and also DomainA\manager1.
> >
> > However when trying to edit the group members using AD Users & Computer
> > console, I am only given the option to add user/groups from the same
> > domain.
> >
> > is this by design? am i doing something wrong? Is there a way to "bypass"
> > this problem?
> >
> > thanks
> > christos
> >
>
>
>

Yeah that is a typical gotcha. Happens a lot, it can be real confusing

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Christos Kritikos" <ChristosKritikos@discussions.microsoft.com> wrote in
message news:1A599B10-DF3A-4A04-B12B-9672197B4915@microsoft.com...
>
> this url was golden, many thanks! our groups were global, it turns out
> only
> local ones can include members from other domain forests. I will adjust
> the
> design accordingly.
>
> thanks
> christos
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> What type of group are you using? You can create a global domain group
>> from
>> each forest and users from that forest to the group. Do the same in the
>> other forest. Then place these global groups into a universal group and
>> provide the permissions to the universal group. For additional details
>> review the following link.
>>
>> http://technet.microsoft.com/en-us/l.../cc772808.aspx
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Christos Kritikos" <ChristosKritikos@discussions.microsoft.com> wrote in
>> message news:9914145A-2A65-43F6-93A6-F4D6B1BE02AE@microsoft.com...
>> > Hello,
>> >
>> > I have two Windows 2003 domains that trust each other. I want to
>> > include
>> > members (groups/users/etc) from domain A in security groups of domain
>> > B.
>> > So
>> > for example the group DomainB\Managers will have members:
>> > DomainB\manager1, DomainB\manager2 and also DomainA\manager1.
>> >
>> > However when trying to edit the group members using AD Users & Computer
>> > console, I am only given the option to add user/groups from the same
>> > domain.
>> >
>> > is this by design? am i doing something wrong? Is there a way to
>> > "bypass"
>> > this problem?
>> >
>> > thanks
>> > christos
>> >
>>
>>
>>