Deman Posted January 30, 2008 (edited)

I'm trying to get my head around groups and whether it's possible to have one that contains members from different domains.

Background story

Currently we have two domains (Admin and Student). Admin holds all the admin accounts I don't want the students to mess with, and Student is what the students learn on. It's also what all the student workstations connect to.

Normally the two work well together and I can log on to a student workstation using an account residing in the admin domain (trusts and all that), but with the rollout of Vista I noticed that my account didn't have administrative rights on a machine connected to the student domain. Consequently I got all sorts of UAC prompts and crazy things going on.

I thought I could simply remedy this by adding my account to the "local admins" group (a Global Group residing on the student domain) but it wouldn't accept accounts from the admin domain, only the student one. Each time I changed the specification to search admin, it wouldn't let me look for user accounts, only contacts.

I can select users from a different domain when setting rights for shared folders and NTFS security etc., I just can't add users from a different domain into a group. Other of course than the security permissions for the domain controller.

I managed to get my local administrative permissions in the end by adding Admin\Domain admins to Builtin\Administrators in group policy somewhere, but I'd like to know why I couldn't just add my account to the group that was already in there; it just seems tidier to me.

Is this by design or do I have a misconfiguration somewhere?

Any help appreciated, cheers

Edit: I think I found why, looks like my "local admins" group needs to be a "domain local" and not a global. This is kinda making my head spin...

Edited January 30, 2008 by Deman

adamt Posted January 31, 2008

I'd have thought the group needed to be a Universal Group if you want members from different domains.

Your domains need to be at Win2000 native functional level for this to work, so you'll need to decomm any old NT4 domain controllers before you can use Universal Groups.

See: http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Deman Posted February 5, 2008

Since all our servers are now 2003 I'll look into changing the domain.

Cheers
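
Added example, not part of any post in this thread: one way to check the scope of the "local admins" group, change it so it can hold accounts from the other domain, and add such an account, using the ActiveDirectory PowerShell module (RSAT). The DNS names, the account name `jdoe`, and the premise that both domains sit in the same forest are assumptions; the thread gives only the short names Admin and Student.

```powershell
# Added example. Placeholder values: replace with your own.
$studentDomain = 'student.example.test'   # assumed DNS name of the Student domain
$adminDomain   = 'admin.example.test'     # assumed DNS name of the Admin domain
$groupName     = 'local admins'           # group named in the thread
$userName      = 'jdoe'                   # hypothetical account in the Admin domain

Import-Module ActiveDirectory

# Read the group from the domain that owns it and report its current scope.
$group = Get-ADGroup -Identity $groupName -Server $studentDomain
'{0}: scope={1}, category={2}' -f $group.Name, $group.GroupScope, $group.GroupCategory

# A global group accepts only members from its own domain, which is why the
# object picker refuses Admin accounts. Domain local and universal groups can
# hold accounts from other domains. Global cannot be changed straight to
# domain local; it has to pass through universal first.
if ($group.GroupScope -eq 'Global') {
    # Fails if this group is itself a member of another global group.
    Set-ADGroup -Identity $group -GroupScope Universal -Server $studentDomain
    $group = Get-ADGroup -Identity $groupName -Server $studentDomain
}
if ($group.GroupScope -eq 'Universal') {
    # Fails if this group is itself a member of another universal group.
    Set-ADGroup -Identity $group -GroupScope DomainLocal -Server $studentDomain
    $group = Get-ADGroup -Identity $groupName -Server $studentDomain
}

# Resolve the account against its own domain, then add the object to the
# group in the Student domain. Passing the object (not just the name) lets
# the cmdlet reference a principal outside the group's domain.
$user = Get-ADUser -Identity $userName -Server $adminDomain
Add-ADGroupMember -Identity $group -Members $user -Server $studentDomain

# List the raw member attribute to confirm the cross-domain entry.
(Get-ADGroup -Identity $group -Server $studentDomain -Properties member).member
```

A domain local group can only be granted rights on resources in its own domain, which fits this case because the workstations are joined to the Student domain.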