Jump to content

Groups containing members from different domains?


Deman
 Share

Recommended Posts

I'm trying to get head around groups and whether it's possible to have one that contains members from different domains.

Background story

Currently we have two domains (Admin and Student). Admin holds all the admin accounts I don't want the students to mess with and Student being what the students learn on. It's also what all the student workstations connect to.

Normally the two work well together and I can logon to a student workstation using an account residing in the admin domain (trusts and all that) but with the rollout of Vista I noticed that my account didn't have administrative rights on a machine connected to the student domain. Consequently I got all sorts of UAC prompts and crazy things going on.

I thought I could simply remedy this by adding my account to the "local admins" group (a Global Group residing on the student domain) but it wouldn't accept accounts from the admin domain, only the student one.

Each time I change the specification to search admin, it wouldn't let me look for user accounts, only contacts.

I can select users from a different domain when setting rights for shared folders and ntfs security etc, I just can't add users from a different domain into a group. Other of course than the security permissions for the domain controller.

I managed to get my local administrative permissions in the end by adding Admin\Domain admins to Bultin\Administrators in group policy somewhere but I'd like to know why I couldn't just add my account to the group that was already in there, just seems tidier to me.

Is this by design or do I have a misconfiguration somewhere?

Any help appreciated, cheers :)

Edit: I think I found why, looks like my "local admins" group needs to be a "domain local" and not a global. This is kinda making my head spin...

Edited by Deman
Link to comment
Share on other sites


I'd have thought the group needed to be a Universal Group if you want members from different domains.

Your domains need to be at Win2000 native functional level for this to work, so you'll need to decomm any old NT4 domain controllers before you can use Universal Groups.

See:

http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.


×
×
  • Create New...