Issue with Universal Security groups

I have 2 domains that are in 2 separate forests. Both forests are Windows Server 2003 Functional Level. I have a two-way forest trust with Forest-Wide Authenticated enabled for both forests.

I create a Universal Group and a Domain Local group on the same domain.

1. I go into Universal Group, click on members tab, and go to add an object. It will only show my current domain when I click on Locations (Universal groups are supposed to allow objects from any domain).

2. I go into Domain Local Group, click on members tab, and go to add an object. It will show both my current domain, and the trusted domain when I click on Locations (Domain Local groups are supposed to allow objects from any domain just like the Universal Group).

So my question is, why isn't the Universal Group showing the other domain when I click on Locations like the Domain Local Group is?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

royal

Nevermind, I figured this out. I looked up the MSPress 290 book which states that Universal can add users from any domain and same for Domain Local. This is wrong. I looked in help & support and universal can indeed add objects from any domain as long as it's in the same forest. It also stated that Domain Local can actually add any object from any domain in any forest.

eurotrash

Anyhow you should add the users to a global group and then add the GG to the universal group, as otherwise every member added or removed to-from the universal group will cause replication to every GC.

royal

_omni_ wrote:

Anyhow you should add the users to a global group and then add the GG to the universal group, as otherwise every member added or removed to-from the universal group will cause replication to every GC.

Yep. I was only testing cause I thought you could add a user from any forest to a Universal Group just like you could with Domain Local groups.

And to give more insight on why you would want to do what you suggested (just for the other folks who are reading this thread) is because the Universal Group membership is stored in the Global Catalog. If you add a Global Group to the Universal Group, then the Global Group is replicated across Global Catalog servers, but the membership of the Global Group is not. So lets say you have 100 users you want to add to a Universal Group. If you add them all to the Universal Group, the Global Catalog has to replicate 100 objects. If you add them to a Global Group then add that Global Group to the Global Catalog server, the Global Catalog will only be replicating 1 object instead of 100.

Also, if you're using a 2000 Domain Controller as a Global Catalog, any change made to the Universal Group will cause a full replication of all the objects in the Universal Group. If you're using 2003 to 2003, it'll only replicate the specific changes.