Groups

amart83

You have two domains in the same forest, Domain1.com and Domain2.com

In Domain1, there is a Security Global group called "Training" that is a member of a Domain Local group that has access to a shared folder.

You need to add the domain users from Domain2 to the "Training" Global group in Domain1.

Thoughts?

amart83

IMO:

1. In Domain2, create a Security Global Group named "<whatever>"
2. In Domain2, make "<whatever>" a member of the "Domain Users" Domain Local group of Domain2
3. In Domain1, add the "<whatever>" Global group to the members to the "Training" Global group.

aquageek

dsadd group "ou=AddToTraining,dc=domain1,dc=com" -d domain1.com -u username -p *

dsquery user "ou=everyone,dc=domain1,dc=com" | dsmod group "ou=AddToTraining,dc=domain1,dc=com" -addmbr

dsget group "ou=AddToTraining,dc=domain1,dc=com" -members -d domain1.com -u username -p * | dsmod group "ou=training,dc=domain2,dc=com" -addmbr -d domain2.com -u username -p *


?

aquageek

I would like to retract my previous answer and submit the following:

aquageek wrote: »

dsadd group "cn=AddToTraining,dc=domain1,dc=com" -d domain1.com -u username -p *

dsquery user "dc=domain1,dc=com" | dsmod group "cn=AddToTraining,dc=domain1,dc=com" -addmbr

dsget group "ou=AddToTraining,dc=domain1,dc=com" -members -d domain1.com -u username -p * | dsmod group "cn=training,dc=domain2,dc=com" -addmbr -d domain2.com -u username -p *

That's my final answer.

dynamik

amart83 wrote: »

IMO:

1. In Domain2, create a Security Global Group named "<whatever>"
2. In Domain2, make "<whatever>" a member of the "Domain Users" Domain Local group of Domain2
3. In Domain1, add the "<whatever>" Global group to the members to the "Training" Global group.

For step 2, you're going to want to make domain users a member of <whatever>.

The problem with scripting it is that you'll have to update it manually whenever users are added or removed. There's already a group that matches his criteria, so why make things more complicated than they need to be?

aquageek

dynamik wrote: »

The problem with scripting it is that you'll have to update it manually whenever users are added or removed. There's already a group that matches his criteria, so why make things more complicated than they need to be?

That's true, but the question doesn't explicitly require that all future domain2 users be added to the training group.

If you wanted to stop people automatically being added to the training group you'd have to manually remove them as a member each time.

Right? (I'm asking for my own edification)

dynamik

aquageek wrote: »

That's true, but the question doesn't explicitly require that all future domain2 users be added to the training group.

Are you an MS exam writer?

aquageek wrote: »

If you wanted to stop people automatically being added to the training group you'd have to manually remove them as a member each time.

In my scenario? That would require removing them from the domain users group, which is probably not what you'd want to do. If you needed more granular control over who was a member, you should probably do something like what you did.

aquageek

dynamik wrote: »

Are you an MS exam writer?

lol Not yet.

puertorico123

amart83 wrote: »

You have two domains in the same forest, Domain1.com and Domain2.com

In Domain1, there is a Security Global group called "Training" that is a member of a Domain Local group that has access to a shared folder.

You need to add the domain users from Domain2 to the "Training" Global group in Domain1.

Thoughts?

1. In Domain2, create a Security Universal Group named "<to be trainnng>"
2. In Domain1, upgrade "Training" group to Universal.
3. In Domain1, add the "<To be training>" universal group to the members to the "Training" universal group.

is good?

dynamik

Is the "domain users" group a domain local group in Server 2003 (I missed that part the first time around)? I only have 2008 available atm, and it shows it's a global group. If it is a domain local group that would be problematic since global groups can only contain accounts and other global groups.

Group scope: Active Directory

amart83

dynamik wrote: »

Is the "domain users" group a domain local group in Server 2003 (I missed that part the first time around)? I only have 2008 available atm, and it shows it's a global group. If it is a domain local group that would be problematic since global groups can only contain accounts and other global groups.

Group scope: Active Directory

In 2003, "Domain Users" is a Domain Local group.

dynamik wrote: »

For step 2, you're going to want to make domain users a member of <whatever>.

Yes, you're right. Thank you!

But I have the right idea?

dynamik

Well, if that's the case, you're going to have to do something like aquageek suggested since you can't have a domain local group from another domain nested in any other group. It shows up as a global group in 2003 R2 as well.

amart83

In my lab, I was successfuly able to make the "Domain Users" a member of "<whatever>" Global group.

But I don't have that 2nd Domain in my lab to verify if this is possible.

dynamik

You can't make domain local groups members of global or universal groups. They can only be members of other domain local groups in the same domain. Check that link I posted. Are you sure domain users isn't a global group?

amart83

dynamik wrote: »

You can't make domain local groups members of global or universal groups. They can only be members of other domain local groups in the same domain. Check that link I posted. Are you sure domain users isn't a global group?

Dude, you're right. Sorry. Could've sworn I saw Domain Local before...

dynamik

No worries. I wasn't trying to be picky or anything; it's just that it does make a significant difference in this situation.