JurgenR
Guest
Posted: Thu Nov 10, 2005 5:51 pm
Post subject: One-way trusts across forests and security best practices
Hi,
Microsoft recommends security across forests according to:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx
And specifically: Best practices for using security groups across forests
To summarise:
1. Users or computers go into Global groups in the local domain
2. Global groups from the local domain go into Universal Groups in the resource domain
3. Universal Groups in the resource domain go into Domain Local Groups in the resource domain
4. Domain Local groups in the resource domain are applied to the actual resource.
Theory makes sense and might work with full [2-way] trusts, but we have a one-way trust...
Domain [and forest] B trusts Domain [and forest] A, but A does not trust B.
User accounts are in A and want access to B; you only seem to be able to add Universal Groups and Global Groups from domain A to Domain Local Groups in B. This is contrary to best practice - if you create a Universal Group in domain B, you cannot add any groups [members] from a foreign trusted domain - you cannot select the trusted domain.
Any ideas on the recommended method? I know we can do it, but we would prefer to do it according to recommended best practices.
Any help much appreciated...
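The nesting the post describes as actually workable under a one-way trust (Global group in the trusted account forest A, added directly to a Domain Local group in the trusting resource forest B, which is then placed on the resource ACL), written out as an added example in PowerShell with the ActiveDirectory module. This is not code from the original post or from the Microsoft article it cites. The domain names (a.example, b.example), DC names, group names, OU paths and the share path are assumed placeholders, and the example assumes the administrator runs it from a machine in forest B with rights in both domains. It first checks the trust direction so the script fails early if the trust is not the inbound one the nesting depends on.

```powershell
# Added example (not the poster's code): cross-forest group nesting for a
# one-way trust where forest B (resource) trusts forest A (accounts).
# All names below are assumed placeholders.
Import-Module ActiveDirectory

$AccountDomain  = 'a.example'          # trusted forest/domain (users live here)
$ResourceDomain = 'b.example'          # trusting forest/domain (resources live here)
$AccountDC      = 'dc1.a.example'      # assumed DC names
$ResourceDC     = 'dc1.b.example'
$GlobalGroup    = 'G-FinanceUsers'     # Global group in A, holds user accounts
$DomainLocal    = 'DL-FinanceShare-RW' # Domain Local group in B, goes on the ACL
$ResourceOU     = 'OU=ResourceGroups,DC=b,DC=example'
$SharePath      = 'D:\Shares\Finance'  # assumed resource on a server in B

# 1. Verify the trust is the inbound one the nesting relies on. Seen from B,
#    the trust object for A must be Inbound (B trusts A) or BiDirectional.
$trust = Get-ADTrust -Filter "Name -eq '$AccountDomain'" -Server $ResourceDC
if (-not $trust) {
    throw "No trust object for $AccountDomain found in $ResourceDomain"
}
if ($trust.Direction -notin @('Inbound', 'BiDirectional')) {
    # An Outbound-only trust means A trusts B, which is the wrong way round
    # for letting A's principals into B's groups.
    throw "Trust to $AccountDomain is $($trust.Direction); B must trust A"
}

# 2. Global group in the account domain A (step 1 of the cited best practice).
#    Users or computers from A are members of this group; nothing foreign here.
$g = Get-ADGroup -Filter "Name -eq '$GlobalGroup'" -Server $AccountDC
if (-not $g) {
    throw "Global group $GlobalGroup not found in $AccountDomain; create it there first"
}

# 3. Domain Local group in the resource domain B. This is the only group scope
#    in B that will accept a principal from the trusted domain A under a
#    one-way trust, which is exactly what the post observes.
$dl = Get-ADGroup -Filter "Name -eq '$DomainLocal'" -Server $ResourceDC
if (-not $dl) {
    $dl = New-ADGroup -Name $DomainLocal -GroupScope DomainLocal `
            -GroupCategory Security -Path $ResourceOU -Server $ResourceDC -PassThru
}

# 4. Nest A's Global group into B's Domain Local group. Passing the group
#    object fetched from A's DC (rather than a bare name) lets the cmdlet
#    resolve the member by SID across the trust; B's DC then stores it as a
#    foreign security principal. (Assumed behaviour of the cmdlet.)
$alreadyMember = Get-ADGroupMember -Identity $dl -Server $ResourceDC |
                 Where-Object { $_.SID -eq $g.SID }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $dl -Members $g -Server $ResourceDC
}

# 5. Apply the Domain Local group to the resource. Only the DL group appears
#    on the ACL, so later changes in A never touch the resource's DACL.
$netbiosB = (Get-ADDomain -Server $ResourceDC).NetBIOSName
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$netbiosB\$DomainLocal", 'Modify', 'ContainerInherit,ObjectInherit',
            'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 6. Review: list what the DL group resolves to, so the nesting is auditable.
Get-ADGroupMember -Identity $dl -Server $ResourceDC |
    Select-Object Name, objectClass, SID
```

Run it as an account that can read forest A and administer groups and the share in forest B. The Universal group step from the cited article is deliberately absent: under a one-way trust a Universal group in B cannot take members from A, so the practical chain is A Global group into B Domain Local group into the ACL, with the trust-direction check at the top documenting why.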