AD user object across different forests

  • Last Post 27 June 2017
yogeshcittu posted this 24 June 2017

Hi all,
We have Forest A and Forest B.
Forest A is the root forest.
My requirement:
Need to add a user object from Forest A into an AD group (Universal) in Forest B.
In Forest B, from the ADUC console, I'm not able to find AD objects/resources in Forest A.
Is there any kind of permission needed (Domain Admins, Enterprise Admins)? Please guide me on how to achieve this.
Regards, Yogesh

ken posted this 24 June 2017

What is a “root forest”?

Do you have a Forest Trust? Is the trust one-way, or two-way?

Are you able to see objects from Forest B in Forest A?

yogeshcittu posted this 24 June 2017

We have two separate forests with a one-way trust. Not able to view the resources from Forest B in Forest A.

ken posted this 26 June 2017

OK – just to confirm – you have two Forests (A & B) with a single domain in each.

There is a one-way trust (which Forest trusts the other?)

You are not able to see Forest A objects in Forest B, and you’re also not able to see Forest B objects in Forest A.

Does the trust actually work? I.e. is there a more fundamental issue here (DNS, firewalls or similar), or is it just an object picker problem?


bshwjt posted this 26 June 2017

Try with a domain local group.
Biswajit

ZJORZ posted this 26 June 2017

A universal group can only contain member objects from the same AD forest as the universal group itself. You could convert the group to a domain local group. All the existing members of the universal group can also be a member of the domain local group. However, a universal group can be used anywhere in the forest to secure something, whereas a domain local group can only secure resources in its own domain.

Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP

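The PowerShell below is an added example, not code from anyone in this thread. It turns the scope rule Jorge describes into a script run from Forest B: read the group's scope, convert Universal to DomainLocal where needed, resolve the user in Forest A, add it by SID, and verify the resulting foreignSecurityPrincipal link. It assumes the RSAT ActiveDirectory module and a trust in which Forest B (where the group lives) trusts Forest A (where the user lives), which is the direction this membership requires; the DC names, group DN and user name are placeholders.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and a trust in which Forest B (where the group lives) trusts Forest A (where the
# user lives). Server names, DNs and account names below are placeholders.
Import-Module ActiveDirectory

$AccountForestDC  = 'dc01.foresta.example'                            # assumption: a DC in Forest A
$ResourceForestDC = 'dc01.forestb.example'                            # assumption: a DC in Forest B
$GroupDN          = 'CN=FileShare-RO,OU=Groups,DC=forestb,DC=example' # assumption: group in Forest B
$UserSam          = 'yogesh'                                          # assumption: user in Forest A

# 1. Group scope. Universal groups only accept members from their own forest and
#    Global groups only from their own domain; Domain Local groups accept principals
#    from any trusted domain, including another forest. Universal -> DomainLocal has
#    no conversion restrictions, so existing members stay in the group.
$group = Get-ADGroup -Identity $GroupDN -Server $ResourceForestDC
switch ($group.GroupScope) {
    'Universal' {
        Write-Warning "Group '$($group.Name)' is Universal; converting to DomainLocal to allow cross-forest members."
        Set-ADGroup -Identity $group -GroupScope DomainLocal -Server $ResourceForestDC
    }
    'Global' {
        throw "Group '$($group.Name)' is Global; Global groups cannot hold members from another domain."
    }
}

# 2. Resolve the user in Forest A. Without -Server the cmdlet only queries the
#    local forest, which is the command-line equivalent of the ADUC object picker
#    not having Forest A selected under 'Locations'.
$user = Get-ADUser -Identity $UserSam -Server $AccountForestDC

# 3. Add the member by SID. The DC in Forest B creates a foreignSecurityPrincipal
#    object for that SID under CN=ForeignSecurityPrincipals and links it into 'member'.
Set-ADGroup -Identity $group -Server $ResourceForestDC -Add @{ member = "<SID=$($user.SID.Value)>" }

# 4. Verify by reading the raw 'member' attribute. Get-ADGroupMember is avoided here
#    because it tries to resolve every foreign member and can fail when Forest A is
#    not reachable from the machine running the check.
$memberDNs = (Get-ADGroup -Identity $group -Server $ResourceForestDC -Properties member).member
$fspDN = $memberDNs | Where-Object { $_ -like "CN=$($user.SID.Value),CN=ForeignSecurityPrincipals,*" }
if ($fspDN) {
    "OK: $($user.SamAccountName) is a member of $($group.Name) as $fspDN"
} else {
    Write-Error "Membership not found. Check the trust direction (Forest B must trust Forest A) and DNS/firewall between the forests."
}
```

On the permission question from the original post: Enterprise Admins is not needed. Write access to the group's member attribute in Forest B (Domain Admins, Account Operators or a delegated owner) plus read access to Forest A is enough; if the account running the script cannot read Forest A, pass `-Credential` to Get-ADUser with a Forest A account. If step 2 itself fails with a name-resolution or RPC error, the trust is not functional and the object picker symptom is a consequence, which is the "more fundamental issue" Ken asks about above.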

santhosh posted this 27 June 2017

As others mentioned here, you can’t use a Universal group in this scenario. “Group scope” is well documented here:

https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

Santhosh
