Active directory group with members from multiple domains

active-directory

Using Windows Server 2003 Active Directory with multiple domains in separate forests (using two-way trusts), is there any way I can create a group on one domain that includes users from another domain?

For example:

CENTRAL domain users:
  CENTRAL\Alice
  CENTRAL\Bob

BRANCH domain users:
  BRANCH\Carol
  BRANCH\Dave

There is a two-way trust between BRANCH and CENTRAL, but they are not in the same forest.

Is there any way to make a group in the CENTRAL domain that includes all four users? When I tried this, I found that the membership properties of the group only let me search for users in the CENTRAL domain.

Best Answer

If you use a DOMAIN LOCAL group, you'll be able to add the users from both domains to the one group.

Better still, add a Global/Universal group from the BRANCH domain (and the same from the CENTRAL domain) to the Domain Local group:

CENTRAL DOMAIN
  SPECIAL GROUP
    CENTRAL\Alice
    CENTRAL\Bob

BRANCH DOMAIN
  SPECIAL GROUP
    BRANCH\Carol
    BRANCH\Dave

CENTRAL DOMAIN
  JOINT DOMAIN LOCAL GROUP
    CENTRAL\Special Group
    BRANCH\Special Group

That way, adding new members to the JOINT group just means adding them to the global group within their domain.
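The nesting described in the answer, scripted as an added example (this is not code from the original answer). It assumes the RSAT ActiveDirectory PowerShell module, the hypothetical domain names central.example and branch.example, an OU=Groups container in each domain, and an account allowed to create groups in both; Windows Server 2003 domain controllers only answer these cmdlets once the Active Directory Management Gateway Service is installed on them. The point it shows beyond the answer is what the CENTRAL side actually stores for the BRANCH group: a foreign security principal named after the group's SID, which is why the plain member picker only showed CENTRAL objects.

```powershell
# Added example, not part of the original answer. Assumed names: central.example,
# branch.example, OU=Groups in each domain. Requires the RSAT ActiveDirectory module
# and group-creation rights in both domains (2003 DCs need the AD Management
# Gateway Service before these cmdlets can talk to them).
Import-Module ActiveDirectory

$central = 'central.example'   # assumed domain names
$branch  = 'branch.example'

# Step 1: a global group in each domain that holds that domain's own users.
# Global groups can only contain accounts from their own domain, which is
# exactly why one is needed per domain.
$centralGlobal = New-ADGroup -Server $central -Name 'Special Group' `
    -GroupScope Global -Path 'OU=Groups,DC=central,DC=example' -PassThru
Add-ADGroupMember -Server $central -Identity $centralGlobal -Members 'Alice', 'Bob'

$branchGlobal = New-ADGroup -Server $branch -Name 'Special Group' `
    -GroupScope Global -Path 'OU=Groups,DC=branch,DC=example' -PassThru
Add-ADGroupMember -Server $branch -Identity $branchGlobal -Members 'Carol', 'Dave'

# Step 2: the domain local group in CENTRAL that resources will be ACLed against.
$joint = New-ADGroup -Server $central -Name 'Joint Domain Local Group' `
    -GroupScope DomainLocal -Path 'OU=Groups,DC=central,DC=example' -PassThru

# Step 3: nest both global groups. The CENTRAL group is a same-domain object and
# goes in by DN. The BRANCH group lives in another forest, so the CENTRAL DC has no
# DN for it and instead records a foreign security principal (an object named after
# the group's SID under CN=ForeignSecurityPrincipals) as the member.
Add-ADGroupMember -Server $central -Identity $joint -Members $centralGlobal
try {
    # The cmdlet carries the foreign object's SID across the trust for us.
    Add-ADGroupMember -Server $central -Identity $joint -Members $branchGlobal -ErrorAction Stop
}
catch {
    # Fallback: write the member attribute using the <SID=...> DN form, which the DC
    # resolves through the trust and turns into the foreign security principal itself.
    Set-ADGroup -Server $central -Identity $joint `
        -Add @{ member = "<SID=$($branchGlobal.SID.Value)>" }
}

# Step 4: read the membership back from the raw attribute. The BRANCH entry appears
# as CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=central,DC=example.
(Get-ADGroup -Server $central -Identity $joint -Properties member).member
```

Reading the raw member attribute rather than calling Get-ADGroupMember avoids the cmdlet's attempt to resolve the foreign object back to its home forest. In the GUI the same thing is done with the Locations button of the Select Users dialog, which lists trusted domains alongside the current one. Security-wise this layout sits well with SID filtering on the trust: the only SID that has to cross from BRANCH is that of BRANCH's own global group, which filtering allows, while the domain local group's SID is added to the token by CENTRAL itself once the user reaches the resource domain.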
