Security – How to make security group in one forest show up in another forest

Tags: access-control-list, active-directory, Security

I have two Win2k8 forests which I do maintenance on. The two forests have a full two-way external, non-transitive trust with each other.

I have a folder in forest X, domain countryX.mycompany.com accessible ONLY by the global security group named $group.

In forest Y, domain countryY.mycompany.com, countryY\user1, countryY\user2 etc. need to have access to the folder.

The natural instinct is to put user1, user2 etc. into $group. However, none of the methods for adding a user to a group work, as it appears that AD cannot find the groups in the other forest.

Questions:

1. How do I make the forests see each other's security groups so that I am able to add members?
2. In practice, what is the recommended way to give users access to folders/files in another forest?

Best Answer

Different group types have different "visibility" in multi-domain and multi-forest environments, as you've found (Microsoft can provide more detail). Global Groups, for example, are only "visible" within the domain in which they reside and can only contain users from that domain (because of how the security identifiers of the member users are stored).

Microsoft's best-practice guidelines are as follows:

  • Create a global group in each domain to contain members from that domain corresponding to a job role

  • Create a domain local group in the domain with the resource to be controlled and grant the domain local group permissions to the resource

  • Nest the global groups from each domain into the domain local group

In some scenarios a universal group can come into play, too (when the resources to be managed are distributed throughout multiple domains, typically).

There are some nice (albeit with a funny aspect ratio) pictures in this Microsoft TechNet forum thread that can give you some background. I'd also advise looking at the Wikipedia article for some more background, as well.
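The nesting the answer describes (global group in the account domain, domain local group in the resource domain, only the domain local group on the ACL), as an added PowerShell example that is not part of the question or the answer. It is run in forest X with the RSAT ActiveDirectory module; the group names, folder path and NetBIOS name COUNTRYX are assumptions.

```powershell
# Added example: AGDLP across an external trust between countryX and countryY.
# Run in the resource forest X as an account that may create groups in
# countryX and change the folder's ACL. All names are assumptions.
Import-Module ActiveDirectory

$resourceDomain = "countryX.mycompany.com"   # forest X, holds the folder
$accountDomain  = "countryY.mycompany.com"   # forest Y, holds user1, user2
$folder         = "D:\Shares\ProjectData"
$roleGroupName  = "G-ProjectData-Readers"    # global group, lives in countryY
$dlGroupName    = "DL-ProjectData-Read"      # domain local group, lives in countryX

# 1. Domain local group in the resource domain. Only this group is ever
#    placed on the folder's ACL; users and foreign groups are nested into it.
if (-not (Get-ADGroup -Filter "Name -eq '$dlGroupName'" -Server $resourceDomain)) {
    New-ADGroup -Name $dlGroupName -GroupScope DomainLocal -GroupCategory Security `
        -Server $resourceDomain -Description "Read access to $folder"
}

# 2. The global group in the account domain, looked up through the trust.
#    countryY's admins create it and put user1, user2 etc. into it.
$roleGroup = Get-ADGroup -Identity $roleGroupName -Server $accountDomain

# 3. Nest the foreign global group into the domain local group. Adding the
#    member by distinguished name is the form that works across a trust;
#    AD creates a foreignSecurityPrincipal object for it in countryX.
Set-ADGroup -Identity $dlGroupName -Server $resourceDomain `
    -Add @{ member = $roleGroup.DistinguishedName }

# 4. Grant the domain local group (never individual users) rights on the folder.
$acl  = Get-Acl -Path $folder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @("COUNTRYX\$dlGroupName", "ReadAndExecute",
                    "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: Get-ADGroupMember commonly errors on groups that contain foreign
# security principals, so read the member attribute directly. The nested
# countryY group appears as CN=<SID>,CN=ForeignSecurityPrincipals,DC=countryX,...
(Get-ADGroup -Identity $dlGroupName -Server $resourceDomain -Properties member).member
```

Adding users from countryY directly to the domain local group works the same way with their DNs, but keeping them in the countryY global group means access is managed once, in the domain that owns the accounts.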