Universal or domain local groups

hi

just started using 2 domains trust relationship between them

domaina
domainb

slightly confused on 2 groups

universal
domain local

if setup universal group @ domaina, dont seem able add user domainb

if setup 'domain local' group @ domaina, can add users domainb, can use group @ domaina (i guess local domain)

it looks can add universal group domain local group.

is right?

either way, if have cross domain permissions, looks each member of staff needs in 2 security groups

thanks

http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

a universal group can contain members domains in forest. however, assign permisisons, yiou should use domain local group (as change in universal group triggers gc replication).

i recommend making search role based administration best practice "agudlp"

accounts in global groups, in univerals groups in domain local groups assigned permissions

---

mcp/mcsa/mcts/mcitp

Windows Server  >  Windows Server General Forum