Domain Trust Group Permissions
-
Just sharing my new realization with regard to dealing with domain trusts.
In my head I was kind of doing a short circuit where a local group is basically a local resource. Probably because we have treated them that way, i.e. a Domain Local Group is created to become a member of a Local Group on certain computer(s).
So I was confused when I was doing some external trust labbing and while I could add a Domain Local group which contained a Global group from the trusted domain to folder permissions, I could not add that same group to the local Remote Desktop Users group.
However, a Local Group is not a resource, it is its own thing, a local group. This blog outlines local groups and trusts well: https://blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy/ The only group that can be added is a Global Group (which of course means it is a group from the trusted domain).
The Remote Desktop Users group grants certain Remote Desktop Services permissions: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753032(v=ws.11)
So those permissions are where I would need to use Domain Local groups. Apparently those permissions can only be assigned if you have the Remote Desktop role installed, unless you plan on spending some serious time doing some reverse engineering.
-
I use Domain Local groups for access control to local resources. You can have other group types as members, as well as groups from other trusted domains.
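The two cases the thread describes (a Global group from the trusted domain nested into a local built-in group, and a Domain Local group from the resource domain placed on a folder ACL) as an added PowerShell example. This is not code from either poster; it is illustrative only. Assumed names: trusted domain contoso.com with Global group CONTOSO\GG-Finance-Users, the server's own domain FABRIKAM with Domain Local group FABRIKAM\DL-Finance-Share-Modify that already contains that Global group, and share path D:\Shares\Finance. It assumes the ActiveDirectory RSAT module is present, the script runs elevated on the member server, and the current account can read the trusted domain's directory (otherwise pass -Credential to Get-ADGroup).

```powershell
# Added example (not from the thread). All names below are assumptions.
$trustedDomain = 'contoso.com'
$trustedGlobal = 'CONTOSO\GG-Finance-Users'            # Global group, trusted domain
$resourceDL    = 'FABRIKAM\DL-Finance-Share-Modify'    # Domain Local group, resource domain
$sharePath     = 'D:\Shares\Finance'

Import-Module ActiveDirectory

# 1. Check the scopes first: scope, not where the group lives, decides where it can be used.
$gg = Get-ADGroup -Identity ($trustedGlobal.Split('\')[1]) -Server $trustedDomain
$dl = Get-ADGroup -Identity ($resourceDL.Split('\')[1])
"{0} scope: {1}" -f $trustedGlobal, $gg.GroupScope    # Global
"{0} scope: {1}" -f $resourceDL,    $dl.GroupScope    # DomainLocal

# 2. Local group membership: nest the trusted domain's Global group directly.
#    Refuse to proceed if the group is not Global, per the nesting rule the post describes.
if ($gg.GroupScope -ne 'Global') {
    throw "$trustedGlobal has scope $($gg.GroupScope); only a Global group from the trusted domain can be nested in a local group."
}
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $trustedGlobal
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 3. Resource permission: the Domain Local group goes on the folder ACL.
#    Its trusted-domain members get access through the nesting, not through a local group.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $resourceDL,
    'Modify',
    'ContainerInherit, ObjectInherit',   # apply to subfolders and files
    'None',
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify the ACE landed on the folder.
(Get-Acl -Path $sharePath).Access |
    Where-Object IdentityReference -eq $resourceDL |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

The scope check in step 2 is the practical takeaway: if you try the same Add-LocalGroupMember with the Domain Local group instead, you are in the situation the first post describes, so the script fails early and tells you why rather than leaving you to puzzle over the error from the local group cmdlet.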
-
@Obsolesce said in Domain Trust Group Permissions:
I use Domain Local groups for access control to local resources. You can have other group types as members, as well as groups from other trusted domains.
Right, but you can't then add that Domain Local group that has members from the trusted domain to a local group on the server.
-
@flaxking said in Domain Trust Group Permissions:
@Obsolesce said in Domain Trust Group Permissions:
I use Domain Local groups for access control to local resources. You can have other group types as members, as well as groups from other trusted domains.
Right, but you can't then add that Domain Local group that has members from the trusted domain to a local group on the server.
Right, you wouldn't want to.