SOLVED

Active Directory on-premise, basic rules.

Contributor

Hello everyone! Not sure this is correct place to ask but i didn't found more suitable group. I want to ask a question regarding Active Directory groups basics. Everyone remember the rule: if we have two AD domains (in one tree), and we want to add some user from first domain into the group in the second, we need to create a group in the first domain add the user into it and add this group into the group in the other domain. But not the other way: to add a user directly from the first domain into the group in the second domain. I want to ask everyone, is this rule actual in 2020? This rule basically based on the technical limitations or this is just the best practice?

2 Replies
best response confirmed by aero2466 (Contributor)
Solution

@aero2466 

Found the article https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/d3ca79c3-0386-42f8-979b-4376...

This groups named "nested", and this thing called to simplify AD administration. But not any technical limitations for this.

@aero2466 

 

Yes, this is more like a best practice for managing users in AD Groups .

The limitation is trying to add a User from Forest A into a Group that is in Forest B. Most of the deployments keep users in a Single Domain and Groups in another Domain within the Same Forest of Active Directory. Hope this helps answer the question.

 

 

www.000webhost.com