Archived from groups: microsoft.public.win2000.active_directory (
More info?)
"Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
news:OyXRHnB#EHA.2596@tk2msftngp13.phx.gbl...
> GPOs can be linked to Site objects.
True but irrelevant to inheritance across domains boundaries.
> Sites can contain multiple domains,
Not really true -- site neither contain domains nor
do domains contain sites.
The machines for a domain may be in a single site
of course, but the concept doesn't apply to domains.
Microsoft specifically invented sites to help BREAK
the direct connection between Domains and Locations.
> then
> the particular gpo will be applied to multiple domains or objects within
> multiple domains.
The second is the case -- to the machines in a domain,
in no way is it linked to the domain and a (very) few
items MUST be linked at the domain level to have an
effect.
> The limination is its only available to domains within
> same forest.
???
--
Herb Martin
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
>
http://www.chrisse.se - Active Directory Tips
>
> "Herb Martin" <news@LearnQuick.com> skrev i meddelandet
> news:u7hOgZB%23EHA.208@TK2MSFTNGP12.phx.gbl...
> > "Eric Hunter" <EricHunter@discussions.microsoft.com> wrote in message
> > news:70EB3CF6-1B57-4833-9E69-77F4A767A240@microsoft.com...
> >> I want to add a user from a child domain to a Group on the parent
domain.
> > Is
> >> this possible?
> >
> > Yes. There is an automatic (domain) trust
> > between each parent and child domain and
> > these are transitive so in effect every domain
> > of the forest trusts every other.
> >
> >
> >> More info: I have an exchange server in the Child domain and a number
of
> >> accounts in the child domain used to administer the exchange server.
> > There
> >> was a group created in the parent domain when installing exchange named
> >> Exchange Admins. I would like to give the child domain users full
> > exchange
> >> admin rights but do not want to give them parent domain accounts.
> >
> > Create a Global group in the domain with users
> > and place this group in the Local group Exchange
> > Admins* (in whichever domain holds it.)
> >
> > I am presuming this is a Local group of your parent
> > domain.
> >
> > BTW, this has nothing to do with GPOs (directly).
> >
> > GPO inheritance does NOT flow across domain
> > boundaries (i.e., down domain trees.)
> >
> > If you wish to use a GPO in multiple domains you
> > must either (preferred) copy it to and link it to each
> > domain OR (usually poor choice) Link to each domain
> > from the source domain.
> >
> > The latter is technically a legal choice but don't do it
> > that way.
> >
> > Example: 4 domains, you must (still) LINK it 4 times
> > if you wish it to apply throughout the forest.
> > --
> > Herb Martin
> >
> >
> >>
> >> Thanks for the help.
> >>
> >> E
> >
> >
>
>