SOLVED

Active Directory on-premise, basic rules.


Hello everyone! Not sure this is the correct place to ask, but I didn't find a more suitable group. I want to ask a question regarding Active Directory group basics. Everyone remembers the rule: if we have two AD domains (in one tree), and we want to add some user from the first domain into a group in the second, we need to create a group in the first domain, add the user into it, and add this group into the group in the other domain. But not the other way: adding a user directly from the first domain into the group in the second domain. I want to ask everyone, is this rule still current in 2020? Is this rule based on technical limitations, or is it just a best practice?

1 Reply
Best Response confirmed by aero2466 (Contributor)
Solution

@aero2466 

Found the article https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/d3ca79c3-0386-42f8-979b-4376...

These groups are called "nested", and this is done to simplify AD administration. But there are no technical limitations behind it.
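
The nesting described in the question, as an added PowerShell example that is not part of the original thread. The domain names, OU path, user and group names are placeholders, and the group scopes (Global in the user's domain, Domain Local in the other domain) are an assumed conventional choice, not something the thread specifies.

```powershell
# Added example: nest a group from the first domain into a group in the second.
# Requires the ActiveDirectory module (RSAT). Every name below is a placeholder.
Import-Module ActiveDirectory

$accountDomain  = 'a.example.com'                       # first domain (holds the user)
$resourceDomain = 'b.example.com'                       # second domain (holds the target group)
$groupOu        = 'OU=Groups,DC=a,DC=example,DC=com'    # placeholder OU in the first domain
$userSam        = 'jdoe'                                # placeholder user in the first domain
$roleGroupName  = 'GG-Finance-Users'                    # group to create in the first domain
$targetGroup    = 'DL-FinanceShare-Read'                # assumed to exist in the second domain

# 1. Create a group in the first domain.
$roleGroup = New-ADGroup -Name $roleGroupName -SamAccountName $roleGroupName `
    -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Server $accountDomain -PassThru

# 2. Add the user to that group (both objects live in the first domain).
$user = Get-ADUser -Identity $userSam -Server $accountDomain
Add-ADGroupMember -Identity $roleGroup -Members $user -Server $accountDomain

# 3. Add the first-domain group to the group in the second domain.
#    The member is passed as an object fetched from its own domain, while
#    -Server points at the domain that owns the group being modified.
Add-ADGroupMember -Identity $targetGroup -Members $roleGroup -Server $resourceDomain

# 4. Review the result: direct members of the target group should now include
#    the nested group's DN, which makes access reviews a per-group check.
$direct = (Get-ADGroup -Identity $targetGroup -Server $resourceDomain -Properties member).member
$direct | ForEach-Object {
    [pscustomobject]@{
        TargetGroup  = $targetGroup
        DirectMember = $_
        IsNestedRole = ($_ -eq $roleGroup.DistinguishedName)
    }
}
```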