Forum Discussion
Active Directory on-premise, basic rules.
Hello everyone! Not sure this is the correct place to ask, but I didn't find a more suitable group. I want to ask a question regarding Active Directory group basics. Everyone remembers the rule: if we have two AD domains (in one tree) and we want to add a user from the first domain into a group in the second, we need to create a group in the first domain, add the user into it, and add this group into the group in the other domain. But not the other way: adding a user directly from the first domain into the group in the second domain. I want to ask everyone, is this rule still actual in 2020? Is this rule based on technical limitations, or is it just a best practice?
- aero2466 (Brass Contributor)
Found the article https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/d3ca79c3-0386-42f8-979b-4376977dcd5e
These groups are named "nested", and this is done to simplify AD administration. But there are no technical limitations for this.
- aliat_IMANAMI (Brass Contributor)
Yes, this is more like a best practice for managing users in AD groups.
The limitation is trying to add a User from Forest A into a Group that is in Forest B. Most of the deployments keep users in a Single Domain and Groups in another Domain within the Same Forest of Active Directory. Hope this helps answer the question.
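The pattern discussed in this thread (a Global group in the user's domain nested into a Domain Local group in the resource domain), as an added PowerShell example that is not from any of the posters. It assumes the RSAT ActiveDirectory module, two domains in one forest, and placeholder DC names, OUs and group names; the scope rule it relies on is that Global groups may only contain members from their own domain, while Domain Local groups accept users and groups from any domain in the forest.

```powershell
# Added example, not from the thread. Two domains in one forest are assumed:
# users live in corp.example (domain A), the resource lives in res.corp.example
# (domain B). DC hostnames, OU paths, group names and the user are placeholders.
Import-Module ActiveDirectory

$UserDomainDC = 'dc1.corp.example'       # DC in the domain that holds the user
$ResDomainDC  = 'dc1.res.corp.example'   # DC in the domain that holds the resource

# 1. Global group in the user's own domain. Global scope only permits members
#    from that same domain, which is why this group must live in domain A.
$globalGroup = New-ADGroup -Name 'G-Finance-Users' -GroupScope Global `
    -GroupCategory Security -Path 'OU=Groups,DC=corp,DC=example' `
    -Server $UserDomainDC -PassThru
$user = Get-ADUser -Identity 'jdoe' -Server $UserDomainDC
Add-ADGroupMember -Identity $globalGroup -Members $user -Server $UserDomainDC

# 2. Domain Local group in the resource domain; this is the group that is
#    granted rights on the share/ACL. Domain Local scope accepts users and
#    groups from any domain in the forest, so nesting the Global group is legal.
$localGroup = New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path 'OU=Groups,DC=res,DC=corp,DC=example' `
    -Server $ResDomainDC -PassThru
Add-ADGroupMember -Identity $localGroup -Members $globalGroup -Server $ResDomainDC

# 3. The question raised in the thread: adding the domain-A user directly to the
#    domain-B group. For a Domain Local (or Universal) group this succeeds; the
#    object must be fetched from its own domain's DC so the SID resolves correctly.
#    It would fail only if the domain-B group had Global scope.
Add-ADGroupMember -Identity $localGroup -Members $user -Server $ResDomainDC

# 4. Verify effective membership from the resource domain, expanding the nesting.
Get-ADGroupMember -Identity $localGroup -Recursive -Server $ResDomainDC |
    Select-Object Name, objectClass, distinguishedName
```

Step 3 is included only to show that the direct path is not blocked by AD itself; in practice pick one path per group so access reviews have a single place to look.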
- TaranK360 (Copper Contributor)
Please also check the basics of a domain in an AD environment: https://mindmingle40.wordpress.com/2024/07/27/forest-and-domain-chapter-2/