Hi,
we use PCNS Exclusion groups to exclude some high privilege accounts from pwd forwarding.
I know that it is possible to add a group as member of the exclusion group. No issue at least when the nested group is part of the same domain.
But what about cross-domain group nesting?
My situation:
- We have a multi-domain forest. Let's say forest contoso.com, domains DomA, DomB, DomC. In all the domains we use PCNS.
- We have several small locations (= AD sites) around the world where only a domain controller of the user's domain is located, let's say domain DomB or DomC. There are WAN connections to the corporate net.
- Some of our users have two personal accounts, both in the same domain. One of them is used for administrative tasks. These "admin accounts" should be excluded from PCNS.
- In DomA there is a universal group 'AdminAccounts' which contains all of these admin accounts.
Now my idea would be to simply add the group DomA\AdminAccounts to each PCNS Exclusion group (scope domain-local) in the other domains.
What do you think, would this work?
Thanks
Walter