alsace

asked:
Clarification on group membership across forest trusts

Hi,

I posted a query relating to trusts a little while ago here:
https://www.experts-exchange.com/questions/23884036/Help-with-Forest-Trusts.html

In summary, we have a lab with 2 forests, containing one domain each (intenallab.internal and externallab.external). The external domain is hosting a SharePoint site and we wanted to set up a one-way forest trust whereby the EXTERNAL domain is the TRUSTING domain, as it contains the resource that needs to be accessed (the web-based application). The INTERNAL domain is the TRUSTED domain, as it contains the user accounts that require access. We set up the trust whereby users in the INTERNAL domain can authenticate in the EXTERNAL domain, but not the other way around.

I set up the group membership as follows:

- On the INTERNAL domain, I placed the users requiring access in a GLOBAL GROUP, and then made that group a member of a UNIVERSAL GROUP.
- On the EXTERNAL domain, I added the internal domain UNIVERSAL GROUP to a DOMAIN LOCAL group (the internal domain can be browsed care of the trust). Then I added that Domain Local group to the ACL of the resource (the SharePoint site).

I did this according to http://technet.microsoft.com/en-us/library/cc772808.aspx and it works a treat!

HOWEVER....

I want to know what the real benefits are to this method. From what I can see the only 2 benefits are:

1. Less GC replication
2. More flexibility (only need to add/remove groups in the internal Global security group)

But as we will be having multiple team sites on the external SharePoint server, it will require multiple universal and global security groups internally. To make matters worse, we have external users (non-employees) that access the SharePoint sites too, so we will need to create corresponding security groups on the external domain as well and assign them directly to the ACL of the SharePoint site.

Wouldn't it be easier to create the external groups and give them access to the SharePoint site, and then in the same group just browse the internal AD (across the trust) and add users directly? Rather than having to create universal groups, Global security groups, etc.?

Is this viable...?

Have I missed something glaringly obvious?

A picture tells a thousand words so please also see attached...

Thanks,

Alsace
Group-membership-across-trust.PDF
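The cross-forest nesting described in the question (internal Universal group inside an external Domain Local group, then the Domain Local group on the site ACL), as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a one-way trust in which externallab.external trusts internallab.internal, and placeholder group and OU names; the final function resolves the foreign security principals AD creates for cross-forest members so an admin can verify who actually gets access.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# a one-way forest trust (externallab.external trusts internallab.internal) and
# that the internal Universal group 'UG-SharePoint-TeamA' already exists.
# All group and OU names are placeholders chosen for this example.
Import-Module ActiveDirectory

$internalDomain = 'internallab.internal'   # trusted forest: holds the user accounts
$externalDomain = 'externallab.external'   # trusting forest: holds the SharePoint site

# 1. Look up the internal Universal group across the trust.
$ug = Get-ADGroup -Identity 'UG-SharePoint-TeamA' -Server $internalDomain

# 2. Create the Domain Local group in the external domain that goes on the site ACL.
$dl = New-ADGroup -Name 'DL-SharePoint-TeamA-Contribute' -GroupScope DomainLocal `
        -GroupCategory Security -Server $externalDomain `
        -Path 'OU=SharePoint Groups,DC=externallab,DC=external' -PassThru

# 3. Nest the cross-forest Universal group into the Domain Local group.
#    AD stores the member as a foreignSecurityPrincipal holding the internal group's SID.
Add-ADGroupMember -Identity $dl -Members $ug -Server $externalDomain

# 4. Verify: list the Domain Local group's members and translate any foreign SIDs
#    back to account names in the trusted forest (the trust allows the lookup).
function Resolve-DomainLocalMembers {
    param([string]$GroupName, [string]$Server)
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties member
    foreach ($dn in $group.member) {
        if ($dn -like '*CN=ForeignSecurityPrincipals*') {
            $fsp  = Get-ADObject -Identity $dn -Server $Server -Properties objectSid
            $sid  = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
            $acct = $sid.Translate([System.Security.Principal.NTAccount])
            [pscustomobject]@{ Member = $acct.Value; Source = 'cross-forest (FSP)' }
        } else {
            [pscustomobject]@{ Member = $dn; Source = 'local' }
        }
    }
}

Resolve-DomainLocalMembers -GroupName $dl.Name -Server $externalDomain
```

The same steps apply to the simpler approach the asker settled on: pass an internal user object from Get-ADUser -Server $internalDomain to Add-ADGroupMember instead of the Universal group, and the verification function lists it as a cross-forest member in the same way.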
ASKER CERTIFIED SOLUTION
Ted Bouskill

alsace
ASKER

Thanks tedbilly,

Decided to create a Domain Local group on the external domain and add the internal users directly into that.

Then we could add those groups to the WSS Team Site ACLs.

Cheers,

Alsace