Forest/Domain Trusts

Is there any way to accomplish the following:

Users in Forest A, Domain 1 need access to resources in Forest B, Domain 1...

There is a one-way trust between these domains....
Forest B Domain 1 trusts Forest A Domain 1

What I wanted to be able to do was add users in Forest A Domain 1 to a global group that exists in Forest B Domain 1...  However, I can't see resources in Forest A Domain 1.  I can add them by creating a Domain Local group in Forest B Domain 1, but I cannot then add that Domain Local group to the Global group.

What I have come up with is creating the Domain Local group in Forest B Domain 1, adding members to it from Forest A Domain 1, and then adding that Domain Local group to the local Administrators group of the 5 servers that they need access to.
Is this the only way this will work, or is there some other way?

Take into account that for legal reasons there cannot be a two-way trust established, AND we can't establish a Forest Trust because Forest A is a Windows 2000 domain/forest and Forest B is native Windows 2003.
1 Solution

No additional trust requirements exist; you're good as you are on the trust front.  The issues with group membership across the trust boundary are by design, I'm afraid, since Global Groups only permit members from the same domain in which they exist themselves.  Your solution (assuming you intended on granting admin.-level privs.) is by the book.  You could group the users in ForestAdomain1 into a global group first and add that global to your domain local, but it only buys you a negligible reduction in administrative effort.

Global groups can only contain users from within the same domain as the group.

In a multi-forest environment, the most scalable way to assign permissions is:

Account in Domain A goes into Global Group in Domain A.
Account in Domain B goes into Global Group in Domain B.

Global Group in Domain A goes into Universal Group in Domain A.
Global Group in Domain B goes into Universal Group in Domain B.

Universal Group in Domain A goes into Domain Local Group in Domain B.
Universal Group in Domain B goes into Domain Local Group in Domain B.

Domain Local Group in Domain B receives permissions to resource in Domain B.

By nesting your groups in this manner, when you add new users to Domain A or Domain B, you only need to add them to the appropriate Global Group in their respective domains.
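As an added example (not code from the thread or from any of the posters), the PowerShell script below carries out both approaches discussed above: the Domain Local group workaround the asker settled on, which needs nothing but Forest B admin rights, and the account > Global > Universal > Domain Local nesting for the case where both domains are administered. Every domain, DC, OU, server, group and user name in it is a placeholder I assumed. It uses the ActiveDirectory module on the Forest B side; Forest A accounts are resolved to SIDs with a plain LSA name lookup over the trust (so no management interface is needed on the Windows 2000 side) and written into the group by SID, which is the standard way to let AD create the foreignSecurityPrincipal object for a cross-forest member.

```powershell
# Added example, not from the original thread. All names below are assumptions.
Import-Module ActiveDirectory

# Assumed environment (placeholders; replace with your own values).
$NetbiosA     = 'FORESTA'                                  # trusted domain, Forest A (Windows 2000)
$DcB          = 'dc1.domain1.forestb.example'              # DC in the trusting domain, Forest B
$GroupOuB     = 'OU=Groups,DC=domain1,DC=forestb,DC=example'
$Servers      = 'srv01','srv02','srv03','srv04','srv05'    # the five resource servers in Forest B
$ForestAUsers = 'alice','bob'                              # sAMAccountNames in Forest A (constructed)

# --- Part 1: the asker's workaround (only Forest B is under your control) ---
# A Domain Local group is the one scope that may hold principals from any
# trusted domain, so it is the only group in Forest B that can receive
# Forest A accounts over a one-way external trust.
$dl = New-ADGroup -Name 'RES-Srv-LocalAdmins' -GroupScope DomainLocal `
        -GroupCategory Security -Path $GroupOuB -Server $DcB -PassThru

foreach ($sam in $ForestAUsers) {
    # Resolve "FORESTA\user" to a SID via LSA over the trust (no ADWS needed
    # on the Windows 2000 side), then add the member by SID. Active Directory
    # creates the foreignSecurityPrincipal object in Forest B for us.
    $sid = (New-Object System.Security.Principal.NTAccount("$NetbiosA\$sam")).
             Translate([System.Security.Principal.SecurityIdentifier]).Value
    Set-ADGroup -Identity $dl -Add @{ member = "<SID=$sid>" } -Server $DcB
}

# Grant the Domain Local group local admin rights on each server.
# Assumes WinRM is enabled on the servers; 'net localgroup' exists everywhere.
$netbiosB  = (Get-ADDomain -Server $DcB).NetBIOSName
$groupName = "$netbiosB\$($dl.SamAccountName)"
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($g) net localgroup Administrators $g /add
} -ArgumentList $groupName

# --- Part 2: the full nesting pattern, only when you also administer Forest A ---
# Universal security groups need Forest A out of Windows 2000 mixed mode, and
# these cmdlets need a DC there that speaks ADWS; shown to complete the pattern.
$DcA      = 'dc1.domain1.foresta.example'                  # assumed
$GroupOuA = 'OU=Groups,DC=domain1,DC=foresta,DC=example'   # assumed
$credA    = Get-Credential -Message 'Forest A admin account'

# Accounts in A -> Global group in A
$gA = New-ADGroup -Name 'G-Srv-Admins' -GroupScope Global -GroupCategory Security `
        -Path $GroupOuA -Server $DcA -Credential $credA -PassThru
Add-ADGroupMember -Identity $gA -Members $ForestAUsers -Server $DcA -Credential $credA

# Global group in A -> Universal group in A
$uA = New-ADGroup -Name 'U-Srv-Admins' -GroupScope Universal -GroupCategory Security `
        -Path $GroupOuA -Server $DcA -Credential $credA -PassThru
Add-ADGroupMember -Identity $uA -Members $gA -Server $DcA -Credential $credA

# Universal group in A -> Domain Local group in B (again by SID across the trust).
# From here on, new Forest A users only need adding to G-Srv-Admins.
Set-ADGroup -Identity $dl -Add @{ member = "<SID=$($uA.SID.Value)>" } -Server $DcB

# Verify what Forest B actually holds: cross-forest members show up as
# foreignSecurityPrincipal objects rather than user or group objects.
Get-ADGroupMember -Identity $dl -Server $DcB |
    Select-Object name, objectClass, SID
```

The split into two parts mirrors the thread: Part 1 alone is the asker's situation (no rights in Forest A), and Part 2 is what the nesting advice above amounts to when both sides cooperate. The final listing is the check worth keeping in any change record, since it shows exactly which foreign SIDs now carry admin rights on the five servers.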

Errr...what Dean said.  :-)
dspent (Author) commented:

Thanks.. I figured I was on the right track.  Just needed someone else to say it.  Since I have no access to Forest 1's environment, I'll have to do it the way I stated.