Account required for changes across new Forest Trust

Following the setting up of a one-way Forest Trust between our domain and our associated company, I have created some universal groups and asked the other company to nest our universal groups inside universal groups in their domain so our users get access to resources on their side. They say they need an account to enable them to do this. Do I just give them an account with Account Operator privileges? Surely this will enable them to make any changes to accounts on our Domain? Do I just disable this account after they have made the changes, and then re-enable it when I wish them to make changes in the future? I want to maintain security as best as possible. Thanks.
hqpsystems Asked:
 
Chris Dent, PowerShell Developer, Commented:

Apologies, should have seen it was Universal on both sides.

Universal Groups cannot contain foreign security principals, only Domain Local Groups can do that. However, if they create Domain Local Groups they will be able to add either Global or Universal groups from your own domain into that.

Chris
0
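Added example (not part of the thread and not code from either poster): one way the resource-domain admin can nest the partner's group in a Domain Local group using only their own domain's credentials. It assumes the partner's admin has supplied the group's SID; the domain name, group name, OU path and SID are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Run in the resource (trusting) domain with an account that can manage groups
# there. Nothing is written to the trusted domain, so no account in it is used.
# All names, paths and the SID below are constructed placeholders (assumptions).
$ResourceDomain = 'resources.example'
$TargetGroup    = 'DL-Partner-Share-Read'
$TargetPath     = 'OU=Groups,DC=resources,DC=example'
# SID of the partner's Global or Universal group, supplied by the partner's admin.
$ForeignSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1601'

# A SID from our own domain is not a foreign principal; refuse it.
$localSid = (Get-ADDomain -Server $ResourceDomain).DomainSID
if ($ForeignSid.AccountDomainSid -eq $localSid) {
    throw "SID $ForeignSid belongs to $ResourceDomain, not to the trusted forest."
}

# Find the target group, or create it as Domain Local.
$dst = Get-ADGroup -Filter "SamAccountName -eq '$TargetGroup'" -Server $ResourceDomain
if (-not $dst) {
    $dst = New-ADGroup -Name $TargetGroup -SamAccountName $TargetGroup `
        -GroupCategory Security -GroupScope DomainLocal `
        -Path $TargetPath -Server $ResourceDomain -PassThru
}

# Universal groups cannot contain foreign security principals, so stop here
# rather than let the add fail with a less obvious directory error.
if ($dst.GroupScope -ne 'DomainLocal') {
    throw "$TargetGroup is $($dst.GroupScope); use a Domain Local group for members from another forest."
}

# Adding by SID makes AD create the foreignSecurityPrincipal object itself.
Set-ADGroup -Identity $dst -Server $ResourceDomain `
    -Add @{ member = "<SID=$($ForeignSid.Value)>" }

# Confirm the membership now points at the foreign security principal.
$members = (Get-ADGroup -Identity $dst -Server $ResourceDomain -Properties member).member
if (-not ($members -like "CN=$($ForeignSid.Value),CN=ForeignSecurityPrincipals,*")) {
    throw "Foreign group $ForeignSid was not added to $TargetGroup."
}
"Added $ForeignSid to $($dst.DistinguishedName)"
```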
 
Chris Dent, PowerShell Developer, Commented:

I fail to see why they will need rights to make changes on your domain at all, to be honest.

You had intended that they add groups on your domain as members to groups on theirs?

Chris
0
 
hqpsystems (Author) Commented:
Exactly. I totally agree, and didn't believe they would need an account to add groups from our domain into groups in their domain. I'll follow this up. Cheers.
0
 
hqpsystems (Author) Commented:
Just to clarify then, could you confirm that my understanding is correct? I have a one-way incoming trust set up on my root domain, and the corresponding one-way outgoing trust is set up on their root domain. So users in our domain should be able to access resources in their domain, once the appropriate access has been granted. I created Universal Groups in our domain and asked them to add these Universal Groups from our domain into the corresponding Universal Groups in their domain to nest them. At no point then should they require any account with rights on our domain, as the trust should allow my Universal Groups to become nested in their Universal Groups? Thanks.
0
 
hqpsystems (Author) Commented:
Apologies from my end! I actually meant Domain Local groups at their end, not Universal groups. Thanks for your help.
0
Question has a verified solution.