Windows 2003 - Windows 2008 forest trust permissions issue

Posted on 2009-05-11
Last Modified: 2012-05-06
Hello,

I have a 2-way forest trust between a Windows 2008 and Windows 2003 system but running native. The trust is fully in place and I have created security groups on either forest, and users from either forest can be added to the groups.

My question is, I am a domain admin on forest A and I want to connect to a PC's c$ share on domain B. When I try to do this, a username/password prompt appears. Also, domain admins from site B cannot connect to a c$ share without a username/password prompt.

Why is this?

Kind Regards

Phil
Question by:philipfarnes

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 24355166

Hi Phil,

The trouble is....

Only Local Groups can contain foreign security principals (users from a trusted domain in this case).

Local Groups cannot contain other Local Groups. That means a local group on a PC cannot contain a domain local group.

By default, the only group with Administrative Rights on a domain member is "Domain Admins", which is a Global Group (and cannot contain a user in a trusted domain), nor can it contain a local group on the domain.

Because of that lot, there's no reason you should have admin rights on a PC within a trusted domain unless you put something in place to take care of it. Hence the username / password prompt.

Chris
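
One way to "put something in place", as an added example that is not part of the answer above: nest a global group from the trusted forest directly into the PC's local Administrators group, then audit who holds admin rights there. FORESTA, PC-Admins and PC01 are hypothetical names, and the script assumes it is run by someone who already has admin rights on the target PC.

```powershell
# Added example. FORESTA, PC-Admins and PC01 are hypothetical names.

# List the members of a computer's local Administrators group and where each comes from.
function Get-LocalAdminMember {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # WinNT://DOMAIN/name           -> principal from a domain (own or trusted)
        # WinNT://DOMAIN/COMPUTER/name  -> account local to the machine
        # WinNT://S-1-5-21-...          -> SID that no longer resolves (e.g. broken trust)
        $parts = $path.Substring('WinNT://'.Length).Split('/')
        switch ($parts.Count) {
            1       { $source = 'Unresolved SID' }
            2       { $source = $parts[0] }
            default { $source = 'Local' }
        }
        New-Object PSObject -Property @{
            Computer = $ComputerName; Source = $source; Name = $parts[-1]; Class = $class
        }
    }
}

# Add a global group from the trusted domain to local Administrators, once.
# A dedicated group is used rather than the other forest's Domain Admins,
# so the grant covers only the people who need it.
function Add-TrustedGroupToLocalAdmins {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    $existing = Get-LocalAdminMember -ComputerName $ComputerName |
        Where-Object { $_.Source -eq $Domain -and $_.Name -eq $GroupName }
    if ($existing) { return $false }   # already a member, nothing to do

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Add("WinNT://$Domain/$GroupName,group")
    return $true
}

# Usage (against a real PC in the trusting domain):
#   Add-TrustedGroupToLocalAdmins -ComputerName 'PC01' -Domain 'FORESTA' -GroupName 'PC-Admins'
#   Get-LocalAdminMember 'PC01' | Format-Table Computer, Source, Name, Class -AutoSize
```

Any row whose Source is the other forest's domain is a cross-forest admin grant and worth reviewing periodically.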