Permissions within nested groups between trusted forests

lupodwdm used Ask the Experts™
We are running into an issue allowing members of a trusted domain to log onto our terminal servers using the domain credentials from their domain. We created a one way outgoing trust to the other forest and I am able to enumerate their users from our side. We have created a number of domain local groups on our side and then nested groups from the other domain into our local groups. What would be the next step to allow these users to log into the terminal servers that we have on our side? Do we just make the domain local groups on our side members of the remote desktop users group and power users? Do the admins from the other domain have to make their groups members of anything or can it all be done on our side?

Since you are assigning permissions it should be all on your side, assuming the necessary groups and accounts exist in the other domain.
Adding your domain local groups to the remote desktop users should indeed do the trick here.

If you can see them all in the group on your side, updating the remote desktop users group on the servers should be sufficient for them to log in.


Make the users of the other domain (a member of domain global group) in the other domain and then make that global group a member of your domain local group.
Now add this domain local group to the remote desktop users group and power users.
Add "Authenticated Users" in the "Allow log on to this machine through terminal service" policy on the terminal server.



ARK-DS, bad idea! This would allow the admins in the other domain to freely add/remove users at will...

MouseWare, I would like to know any other way to achieve this where administrators of the other domain are not able to add/remove users at will...


ARK-DS, Wonko_the_Sane had it correct. You would add external domain members to your own domain local group, and assign permissions to that group. This allows you to administer the users, not the external domain.
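
An audit for the membership question debated in this thread, added here as an example and not posted by any participant: it lists the principals from the trusted forest that sit in one of your domain local groups. It assumes the RSAT ActiveDirectory module and is run in the trusting domain; the function name `Get-ForeignGroupMember` and the group name `DL-TS-Users` are hypothetical.

```powershell
# Added example: the function name and the group name are hypothetical placeholders.
Import-Module ActiveDirectory

function Get-ForeignGroupMember {
    param(
        # Domain local group in the trusting (resource) domain
        [Parameter(Mandatory)] [string] $GroupName
    )

    # 'member' holds distinguished names. Principals from the trusted forest
    # appear as foreignSecurityPrincipal objects, named after their SID.
    $group = Get-ADGroup -Identity $GroupName -Properties member

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        if ($obj.ObjectClass -ne 'foreignSecurityPrincipal') { continue }

        $sid = $obj.objectSid
        try {
            # Resolves DOMAIN\name across the trust; fails if the account was
            # deleted or the trusted domain cannot be reached.
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            $account = '<unresolved>'
        }

        [pscustomobject]@{
            Group   = $group.Name
            Sid     = $sid.Value
            Account = $account
        }
    }
}

# Review the foreign principals behind the terminal server access group
Get-ForeignGroupMember -GroupName 'DL-TS-Users' | Format-Table -AutoSize
```

Any row that resolves to a group in the other domain is a membership the other domain's admins maintain; rows that resolve to individual user accounts are the ones you administer from your side.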
