
Solved

cross domain security group lookups/auth

Posted on 2011-02-16
Last Modified: 2012-05-11
I have one forest with 2 domain trees: Domain-A (root, with domain partitions) and Domain-B (a tree in the forest).
I have Universal Security Groups in both domains. I have an application that uses Domain-A security groups and I need to add Domain-B users to those groups. I have done so successfully. However, when you look at the properties of the Domain-B user accounts, you do not see that they are part of a Domain-A security group. You have to look at the properties of the Domain-A group to see that the Domain-B users are part of that group. How can I resolve this? I believe this is a 2-way trust between the domains. Is this by design?
I'm having an issue with Domain-B users logging into this Domain-A based application: the app is unable to auth the user because there are no Domain-B SGs and the app does not look at Domain-A SGs. There are hundreds of SGs in Domain-A that we don't want to re-create in Domain-B, thus we need the app to look up Domain-A SGs. Not sure if this is an issue with the app or with AD? Any ideas?
Question by:DEFclub
Accepted Solution

by: slemmesmi
ID: 34923827
Dear DEFclub,

Yes, this works as designed, even with a 2-way trust between the domains.

The best practice for how to do this is as follows:

1. In Domain B (where the users reside), create a group (scope "Global"), e.g. naming that group "GroupInBMemberOfGroupInAForAppXYZ" (of course you can name it as you like, but it is worthwhile here to clearly indicate that it is a group in Domain B, to be a member of the group in Domain A, for the application or purpose).

2. Add the desired users in Domain B to the group created in step '1'.

3. In Domain A, add the group created in step '1' to the security groups used by the application.

This way you have achieved the following:
Through '1' and '2', you can, at the Domain B level, control who eventually will become (through inheritance) members of the "application groups" in Domain A.

Kind regards,
Soren
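The three steps above as a PowerShell script, added here as an example; it is not code from the thread or from Soren's post. It assumes the RSAT ActiveDirectory module, an account allowed to create groups in Domain B and edit the application groups in Domain A, and hypothetical names throughout: corp.example for Domain-A, domainb.corp.example for Domain-B, sample users alice and bob, and application groups AppXYZ-Users and AppXYZ-Admins. The two checks at the end show the point the question raised: the nesting is visible when you ask a Domain-A DC, not when you read the user's own memberOf attribute in Domain-B.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and an account that can create groups in Domain-B and edit the
# application groups in Domain-A. All names below are hypothetical.
Import-Module ActiveDirectory

$domainA   = 'corp.example'                      # assumption: forest root (Domain-A) DNS name
$domainB   = 'domainb.corp.example'              # assumption: Domain-B DNS name
$bGroup    = 'GroupInBMemberOfGroupInAForAppXYZ' # name suggested in the accepted answer
$bUsers    = @('alice', 'bob')                   # constructed sample Domain-B sAMAccountNames
$appGroups = @('AppXYZ-Users', 'AppXYZ-Admins')  # hypothetical Universal groups in Domain-A

# Step 1: a Global security group in Domain-B (idempotent: reuse it if it already exists).
$g = Get-ADGroup -Server $domainB -Filter "Name -eq '$bGroup'"
if (-not $g) {
    $g = New-ADGroup -Server $domainB -Name $bGroup -GroupScope Global `
                     -GroupCategory Security -PassThru
}

# Step 2: put the Domain-B users into that group (write goes to a Domain-B DC).
Add-ADGroupMember -Server $domainB -Identity $g -Members $bUsers

# Step 3: nest the Domain-B group into each application group in Domain-A.
# The write goes to a Domain-A DC; passing the ADGroup object (which carries the
# Domain-B DN and SID) lets that DC resolve the foreign member through the GC.
foreach ($name in $appGroups) {
    Add-ADGroupMember -Server $domainA -Identity $name -Members $g
}

# Check 1: expand the Domain-A group recursively. alice and bob are listed here
# even though their own memberOf attribute in Domain-B never shows the Domain-A
# group (memberOf is a back-link maintained per domain partition).
foreach ($name in $appGroups) {
    Get-ADGroupMember -Server $domainA -Identity $name -Recursive |
        Select-Object @{ n = 'Group'; e = { $name } }, SamAccountName, distinguishedName
}

# Check 2: from the user's side, ask a Domain-A DC which Domain-A groups the
# Domain-B user belongs to (resource context = Domain-A partition).
Get-ADPrincipalGroupMembership -Server $domainB -Identity 'alice' `
    -ResourceContextServer $domainA -ResourceContextPartition 'DC=corp,DC=example' |
    Select-Object Name, GroupScope, distinguishedName
```

The same rule applies to the application: if it resolves a user's groups by reading memberOf from a Domain-B DC, it will never see the Domain-A groups. It needs to evaluate membership against a Domain-A DC or a Global Catalog, or rely on the groups in the user's logon token, which already includes Universal groups from the whole forest.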
 

Author Closing Comment

by:DEFclub
ID: 34981862
Thanks.
