  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 502

cross domain security group lookups/auth

I have one forest with 2 domain trees: Domain-A (root w/ domain partitions) and Domain-B (tree in the forest).
I have Universal Security Groups in both domains. I have an application that uses Domain-A security groups and I need to add Domain-B users to those groups. I have done so successfully. However, when you look at the properties of the Domain-B user accounts, you do not see that they are part of the Domain-A security group. You have to look at the properties of the Domain-A group to see that the Domain-B users are part of that group. How can I resolve this? I believe this is a 2-way trust between domains. Is this by design?
I'm having an issue with Domain-B users logging into this Domain-A based application and the app is unable to auth the user because there are no Domain-B SGs and the app does not look at Domain-A SGs. There are hundreds of SGs in Domain-A that we don't want to re-create in Domain-B, thus we need the app to look up Domain-A SGs. Not sure if this is an issue with the app or AD. Any ideas?
0
DEFclub
1 Solution
 
slemmesmi Commented:
Dear DEFclub,

Yes, this works as designed, even with a 2-way trust between the domains.

The best practice for how to do this is as follows:

1. In Domain B (where the users reside), create a group (scope "Global"), e.g. naming that group "GroupInBMemberOfGroupInAForAppXYZ" (of course you can name it as you like, but it is worthwhile here to clearly indicate that it is a group in Domain B, to be a member of the group in Domain A for the application or purpose).

2. Add the desired users in Domain B, to the group created in step '1'.

3. In Domain A, add the group created in step '1', to the security groups used by the application.

This way you have achieved:
Through '1' and '2', you can control at the Domain B level who will eventually become (through inheritance) members of the "application groups" in Domain A.

Kind regards,
Soren
0
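Steps 1 to 3 of the answer above as a PowerShell script, added here as an example and not part of the original thread. It assumes the ActiveDirectory module (RSAT) and rights in both domains; the domain DNS names, OU path, user names and application group name are placeholders.

```powershell
Import-Module ActiveDirectory

# Placeholder values (assumptions, not taken from the thread)
$DomainA    = 'domain-a.example'                     # DNS name of Domain-A
$DomainB    = 'domain-b.example'                     # DNS name of Domain-B
$BridgeName = 'GroupInBMemberOfGroupInAForAppXYZ'    # name suggested in the answer
$BridgeOU   = 'OU=Groups,DC=domain-b,DC=example'     # where the new group is created
$UsersInB   = @('user1', 'user2')                    # sAMAccountNames in Domain-B
$AppGroups  = @('AppXYZ-Users')                      # Domain-A groups the app checks

# Step 1: create the Global security group in Domain-B, unless it already exists
$bridge = Get-ADGroup -Filter "Name -eq '$BridgeName'" -Server $DomainB -Properties member
if (-not $bridge) {
    $bridge = New-ADGroup -Name $BridgeName -SamAccountName $BridgeName `
        -GroupScope Global -GroupCategory Security -Path $BridgeOU `
        -Description 'Domain-B members of Domain-A groups for AppXYZ' `
        -Server $DomainB -PassThru
}

# Step 2: add the Domain-B users that are not already members
$toAdd = $UsersInB |
    ForEach-Object { Get-ADUser -Identity $_ -Server $DomainB } |
    Where-Object { $bridge.member -notcontains $_.DistinguishedName }
if ($toAdd) {
    Add-ADGroupMember -Identity $bridge -Members $toAdd -Server $DomainB
}

# Step 3: nest the Domain-B group in each Domain-A application group, then verify
foreach ($name in $AppGroups) {
    $app = Get-ADGroup -Identity $name -Server $DomainA -Properties member
    if ($app.member -notcontains $bridge.DistinguishedName) {
        # Pass the group object itself so the cross-domain member resolves correctly
        Add-ADGroupMember -Identity $app -Members $bridge -Server $DomainA
    }
    $app = Get-ADGroup -Identity $name -Server $DomainA -Properties member
    [pscustomobject]@{
        AppGroup       = $app.Name
        Scope          = $app.GroupScope
        BridgeIsMember = $app.member -contains $bridge.DistinguishedName
    }
}
```

Users pick up the nested membership at their next logon, so have a test user sign out and back in before retesting the application.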
 
DEFclub (Author) Commented:
thxs
0
