Solved

cross domain security group lookups/auth

Posted on 2011-02-16
2
493 Views
Last Modified: 2012-05-11
I have one forest with 2 domain trees. Domain-A (root w/ domain partitions) and  Domain-B (tree in the forest).
I have Universal Security Groups in both domains. I have an application that use Domain-A security Groups and I need to add Domain-B users to those group. I have done so successfully. However, when you look at the properties of the Domain-B users accounts, you do not see that it is a part of Domain-A security group. You have to look at the properties of the Domain-A group to see that the Domain-B users is a part of that group.  -How can I resolve this?  I believe this is a 2 way trust between domains. Is this by design?
Im having an issues with Domain-B users logging into this Domain-A based application and the app is unable to auth the user because there are no Domain-B SG’s and the app does not look at Domain-A SG’s. There are hundreds of the SG’s in domain-A that we don’t want to re-create in domain-B, thus we need the app to look up domain-A SG’s… -Not sure if this is an issue with the app or AD? Any ideas?
0
Comment
Question by:DEFclub
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 500 total points
ID: 34923827
Dear DEFclub,

yes this works as designed, even with a 2 way trust between the domains.

The best practice for how to do this is as follows:

1. In Domain B (where the users reside), create a group (scope "Global"), e.g. naming that group "GroupInBMemberOfGroupInAForAppXYZ" (of course you can name it as you like, but worth here is to clearly indicate that it is a group in Domain B, to be member of the group in Domain A for the application or purpose).

2. Add the desired users in Domain B, to the group created in step '1'.

3. In Domain A, add the group created in step '1', to the security groups used by the application.

This way you have achived:
Through '1' and '2', you can on Domain B level, control who eventually will become (through inheritance) members of the "application groups" in Domain A.

Kind regards,
Soren
0
 

Author Closing Comment

by:DEFclub
ID: 34981862
thxs
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question