Solved

cross domain security group lookups/auth

Posted on 2011-02-16
2
488 Views
Last Modified: 2012-05-11
I have one forest with 2 domain trees. Domain-A (root w/ domain partitions) and  Domain-B (tree in the forest).
I have Universal Security Groups in both domains. I have an application that use Domain-A security Groups and I need to add Domain-B users to those group. I have done so successfully. However, when you look at the properties of the Domain-B users accounts, you do not see that it is a part of Domain-A security group. You have to look at the properties of the Domain-A group to see that the Domain-B users is a part of that group.  -How can I resolve this?  I believe this is a 2 way trust between domains. Is this by design?
Im having an issues with Domain-B users logging into this Domain-A based application and the app is unable to auth the user because there are no Domain-B SG’s and the app does not look at Domain-A SG’s. There are hundreds of the SG’s in domain-A that we don’t want to re-create in domain-B, thus we need the app to look up domain-A SG’s… -Not sure if this is an issue with the app or AD? Any ideas?
0
Comment
Question by:DEFclub
2 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 500 total points
ID: 34923827
Dear DEFclub,

yes this works as designed, even with a 2 way trust between the domains.

The best practice for how to do this is as follows:

1. In Domain B (where the users reside), create a group (scope "Global"), e.g. naming that group "GroupInBMemberOfGroupInAForAppXYZ" (of course you can name it as you like, but worth here is to clearly indicate that it is a group in Domain B, to be member of the group in Domain A for the application or purpose).

2. Add the desired users in Domain B, to the group created in step '1'.

3. In Domain A, add the group created in step '1', to the security groups used by the application.

This way you have achived:
Through '1' and '2', you can on Domain B level, control who eventually will become (through inheritance) members of the "application groups" in Domain A.

Kind regards,
Soren
0
 

Author Closing Comment

by:DEFclub
ID: 34981862
thxs
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
LDAP and ADFS 1 23
Trasfering FSMO roles 8 76
PCI scan - CIFS NULL Session Permitted 10 34
ACTIVE DIRECTORY 3 27
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now