Solved

cross domain security group lookups/auth

Posted on 2011-02-16
2
496 Views
Last Modified: 2012-05-11
I have one forest with 2 domain trees. Domain-A (root w/ domain partitions) and  Domain-B (tree in the forest).
I have Universal Security Groups in both domains. I have an application that use Domain-A security Groups and I need to add Domain-B users to those group. I have done so successfully. However, when you look at the properties of the Domain-B users accounts, you do not see that it is a part of Domain-A security group. You have to look at the properties of the Domain-A group to see that the Domain-B users is a part of that group.  -How can I resolve this?  I believe this is a 2 way trust between domains. Is this by design?
Im having an issues with Domain-B users logging into this Domain-A based application and the app is unable to auth the user because there are no Domain-B SG’s and the app does not look at Domain-A SG’s. There are hundreds of the SG’s in domain-A that we don’t want to re-create in domain-B, thus we need the app to look up domain-A SG’s… -Not sure if this is an issue with the app or AD? Any ideas?
0
Comment
Question by:DEFclub
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 500 total points
ID: 34923827
Dear DEFclub,

yes this works as designed, even with a 2 way trust between the domains.

The best practice for how to do this is as follows:

1. In Domain B (where the users reside), create a group (scope "Global"), e.g. naming that group "GroupInBMemberOfGroupInAForAppXYZ" (of course you can name it as you like, but worth here is to clearly indicate that it is a group in Domain B, to be member of the group in Domain A for the application or purpose).

2. Add the desired users in Domain B, to the group created in step '1'.

3. In Domain A, add the group created in step '1', to the security groups used by the application.

This way you have achived:
Through '1' and '2', you can on Domain B level, control who eventually will become (through inheritance) members of the "application groups" in Domain A.

Kind regards,
Soren
0
 

Author Closing Comment

by:DEFclub
ID: 34981862
thxs
0

Featured Post

IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Make the most of your online learning experience.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question