Solved

Logging on to a trusted domain

Posted on 2011-03-10
26
348 Views
Last Modified: 2012-05-11
I have 4 domains that I want to set up with a full trust. Do I need to create a user ID in each separate domain for me to log into those domains, or will my login credentials be shared between the trusted domains from the one domain I have credentials on?
0
Question by:raffie613
26 Comments
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35099865
In order to set up a two-way trust you should have an account in each of those domains as "Domain Admins".
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35099883
After the trust has been established you can log on to a trusted domain's resource (i.e. workstation, etc.) if the account you are using has the right to log on. Note that trust does not mean "rights". Rights still need to be manually granted on whichever resource with the trusted credential.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35099901
Credentials are not shared. Trusts merely provide a way for a resource to be ACL'd with trusted account(s).
0
 

Author Comment

by:raffie613
ID: 35099979
Oh, so if domain A and domain B were in a full trust relationship and I am a user with credentials at domain A, can I log on while on site at domain B's location?
thanks.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35100115
On a workstation in Domain B with the credentials of Domain A? Yes, if the Domain A credentials have been added to the local Users, Administrators, Power Users, etc. groups on that Domain B workstation.
0
 

Author Comment

by:raffie613
ID: 35100658
So I just go to Users under Control Panel on a workstation in domain B, and when I add a new user, it will have the user list from domain A in the drop-down for me to add them to that machine?
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35110674
Sorry for a late reply. No you do not need to create a user account in the trusted domain in order for you to be able to log on to it.

Go to the trusted workstation's local Administrators group from "Local Users and Groups", i.e. Computer Management, and add the Domain A user to that group.

What is your end goal here?
0
 

Author Comment

by:raffie613
ID: 35111365
Precisely that. To have certain users from Domain A be able to log in while on site visiting at Domain B without having to create new user logins for them in Domain B.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35112218
That will do then.
0
 

Author Comment

by:raffie613
ID: 35155855
RickSheikh:
What if I am using a laptop with XP Pro which is from domain A? How do I log on while I am visiting at domain B?
thanks
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35157114
Laptop as in not connected to either network, i.e. domain A or B?

Then the cached profiles work exactly as they do for all Domain A users while in Domain A.

If the Domain A user's account (as discussed above) is part of the local Administrators group (or any built-in group that allows logon privileges, i.e. Power Users) on a computer in domain B, and that user from domain A had once logged on to this laptop (while the laptop was on the network in domain B), then the profile/credential will be cached.

http://support.microsoft.com/kb/172931
0
 

Author Comment

by:raffie613
ID: 35159529
No, the laptop belongs to domain A. I need him to be able to log on while being on site at domain B.

So as long as I add local user rights to the laptop for domain B, he can do it?

0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35159555
Are these two domains by any chance from the same parent (forest)?
0
 

Author Comment

by:raffie613
ID: 35167386
No, different parent domains. I established a two-way trust between them. When I try to share a resource to the trusted domain's group users, it is not seeing it. I do see the trusted domain in the shared folder's Properties > Security > Add > Locations, but when I type in a user's name it can't find it.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35167462
You are probably running into the group nesting restrictions across a trust. For instance, a Global group will not accept users from a trusted domain. Domain Local will. For all restrictions see my post:

http://www.shariqsheikh.com/blog/index.php/200909/group-nesting-reference-chart/
0
 

Author Comment

by:raffie613
ID: 35168316
OK, so how do I get around it to allow users from one domain to log onto and access resources on the trusted domain?
thanks.
0
 
LVL 11

Accepted Solution

by:RickSheikh (earned 500 total points)
ID: 35168390
To follow the nesting restrictions, use a "Domain Local" group to nest trusted users in it. Your question did deviate a bit. All along we had been talking about how a trusted user can log on to a trusted workstation, but now we are talking about resource access (such as a "share"). Pretty much the same rules apply, but the key thing to note here is that a local admin group on a workstation will accept a trusted user but an AD Global Group would.

Sorry I am kind of lost with your end goal.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35168394
* the key thing to note here is that a local admin group on a workstation will accept a trusted user but an AD Global Group would NOT.
0
 

Author Comment

by:raffie613
ID: 35182315
My end goal is just to have a user who belongs to Domain A be able to log on using his laptop, which runs XP, while visiting on site at domain B.

Do I create a "Domain local" group on a DC or on the user's laptop?

If on a DC, which domain do I create the "Domain Local" group on, A or B?
Thanks.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35182378
Yes, you can create a "domain local" security group in Domain A (add users to it), and take that group and nest it into the Domain B workstation's local Administrators group.
0
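As an added example (not code from this thread or from the expert's blog), the script below carries the nesting rules from the accepted solution through in PowerShell for both scenarios discussed: granting a visiting Domain A user access to a share in Domain B, and letting that user log on to a Domain B workstation. It places the Domain Local group in the resource domain (Domain B), since a domain local group is only evaluated for resources in the domain where it is defined, and it checks the group scope before adding members because a Global group rejects trusted-domain principals. All names are assumed: domains DOMAINA (domaina.local) and DOMAINB (domainb.local), user DOMAINA\jdoe, group DomainA-Visitors-DL, folder D:\Projects, and the OU path.

```powershell
# Added example, not from the thread. Assumed names: resource domain DOMAINB
# (domainb.local), account domain DOMAINA (domaina.local), visiting user
# DOMAINA\jdoe, group DomainA-Visitors-DL, share folder D:\Projects.

# --- Part 1: on a Domain B DC or RSAT station (ActiveDirectory module) ---
Import-Module ActiveDirectory

$groupName = 'DomainA-Visitors-DL'
$ou        = 'OU=Groups,DC=domainb,DC=local'   # assumed OU

# Domain Local is the only AD group scope that may contain security
# principals from a trusted external domain.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# Guard against the nesting restriction the thread ran into: a Global
# group will not accept a member from the trusted domain.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'DomainLocal') {
    throw "$groupName has scope $($group.GroupScope); trusted-domain members need a Domain Local group."
}

# Resolve the trusted user against a Domain A DC, then add it. This is the
# lookup that fails ("can't find it") when name resolution or the trust path
# to Domain A is broken, so stop here rather than continue on an error.
$visitor = Get-ADUser -Identity 'jdoe' -Server 'domaina.local' -ErrorAction Stop
Add-ADGroupMember -Identity $groupName -Members $visitor

# --- Part 2: on the Domain B file server, grant the group on the NTFS ACL ---
$folder = 'D:\Projects'
$acl    = Get-Acl -Path $folder
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "DOMAINB\$groupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# --- Part 3: on the Domain B workstation, allow the visitors to log on ---
# Workstation local groups accept trusted-domain principals directly. Use the
# local 'Users' group for interactive logon; reserve 'Administrators' for
# visitors who actually need admin rights on that machine.
Add-LocalGroupMember -Group 'Users' -Member "DOMAINB\$groupName"
# Pre-Windows 10 equivalent (e.g. the XP clients mentioned in the thread):
#   net localgroup Users "DOMAINB\DomainA-Visitors-DL" /add

# Verify the nesting took effect.
Get-LocalGroupMember -Group 'Users' | Where-Object Name -eq "DOMAINB\$groupName"
```

Add-LocalGroupMember and Get-LocalGroupMember ship with Windows 10 / Server 2016 and later; the commented net localgroup line is the equivalent on older clients. Part 1 needs the Domain A DC reachable from the Domain B side, which is also the first thing to check when the Security tab cannot find a trusted user.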
 

Author Comment

by:raffie613
ID: 35182619
OK, but my user is a member of Domain A with his laptop belonging to domain A as well. So how do I do the nesting to get him to be able to log on with his laptop while visiting at Domain B?
sorry for the confusion..
thanks..
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35182761
So this is your third scenario and, if I understand correctly, nothing is required.

If a user from domain A logs on to a domain A workstation while visiting a location (such as Domain B's) where Domain A's DCs don't exist, then the logons will be facilitated via the trust with Domain A's DC.

0
 

Author Comment

by:raffie613
ID: 35183092
That has been my question all along. Sorry for the confusion.
I am testing it, and I am unable to log in while at Domain B, using my user credentials from Domain A on the laptop.
0
 

Author Comment

by:raffie613
ID: 35190950
RickSheikh:
Any ideas why I am not able to log on to domain B with my XP laptop that belongs to domain A? The domains are trusted two ways.
thanks.
0
 

Author Comment

by:raffie613
ID: 35445667
How do I do the nesting process again? It seems your instructions were deleted from here.
0
 

Author Comment

by:raffie613
ID: 35896055
RickSheikh:
Why is nesting needed when, during the trust process, one of the options it asks is to automatically allow users from the trusted domain to have access to all resources on this domain?
Thanks again.
0
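The thread leaves two points open: why the Domain A laptop cannot log on from Domain B's network, and what the trust wizard's "allow authentication for all resources" option actually changes. As an added example (not from the thread), the checks below gather the facts a practitioner would want before changing anything: whether the visiting laptop can locate a Domain A DC from where it sits, whether the trust's secure channel is healthy, whether the trust uses domain-wide or selective authentication, and whether cached logons are enabled on the laptop. Domain names DOMAINA / domaina.local and DOMAINB are assumed.

```powershell
# Added example, not from the thread. Assumed names: DOMAINA (domaina.local)
# is the laptop's and user's domain, DOMAINB is the site being visited.

# --- Run on the visiting Domain A laptop while on Domain B's network ---

# Domain logon needs a reachable DC of the account's own domain (or cached
# credentials). If the DC locator fails here, the trust is irrelevant.
nltest /dsgetdc:DOMAINA
nltest /sc_query:DOMAINA      # state of this machine's secure channel to Domain A

# DNS is usually the culprit: the laptop must resolve Domain A's DC SRV
# records from Domain B's network (conditional forwarders or stub zones).
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.domaina.local' -Type SRV

# Cached logons: a non-zero CachedLogonsCount lets a Domain A user who has
# logged on before sign in with no DC reachable at all.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name 'CachedLogonsCount'

# --- Run on a Domain B DC or RSAT station (ActiveDirectory module) ---
Import-Module ActiveDirectory

# SelectiveAuthentication = False is the wizard's domain-wide choice
# ("allow authentication for all resources"): trusted users authenticate to
# any Domain B resource and are then subject only to that resource's ACL.
# True means each resource additionally needs an explicit
# "Allowed to Authenticate" grant for the trusted users.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication

nltest /trusted_domains        # trusts as seen from this DC
nltest /sc_verify:DOMAINA      # validate and, if needed, reset the trust secure channel
```

The authentication level setting only decides whether trusted users may authenticate to Domain B resources; it never grants access by itself, which is why the share still needs the group from the accepted solution on its ACL. Collecting the first section's output from the laptop while it is actually at Domain B is the quickest way to tell a reachability problem from a permission problem.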
