How To Grant Access To Users In A Trusted External Forest

Posted on 2012-03-13
Last Modified: 2012-03-14
I have two Active Directory domains named ONE and TWO in separate external forests that have a two-way trust relationship between them. How can I grant users in TWO access to resources in ONE? For example, how can I enable users in TWO to logon to workstations in ONE? Also, how can I grant users in TWO access to files in a shared folder on a server in ONE?

In case it makes a difference, the domain controllers in ONE are all Windows 2003 R2 and the forest is at functional level Windows Server 2003, while TWO's domain controllers are Windows 2008 R2 and the forest is at functional level Windows Server 2008 R2.

I have tried a lot of different things but nothing seems to work. I have made this sort of thing work before in domains in the same forest, but this is my first experience with external forests. Any help would be greatly appreciated!
Question by:jeff1946
3 Comments
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 37718800
You will need to create a trust between the forests; see http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4520ad76-6514-4155-aa12-11b73c7b5bcc/

cheers
Andrew

Accepted Solution

by: netjgrnaut (earned 500 total points)
ID: 37719348
Once the trust relationship is established, you should be able to add users and groups from TWO to file & folder DACLs in ONE just like you would normally. It's easiest (to me) if you specify users/groups in the DOMAIN\UserName format, but you can also get there by setting your search context to Entire Directory when adding.

As for computer logon, you'll need to add the group TWO\Domain Users to the computer local Users group on the ONE domain member computers, assuming that's the level of access you want.

Author Comment

by:jeff1946
ID: 37719812
AndrewJDavis: Thanks for your reply, but as noted in my original post, there already is a working two-way trust between the forests.

netjgrnaut: Adding TWO's users and groups directly to ONE's file/folder DACLs does indeed provide the desired access permissions. Thank you for that good advice.

However, adding the group TWO\Domain Users to the computer local Users group on the ONE domain member computers has a little complication: the TWO domain does not appear in Computer Management > Local Users and Groups > Users > Users Properties > Add > Select Users, Computers, or Groups > Locations. But on the strength of your advice I tried just manually entering "TWO\Domain Users" in the object names text entry box on the Select panel; when I clicked the "Check names" button the host thought about it for approx 10 seconds but then added the confirming underline and I was good to go. So thank you for that too!

Is the fact that the TWO domain did not appear on the Locations list in the latter case evidence of a problem? (But I do get the TWO domain in similar contexts, such as in the DACL dialog, and I have a number of other indications that the forest-to-forest trust is working properly.) Perhaps it's just because the computer "Local Users and Groups" is a local object, not a domain object....

Thanks again!
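The two steps in the accepted solution (a TWO group on a ONE folder DACL, and TWO\Domain Users in the local Users group), plus a scripted equivalent of the "Check names" button from the author's follow-up, as an added PowerShell example. This is not code from the thread or from either poster; the folder path `D:\Shares\Projects` and the group `TWO\Projects-Readers` are assumptions, and the script is meant to be run elevated on the ONE-side server or workstation.

```powershell
# Added example, not from the thread. Grants a group from trusted forest TWO
# access to a shared folder on a ONE member server, and adds TWO\Domain Users
# to the local Users group so those accounts can log on interactively.
# Run elevated on the ONE-side host. Path and group names are assumptions.

$Folder       = 'D:\Shares\Projects'    # assumed share folder on the ONE server
$ForeignGroup = 'TWO\Projects-Readers'  # assumed group in TWO, in the DOMAIN\Name form the answer suggests
$LogonGroup   = 'TWO\Domain Users'      # as in the accepted solution

# 1. Scripted "Check names": resolve the foreign principal to a SID across the
#    trust. A failure here points at the trust or name lookup, not at the ACL step.
function Resolve-TrustedPrincipal {
    param([Parameter(Mandatory)][string]$Account)
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        Write-Host "$Account resolved to $($sid.Value)"
        return $sid
    } catch {
        throw "Could not resolve '$Account' across the trust: $($_.Exception.Message)"
    }
}

$groupSid = Resolve-TrustedPrincipal -Account $ForeignGroup
$null     = Resolve-TrustedPrincipal -Account $LogonGroup

# 2. Add the foreign group to the folder DACL. Passing the SID object rather than
#    the name avoids a second cross-forest lookup and records exactly what was granted.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupSid,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Interactive logon: add TWO\Domain Users to the local Users group.
#    Add-LocalGroupMember exists on Windows 10 / Server 2016 and later; older
#    hosts such as the 2003 R2 members in the question fall back to net.exe,
#    which accepts the same DOMAIN\Name form.
if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
    Add-LocalGroupMember -Group 'Users' -Member $LogonGroup
} else {
    net localgroup Users "$LogonGroup" /add
}

# 4. Review what the DACL now grants to TWO principals.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -like 'TWO\*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

The SID translation in step 1 does the same cross-trust lookup the "Check names" button performs, so it is a quick way to confirm the trust resolves TWO names from a ONE host regardless of what the Locations list shows. Granting file access to a purpose-specific group in TWO rather than to Domain Users keeps the set of accounts that cross the trust small and easy to audit; use Domain Users only where, as the answer puts it, that is the level of access you actually want.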