Solved

How To Grant Access To Users In A Trusted External Forest

Posted on 2012-03-13
940 Views
Last Modified: 2012-03-14
I have two Active Directory domains named ONE and TWO in separate external forests that have a two-way trust relationship between them. How can I grant users in TWO access to resources in ONE? For example, how can I enable users in TWO to logon to workstations in ONE? Also, how can I grant users in TWO access to files in a shared folder on a server in ONE?

In case it makes a difference, the domain controllers in ONE are all Windows 2003 R2 and the forest is at functional level Windows Server 2003, while TWO's domain controllers are Windows 2008 R2 and the forest is at functional level Windows Server 2008 R2.

I have tried a lot of different things but nothing seems to work. I have made this sort of thing work before in domains in the same forest, but this is my first experience with external forests. Any help would be greatly appreciated!
Question by:jeff1946
3 Comments
 
LVL 18

Expert Comment

by:Andrew Davis
You will need to create a trust between the forests; see http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4520ad76-6514-4155-aa12-11b73c7b5bcc/

Cheers,
Andrew
 
LVL 6

Accepted Solution

by: netjgrnaut (earned 500 total points)
Once the trust relationship is established, you should be able to add users and groups from TWO to file & folder DACLs in ONE just like you would normally. It's easiest (to me) if you specify users/groups in the DOMAIN\UserName format, but you can also get there by setting your search context to Entire Directory when adding.

As for computer logon, you'll need to add the group TWO\Domain Users to the computer local Users group on the ONE domain member computers, assuming that's the level of access you want.
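The two steps in the accepted answer (grant a foreign group on an NTFS DACL in the DOMAIN\Name form, then add it to the local Users group for workstation logon), written out as an added PowerShell example. This is not code from the thread; it assumes a ONE member server with a folder D:\Shares\Projects and a hypothetical global group TWO\Project-Users in the trusted forest, and it is run from an elevated PowerShell prompt on the ONE machine. It first checks that the trust can resolve the foreign name to a SID, because that lookup is what fails when the trust, DNS or DC-to-DC connectivity is broken, and no ACL change will help in that case.

```powershell
# Added example, not from the original thread.
# Assumptions: ONE member server, folder D:\Shares\Projects, trusted external
# forest TWO, hypothetical group TWO\Project-Users. Run elevated on the ONE host.

$Principal = 'TWO\Project-Users'   # DOMAIN\Name form, as the answer recommends
$Folder    = 'D:\Shares\Projects'

# 1. Confirm the trust resolves the foreign principal to a SID before touching
#    any ACL. If Translate() throws, the problem is the trust / DNS / RPC path
#    between the two forests, not the permissions.
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
           [System.Security.Principal.SecurityIdentifier])
Write-Host "$Principal resolves to $($sid.Value)"

# 2. Grant Modify on the folder, inherited by subfolders and files (NTFS DACL).
#    Share-level permissions on the share that exposes this folder must also
#    allow the group; the more restrictive of share and NTFS wins.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Principal,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
             [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Show the resulting ACE(s) for that principal so the change can be verified.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType

# 4. Workstation logon: add the foreign group to the computer's local Users group.
#    'net localgroup' works on Windows 2003 R2 through current releases;
#    Add-LocalGroupMember only exists in PowerShell 5.1 and later.
net localgroup Users $Principal /add

# 5. Verify the membership took effect.
net localgroup Users
```

Two points worth keeping in mind when doing this across an external (forest-to-forest) trust rather than within a forest: the trust is created with SID filtering (quarantine) enabled by default, so only SIDs from the trusted domain itself are honoured and SID history does not carry over; and the usual practice is to put the TWO users or global groups into a Domain Local group in ONE and grant that group on the DACL, so the ACE on the file server stays stable even if the foreign group membership changes.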
 
LVL 1

Author Comment

by:jeff1946
AndrewJDavis: Thanks for your reply, but as noted in my original post, there already is a working two-way trust between the forests.

netjgrnaut: Adding TWO's users and groups directly to ONE's file/folder DACLs does indeed provide the desired access permissions. Thank you for that good advice.

However, adding the group TWO\Domain Users to the computer local Users group on the ONE domain member computers has a little complication: the TWO domain does not appear in Computer Management > Local Users and Groups > Users > Users Properties > Add > Select Users, Computers, or Groups > Locations. But on the strength of your advice I tried just manually entering "TWO\Domain Users" in the object names text entry box on the Select panel; when I clicked the "Check names" button the host thought about it for approx 10 seconds but then added the confirming underline and I was good to go. So thank you for that too!

Is the fact that the TWO domain did not appear on the Locations list in the latter case evidence of a problem? (But I do get the TWO domain in similar contexts, such as in the DACL dialog, and I have a number of other indications that the forest-to-forest trust is working properly.) Perhaps it's just because the computer "Local Users and Groups" is a local object, not a domain object....

Thanks again!
