Solved

How To Grant Access To Users In A Trusted External Forest

Posted on 2012-03-13
977 Views
Last Modified: 2012-03-14
I have two Active Directory domains named ONE and TWO in separate external forests that have a two-way trust relationship between them. How can I grant users in TWO access to resources in ONE? For example, how can I enable users in TWO to log on to workstations in ONE? Also, how can I grant users in TWO access to files in a shared folder on a server in ONE?

In case it makes a difference, the domain controllers in ONE are all Windows 2003 R2 and the forest is at functional level Windows Server 2003, while TWO's domain controllers are Windows 2008 R2 and the forest is at functional level Windows Server 2008 R2.

I have tried a lot of different things but nothing seems to work. I have made this sort of thing work before in domains in the same forest, but this is my first experience with external forests. Any help would be greatly appreciated!
0
Question by:jeff1946
3 Comments
 
LVL 18

Expert Comment

by:Andrew Davis
ID: 37718800
You will need to create a trust between the forests; see http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4520ad76-6514-4155-aa12-11b73c7b5bcc/

cheers
Andrew
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37719348
Once the trust relationship is established, you should be able to add users and groups from TWO to file & folder DACLs in ONE just like you would normally. It's easiest (to me) if you specify users/groups in the DOMAIN\UserName format, but you can also get there by setting your search context to Entire Directory when adding.

As for computer logon, you'll need to add the group TWO\Domain Users to the computer local Users group on the ONE domain member computers, assuming that's the level of access you want.
0
 
LVL 1

Author Comment

by:jeff1946
ID: 37719812
AndrewJDavis: Thanks for your reply, but as noted in my original post, there already is a working two-way trust between the forests.

netjgrnaut: Adding TWO's users and groups directly to ONE's file/folder DACLs does indeed provide the desired access permissions. Thank you for that good advice.

However, adding the group TWO\Domain Users to the computer local Users group on the ONE domain member computers has a little complication: the TWO domain does not appear in Computer Management > Local Users and Groups > Users > Users Properties > Add > Select Users, Computers, or Groups > Locations. But on the strength of your advice I tried just manually entering "TWO\Domain Users" in the object names text entry box on the Select panel; when I clicked the "Check names" button the host thought about it for approx 10 seconds but then added the confirming underline and I was good to go. So thank you for that too!

Is the fact that the TWO domain did not appear on the Locations list in the latter case evidence of a problem? (But I do get the TWO domain in similar contexts, such as in the DACL dialog, and I have a number of other indications that the forest-to-forest trust is working properly.) Perhaps it's just because the computer "Local Users and Groups" is a local object, not a domain object...

Thanks again!
0
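The two steps from the accepted solution, plus the name resolution the author triggered with "Check names", scripted for a ONE member computer. This is an added example, not code from anyone in the thread; the group name, the share path and the Modify permission level are assumptions you would replace with your own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the ONE domain member computer. Assumed values: the foreign group name
# (a narrower TWO group is preferable to Domain Users where possible), the
# local path of the shared folder and the permission level granted.
$ForeignGroup = 'TWO\Domain Users'      # group from the trusted forest
$SharePath    = 'D:\Shares\ProjectX'    # assumed local path of the share

# 1. Resolve the foreign principal to its SID. This is what the "Check names"
#    button does; the delay the author saw is the lookup across the trust.
#    If the trust is broken, Translate() throws IdentityNotMappedException,
#    which is a cleaner health check than the Locations list in the dialog.
$nt  = New-Object System.Security.Principal.NTAccount($ForeignGroup)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "$ForeignGroup resolves to $sid"

# 2. Allow interactive logon on this computer by adding the foreign group to
#    the local Users group. net.exe works from Windows 2003 onward;
#    Add-LocalGroupMember exists only on Windows 10 / Server 2016 and later.
& net.exe localgroup Users $ForeignGroup /add

# 3. Grant NTFS permissions on the shared folder: Modify, inherited by
#    subfolders (ContainerInherit) and files (ObjectInherit). This is the
#    same ACE the DACL dialog writes when you add TWO\Domain Users there.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 4. Verify: the ACE should show the foreign domain name (not a raw SID, which
#    would mean the trust lookup failed), and the local group should list it.
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ForeignGroup } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags
& net.exe localgroup Users
```

Share permissions on the folder (the SMB share DACL) are separate from the NTFS DACL set here and still have to allow the group, or Everyone, for the access to work over the network.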
