Solved

How To Grant Access To Users In A Trusted External Forest

Posted on 2012-03-13
1,031 Views
Last Modified: 2012-03-14
I have two Active Directory domains named ONE and TWO in separate external forests that have a two-way trust relationship between them. How can I grant users in TWO access to resources in ONE? For example, how can I enable users in TWO to log on to workstations in ONE? Also, how can I grant users in TWO access to files in a shared folder on a server in ONE?

In case it makes a difference, the domain controllers in ONE are all Windows 2003 R2 and the forest is at functional level Windows Server 2003, while TWO's domain controllers are Windows 2008 R2 and the forest is at functional level Windows Server 2008 R2.

I have tried a lot of different things but nothing seems to work. I have made this sort of thing work before in domains in the same forest, but this is my first experience with external forests. Any help would be greatly appreciated!
0
Question by:jeff1946
3 Comments
 
LVL 19

Expert Comment

by:Andrew Davis
ID: 37718800
You will need to create a trust between the forests; see http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4520ad76-6514-4155-aa12-11b73c7b5bcc/

cheers
Andrew
0
 
LVL 6

Accepted Solution

by:netjgrnaut (earned 2000 total points)
ID: 37719348
Once the trust relationship is established, you should be able to add users and groups from TWO to file & folder DACLs in ONE just like you would normally. It's easiest (to me) if you specify users/groups in the DOMAIN\UserName format, but you can also get there by setting your search context to Entire Directory when adding.

As for computer logon, you'll need to add the group TWO\Domain Users to the computer local Users group on the ONE domain member computers, assuming that's the level of access you want.
0
 
LVL 1

Author Comment

by:jeff1946
ID: 37719812
AndrewJDavis: Thanks for your reply, but as noted in my original post, there already is a working two-way trust between the forests.

netjgrnaut: Adding TWO's users and groups directly to ONE's file/folder DACLs does indeed provide the desired access permissions. Thank you for that good advice.

However, adding the group TWO\Domain Users to the computer local Users group on the ONE domain member computers has a little complication: the TWO domain does not appear in Computer Management > Local Users and Groups > Users > User Properties > Add > Select Users, Computers, or Groups > Locations. But on the strength of your advice I tried just manually entering "TWO\Domain Users" in the object names text entry box on the Select panel; when I clicked the "Check Names" button the host thought about it for approximately 10 seconds but then added the confirming underline and I was good to go. So thank you for that too!

Is the fact that the TWO domain did not appear on the Locations list in the latter case evidence of a problem? (But I do get the TWO domain in similar contexts, such as in the DACL dialog, and I have a number of other indications that the forest-to-forest trust is working properly.) Perhaps it's just because the computer "Local Users and Groups" is a local object, not a domain object....

Thanks again!
0
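The two steps in the accepted answer (add the trusted-forest group to the local Users group, then to the folder DACL) and the author's observation that "Check Names" resolves TWO\Domain Users across the trust even though TWO is missing from the Locations list, as one scripted example. This is added here and is not code from either poster; it assumes an elevated PowerShell 5.1 or later session with the LocalAccounts module on the ONE member computer (the question's 2003 R2 hosts would need the GUI steps instead), and the share path D:\Shared is an assumed placeholder.

```powershell
# Added example, not from the original thread. Assumes PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module, run elevated on a ONE domain member.
$ForeignGroup = 'TWO\Domain Users'
$SharePath    = 'D:\Shared'   # assumed path of the shared folder on the ONE server

# 1. Confirm the trust can resolve the foreign principal to a SID before any ACL
#    is touched. Translate() walks the trust, which is the same lookup the GUI
#    "Check Names" button does (and why it pauses for a few seconds). A failure
#    here points at the trust, DNS or firewall, not at local permissions.
try {
    $sid = ([System.Security.Principal.NTAccount]$ForeignGroup).Translate(
               [System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved $ForeignGroup to $($sid.Value)"
} catch {
    throw "Cannot resolve '$ForeignGroup' through the trust: $($_.Exception.Message)"
}

# 2. Workstation logon: add the foreign group to the local Users group.
#    Check membership first so re-running the script is harmless.
$members = Get-LocalGroupMember -Group 'Users' | Select-Object -ExpandProperty Name
if ($members -notcontains $ForeignGroup) {
    Add-LocalGroupMember -Group 'Users' -Member $ForeignGroup
}

# 3. Shared folder NTFS DACL: grant Modify (not FullControl, so foreign users
#    cannot rewrite the ACL) on the folder, its subfolders and its files.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ForeignGroup,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            'ContainerInherit,ObjectInherit',
            'None',
            'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 4. Review what was actually applied.
Get-LocalGroupMember -Group 'Users'
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ForeignGroup }
```

The NTFS DACL is only half of a share: the SMB share permission must also admit the group (on Server 2012 or later `Grant-SmbShareAccess` does this; on the 2003 R2 servers in the question it is the Share Permissions tab), and effective access is the intersection of the two. Granting the foreign group only the access you mean to give (a specific group rather than Domain Users, Modify rather than FullControl) keeps the blast radius of a compromised account in TWO limited to what that account legitimately needs in ONE.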
