Solved

user permissions in domain trusts

Posted on 2014-09-19
241 Views
Last Modified: 2014-11-21
I have a domain trust in my environment and I want to add a user from domain-B to a shared folder on a server in domain-A.  As a test, I added domain-b\user to the shared folder of dc2.domain-A.local which is a DC server.  No problems there.  Active Directory appears to be working.  

However, if I go to a non-DC server, then I cannot add the trusted domain-B user to my domain-A server folders.  Users from domain-B won't even populate the add user window when I try to find users.  

What am I missing?

Mike
Question by:GabicusC
5 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40334438
Have you tried using groups? Put domain-B\user into domain-A\domain_local_group, and then assign permissions to domain-A\domain_local_group. The user may need to log out after you make the group membership change.
0
 
LVL 12

Expert Comment

by:zalazar
ID: 40334451
When on the Security tab and in Add... mode (Select Users, Computers, Service Accounts, or Groups), did you click on the button named "Locations..."?
It's necessary to select Domain-B there and press OK.
After that, type the user's name and click on "Check Names" and the lookup should be possible.

When working with AD groups in Domain-A of which users of Domain-B should be members, the group type should be "Domain local/Security".
0
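The group-based method that kevinhsieh and zalazar describe (a Domain Local security group in Domain-A holding the Domain-B user, with the NTFS permission granted to the group), as an added PowerShell example that is not part of the original thread. The domain names domain-A.local and domain-B.local, the group name, the folder path and the user name are assumptions; it is meant to run on a Domain-A machine with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from the thread. Implements "Method #1": a Domain Local
# security group in Domain-A that contains a Domain-B user, with the folder
# permission granted to the group. All names below are assumptions.
Import-Module ActiveDirectory

$TrustingDomain = 'domain-A.local'          # domain that owns the file server
$TrustedDomain  = 'domain-B.local'          # domain that owns the user
$GroupName      = 'FS-Projects-Modify'      # assumed group name
$FolderPath     = 'D:\Shares\Projects'      # assumed folder on the member server
$TrustedUser    = 'bob'                     # assumed Domain-B sAMAccountName

# 1. Confirm a trust with Domain-B exists and note its direction. For Domain-B
#    users to receive access in Domain-A, Domain-A must trust Domain-B
#    (Direction Inbound or BiDirectional when queried from Domain-A).
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Server $TrustingDomain
if (-not $trust) { throw "No trust with $TrustedDomain found in $TrustingDomain" }
"Trust $($trust.Name): direction=$($trust.Direction) forestTransitive=$($trust.ForestTransitive)"

# 2. Create the group as Domain Local + Security. Only the Domain Local scope
#    can hold principals from a trusted domain; Global groups cannot.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $TrustingDomain
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal `
                 -GroupCategory Security -Server $TrustingDomain -PassThru
}

# 3. Look the user up against a Domain-B DC (what "Locations..." + "Check Names"
#    do in the GUI) and add it to the Domain-A group. Domain-A stores the
#    member as a foreign security principal (CN=ForeignSecurityPrincipals).
$user = Get-ADUser -Identity $TrustedUser -Server $TrustedDomain
Add-ADGroupMember -Identity $group -Members $user -Server $TrustingDomain

# 4. Grant the group, not the user, Modify on the folder, inherited downward.
$netbios = (Get-ADDomain -Server $TrustingDomain).NetBIOSName
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList "$netbios\$GroupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 5. Verify what Domain-A actually stored and which ACE ended up on the folder.
#    Group membership is evaluated at logon, so a user who is already logged on
#    must log off and on again before the new ACE applies to them.
Get-ADGroupMember -Identity $group -Server $TrustingDomain | Select-Object Name, objectClass
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbios\$GroupName" }
```

Step 3 is where the Domain-A side still has to talk to a Domain-B DC: the lookup of the Domain-B account happens against Domain-B, which is why selecting Domain-B under "Locations..." is required and why the machine performing the lookup needs a path to that domain's controllers.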
 

Author Comment

by:GabicusC
ID: 40372086
Kevinhsieh and Zalazar - Yes, to both, and it works; however, I need to be able to access users without using local groups.  I need to be able to put Domain-B\user instead.  A developer who makes software we are using made a change to their system and they no longer can use groups.

Again thanks! Both answers were correct.  However, my case needs the actual user from Domain-B since the developer made their change.

As a test, I opened the LDAP port on our firewall directly to their domain controller and it did authenticate and display users from Domain-B.  However, that is not how TRUSTS are supposed to work so I've been in contact with Microsoft and they agree that there is a problem so they are investigating but at their standard price.
0
 
LVL 12

Accepted Solution

by:zalazar (earned 500 total points)
ID: 40374171
Thank you very much for the background information.
You mention that it shouldn't be necessary for the member (non-DC) server to access their Domain Controller.
My experience with domain trusts is a little different, and from what I know it's indeed necessary that the computer which needs to look up or verify the authentication of the trusted user must be able to directly contact the trusted DCs.
But let's see what Microsoft will come up with.
0
 

Author Comment

by:GabicusC
ID: 40458142
Final solution: if I needed to add a single user from Domain-B\user to my Domain-A\Server ... I did have to open up authentication directly from the Domain-A\server to the Domain-B\DC.

Basically, there are two methods to adding users in a TRUSTED domain.

Method #1
Using Domain-A\groups and having Domain-B\users as members and then adding that Domain-A\group for permissions.  This was described by both Kevinhsieh and Zalazar.

Method #2
My case here, which is adding Domain-B\User directly to Domain-A\server (no groups).
Zalazar called this one, and yes, after days of testing with Microsoft this was the only solution (open authentication directly from Domain-A\server to Domain-B\DC).
0
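The accepted solution and the final solution both come down to one requirement: the Domain-A member server itself must be able to reach Domain-B's domain controllers to look up and authenticate a Domain-B user. The following added PowerShell script (not from the thread) runs on the member server, checks that path before any firewall change is made, and then performs "Method #2", the direct user ACE, in the same way the GUI does. The domain names, user name and folder path are assumptions; the port list is the set a member server uses against a trusted DC for name lookup and Kerberos/NTLM authentication.

```powershell
# Added example, not from the thread. Run on the Domain-A member server.
# Checks the server's own path to Domain-B's DCs, then grants a Domain-B user
# directly ("Method #2"). Domain names, user and folder path are assumptions.
$TrustedDomain = 'domain-B.local'
$TrustedUser   = 'DOMAIN-B\bob'        # assumed; NetBIOS form as used in ACLs
$FolderPath    = 'D:\Shares\Projects'  # assumed folder on this member server

# 1. Can this server discover a Domain-B DC at all? This needs DNS for
#    domain-B.local (a conditional forwarder or stub zone) so that the
#    DC locator SRV records resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.QueryType -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
"Domain-B DCs from DNS: $($dcs -join ', ')"

# 2. TCP ports a member server uses against a trusted DC when resolving and
#    authenticating a trusted-domain user. A firewall rule should allow only
#    these, only from this server, only to those DCs, rather than the subnet.
$ports = [ordered]@{ 'Kerberos' = 88; 'LDAP' = 389; 'SMB' = 445; 'RPC-EPM' = 135; 'GC-LDAP' = 3268 }
foreach ($dc in $dcs) {
    foreach ($name in $ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $ports[$name] `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-28} {1,-10} {2,5}  {3}' -f $dc, $name, $ports[$name], $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
# Note: RPC also negotiates a dynamic high port (49152-65535 by default) after
# the port 135 exchange; a rule that allows only 135 will still fail.

# 3. The DC locator's own verdict. If this fails, the GUI "Locations..." and
#    "Check Names" steps will fail from this server for the same reason.
nltest /dsgetdc:$TrustedDomain

# 4. Translate the trusted principal to a SID. This is the lookup the
#    "Select Users" dialog performs; it only succeeds when step 2 passes.
$nt  = New-Object System.Security.Principal.NTAccount($TrustedUser)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
"Resolved $TrustedUser to $sid"

# 5. Method #2: grant the user directly. The ACE is stored by SID, so it is
#    unaffected by renames, but it shows as an unresolved SID and cannot be
#    evaluated for logon whenever Domain-B's DCs are unreachable again.
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $TrustedUser }
```

The point of running steps 1 to 4 first is that they tell you which hop is missing (DNS, a blocked port, or the locator) before anything is opened on the firewall, and step 2 gives the narrowest rule that will make Method #2 work: this server to the listed Domain-B DCs on those ports. Permitting a member server to reach a trusted DC is a wider path than the DC-to-DC trust traffic, so limiting the rule to the specific server and destinations keeps the extra exposure small.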
