Hi @KK
Did you get the same behavior when you use the computer management ?
Please don't forget to accept helpful answer
Active Directory External One Way Trust Permission Problem
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 53%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
KK
25
Reputation points
Hello,
We have the following situation / issue:
Domain A has a working external one way trust with domain B.
In domain A the global group G-1 exists
In domain B the local group L-1 exists which contains the G-1 group of domain A\L-1
The group L-1 is a member of the administrator group of domain B
The server SRV-1 ist joined the domain B
The group L-1 is a member of the local administrators group on the SRV-1
A user of the domain A who ist member of the group A\L-1 (and therefore has the local administrator permission on the server and the administrator permission on the domain) wants to add another group from the domain B to the local administrator group on the server SRV-1.
When he searches for the group in domain B in the corresponding add dialog (netplwiz - group administrators - add) he gets a login prompt and after entering his correct login data the error message "During the usage of the provided Username and Password an error occured: Username or Password is incorrect".
At the same time, the firewall shows that SRV-1 wants to communicate with the domain controllers of domain A on ports 88 and 389 and not with those of domain B.
Is this a design or conifg error?
Unfortunately, I can't find any comparable cases / information on this issue.
I can provide further information / screenshots if required.
I look forward to any feedback.
Regards
Kai
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other
Answer accepted by question author
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Thameur-BOURBITA 36,526 Reputation points Moderator2024-01-03T11:35:56.0033333+00:00
-
KK 25 Reputation points
2024-01-03T19:41:03.61+00:00 Its the same behavior with the local user management under computer management
-
Thameur-BOURBITA 36,526 Reputation points Moderator
2024-01-03T23:16:44.4833333+00:00 @KK •
It seems that the one way trust is not enough. Try to create the trust on other way and check if you still have the same behavior.
Please don't forget to accept helpful answer
-
KK 25 Reputation points
2024-01-04T08:11:57.8766667+00:00 Thanks for the suggestion. However, this is a DMZ network infrastructure architecture in which a two-way trust can't be implemented.
-
Thameur-BOURBITA 36,526 Reputation points Moderator
2024-01-04T09:28:15.7133333+00:00 @KK •
Try to check the network flow between target server and trusted domain.
You can also use Group Policy Preference to add members in local administrators group. Using Group policy to manage memberof local group on member server can be a solution for your case
Please don't forget to accept helpful answer
-
KK 25 Reputation points
2024-01-04T10:25:06.58+00:00 We have analyzed the traffic on the firewall live and during the process it tries to communicate with the dcs of domain A and not B by mistake.
The assignment of local admin authorizations works via GPO.
-
Thameur-BOURBITA 36,526 Reputation points Moderator
2024-01-04T10:50:42.62+00:00 @KK •
In this case you two options, use GPO or open network flow.
Please don’t forget to accept helpful answer
-
Thameur-BOURBITA 36,526 Reputation points Moderator
2024-01-12T21:28:32.9+00:00 @KK • Just checking if there is any progress.
---Please don't forget to accept helpful answer
Sign in to comment -