AD Users from another domain

John Tan 41 Reputation points


Currently, I have a Domain A which manages Users and Resources (PC/Servers) for Domain A.

I will need to create another Domain B to manage another set of resources that Domain A has no visibility to and likewise Domain B has no visibility to the resources in Domain A. They are separately managed by different domain admin.

There are only 1 set of users to manage and that will come from Domain A.
Domain A will assign it own resources for users in Domain A and Domain B's resources will be assigned to certain users as well.

Final state: When a user login and authenticate against Domain A, he/she will be able to access resources assign to him/her from different domain.

Qns: Is this achievable and how can I do this?


Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,098 questions
0 comments No comments
{count} votes

Accepted answer
  1. Fan Fan 15,306 Reputation points Microsoft Vendor


    If you are the admin of domain B, yes, you can assign the resource permission to users in domain B.
    If there are trust relationship, the admin in domain B can assign resource to users from domain A.

    I'm not sure i understand you correctly when you said: users replicated from domain A to Domain B.
    User objects can't replicate across domain/forests.

    But the admin in domain B can assign resource to users from domain A if Domain A is the trusted domain.

    Best Regards,

4 additional answers

Sort by: Most helpful
  1. Parvez Gadhia 1 Reputation point

    Yes, you need to establish one way trust between domains A to B so users in domain A can slog on or access resources in domain B.

    Establish the trust one way incoming in domain A and , one way outgoing in domain B

    Now create a share folder in domain B , and create a domain local group in domain B and add on share and security tab with read permission or more relaxed permission.

    Go to domain A and create a global group with same name you created in domain B, add user in this group.

    Now go back to domain B and open the security group you created and add member , select domain A from browse/search option and select a global group you created in which you add user of domain A. That’s it. Now user from domain A can access that shared folder from domain A

  2. Parvez Gadhia 1 Reputation point

    yes, follow the same process which I mentioned previously.
    For example, username John --> add into a Global Group named GG_DomanB_Folder_Access in domain A
    Create a Domain Local Group named DL_DomainB_Folder_Access in Domain B now
    create a folder named data1 --> share --> everyone --> change .
    Now go to security tab of the Data1 folder --> add DL_DomainB_Folder_Access group and select read permission.
    Now you can add Domain A group into DL_DomainB_Folder_Access group as a member so members of GG_DomainB_Folder_Access from domain A can access data1 folder in domain B.

    One thing to remember that you would need an admin user who has access to both domains to perform this activity.

    0 comments No comments

  3. Fan Fan 15,306 Reputation points Microsoft Vendor

    If you want to share the resource across forests, a trust relationship is needed.
    By default, all the Users have read permission to resources in the forest with trust relationship.

    If you only want the specific users from domain A to access resource in domain B, we need to restrict the share permission on the resource folders to prevent all the users to have access.

    Frist, add the specific users to a Global Group in domain A, add the group into a Domain Local group in Domain B.
    On the folder in Domain B>Share permission
    Change everyone to the group: users\domainB
    Add the Domain Local group in domain B which containing Global groups from Domain A
    Then all the users from Domain B can access the folder but only the specific users from domain A can access the shared folder in Domain B.

    Best Regards,

    0 comments No comments

  4. John Tan 41 Reputation points

    Have an issue with the solution because Domain A is managed by another team and Domain B is managed by my team.
    Is it possible to assign all users from Domain A to Domain B and then my team can assign the users accordingly to resources in Domain B?