AD Users from another domain

John Tan 41 Reputation points
2021-07-02T03:18:15.52+00:00

Hi,

Currently, I have a Domain A which manages Users and Resources (PC/Servers) for Domain A.

I will need to create another Domain B to manage another set of resources that Domain A has no visibility to, and likewise Domain B has no visibility to the resources in Domain A. They are separately managed by different domain admins.

There is only 1 set of users to manage and that will come from Domain A.
Domain A will assign its own resources to users in Domain A, and Domain B's resources will be assigned to certain users as well.

Final state: When a user logs in and authenticates against Domain A, he/she will be able to access resources assigned to him/her from different domains.

Qns: Is this achievable and how can I do this?

Thanks
John

Active Directory
A set of directory-based technologies included in Windows Server.

Accepted answer
  1. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-07-12T04:39:43.927+00:00

    Hi,

    If you are the admin of domain B, yes, you can assign the resource permission to users in domain B.
    If there is a trust relationship, the admin in domain B can assign resources to users from domain A.

    I'm not sure I understand you correctly when you said: users replicated from domain A to Domain B.
    User objects can't replicate across domains/forests.

    But the admin in domain B can assign resources to users from domain A if Domain A is the trusted domain.

    Best Regards,


4 additional answers

  1. Parvez Gadhia 1 Reputation point
    2021-07-03T05:54:26.037+00:00

    Yes, you need to establish a one-way trust between domains A and B so users in domain A can log on or access resources in domain B.

    Establish the trust as one-way incoming in domain A and one-way outgoing in domain B.

    Now create a shared folder in domain B, create a domain local group in domain B, and add it on the share and security tabs with read permission or a more relaxed permission.

    Go to domain A and create a global group with the same name you created in domain B, and add the user to this group.

    Now go back to domain B, open the security group you created and add a member: select domain A from the browse/search option and select the global group you created, to which you added the user of domain A. That's it. Now the user from domain A can access that shared folder from domain A.


  2. Parvez Gadhia 1 Reputation point
    2021-07-04T07:40:31.367+00:00

    Yes, follow the same process which I mentioned previously.
    For example, username John --> add into a Global Group named GG_DomainB_Folder_Access in domain A.
    Create a Domain Local Group named DL_DomainB_Folder_Access in Domain B now.
    Create a folder named data1 --> share --> everyone --> change.
    Now go to the security tab of the data1 folder --> add the DL_DomainB_Folder_Access group and select read permission.
    Now you can add the Domain A group into the DL_DomainB_Folder_Access group as a member so members of GG_DomainB_Folder_Access from domain A can access the data1 folder in domain B.

    One thing to remember is that you would need an admin user who has access to both domains to perform this activity.


  3. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-07-05T02:11:25.847+00:00

    Hi,
    If you want to share the resource across forests, a trust relationship is needed.
    By default, all the users have read permission to resources in the forest with a trust relationship.

    If you only want the specific users from domain A to access resources in domain B, we need to restrict the share permission on the resource folders to prevent all the users from having access.

    First, add the specific users to a Global Group in domain A, then add the group into a Domain Local group in Domain B.
    On the folder in Domain B > Share permission:
    Change everyone to the group: users\domainB
    Add the Domain Local group in domain B which contains the Global groups from Domain A.
    Then all the users from Domain B can access the folder, but only the specific users from domain A can access the shared folder in Domain B.

    Best Regards,

    0 comments No comments
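
The group nesting and permission steps described in the answers above, written out as an added PowerShell example that is not part of any poster's reply. It assumes the trust (domain B trusting domain A) already exists, that it runs on the domain B file server with the ActiveDirectory and SmbShare modules available, and that `a.example`, `b.example` and `D:\data1` are hypothetical placeholders; the group, folder and user names are the ones used in the thread.

```powershell
# Added example. a.example, b.example and D:\data1 are hypothetical placeholders.
Import-Module ActiveDirectory

$DomainA = 'a.example'                 # account domain (trusted)
$DomainB = 'b.example'                 # resource domain (trusting)
$Folder  = 'D:\data1'                  # folder on a file server in domain B
$Share   = 'data1'
$GG      = 'GG_DomainB_Folder_Access'  # global group, lives in domain A
$DL      = 'DL_DomainB_Folder_Access'  # domain local group, lives in domain B

# 1. Domain A: global group holding only the users who need access.
New-ADGroup -Name $GG -GroupScope Global -GroupCategory Security -Server $DomainA
Add-ADGroupMember -Identity $GG -Members 'John' -Server $DomainA

# 2. Domain B: domain local group with the domain A global group nested in it.
New-ADGroup -Name $DL -GroupScope DomainLocal -GroupCategory Security -Server $DomainB
$ggObj = Get-ADGroup -Identity $GG -Server $DomainA
Add-ADGroupMember -Identity $DL -Members $ggObj -Server $DomainB
$dlObj = Get-ADGroup -Identity $DL -Server $DomainB -Properties member

# 3. NTFS: read access for the domain local group, referenced by SID.
$acl  = Get-Acl -Path $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $dlObj.SID, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Share: named groups instead of Everyone. "Domain Users" of domain B is an
#    assumption about which domain B group should keep access to the share.
$nbB = (Get-ADDomain -Server $DomainB).NetBIOSName
New-SmbShare -Name $Share -Path $Folder `
    -ChangeAccess "$nbB\Domain Users" -ReadAccess "$nbB\$DL"

# 5. Review what was granted.
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessRight
$dlObj.member   # cross-forest members appear under CN=ForeignSecurityPrincipals
```

Step 1 needs write access in domain A only, and steps 2 to 5 need write access in domain B plus read access to domain A to resolve the global group.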

  4. John Tan 41 Reputation points
    2021-07-08T17:01:14.167+00:00

    Have an issue with the solution because Domain A is managed by another team and Domain B is managed by my team.
    Is it possible to assign all users from Domain A to Domain B and then my team can assign the users accordingly to resources in Domain B?