AD Users from another domain

John Tan 41 Reputation points
2021-07-02T03:18:15.52+00:00

Hi,

Currently, I have a Domain A which manages Users and Resources (PC/Servers) for Domain A.

I will need to create another Domain B to manage another set of resources that Domain A has no visibility to, and likewise Domain B has no visibility to the resources in Domain A. They are separately managed by different domain admins.

There is only 1 set of users to manage and that will come from Domain A.
Domain A will assign its own resources for users in Domain A and Domain B's resources will be assigned to certain users as well.

Final state: When a user logs in and authenticates against Domain A, he/she will be able to access resources assigned to him/her from a different domain.

Question: Is this achievable and how can I do this?

Thanks
John


Accepted answer
  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2021-07-12T04:39:43.927+00:00

    Hi,

    If you are the admin of domain B, yes, you can assign the resource permission to users in domain B.
    If there is a trust relationship, the admin in domain B can assign resources to users from domain A.

    I'm not sure I understand you correctly when you said: users replicated from domain A to Domain B.
    User objects can't replicate across domains/forests.

    But the admin in domain B can assign resources to users from domain A if Domain A is the trusted domain.

    Best Regards,


4 additional answers

  1. Parvez Gadhia 1 Reputation point
    2021-07-03T05:54:26.037+00:00

    Yes, you need to establish a one-way trust between domains A and B so users in domain A can log on or access resources in domain B.

    Establish the trust one-way incoming in domain A and one-way outgoing in domain B.

    Now create a shared folder in domain B, create a domain local group in domain B, and add it on the share and security tabs with read permission or a more relaxed permission.

    Go to domain A and create a global group with the same name you created in domain B, and add the user to this group.

    Now go back to domain B, open the security group you created and add a member: select domain A from the browse/search option and select the global group you created, to which you added the user of domain A. That's it. Now the user from domain A can access that shared folder from domain A.


  2. Parvez Gadhia 1 Reputation point
    2021-07-04T07:40:31.367+00:00

    Yes, follow the same process which I mentioned previously.
    For example, username John --> add into a Global Group named GG_DomainB_Folder_Access in domain A.
    Create a Domain Local Group named DL_DomainB_Folder_Access in Domain B.
    Now create a folder named data1 --> share --> everyone --> change.
    Now go to the security tab of the Data1 folder --> add the DL_DomainB_Folder_Access group and select read permission.
    Now you can add the Domain A group into the DL_DomainB_Folder_Access group as a member, so members of GG_DomainB_Folder_Access from domain A can access the data1 folder in domain B.

    One thing to remember is that you would need an admin user who has access to both domains to perform this activity.


  3. Fan Fan 15,326 Reputation points Microsoft Vendor
    2021-07-05T02:11:25.847+00:00

    Hi,
    If you want to share the resource across forests, a trust relationship is needed.
    By default, all the Users have read permission to resources in the forest with trust relationship.

    If you only want the specific users from domain A to access resources in domain B, we need to restrict the share permission on the resource folders to prevent all the users from having access.

    First, add the specific users to a Global Group in domain A, then add the group into a Domain Local group in Domain B.
    On the folder in Domain B > Share permission:
    Change everyone to the group: users\domainB
    Add the Domain Local group in domain B which contains the Global groups from Domain A
    Then all the users from Domain B can access the folder, but only the specific users from domain A can access the shared folder in Domain B.

    Best Regards,
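
The group nesting and folder permissions described in the answers above (a global group in domain A nested into a domain local group in domain B, which is then used on the share and the NTFS ACL), written out as an added PowerShell example that is not part of the original thread. The DNS and NetBIOS domain names and the folder path are placeholders, the trust is assumed to exist already, and the account running it is assumed to have rights in both domains, as the thread notes.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread)
$DomainA  = 'domaina.example'      # trusted domain holding the users
$DomainB  = 'domainb.example'      # trusting domain holding the resource
$NetbiosB = 'DOMAINB'
$Folder   = 'D:\data1'
# Names taken from the thread
$User = 'John'
$GG   = 'GG_DomainB_Folder_Access'
$DL   = 'DL_DomainB_Folder_Access'

# 1. Domain A: global group that holds only the users who need access
New-ADGroup -Name $GG -SamAccountName $GG -GroupScope Global `
    -GroupCategory Security -Server $DomainA
Add-ADGroupMember -Identity $GG -Members $User -Server $DomainA

# 2. Domain B: domain local group that will carry the permissions
New-ADGroup -Name $DL -SamAccountName $DL -GroupScope DomainLocal `
    -GroupCategory Security -Server $DomainB

# 3. Nest the domain A group into the domain B group by SID.
#    The <SID=...> form also works when domain A is in another forest.
$ggObj = Get-ADGroup -Identity $GG -Server $DomainA
Set-ADGroup -Identity $DL -Server $DomainB `
    -Add @{ member = "<SID=$($ggObj.SID.Value)>" }

# 4. Share permission: named groups instead of Everyone, so that other
#    authenticated users from the trusted domain are not let in
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
New-SmbShare -Name 'data1' -Path $Folder `
    -ChangeAccess "$NetbiosB\Domain Users", "$NetbiosB\$DL"

# 5. NTFS permission: read for the domain local group
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$NetbiosB\$DL", 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 6. Review the result: nested member, share ACL, folder ACL
(Get-ADGroup -Identity $DL -Server $DomainB -Properties member).member
Get-SmbShareAccess -Name 'data1'
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Steps 4 and 5 are run on the file server in domain B; a user's effective access is the more restrictive of the share permission and the NTFS permission.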


  4. John Tan 41 Reputation points
    2021-07-08T17:01:14.167+00:00

    Have an issue with the solution because Domain A is managed by another team and Domain B is managed by my team.
    Is it possible to assign all users from Domain A to Domain B and then my team can assign the users accordingly to resources in Domain B?

