Grant permissions to external trusted domain

Zac-M 1

Hi,

I'm trying to grant permissions to some users within an external trusted domain. I already have the trust set up and it has been for years so I don't think this is the problem.

I've been reading on some other posts that users should be added to a Global security first, and then that group should be added into a Domain Local security group to provide access. However, when I try to add users from our external domain, the only way I can find this possible is by using a Domain Local group within our AD, and then giving that group access to the share. But this doesn't seem to work, the users don't get the access they should, so I've been trying to find the "correct" method.

I'm no expert with AD so I might be doing something wrong.
How exactly should I be granting access to users in a trusted external domain, to a network share on our own domain?

Thanks,
Zac

jeremiahingram 0 Reputation points

2024-04-27T06:23:17.18+00:00
Granting access to users in a trusted external domain to a network share on your own domain involves a few steps, and understanding the Active Directory (AD) structure and security groups is crucial. Here is a detailed guide:

Ensure Trust Relationship: As you mentioned, you already have a trust relationship established between your domains. Verify that the trust is still active and functioning properly.

Create Global Security Groups: In your domain, create global security groups to represent the users or groups from the external domain that you want to grant access to. You can do this using Active Directory Users and Computers (ADUC) or PowerShell.

Add External Users to Global Groups: Add the users from the external domain to the global security groups you created in your domain. This step might involve contacting the administrators of the external domain to get the necessary information for adding users to groups.

Create Domain Local Security Groups: Create domain local security groups in your domain to manage access to the network share. These groups will contain the global groups from step 2.

Grant Permissions to Domain Local Groups: Assign appropriate permissions to the domain local security groups on the network share. You can do this by navigating to the properties of the shared folder, selecting the Security tab, and adding the domain local groups with the desired permissions (e.g., Read, Write, Modify, Full Control).

Test Access: After setting up the permissions, test access by logging in as a user from the external domain who is a member of the global group. Ensure that the user can access the network share and perform the intended actions (e.g., read, write, delete).

Troubleshoot: If access is not working as expected, troubleshoot by checking the following:

Ensure that the trust relationship is still active and functioning.

Verify that the users from the external domain are members of the global groups in your domain.

Double-check the permissions assigned to the domain local groups on the network share.

Check event logs for any relevant error messages or issues.

Monitor and Maintain: Regularly review and update permissions as needed. Monitor access to the network share to ensure security and compliance.

2 answers

Clément BETACORNE 2,031 Reputation points

2022-02-17T09:39:54.257+00:00

Hello,

For me it's normal if you can't add users from the trusted domain into a global group in the trusting domain it is not supported
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

So you will have to use domain local groups in the trusting domain in order to give access, you should also check if authenticated users is used on your network shares because trusted domain accounts is member of this group :
https://social.technet.microsoft.com/Forums/windowsserver/en-US/39f0d1f2-966f-4e24-b92e-c837ce0ccd1a/use-of-nt-authorityauthenticated-users-within-a-forest-trust?forum=winserverDS

You should check the trust configuration to ensure that SID filtering is disabled
https://social.technet.microsoft.com/Forums/windowsserver/en-US/53e615da-48bc-418e-85ee-bf9fb30c6104/how-to-see-sid-filtering-is-enabled?forum=winserverDS

Regards,
Please sign in to rate this answer.
Zac-M 1 Reputation point

2022-02-17T11:54:35.563+00:00

Hi Clement,

Thanks for the reply :)

I've checked the SID filtering and can confirm it's disabled.

I've tried adding the users to a Domain Local group within our trusting domain, but this doesn't work. This is the main problem I have, but I wasn't sure if I was doing it incorrectly.

We do not use the Authentication Users group on any network shares, as most of them are locked down to specific groups as you'd normally expect, or am I missing something here?

Do you have any other ideas?

Thanks

Clément BETACORNE 2,031 Reputation points

2022-02-17T13:35:07.43+00:00

When you say that you tried adding the users to a domain local group within our trusting domain but this doesn't work, can you provide more details ? You was not able to add the user or they were not able to access the share ?
Did you also try to logoff/login after the modification ?

Regards,

Zac-M 1 Reputation point

2022-02-17T14:30:41.93+00:00

Ah sorry, I was able to add the users to a Domain Local group successfully, and also apply this group to the permissions of our network share without issues

However when a user tries to map the drive, it simply says they don't have permission to access it

I should clarify something - these users are using Remote Desktop to connect to a PC which is on our domain and plugged directly into our network. They are logging into this PC using their own credentials from their domain, which works perfectly fine so far. The issue is just with mapping the drive

Hope this makes sense

Thanks

Clément BETACORNE 2,031 Reputation points

2022-02-22T13:53:51.22+00:00

Hello,

When the user try to access the share via file explorer without using the map drive did they succeed ?

Regards,

Zac-M 1 Reputation point

2022-02-23T11:45:10.687+00:00

No, unfortunately they still receive the same message about denied permissions
Could there be something wrong with our trust?
Sign in to comment
Gerb 1 Reputation point

2022-10-06T08:11:59.1+00:00

So I have this exact same issue. And it did not play any role on older versions of the windows server OS. It started when using 2016/2019.
Anyone an update on this?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment