Group membership and trust relationships

Mario Nebbia 326 Reputation points

Let me ask a theoretical question about domains and trusts.
Imagine 2 domains, members of different forests.
domain1.local trusts domain2.local
pc1.domain1.local is a member of DOMAIN1.
user1@domain1.local can log on to pc1.domain1.local because he/she is a member of the "Users" group in domain1.local and because the "Users" domain group is a member of the "Users" local group on PC1.
My question is: how can I explain that user2@domain2.local can log on to PC1 (thanks to the trust relationship between DOMAIN1 and DOMAIN2) even if the "Users" domain group of DOMAIN2 is a member neither of the "Users" group of DOMAIN1 nor of the "Users" group of PC1?


Accepted answer
  1. Fan Fan 15,061 Reputation points

    For which users can log on to the computer:
    • On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
    As you can see, the users include local domain users and authenticated users. Authenticated Users is a group that includes all users whose identities were authenticated when they logged on.
    That means all the users from the trusted domain/forest can log on to the workstation by default.
    If you want to restrict which users can log on to the workstation, you can use the following group policy to add and remove groups for the workstation:
    Computer Configuration -> Policies -> Security Settings -> Local Policies -> User Rights Assignment:
    Deny log on locally – allows you to restrict local logon to the workstation for specific users or groups;
    Allow log on locally – contains the list of users who are allowed to log on to a computer locally.

    Best Regards,

1 additional answer

  1. BOURBITA Thameur 12,011 Reputation points Microsoft MVP


    *user1@domain1.local can log on to pc1.domain1.local because he/she is a member of the "Users" group in domain1.local*

    By default, any domain user is a member of the Domain Users group.
    You don't need to be a member of the default Domain Users group to be able to log on to a computer.
    So another user from a trusted domain can also log on to a computer.

    If you want to control the logon right on member machines (server and/or workstation), you can use a GPO to specify which users or groups have the right to log on (locally or remotely) to a member machine.

    Don't forget to mark this reply as the answer if it helps you to fix your issue.
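Both answers above make the same two points: the trusted-forest account can log on because the local Users group on a domain-joined machine contains NT AUTHORITY\Authenticated Users (S-1-5-11), which every authenticated token carries regardless of which forest issued it, and the way to restrict it is the User Rights Assignment policies. The PowerShell below is an added example written for this page, not code from either poster or from Microsoft; it checks both claims on a machine like pc1 and then applies the deny. Assumptions: Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated session for the secedit steps, and the placeholder group DOMAIN2\Domain Users as the trusted-forest principal to block.

```powershell
# Added example (not from the original thread). Run on the domain-joined PC.
# Assumes: elevated prompt for the secedit steps; DOMAIN2 / "Domain Users" are
# placeholders for the trusted forest's group; temp paths are arbitrary.

# --- 1. Why the logon works: local Users holds well-known groups, not only DOMAIN1\Domain Users.
$usersMembers = Get-LocalGroupMember -Group 'Users'
$usersMembers | Select-Object Name, SID, PrincipalSource | Format-Table -AutoSize

# S-1-5-11 = NT AUTHORITY\Authenticated Users, S-1-5-4 = NT AUTHORITY\INTERACTIVE.
# Any account that authenticates, including through a trust, has S-1-5-11 in its
# token, so it satisfies the "member of Users" check without any explicit nesting.
$wellKnown = @{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-4' = 'INTERACTIVE' }
foreach ($sid in $wellKnown.Keys) {
    if ($usersMembers.SID.Value -contains $sid) {
        "Local Users contains $($wellKnown[$sid]) ($sid)"
    }
}

# --- 2. Which SIDs currently hold "Allow log on locally" / "Deny log on locally".
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^Se(Deny)?InteractiveLogonRight' |
    ForEach-Object { $_.Line }
# A line such as  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,...
# lists BUILTIN\Users (S-1-5-32-545); that is the allowance the trusted user rides on.

# --- 3. Run this part as user2@domain2.local to see the token itself.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -in 'S-1-5-11', 'S-1-5-4' } |
    Select-Object 'Group Name', SID

# --- 4. Restrict: resolve the trusted forest's group through the trust and put it
#        in "Deny log on locally". Deny is evaluated before allow, so this overrides
#        the Users allowance. Do this in a domain GPO (as both answers say) for
#        anything durable: a local edit is overwritten at the next policy refresh
#        whenever a GPO manages the same right.
$account = New-Object System.Security.Principal.NTAccount('DOMAIN2', 'Domain Users')
$denySid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$denyInf = Join-Path $env:TEMP 'deny-logon.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$denySid
"@ | Set-Content -Path $denyInf -Encoding Unicode

# The INF replaces the right's whole assignment: if other principals are already
# denied (step 2 output), append them to the same line before applying.
secedit /configure /db (Join-Path $env:TEMP 'deny-logon.sdb') /cfg $denyInf /areas USER_RIGHTS
```

Two caveats worth knowing when you try this. Step 3 only works if the trusted-forest account can actually authenticate to pc1: with a forest trust configured for selective authentication, accounts from domain2.local are refused before the user rights are ever consulted unless they hold "Allowed to Authenticate" on pc1's computer object, so that is the other lever for restricting trusted-forest logons. And the deny in step 4 covers interactive logon only; "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight) and "Deny access to this computer from the network" (SeDenyNetworkLogonRight) are separate rights that need the same treatment if RDP or SMB access should also be blocked.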
