sub domain trust on Windows

Gong, Allen 95 Reputation points
2024-07-16T08:21:28.2933333+00:00

I am trying to setup a multiple domains environment on Windows, here is my setup:

[image: the poster's domain setup]

My requirement is that users in the parent domain (b1cloud.smes.sap.corp) can list users of its sub domains (child.b1cloud.smes.sap.corp, atlas.b1cloud.smes.sap.corp), but users in different sub domains cannot list users of the other domain, meaning users in child.b1cloud.smes.sap.corp cannot list users in atlas.b1cloud.smes.sap.corp.

The actual behavior is that the different sub domains can list the users of the other domain; it seems sub domains trust each other by default. Is it possible to disable this trust? Is there any setting on Windows for this? Thanks.


Accepted answer
    Daisy Zhou 22,081 Reputation points Microsoft Vendor
    2024-07-16T08:49:03.2633333+00:00

    Hello Gong, Allen,

    Thank you for posting in Q&A forum.

    You can right-click child.b1cloud.smes.sap.corp or atlas.b1cloud.smes.sap.corp, click Properties, then open the Trusts tab and check the trust relationship between child.b1cloud.smes.sap.corp and atlas.b1cloud.smes.sap.corp.

    If both child domains are listed under the Trusts tab, it seems sub domains trust each other by default.

    In a Microsoft Active Directory (AD) environment, a parent domain and its child (sub) domains inherently trust each other in a hierarchical structure. This is known as a transitive trust.

    By default, these trusts are two-way and transitive, meaning that a parent domain trusts its child domains and vice versa. This transitive nature extends the trust to all domains within the parent-child hierarchy. If you want to manage or restrict the trust relationships between subdomains, maybe there are possible methods, but it's important to understand the implications as this can significantly impact your domain's functionality and security. Modifying or disabling the default trust relationships between parent and child domains is uncommon and not generally recommended because it can disrupt many AD functionalities.

    If you do not want users in one child domain to list users in the other child domain, you can try to block it via permissions on the child Domain Controllers. For example: try to block the "Read" permission in the child domain.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

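As an added example (not code from the question or the answer), the following PowerShell script does the two things the answer describes from the command line: it lists the trust objects of one child domain, and it restricts enumeration of that domain's Users container with a Deny ACE instead of altering the trust. It assumes the RSAT ActiveDirectory module, a session that is an administrator of the protected child domain, and the domain names from the question; the `ChildB` drive name is an assumption of this example.

```powershell
# Added example, not part of the original thread. Assumes the RSAT ActiveDirectory
# module and a session authenticated as an admin of the protected child domain.
Import-Module ActiveDirectory

$ChildA = 'child.b1cloud.smes.sap.corp'   # domain whose users should NOT see ChildB
$ChildB = 'atlas.b1cloud.smes.sap.corp'   # domain whose users are being protected

# 1. Same information as the Trusts tab: intra-forest parent/child trusts are two-way
#    and transitive, so ChildA reaches ChildB through the parent even when no direct
#    trust object between the two children is listed.
Get-ADTrust -Filter * -Server $ChildB |
    Select-Object Name, Direction, IntraForest, ForestTransitive, Source, Target |
    Format-Table -AutoSize

# 2. Restrict enumeration with a Deny ACE, scoped to the Users container of ChildB.
#    'Domain Users' of ChildA is a global group, so it can appear in ACLs of any
#    trusting domain in the forest.
New-PSDrive -Name ChildB -PSProvider ActiveDirectory -Root '' -Server $ChildB | Out-Null
$UsersDn       = (Get-ADDomain -Server $ChildB).UsersContainer
$AclPath       = "ChildB:\$UsersDn"
$ChildANetbios = (Get-ADDomain -Server $ChildA).NetBIOSName
$Identity      = New-Object System.Security.Principal.NTAccount("$ChildANetbios\Domain Users")

$DenyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$Acl = Get-Acl -Path $AclPath
$Acl.AddAccessRule($DenyRead)
# Deny entries win over Allow and are inherited by every object under the container.
# -WhatIf only shows the change; remove it after confirming the effect in a lab.
Set-Acl -Path $AclPath -AclObject $Acl -WhatIf

# 3. Review the Deny entries currently on the container (re-run after applying).
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

Users of the parent domain are not named in the Deny entry, so their ability to list the child domain's users is unchanged; users of child.b1cloud.smes.sap.corp lose read access to objects under the Users container of atlas.b1cloud.smes.sap.corp only.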

