JohnTan-3986 asked JohnTan-3986 commented

AD Users from another domain

Hi,

Currently, I have a Domain A which manages users and resources (PCs/servers) for Domain A.

I will need to create another Domain B to manage another set of resources that Domain A has no visibility of, and likewise Domain B has no visibility of the resources in Domain A. They are separately managed by different domain admins.

There is only one set of users to manage, and they will come from Domain A.
Domain A will assign its own resources to users in Domain A, and Domain B's resources will be assigned to certain users as well.

Final state: when a user logs in and authenticates against Domain A, he/she will be able to access the resources assigned to him/her from the different domain.

Question: Is this achievable, and how can I do this?


Thanks
John

windows-active-directory

FanFan-MSFT answered JohnTan-3986 commented

Hi,

If you are the admin of domain B, yes, you can assign resource permissions to users in domain B.
If there is a trust relationship, the admin in domain B can assign resources to users from domain A.

I'm not sure I understand you correctly when you said: users replicated from domain A to Domain B.
User objects can't replicate across domains/forests.

But the admin in domain B can assign resources to users from domain A if Domain A is the trusted domain.

Best Regards,


ParvezGadhia-1089 answered JohnTan-3986 commented

Yes, you need to establish a one-way trust between domains A and B so users in domain A can log on to or access resources in domain B.

Establish the trust as one-way incoming in domain A and one-way outgoing in domain B.

Now create a shared folder in domain B, create a domain local group in domain B, and add it on the share and security tabs with read permission or a more relaxed permission.

Go to domain A and create a global group with the same name you created in domain B, and add the users to this group.

Now go back to domain B, open the security group you created and add members: select domain A from the browse/search option and select the global group you created in which you added the users of domain A. That's it. Now users from domain A can access that shared folder from domain A.


ParvezGadhia,

Thanks for your response.

What I want is to have a small group of users in Domain A be able to access the resources in Domain B, with control over who may access the resources in Domain B done on the Domain B side. So basically, something like replicating the users from Domain A to Domain B and granting access from Domain B to Domain B resources.

Domain A should not have access to resources in Domain B and no visibility.

In this case, is a one-way trust the better option, or user replication?

ParvezGadhia-1089 answered

Yes, follow the same process I mentioned previously.
For example, username John --> add into a Global Group named GG_DomainB_Folder_Access in domain A.
Create a Domain Local Group named DL_DomainB_Folder_Access in Domain B. Now
create a folder named data1 --> share --> everyone --> change.
Now go to the security tab of the data1 folder --> add the DL_DomainB_Folder_Access group and select read permission.
Now you can add the Domain A group into DL_DomainB_Folder_Access as a member, so members of GG_DomainB_Folder_Access from domain A can access the data1 folder in domain B.

One thing to remember is that you would need an admin user who has access to both domains to perform this activity.


FanFan-MSFT answered FanFan-MSFT edited

Hi,
If you want to share resources across forests, a trust relationship is needed.
By default, all users have read permission to resources in a forest with a trust relationship.

If you only want specific users from domain A to access a resource in domain B, we need to restrict the share permission on the resource folders to prevent all users from having access.

First, add the specific users to a Global Group in domain A, and add that group into a Domain Local group in Domain B.
On the folder in Domain B > Share permission:
Change Everyone to the group: users\domainB
Add the Domain Local group in domain B which contains the Global groups from Domain A.
Then all the users from Domain B can access the folder, but only the specific users from domain A can access the shared folder in Domain B.

Best Regards,
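The procedure the two answers above describe (a one-way trust with B trusting A, a global group in A nested into a domain local group in B, and a share in B whose permissions are restricted to that domain local group), scripted as an added example. This is not code posted by anyone in this thread. Every name in it is an assumption: the DNS names a.example.com / b.example.com with NetBIOS names A and B, the DCs dc01.a.example.com and dc01.b.example.com, a file server FS01 in B at C:\Shares\data1, the OU paths, and the account john. It needs the RSAT ActiveDirectory module plus netdom.exe and dsacls.exe; step 2 is run by a Domain A admin, everything else by a Domain B admin.

```powershell
# Added example (not from the thread). Assumed names throughout: A/B NetBIOS names,
# a.example.com / b.example.com, dc01.* DCs, FS01 file server, OU paths, user 'john'.
$DomainA   = 'a.example.com'
$DomainB   = 'b.example.com'
$DcA       = 'dc01.a.example.com'
$DcB       = 'dc01.b.example.com'
$GG        = 'GG_DomainB_Folder_Access'     # global group in A (name from the thread)
$DL        = 'DL_DomainB_Folder_Access'     # domain local group in B (name from the thread)
$SharePath = 'C:\Shares\data1'              # on FS01 in B
$Fs01Dn    = 'CN=FS01,OU=Servers,DC=b,DC=example,DC=com'

Import-Module ActiveDirectory

# 1. Trust (run as a B admin; netdom prompts for both passwords).
#    "netdom trust <trusting> /Domain:<trusted>": B trusts A, so A's users can be granted
#    access in B while nothing flows the other way. Seen from B the trust is outgoing,
#    seen from A it is incoming, as the answer above puts it.
#    /SelectiveAuth:yes is what delivers "no visibility": A's users cannot authenticate
#    to ANY computer in B until "Allowed to Authenticate" is granted on that computer
#    object (step 5). The default (domain-wide authentication) lets every A user
#    authenticate to every B server and read whatever Authenticated Users can read.
netdom trust $DomainB /Domain:$DomainA /Add /UserD:"A\Administrator" /PasswordD:* /UserO:"B\Administrator" /PasswordO:* /SelectiveAuth:yes

# Check direction, selective auth and SID filtering (quarantine) as recorded on B's side.
Get-ADTrust -Filter "Name -eq '$DomainA'" -Server $DcB |
    Select-Object Name, Direction, SelectiveAuthentication, SIDFilteringQuarantined
# Expected on B: Direction = Outbound, SelectiveAuthentication = True, SIDFilteringQuarantined = True

# 2. Global group in A, populated by A's admins, who keep control of the accounts.
New-ADGroup -Name $GG -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=a,DC=example,DC=com' -Server $DcA
Add-ADGroupMember -Identity $GG -Members 'john' -Server $DcA

# 3. Domain local group in B; B's admins decide what it may touch.
New-ADGroup -Name $DL -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=b,DC=example,DC=com' -Server $DcB

# Nest A's global group. The object must be fetched from a DC in A; B stores it as a
# foreignSecurityPrincipal keyed by SID, which is why no user "replication" is needed.
$ggObj = Get-ADGroup -Identity $GG -Server $DcA
try {
    Add-ADGroupMember -Identity $DL -Members $ggObj -Server $DcB -ErrorAction Stop
} catch {
    # Fallback (assumed to matter only where the cmdlet cannot resolve the foreign
    # principal): bind by SID through ADSI; the DC in B creates the FSP entry itself.
    $dlDn = (Get-ADGroup -Identity $DL -Server $DcB).DistinguishedName
    ([ADSI]"LDAP://$DcB/$dlDn").Add("LDAP://<SID=$($ggObj.SID.Value)>")
}
# Verify: member shows as CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=b,DC=example,DC=com
(Get-ADGroup -Identity $DL -Server $DcB -Properties member).member

# 4. Share and NTFS on FS01 (run there). Naming an access list keeps "Everyone" off the
#    share entirely; the thread's "Everyone / Change" variant relies on NTFS alone.
New-SmbShare -Name 'data1' -Path $SharePath -ReadAccess "B\$DL" -FullAccess 'B\Domain Admins'

$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)       # break inheritance, drop inherited ACEs
foreach ($pair in @(@("B\$DL", 'ReadAndExecute'), @('B\Domain Admins', 'FullControl'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $pair[0], $pair[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 5. With selective authentication, allow A's group to authenticate to FS01 only.
#    Every other computer in B stays unreachable for Domain A accounts.
dsacls $Fs01Dn /G "A\${GG}:CA;Allowed to Authenticate"

# Review what a member of the Domain A group can now reach.
Get-SmbShareAccess -Name 'data1'
Get-Acl -Path $SharePath | Select-Object -ExpandProperty Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The split of duties the question asks for falls out of steps 2 and 3: Domain A's admins own the global group and the accounts in it, Domain B's admins own the domain local group, the share ACL and the "Allowed to Authenticate" grant, so neither side can widen access in the other's domain on its own. Selective authentication is the setting to check on an existing trust: with it off, the trust alone already lets any Domain A user authenticate to any Domain B server.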


JohnTan-3986 answered JohnTan-3986 commented

I have an issue with the solution because Domain A is managed by another team and Domain B is managed by my team.
Is it possible to assign all users from Domain A to Domain B, so that my team can then assign the users to resources in Domain B as appropriate?


Hi,
Resources are managed in Domain B; I'm afraid we can't do this if you are not an admin account on the resource server.
Best Regards,


What I meant is that Domain A is managed by one group of domain admins and Domain B is managed by another group of domain admins.
Can all the users be replicated over to Domain B from Domain A, so that the Domain B admins then manage the resources in Domain B?
This would solve the issue of segregation of duties between the different domain admin groups. Is this doable?
