ZacM-3412 asked ZacM-3412 commented

Grant permissions to external trusted domain

Hi,

I'm trying to grant permissions to some users within an external trusted domain. I already have the trust set up and it has been for years so I don't think this is the problem.

I've been reading on some other posts that users should be added to a Global security group first, and then that group should be added into a Domain Local security group to provide access. However, when I try to add users from our external domain, the only way I can find this possible is by using a Domain Local group within our AD, and then giving that group access to the share. But this doesn't seem to work, the users don't get the access they should, so I've been trying to find the "correct" method.

I'm no expert with AD so I might be doing something wrong.
How exactly should I be granting access to users in a trusted external domain, to a network share on our own domain?

Thanks,
Zac

windows-active-directory windows-server-2012

1 Answer

ClementBETACORNE answered ZacM-3412 commented

Hello,

For me, it's normal that you can't add users from the trusted domain into a global group in the trusting domain; it is not supported:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

So you will have to use domain local groups in the trusting domain in order to give access. You should also check whether Authenticated Users is used on your network shares, because trusted domain accounts are members of this group:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/39f0d1f2-966f-4e24-b92e-c837ce0ccd1a/use-of-nt-authorityauthenticated-users-within-a-forest-trust?forum=winserverDS

You should check the trust configuration to ensure that SID filtering is disabled:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/53e615da-48bc-418e-85ee-bf9fb30c6104/how-to-see-sid-filtering-is-enabled?forum=winserverDS

Regards,


Hi Clement,

Thanks for the reply :)

I've checked the SID filtering and can confirm it's disabled.

I've tried adding the users to a Domain Local group within our trusting domain, but this doesn't work. This is the main problem I have, but I wasn't sure if I was doing it incorrectly.

We do not use the Authentication Users group on any network shares, as most of them are locked down to specific groups as you'd normally expect, or am I missing something here?

Do you have any other ideas?

Thanks


When you say that you tried adding the users to a domain local group within your trusting domain but this doesn't work, can you provide more details? Were you not able to add the users, or were they not able to access the share?
Did you also try to log off and log in again after the modification?

Regards,

ZacM-3412 ClementBETACORNE ·

Ah sorry, I was able to add the users to a Domain Local group successfully, and also apply this group to the permissions of our network share without issues.

However, when a user tries to map the drive, it simply says they don't have permission to access it.

I should clarify something - these users are using Remote Desktop to connect to a PC which is on our domain and plugged directly into our network. They are logging into this PC using their own credentials from their domain, which works perfectly fine so far. The issue is just with mapping the drive.

Hope this makes sense

Thanks
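
The checks discussed in this thread, collected as an added PowerShell example that is not part of the original posts. It assumes the ActiveDirectory and SmbShare modules are available on the file server in the trusting domain; the domain, group, share and user names are hypothetical placeholders.

```powershell
# Hypothetical names, replace with your own values.
$TrustedDomain = 'partner.example'   # external trusted domain (where the users live)
$GroupName     = 'DL-Share-Access'   # Domain Local group in the trusting domain
$ShareName     = 'Data'              # SMB share on this file server
$SamAccount    = 'jdoe'              # a user account in the trusted domain

Import-Module ActiveDirectory

# 1. Show the trust and its SID filtering state, as the answer suggests checking.
Get-ADTrust -Filter "Name -eq '$TrustedDomain'" |
    Select-Object Name, Direction, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware

# 2. Make sure the group exists with Domain Local scope. A Global group in the
#    trusting domain cannot hold members from the trusted domain.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security
}

# 3. Look the user up on a DC of the trusted domain (add -Credential if your
#    account cannot query that domain) and add it to the group if missing.
#    The member is stored as a foreign security principal named after its SID.
$user    = Get-ADUser -Identity $SamAccount -Server $TrustedDomain
$members = (Get-ADGroup -Identity $GroupName -Properties member).member
if (-not ($members -like "*$($user.SID.Value)*")) {
    Add-ADGroupMember -Identity $GroupName -Members $user
}

# 4. The group must be allowed on BOTH the share and the NTFS ACL;
#    the more restrictive of the two decides the effective access.
$share = Get-SmbShare -Name $ShareName
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -like "*\$GroupName" }
(Get-Acl -Path $share.Path).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 5. Group changes only reach a new logon token. After the user logs off and
#    back on to the Remote Desktop PC, run this in THEIR session to confirm:
#      whoami /groups | findstr /i "DL-Share-Access"
```

If step 4 returns nothing for either command, the group is missing from that permission list, which matches the "no permission" error when mapping the drive.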
