Accessing Shared Folder over External Trust

  • Last Post 22 January 2018
Biju_Babu posted this 22 January 2018

Hello,

Forest1DomainA has one way External trust to Forest2DomainB
No firewalls between computers for now; both DFL & FFL in Server 2008R2.

Scenario: Forest1DomainA\User member of Forest1DomainA\Universal group accessing the shared folder set up in a Win 7 PC in Forest2DomainB.

Shared folder ACL as follows
Share Permission - Everyone - Full Control
NTFS -- Forest1DomainA\Universal - Full Control
NTFS -- System - Full Control
NTFS -- PC\Administrators - Full Control

When Forest1DomainA\User accesses the shared folder from a computer in Forest1DomainA, I am seeing an Access denied error message.

Forest1_DomainA\User can successfully access the shared folder;
If you add User identity directly to ACL
Or
If you add user identity nested through a global security group to ACL

I thought universal groups can be used to permission resources across forests; is that not the case? Or am I missing something here?

http://www.activedir.org/thread/cross-forest-trust-universal-groups - This is an old post I could find, where it says the Universal group should be able to work when adding to ACL directly.

Appreciate any thoughts.

Rgds
Biju

Biju_Babu posted this 22 January 2018

Thanks Brian.

  • User right: logon over the network? – Authenticated Users has logon over the network
  • Selective Authentication is not on? If it is on, then user right: allowed to authenticate is required. – No Selective Authentication
  • NTLM – I think the compatibility should be fine, but will validate it.

I have not specifically mentioned the above things earlier, thinking if they are not correct, user should not be able to access regardless of whether he is member of Global group, Universal group or directly added to ACL. Hope it makes sense.

Rgds

barkills posted this 22 January 2018



  • User right: logon over the network?
  • Selective Authentication is not on? If it is on, then user right: allowed to authenticate is required.
  • What authentication method is used? If NTLM, then LMCompatibilityLevel settings for every computer involved need to be compatible (i.e. all DCs, the client, and server--which in this case is win7)


 

All of those causes can produce the access denied error message and none of them are mentioned in your email which is why I'm asking. :)

 

Brian
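
The three checks listed in the post above, as an added read-only PowerShell example that is not part of the original thread. The function names are hypothetical helpers; it assumes an elevated prompt, with the local checks run on the Win 7 file server (the LM level also on the client and DCs) and the trust check run where the ActiveDirectory module is installed.

```powershell
# Added example (not from the thread): read-only checks for network logon right,
# Selective Authentication / SID filtering on the trust, and LmCompatibilityLevel.

function Get-NetworkLogonRight {
    # Export local user-rights assignments and keep the allow/deny network logon entries.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg | Where-Object { $_ -match '^Se(Deny)?NetworkLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $lines   # values are SIDs; *S-1-5-11 is Authenticated Users
}

function Get-LmCompatibilityLevel {
    # If the value is absent, the operating system default applies.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($p -and $null -ne $p.LmCompatibilityLevel) { $p.LmCompatibilityLevel }
    else { 'not set (OS default)' }
}

function Get-TrustFlags {
    # Decode trustAttributes on every trustedDomain object of the current domain.
    Import-Module ActiveDirectory
    $base = 'CN=System,' + (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustAttributes, trustDirection |
        ForEach-Object {
            $a = [int]$_.trustAttributes
            New-Object PSObject -Property @{
                Trust                   = $_.Name
                Direction               = $_.trustDirection      # 1 inbound, 2 outbound, 3 both
                SidFilteringQuarantine  = [bool]($a -band 0x4)   # QUARANTINED_DOMAIN
                ForestTransitive        = [bool]($a -band 0x8)   # false for an external trust
                SelectiveAuthentication = [bool]($a -band 0x10)  # CROSS_ORGANIZATION
            }
        }
}

Get-NetworkLogonRight
"LmCompatibilityLevel: $(Get-LmCompatibilityLevel)"
if (Get-Module -ListAvailable ActiveDirectory) { Get-TrustFlags | Format-Table -AutoSize }
```

If `SelectiveAuthentication` is true on the trust, the account also needs the "Allowed to authenticate" permission on the file server's computer object, as the post notes.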



 


cduers posted this 22 January 2018

Domain local groups are the way to go

Chris Duers
XL Catlin Global Technology
Identity, Directory, Security Infrastructure
M: 203-979-3914
