Windows Domain Trust Query

Associate
Joined
7 Aug 2012
Posts
949
Hi All,

I was wondering if anyone had any ideas with the situation I have...

I currently have two separate forests with a trust set up between them (bidirectional).

Both the Domain and Forest functional levels on each forest are at 2003.

Forest A is running Server 2003, and Forest B is running Server 2008R2.

I can create a Domain Local User Group on Forest B (Server 2008R2) and add users from Forest A (Server 2003), so as far as I can tell the trust is functioning as expected and there are no permission issues.

We have a bespoke application running on Forest B which for some reason does not recognise Domain Local User Groups. Additionally this application requires users to be added to the user group natively. This means that I can't create a Domain Local Group, add the users I need from Forest A and then add that Domain Local User Group to a Global/Universal User Group so that the bespoke application can see the users.

I think I already know the answer to my question, but is there any way of adding the users from Forest A into a Global/Universal User Group in Forest B? As this would allow the bespoke application to see/read the users from Forest A.

The bespoke application isn't something I've developed, I've had a look through some of the source code but can't see anything obvious as to how it reads the User Groups.

Thanks,

Swain90
 
I can create a Domain Local User Group on Forest B (Server 2008R2) and add users from Forest A (Server 2003), so as far as I can tell the trust is functioning as expected and there's no permission issues.

Can you not create a group in Forest A then add that group to the group in Forest B?

Additionally this application requires users to be added to the user group natively

Ah, that limitation would prevent my suggestion from working.

I've had a look through some of the source code but can't see anything obvious as to how it reads the User Groups.

Theoretically this is quite simple: if you're doing it directly, just check each entry for being a group or not and recurse. Put in a depth counter to prevent infinite recursion. But I haven't done any serious coding in decades, hence the theoretically.

It will likely be an LDAP lookup which will only take the CN of the domain the application is installed to.

If that's the case then this might help:

https://ldapwiki.com/wiki/Active Di...edSecurityGroupsRequiresAtLeastWindows2003SP2

Note the requirement for Server 2003 SP2.
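The recursive walk suggested in the reply above, written out as an added example that is neither the poster's nor the bespoke application's code. It runs against a constructed in-memory directory; in a real Windows build the lookup_members stand-in would be replaced by the lmaccess.h calls (NetGroupGetUsers / NetLocalGroupGetMembers), and the sample deliberately nests a group back into itself so the depth counter is exercised.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8   /* depth counter: stops runaway recursion on nested or cyclic groups */
#define MAX_OUT   32
/* Constructed sample directory (not real AD data): "g:" names are groups, "u:" are users.
 * g:DL-ForestA nests back into g:AppUsers to exercise the cycle case. */
typedef struct { const char *group; const char *members[4]; } Entry;
static const Entry DIR[] = {
    { "g:AppUsers",   { "g:DL-ForestA", "u:bob", NULL } },
    { "g:DL-ForestA", { "u:alice@forestA", "g:AppUsers", "u:carol@forestA", NULL } },
    { NULL, { NULL } }
};

/* Stand-in for the directory call (NetGroupGetUsers / NetLocalGroupGetMembers from
 * lmaccess.h on Windows): NULL-terminated direct members, or NULL if the group is unknown. */
static const char *const *lookup_members(const char *group) {
    for (const Entry *e = DIR; e->group; e++)
        if (strcmp(e->group, group) == 0) return e->members;
    return NULL;
}

/* Append user to out[] unless it was already collected via another nesting path. */
static int add_unique(const char **out, int n, const char *user) {
    for (int i = 0; i < n; i++)
        if (strcmp(out[i], user) == 0) return n;
    if (n < MAX_OUT) out[n++] = user;
    return n;
}

/* Walk group: users are collected, nested groups are recursed with depth + 1.
 * Returns the number of unique users now held in out[]. */
int resolve_users(const char *group, const char **out, int n, int depth) {
    if (depth > MAX_DEPTH) return n;               /* the depth counter from the reply */
    const char *const *m = lookup_members(group);
    if (!m) return n;
    for (; *m; m++)
        n = (strncmp(*m, "g:", 2) == 0) ? resolve_users(*m, out, n, depth + 1)
                                        : add_unique(out, n, *m);
    return n;
}

/* Convenience wrapper: how many distinct users does group expand to? */
int count_users(const char *group) {
    const char *out[MAX_OUT];
    return resolve_users(group, out, 0, 0);
}

int main(void) {
    const char *out[MAX_OUT];
    int n = resolve_users("g:AppUsers", out, 0, 0);
    for (int i = 0; i < n; i++) printf("%s\n", out[i]);
    return 0;
}
```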
 
Forest A also runs the same bespoke software (but an earlier version) and needs the User Group to also be Global/Universal for it to work so I couldn't add them the other way around.

I'm going to create a new domain in forest A and see if that gives me what I need.

It's not LDAP; having gone a bit further, the application uses lmaccess.h and uses functions within that API.
 