Hello, in part 2 of Administering a Trust Relationship we created a one-way trust between the SnoOpy.org and SnoOpy.net domains.
Before we start authenticating users from SnoOpy.net in SnoOpy.org, let's look at how to assign permissions to trusted identities (the users of SnoOpy.net).
[00:10] In the meantime, I recommend you review how trust relationship models and cross-domain resource access work: https://www.serverbrain.org/managing-security-2003/designing-trust-relationships-between-domains-and-forests.html
This is the step where we implement "Selective Authentication" on the trust instead of the default "Domain-wide Authentication". With selective authentication, administrators can make fine-grained access control decisions between external domains: only the foreign users you explicitly allow can authenticate to a given resource computer.
First we assign permissions for users in the SnoOpy.org forest on its own objects.
Then we do the same for users from SnoOpy.net, so that SnoOpy.org can authenticate users/objects from SnoOpy.net over the one-way trust we just created, exactly as it does for its own users (this is the spirit of a trust).
[00:55] Create a local user account, then assign it permissions on directories and on computer accounts.
Assigning permissions on a computer account requires Advanced Features (View > Advanced Features) in the ADUC console.
Now switch the trust's authentication mode from Domain-wide to Selective, so that only explicitly allowed remote users can authenticate, instead of all users as with Domain-wide.
Then assign permissions for the foreign users from SnoOpy.net on the objects of SnoOpy.org.
[03:30] Create a user account in SnoOpy.net (Y) that will be used for the permission assignments on the SnoOpy.org forest side (X).
[04:08] Switch to the DC of SnoOpy.org and add that remote user, DuongMinhThang, in the Security tab of the Contract folder, as we did earlier with the local user DMT.
[04:58] Because we enabled Selective Authentication, we must also explicitly grant the foreign users the "Allowed to Authenticate" permission on the computer object of the SnoOpy.org DC (the gatekeeper); without it, the NTFS permission on the folder alone is not enough.
[05:26] You need to prefix the remote user with its domain (SnoOpy.net\DuongMinhThang) for the Check Names function to resolve it.
[05:34] Enter an administrative credential for the SnoOpy.net forest so the user can be verified.
[05:50] The remote user's rights have been assigned successfully!
[05:56] Strictly, there is one more step: log on to a machine in the SnoOpy.net forest with that foreign user account, then access the shared folder "Contract" in SnoOpy.org to verify that the trust makes the two domains seamless and that the permissions take effect as defined.
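To check the result of the steps above from the SnoOpy.org side, here is an added PowerShell audit script (not from the video): it confirms the trust to SnoOpy.net is in Selective Authentication mode and lists every principal that holds the "Allowed to Authenticate" extended right on the DC's computer object. It assumes the ActiveDirectory RSAT module is installed and that the SnoOpy.org DC is named DC01 (a hypothetical name; replace it with yours).

```powershell
# Added example, not part of the original video.
# Assumes: ActiveDirectory module (RSAT), run on/against a SnoOpy.org DC named DC01 (hypothetical).
Import-Module ActiveDirectory

$TrustedDomain = 'SnoOpy.net'   # domain whose users we allow in
$DcName        = 'DC01'         # hypothetical name of the SnoOpy.org DC (the gatekeeper)

# Schema GUID of the "Allowed-To-Authenticate" extended right.
$AllowedToAuthGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Confirm the trust direction and that Selective Authentication is on.
#    (To switch it on from the command line instead of the GUI, the equivalent is:
#     netdom trust SnoOpy.org /domain:SnoOpy.net /SelectiveAuth:Yes )
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
if (-not $trust) { throw "No trust object found for $TrustedDomain" }

[pscustomobject]@{
    Trust                   = $trust.Name
    Direction               = $trust.Direction            # Inbound/Outbound/BiDirectional
    SelectiveAuthentication = $trust.SelectiveAuthentication
}

# 2. List who is allowed to authenticate to the DC computer object.
#    With Selective Authentication, a SnoOpy.net user who is NOT in this list is
#    refused before any NTFS permission on the "Contract" share is even evaluated.
$dc  = Get-ADComputer -Identity $DcName
$acl = Get-Acl -Path ("AD:\" + $dc.DistinguishedName)

$acl.Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $AllowedToAuthGuid)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

Run it as a SnoOpy.org administrator. If SelectiveAuthentication shows False, the trust is still Domain-wide and every authenticated SnoOpy.net user can reach SnoOpy.org resources; if it shows True but SnoOpy.net\DuongMinhThang is absent from the second listing, the "Allowed to Authenticate" step from [04:58] is missing and the user will be denied at logon to the DC regardless of the folder ACL.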
However, I guarantee that it is going to work, though we set them up only as guidelines.
[06:03] More info about the trust relationship:
I'm sure that you will get more excited about AD RMS and AD FS as better candidates than a Trust; keep track of my YouTube channel :3