Trans-Domain Resource Access


Tutorial: Accessing Resources Across Domains

In this tutorial, we create a new shared folder on the domain controller for the denver.guinea.pig domain. We wish to share this folder with the marketing group in the guinea.pig domain.

  1. On the denver domain controller, create a new folder named shares. Give it NTFS permissions of Full Control for the Administrators group only.

  2. Inside the shares folder, create a new folder named guinea_shares. This folder inherits the NTFS file permissions of its parent folder.

  3. Share the guinea_shares folder using network share permissions of Full Control for Administrators and Modify (read and write access) permissions for the Everyone group.

  4. Open Active Directory Users and Computers and create an OU named Cross Domain Objects.

  5. Create a new group inside the Cross Domain Objects OU. Name it guinea.pig Marketing Group. Under Group scope, select Domain Local and ensure that Security is selected for Group type. Click OK when finished.

  6. Right-click this new group and select Properties. Click the Members tab.

  7. Click Add. In order to add the Marketing group from the guinea.pig domain, we must tell our new domain controller where to find it. We can use either of these two syntaxes:

    object name@domain name

    or

    domain name\object name

    For our example here, we can type:

    marketing@guinea.pig

    or

    guinea.pig\marketing

    Enter either one of these examples and click Check Names. Windows replaces what you have typed with the name of the group you are adding. In this case, the word Marketing now appears.

  8. Click OK twice to dismiss the dialog boxes.

    We have added our first domain local group to the denver.guinea.pig domain. We have also nested a global group from the guinea.pig domain inside this new domain local group.

  9. Close Active Directory Users and Computers. Navigate back to the local path of the guinea_shares folder (for example, C:\shares\guinea_shares) and give the new guinea.pig Marketing Group Modify NTFS file permissions.

  10. Boot up one of our test Windows client computers and log on to the guinea.pig domain as a member of the Marketing group.

  11. Navigate to the shared folder on the denver domain controller at \\denver.guinea.pig\guinea_shares and create a new folder inside the share. As a member of the domain local group inside the denver domain, you have the permissions to create and delete files and folders inside this share.

  12. Log out and log back in as a member of the art department and navigate to the share located on denver's domain controller. Notice that you are denied access, as the art group was never added to the domain local group on the denver domain controller.
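The outcome of steps 11 and 12 can be checked with a small model of how the two permission layers combine. This is an added example, not part of the original tutorial: the user names mkt_user and art_user are hypothetical, the group data is constructed from the steps above, and the model covers allow entries only (no deny ACEs).

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMS = 8

# Simplified rights sets: "Modify" stands for read, write and delete.
MODIFY = Right.READ | Right.WRITE | Right.DELETE
FULL = MODIFY | Right.CHANGE_PERMS

DL_GROUP = r"denver.guinea.pig\guinea.pig Marketing Group"
ADMINS = r"denver.guinea.pig\Administrators"

# Constructed membership data: group -> direct members (users or groups).
MEMBERS = {
    r"guinea.pig\marketing": {r"guinea.pig\mkt_user"},  # global group, hypothetical user
    r"guinea.pig\art": {r"guinea.pig\art_user"},        # global group, hypothetical user
    DL_GROUP: {r"guinea.pig\marketing"},                # domain local group, step 7
}
SHARE_ACL = {ADMINS: FULL, "Everyone": MODIFY}          # step 3
NTFS_ACL = {ADMINS: FULL, DL_GROUP: MODIFY}             # steps 1, 2 and 9

def groups_of(user):
    """Every group the user is in, following nesting (global inside domain local)."""
    found, frontier = {"Everyone"}, {user}
    while frontier:
        # Groups that directly contain anything found in the previous round.
        frontier = {g for g, m in MEMBERS.items() if m & frontier} - found
        found |= frontier
    return found

def granted(acl, user):
    """Union of the rights an ACL allows to the user and all of its groups."""
    trustees = groups_of(user) | {user}
    rights = Right(0)
    for trustee, allowed in acl.items():
        if trustee in trustees:
            rights |= allowed
    return rights

def effective(user):
    """Over the network, a right must be allowed by both the share and NTFS."""
    return granted(SHARE_ACL, user) & granted(NTFS_ACL, user)

if __name__ == "__main__":
    for u in (r"guinea.pig\mkt_user", r"guinea.pig\art_user"):
        print(u, "->", repr(effective(u)))
```

The Everyone entry on the share lets the art user through the share layer, but the NTFS ACL has no entry that matches that user, so the effective access is empty.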




Active Directory By The Numbers. Windows Server 2003
ISBN: 0974759309
EAN: 2147483647
Year: 2003
Pages: 88
Authors: Marc Hoffman
