Re: External Trust - Can't see share contents

From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
Date: Wed, 31 Dec 2008 17:39:45 +0000 (UTC)

Hello bstillion,

Use the universal groups to configure the share access permissions. So that the other forest users use there own account which has to be added to the universal group that are configured on the share.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Goal: users in another forest can browse to a server share to view the
folders contents. The user should browse to \\servername\share and be
prompted for
username and password. There are local accounts on the server that
then allow
them to access the share.
Environment
Windows Server 2003 Domain with an External Trust to the remote
domain.
Connection is a point-to-point (TLS) being used primarily to
store/retrieve
information on the servers here from the users there and is working
fine.
Remote user experience
user can browse to server, but when they double click the share they
get
an "Access Denied" error.
Troubleshooting steps taken
Share and NTFS permissions have been checked numerous times and
are Share = Local group with local accounts have Change. NTFS = Local
group
with local accounts have Modify access.
Confirmed "Selective Authentication" is applied to the External Trust
but
cannot add the "allow to authenticate" permission to the local group
(can't
browse to it.)
Confirmed that no ACL or firewall settings are blocking access or
authentication.
Got this to work from another domain but don't see the difference
between
the trusts.
Any help is greatly appreciated.

References:
- External Trust - Can't see share contents
  - From: bstillion

Prev by Date: Re: Override time sync on a few workstations
Next by Date: Re: addon
Previous by thread: RE: External Trust - Can't see share contents
Next by thread: Domain Migration (Preserve Resource Access)
Index(es):
- Date
- Thread

Relevant Pages

401.3 Unauthorized: Logon Failed
... There is a subdirectory within this site on the web server ... Granting these accounts an elevated level of access on ... permissions as they relate to troubleshooting 401.3 ... Netscape doesn't support Windows Integrated Authentication ...
(microsoft.public.inetserver.iis.security)
Re: W2K3 local accounts lost on domain demotion?
... Once you demote a server you ... get new SAM database with new accounts and all old accounts are lost. ... >I think the local accounts were created when the server was part of the ...
(microsoft.public.windows.server.general)
Re: Permission migration to new domain
... The server will not be reloaded, ... So we need a way change all the existing permissions to ... DOMAIN_A\Accounts has access to the Accounts folder. ...
(microsoft.public.windows.server.active_directory)
Re: First Grade Basics Needed
... Unless you have deliberately disabled cached logins on the workstations ... > I think I will rename the local accounts to avoid confusion with the ... > local account, mike, and made a user account mike on the server. ...
(microsoft.public.windows.server.sbs)
Re: SSH without password - problems with particular userid
... without a password with no problem for most accounts - i.e., ... generated keys, set up authorized_keys files, set the appropriate ... permissions on directories, etc. ... Run a server with the same configuration in debug mode. ...
(comp.security.ssh)