Trouble Browsing Accounts in Trusted Domain

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

We have Domain A and Domain B trusted through a two-way
trust. Domain A can browse Domain B's accounts through
User Manager, but Domain B cannot browse Domain A's
accounts. When we try to connect using User Manager, we
get "Access Denied".

Here's what I have verified:

Entries in WINS (1c accounts pointing to each domain's
PDCs) are fine.
I have entries in LMHOSTS on both sides
I have used NLTest to check on the secure connection - OK
I have broken and re-established the trust.

Anyone have any suggestions?

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Check and be sure to add the domain B "domain admin"
group to the local administrator on domain A.

"Jason Hunt" <shibuii@hotmail.com> wrote in message
news:209d01c49a64$15f7e070$a401280a@phx.gbl...
> We have Domain A and Domain B trusted through a two-way
> trust. Domain A can browse Domain B's accounts through
> User Manager, but Domain B cannot browse Domain A's
> accounts. When we try to connect using User Manager, we
> get "Access Denied".
>
> Here's what I have verified:
>
> Entries in WINS (1c accounts pointing to each domain's
> PDCs) are fine.
> I have entries in LMHOSTS on both sides
> I have used NLTest to check on the secure connection - OK
> I have broken and re-established the trust.
>
> Anyone have any suggestions?

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

We (being domain B) don't want to administer Domain A. We
just want to be able to browse the domain user account
listing and select certain users for permissions.

Is it absolutely necessary to put the domain admin group
in there? We don't have it for any other domains we trust.

I'll try it and report back. In the meantime, is there
any other way around it?

Thanks.

Jason
>-----Original Message-----
>Check and be sure to add the domain B "domain admin"
>group to the local administrator on domain A.
>
>"Jason Hunt" <shibuii@hotmail.com> wrote in message
>news:209d01c49a64$15f7e070$a401280a@phx.gbl...
>> We have Domain A and Domain B trusted through a two-way
>> trust. Domain A can browse Domain B's accounts through
>> User Manager, but Domain B cannot browse Domain A's
>> accounts. When we try to connect using User Manager, we
>> get "Access Denied".
>>
>> Here's what I have verified:
>>
>> Entries in WINS (1c accounts pointing to each domain's
>> PDCs) are fine.
>> I have entries in LMHOSTS on both sides
>> I have used NLTest to check on the secure connection -
OK
>> I have broken and re-established the trust.
>>
>> Anyone have any suggestions?
>
>
>.
>

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

It worked, but I don't feel comfortable being the domain
admin of a remote domain that we don't control.

Is there any reason why this would happen? It obviously
seems to be a permissions issue, but where would the
problem lie?

We haven't done this with any other domain we trust, and
we can browse their accounts perfectly.

Jason
>-----Original Message-----
>We (being domain B) don't want to administer Domain A.
We
>just want to be able to browse the domain user account
>listing and select certain users for permissions.
>
>Is it absolutely necessary to put the domain admin group
>in there? We don't have it for any other domains we
trust.
>
>I'll try it and report back. In the meantime, is there
>any other way around it?
>
>Thanks.
>
>Jason
>>-----Original Message-----
>>Check and be sure to add the domain B "domain admin"
>>group to the local administrator on domain A.
>>
>>"Jason Hunt" <shibuii@hotmail.com> wrote in message
>>news:209d01c49a64$15f7e070$a401280a@phx.gbl...
>>> We have Domain A and Domain B trusted through a two-way
>>> trust. Domain A can browse Domain B's accounts through
>>> User Manager, but Domain B cannot browse Domain A's
>>> accounts. When we try to connect using User Manager,
we
>>> get "Access Denied".
>>>
>>> Here's what I have verified:
>>>
>>> Entries in WINS (1c accounts pointing to each domain's
>>> PDCs) are fine.
>>> I have entries in LMHOSTS on both sides
>>> I have used NLTest to check on the secure connection -
>OK
>>> I have broken and re-established the trust.
>>>
>>> Anyone have any suggestions?
>>
>>
>>.
>>
>.
>

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Hi Jason,

You can't browse the properties of a remote domain
and change permissions on that domain without
administrative privileges on that domain.

"Jason Hunt" <shibuii@hotmail.com> wrote in message
news:213a01c49a7f$90e72cd0$a301280a@phx.gbl...
> It worked, but I don't feel comfortable being the domain
> admin of a remote domain that we don't control.
>
> Is there any reason why this would happen? It obviously
> seems to be a permissions issue, but where would the
> problem lie?
>
> We haven't done this with any other domain we trust, and
> we can browse their accounts perfectly.
>
> Jason
> >-----Original Message-----
> >We (being domain B) don't want to administer Domain A.
> We
> >just want to be able to browse the domain user account
> >listing and select certain users for permissions.
> >
> >Is it absolutely necessary to put the domain admin group
> >in there? We don't have it for any other domains we
> trust.
> >
> >I'll try it and report back. In the meantime, is there
> >any other way around it?
> >
> >Thanks.
> >
> >Jason
> >>-----Original Message-----
> >>Check and be sure to add the domain B "domain admin"
> >>group to the local administrator on domain A.
> >>
> >>"Jason Hunt" <shibuii@hotmail.com> wrote in message
> >>news:209d01c49a64$15f7e070$a401280a@phx.gbl...
> >>> We have Domain A and Domain B trusted through a two-way
> >>> trust. Domain A can browse Domain B's accounts through
> >>> User Manager, but Domain B cannot browse Domain A's
> >>> accounts. When we try to connect using User Manager,
> we
> >>> get "Access Denied".
> >>>
> >>> Here's what I have verified:
> >>>
> >>> Entries in WINS (1c accounts pointing to each domain's
> >>> PDCs) are fine.
> >>> I have entries in LMHOSTS on both sides
> >>> I have used NLTest to check on the secure connection -
> >OK
> >>> I have broken and re-established the trust.
> >>>
> >>> Anyone have any suggestions?
> >>
> >>
> >>.
> >>
> >.
> >

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Michael -

I'm not looking to change permissions on that domain.
Maybe I'm misstating myself.

I'm looking to add the members of Domain A to groups in
Domain B. Problem is that I can't do that...every time I
try and pull up Domain B's account list in User Manager, I
get an "Access Denied" message.

Domain A can browse Domain B's accounts, and put them in
groups on their servers. It's just not working the other
way around.

I guess you could consider us a resource domain, and the
members of Domain A need to be added to groups here to get
access.

Thanks in advance for all your help.

Jason
>-----Original Message-----
>Hi Jason,
>
>You can't browse the properties of a remote domain
>and change permissions on that domain without
>administrative privileges on that domain.
>
>"Jason Hunt" <shibuii@hotmail.com> wrote in message
>news:213a01c49a7f$90e72cd0$a301280a@phx.gbl...
>> It worked, but I don't feel comfortable being the domain
>> admin of a remote domain that we don't control.
>>
>> Is there any reason why this would happen? It obviously
>> seems to be a permissions issue, but where would the
>> problem lie?
>>
>> We haven't done this with any other domain we trust, and
>> we can browse their accounts perfectly.
>>
>> Jason
>> >-----Original Message-----
>> >We (being domain B) don't want to administer Domain A.
>> We
>> >just want to be able to browse the domain user account
>> >listing and select certain users for permissions.
>> >
>> >Is it absolutely necessary to put the domain admin
group
>> >in there? We don't have it for any other domains we
>> trust.
>> >
>> >I'll try it and report back. In the meantime, is there
>> >any other way around it?
>> >
>> >Thanks.
>> >
>> >Jason
>> >>-----Original Message-----
>> >>Check and be sure to add the domain B "domain admin"
>> >>group to the local administrator on domain A.
>> >>
>> >>"Jason Hunt" <shibuii@hotmail.com> wrote in message
>> >>news:209d01c49a64$15f7e070$a401280a@phx.gbl...
>> >>> We have Domain A and Domain B trusted through a two-
way
>> >>> trust. Domain A can browse Domain B's accounts
through
>> >>> User Manager, but Domain B cannot browse Domain A's
>> >>> accounts. When we try to connect using User
Manager,
>> we
>> >>> get "Access Denied".
>> >>>
>> >>> Here's what I have verified:
>> >>>
>> >>> Entries in WINS (1c accounts pointing to each
domain's
>> >>> PDCs) are fine.
>> >>> I have entries in LMHOSTS on both sides
>> >>> I have used NLTest to check on the secure
connection -
>> >OK
>> >>> I have broken and re-established the trust.
>> >>>
>> >>> Anyone have any suggestions?
>> >>
>> >>
>> >>.
>> >>
>> >.
>> >
>
>
>.
>

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

You in effect are attempting to add permissions to accounts
on a remote domain. You can't do this without admin privileges.

"Jason Hunt" <shibuii@hotmail.com> wrote in message news:
> I'm not looking to change permissions on that domain.
> Maybe I'm misstating myself.
>
> I'm looking to add the members of Domain A to groups in
> Domain B. Problem is that I can't do that...every time I
> try and pull up Domain B's account list in User Manager, I
> get an "Access Denied" message.
>
> Domain A can browse Domain B's accounts, and put them in
> groups on their servers. It's just not working the other
> way around.
>
> I guess you could consider us a resource domain, and the
> members of Domain A need to be added to groups here to get
> access.
>
> Thanks in advance for all your help.

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

Then how am I able to do this on 5 other domains without
adding this entry?

And I'm not adding permissions to accounts on a remote
domain. It's my domain that they are trying to get to.
The permissions are on my server - they are not
transferred through the trust.

As far as I understand it, when the person passes through
the trust to my domain, it checks their incoming
username/pw against the permissions I have set up on my
shares/files. I'm not adding anything to their domain.
>-----Original Message-----
>You in effect are attempting to add permissions to
accounts
>on a remote domain. You can't do this without admin
privileges.
>
>"Jason Hunt" <shibuii@hotmail.com> wrote in message news:
>> I'm not looking to change permissions on that domain.
>> Maybe I'm misstating myself.
>>
>> I'm looking to add the members of Domain A to groups in
>> Domain B. Problem is that I can't do that...every time
I
>> try and pull up Domain B's account list in User
Manager, I
>> get an "Access Denied" message.
>>
>> Domain A can browse Domain B's accounts, and put them in
>> groups on their servers. It's just not working the
other
>> way around.
>>
>> I guess you could consider us a resource domain, and the
>> members of Domain A need to be added to groups here to
get
>> access.
>>
>> Thanks in advance for all your help.
>
>
>.
>

 

[Guest]

Archived from groups: microsoft.public.windowsnt.domain (More info?)

<anonymous@discussions.microsoft.com> wrote in message news:
> Then how am I able to do this on 5 other domains without
> adding this entry?

Probably because you are using a duplicate account (same user
nameand password).

>
> And I'm not adding permissions to accounts on a remote
> domain. It's my domain that they are trying to get to.
> The permissions are on my server - they are not
> transferred through the trust.

Call it whatever you like you are adding perms to
the remote users which requires a security change
on the remote domain. The credentials are passed
back to the DC of the remote domain for authentication.


>
> As far as I understand it, when the person passes through
> the trust to my domain, it checks their incoming
> username/pw against the permissions I have set up on my
> shares/files. I'm not adding anything to their domain.

No it passes the credentials back to a DC of it's
domain for authentication then checks for necessary
permissions but this is irrelevant.