Trust Relationship Problem

Guest
Archived from groups: microsoft.public.windowsnt.domain

Hello

I'm hoping someone might be able to point me in the right direction...

I have two Windows NT 4.0 SP6 domains.

I have created a one-way trust between them. DomainA trusts DomainB.

The Administrator of DomainB has created a Global Group containing the users
who need access to a share in DomainA.

I have created a Domain Local Group in DomainA that contains the Global
Group from DomainB.

I have assigned Change permissions to a share on DomainA's PDC at both the
share and NTFS levels to the DomainA Local Group.

When a member of the DomainB Global Group tries to access the share in
DomainA from DomainB's PDC they get an 'Access Denied' message.

If they type \\DomainA-PDC they are able to list the shares, but cannot go
into any of them.

They are able to map to the share using a DomainA user account which rules
out connectivity problems.

LMHOSTS files are being used for name resolution. There are entries for all
the DCs as well as 1b and 1c entries.

The trust looks like it's ok, as all the LSA secrets and passwords are in
the registries of the DCs.

I have no idea why we're getting the 'Access Denied' error. I'm starting to
think I've missed something really obvious!

Any help would be greatly appreciated!

Thanks,

Lisa
 
Guest

There is a "change" permission on the share but not on
the NTFS permissions. Can we assume you chose
modify.

"Lisa" <Lisa@nospam> wrote in message
news:%230mKLUhUEHA.2716@tk2msftngp13.phx.gbl...
> Hello
>
> I'm hoping someone might be able to point me in the right direction...
>
> I have two Windows NT 4.0 SP6 domains.
>
> I have created a one-way trust between them. DomainA trusts DomainB.
>
> The Administrator of DomainB has created a Global Group containing the users
> who need access to a share in DomainA.
>
> I have created a Domain Local Group in DomainA that contains the Global
> Group from DomainB.
>
> I have assigned Change permissions to a share on DomainA's PDC at both the
> share and NTFS levels to the DomainA Local Group.
>
> When a member of the DomainB Global Group tries to access the share in
> DomainA from DomainB's PDC they get an 'Access Denied' message.
>
> If they type \\DomainA-PDC they are able to list the shares, but cannot go
> into any of them.
>
> They are able to map to the share using a DomainA user account which rules
> out connectivity problems.
>
> LMHOSTS files are being used for name resolution. There are entries for all
> the DCs as well as 1b and 1c entries.
>
> The trust looks like it's ok, as all the LSA secrets and passwords are in
> the registries of the DCs.
>
> I have no idea why we're getting the 'Access Denied' error. I'm starting to
> think I've missed something really obvious!
>
> Any help would be greatly appreciated!
 
Guest

Hi Michael,

Sorry, it was Modify at the NTFS level.

Thanks,

Lisa

"Michael Giorgio - MS MVP" <Michael.Giorgio@NoSpam.mayerson.com> wrote in
message news:unPE1IiUEHA.2692@TK2MSFTNGP09.phx.gbl...
> There is a "change" permission on the share but not on
> the NTFS permissions. Can we assume you chose
> modify.
>
> "Lisa" <Lisa@nospam> wrote in message
> news:%230mKLUhUEHA.2716@tk2msftngp13.phx.gbl...
> > Hello
> >
> > I'm hoping someone might be able to point me in the right direction...
> >
> > I have two Windows NT 4.0 SP6 domains.
> >
> > I have created a one-way trust between them. DomainA trusts DomainB.
> >
> > The Administrator of DomainB has created a Global Group containing the users
> > who need access to a share in DomainA.
> >
> > I have created a Domain Local Group in DomainA that contains the Global
> > Group from DomainB.
> >
> > I have assigned Change permissions to a share on DomainA's PDC at both the
> > share and NTFS levels to the DomainA Local Group.
> >
> > When a member of the DomainB Global Group tries to access the share in
> > DomainA from DomainB's PDC they get an 'Access Denied' message.
> >
> > If they type \\DomainA-PDC they are able to list the shares, but cannot go
> > into any of them.
> >
> > They are able to map to the share using a DomainA user account which rules
> > out connectivity problems.
> >
> > LMHOSTS files are being used for name resolution. There are entries for all
> > the DCs as well as 1b and 1c entries.
> >
> > The trust looks like it's ok, as all the LSA secrets and passwords are in
> > the registries of the DCs.
> >
> > I have no idea why we're getting the 'Access Denied' error. I'm starting to
> > think I've missed something really obvious!
> >
> > Any help would be greatly appreciated!
 
Guest

Okay Lisa,

How exactly did you create the one way trust relationship
e.g., you have to add DomainB to the trusted domains
field in DomainA.

"Lisa" <Lisa@nospam> wrote in message
news:Ot7hWOiUEHA.2944@tk2msftngp13.phx.gbl...
>
> Sorry, it was Modify at the NTFS level.
>
>
 
Guest

Hi Michael,

Yes,

DomainB is in the Trusted Domains field in Trust Relationships in User
Manager for DomainA.

DomainA is in the Trusting Domains field in DomainB's User Manager.

The administrator of DomainB added DomainA to the trusting domains field and
set the password. I then added DomainB to the trusted domains field in
DomainA.

When the trust was created the dialog box popped up saying that the Trust
Relationship was created successfully.

Thanks for your help,

Lisa


"Michael Giorgio - MS MVP" <Michael.Giorgio@NoSpam.mayerson.com> wrote in
message news:%23UxSo3iUEHA.2724@TK2MSFTNGP11.phx.gbl...
> Okay Lisa,
>
> How exactly did you create the one way trust relationship
> e.g., you have to add DomainB to the trusted domains
> field in DomainA.
>
> "Lisa" <Lisa@nospam> wrote in message
> news:Ot7hWOiUEHA.2944@tk2msftngp13.phx.gbl...
> >
> > Sorry, it was Modify at the NTFS level.
> >
> >
>
>
 
Guest

Well that rules out the obvious.. <g> If I follow you..

DomainB\user is a member of a DomainB global group
which belongs to a DomainA local group. Domain A
local group has "change" share level access to a share on
the Domain A PDC and "modify" NTFS permissions to
the directory? DomainB\user attempts to access the
Domain A share while physically logged on to the PDC
or a Domain B client machine? There are no duplicate
accounts e.g., same username and password? If they
are attempting to access from a Domain B client machine
try editing the lmhosts on the client machine as well to
see if this resolves your issue.

"Lisa" <Lisa@nospam> wrote in message
> Yes,
>
> DomainB is in the Trusted Domains field in Trust Relationships in User
> Manager for DomainA.
>
> DomainA is in the Trusting Domains field in DomainB's User Manager.
>
> The administrator of DomainB added DomainA to the trusting domains field and
> set the password. I then added DomainB to the trusted domains field in
> DomainA.
>
> When the trust was created the dialog box popped up saying that the Trust
> Relationship was created successfully.
>
> Thanks for your help,
 
Guest

Hi Michael.

All you have stated is correct. That is the way it's set up.

DomainB\user is logged onto DomainB PDC which has all the necessary lmhosts
entries. DomainB\user is also a member of DomainB domain admins, although
this probably isn't relevant.

DomainB\user has also tried from a client PC with the lmhosts entries.

There are no duplicate accounts.

Thank-you for your help.

Lisa


"Michael Giorgio - MS MVP" <Michael.Giorgio@NoSpam.mayerson.com> wrote in
message news:%23tOmaQxUEHA.2972@TK2MSFTNGP12.phx.gbl...
> Well that rules out the obvious.. <g> If I follow you..
>
> DomainB\user is a member of a DomainB global group
> which belongs to a DomainA local group. Domain A
> local group has "change" share level access to a share on
> the Domain A PDC and "modify" NTFS permissions to
> the directory? DomainB\user attempts to access the
> Domain A share while physically logged on to the PDC
> or a Domain B client machine? There are no duplicate
> accounts e.g., same username and password? If they
> are attempting to access from a Domain B client machine
> try editing the lmhosts on the client machine as well to
> see if this resolves your issue.
>
> "Lisa" <Lisa@nospam> wrote in message
> > Yes,
> >
> > DomainB is in the Trusted Domains field in Trust Relationships in User
> > Manager for DomainA.
> >
> > DomainA is in the Trusting Domains field in DomainB's User Manager.
> >
> > The administrator of DomainB added DomainA to the trusting domains field and
> > set the password. I then added DomainB to the trusted domains field in
> > DomainA.
> >
> > When the trust was created the dialog box popped up saying that the Trust
> > Relationship was created successfully.
> >
> > Thanks for your help,
 
Guest

Time to start experimenting a bit to try and isolate
the issue. Change the share level access to full
control and give it a shot. If no change; change the
NTFS to full control and try it. Any luck? Next try
adding the domain B "domain admin" group to the
Domain A local group. Also you may want to enable
auditing on each domain for logon/logoff success and
failure then check the security log in the event viewer
on both PDCs to get more details of why access is
being denied.

"Lisa" <Lisa@nospam> wrote in message news:
>
> All you have stated is correct. That is the way it's set up.
>
> DomainB\user is logged onto DomainB PDC which has all the necessary lmhosts
> entries. DomainB\user is also a member of DomainB domain admins, although
> this probably isn't relevant.
>
> DomainB\user has also tried from a client PC with the lmhosts entries.
>
> There are no duplicate accounts.
>
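
An added example, not written by any poster in this thread: a Python check of the quoted 1b and 1c LMHOSTS entries mentioned in the first post, whose NetBIOS name must be space-padded to exactly 15 characters before the `\0xNN` type byte. The addresses, host names and helper names below are constructed for illustration.

```python
import re

# Matches an LMHOSTS line whose NetBIOS name is quoted, e.g. the 1b/1c entries.
QUOTED = re.compile(r'^(\S+)\s+"([^"]*)"')
SUFFIX = re.compile(r'\\0x([0-9A-Fa-f]{2})$')

def check_special_entries(text):
    """Return (findings, seen): format problems and the suffixes found per name."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = QUOTED.match(raw.strip())
        if not m:
            continue  # comment, blank line or ordinary host entry
        quoted = m.group(2)
        s = SUFFIX.search(quoted)
        if not s:
            findings.append((lineno, "quoted name has no \\0xNN suffix"))
            continue
        padded = quoted[:s.start()]
        if len(padded) != 15:
            findings.append((lineno, f"name field is {len(padded)} characters, must be 15"))
        seen.setdefault(padded.strip().upper(), set()).add(s.group(1).lower())
    # Each domain name seen should have both a 1b and a 1c entry.
    for name, suffixes in sorted(seen.items()):
        for want in ("1b", "1c"):
            if want not in suffixes:
                findings.append((0, f"{name}: no \\0x{want} entry"))
    return findings, seen

def entry(ip, name, suffix, width=15):
    # Hypothetical helper that builds a quoted entry; width=15 is the correct padding.
    return f'{ip}  "{name.ljust(width)}\\0x{suffix}"  #PRE'

# Constructed sample: addresses and host names are placeholders.
SAMPLE = "\n".join([
    "10.0.0.10  DOMAINA-PDC  #PRE #DOM:DOMAINA",
    entry("10.0.0.10", "DOMAINA", "1b"),
    entry("10.0.0.10", "DOMAINA", "1c"),
    "10.0.1.10  DOMAINB-PDC  #PRE #DOM:DOMAINB",
    entry("10.0.1.10", "DOMAINB", "1b", width=12),  # wrong padding
    entry("10.0.1.10", "DOMAINB", "1c"),
])

if __name__ == "__main__":
    for lineno, problem in check_special_entries(SAMPLE)[0]:
        print(f"line {lineno}: {problem}")
```

Run against the LMHOSTS file on each domain controller, a finding on a 1b or 1c line means that entry is malformed and name resolution for that domain may be failing even though the file looks complete.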