
Inter Domain Permissions

By RonMM
I think I'm being put on by someone:

If you create the SAME userid & password for user a in NT domains X & Y, does X\a get the permissions given to Y\a? I know the SIDs are different, but does NT "sync up" or pass the permissions from domain Y to the user logged into X\a somehow?


All Comments


Inter Domain Permissions

by Nivek R. In reply to Inter Domain Permissions

We recently had to do this in order to get our in-house mail server to talk to our off-site Citrix server, and by giving user Y\a the same user id and password, he now has user X\a's permissions in domain X.


Inter Domain Permissions

by RonMM In reply to Inter Domain Permissions

Restatement of question saying it worked - and the detail conflicts with what appears to be a more thorough answer (#2).


Inter Domain Permissions

by RonMM In reply to Inter Domain Permissions

If this bit of arcanum is true, please point me to anything in MS docs/technet that discusses it.


Inter Domain Permissions

by timwalsh In reply to Inter Domain Permissions

Couple of different issues here:
1. What you probably heard about is "Pass-through authentication." This is not the same as permissions being passed from 1 domain to another. Its usefulness mainly applies to down-level Windows clients (Win9x/WinME). It is mainly used to allow a single sign-on to multiple domains and works in the following manner:

Domain X and domain Y each have a user account (user A) with the same user ID and password. User A's computer is set up to not specify a domain to log on to (i.e. only provide user ID and password). User A (normally connected to domain X) provides a user ID and password at log-on that is recognized by domain X and is thus given the permissions assigned to the user account A on Domain X. Later, user A attempts to connect to a shared resource on domain Y. Because user A has already provided a user ID and password that is recognized by domain Y, user A is allowed to connect, BUT only with those permissions set for the user A account on that domain.

In this scenario, even though user A has been authenticated by both domains, he only has those permissions specific to each domain.

2. Even if you have a trust relationship between 2 domains (where domain X recognizes and "trusts" user accounts in domain Y and vice-versa), a user still only has those permissions assigned to him in each domain. In this scenario, a user could be an administrator in domain X. Even though domains X & Y have trust relationships with each other (i.e. recognize and accept user authentication), unless the user is specifically given administrator permissions in domain Y, he will be logged on as a normal user.
(continued)


Inter Domain Permissions

by timwalsh In reply to Inter Domain Permissions

In Answer 1, there is a slightly separate issue.
It appears that the users have the same permissions on both domains only because the same permissions were applied to the user's account in both domains, not because both accounts have the same user ID and password. This was done so that users need provide only a single set of credentials to use both resources. The credentials supplied at the beginning of the current session are being "passed through" to the other resource.

Hope this clears things up a little.
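
The behaviour described in the two posts above, as an added example that is not part of the original thread: a simplified Python model in which each domain validates the same credentials against its own account database and issues a token containing only its own SIDs and group memberships. The `Domain` class, the SID values and the password hashing scheme are constructed for illustration and are not how Windows implements this internally.

```python
# Simplified model of the behaviour described above; constructed for
# illustration and not how Windows implements authentication internally.
import hashlib
import secrets


class Domain:
    def __init__(self, name, domain_sid):
        self.name, self.domain_sid = name, domain_sid  # SID prefix is a constructed value
        self.accounts = {}   # lowercased user name -> (sid, salt, password digest)
        self.groups = {}     # group name -> set of member SIDs
        self.next_rid = 1001

    def add_user(self, user, password, groups=()):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[user.lower()] = (sid, salt, digest)
        for group in groups:
            self.groups.setdefault(group, set()).add(sid)
        return sid

    def authenticate(self, user, password):
        """Validate against THIS domain's account database; return its token or None."""
        entry = self.accounts.get(user.lower())
        if entry is None:
            return None
        sid, salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        if not secrets.compare_digest(candidate, digest):
            return None
        member_of = {f"{self.name}\\{g}" for g, sids in self.groups.items() if sid in sids}
        return {"user_sid": sid, "groups": member_of}


def access_allowed(token, acl):
    """The ACL holds SIDs and domain-qualified groups, never names or passwords."""
    return token is not None and bool(({token["user_sid"]} | token["groups"]) & acl)


def demo():
    x = Domain("X", "S-1-5-21-1111-1111-1111")
    y = Domain("Y", "S-1-5-21-2222-2222-2222")
    x.add_user("a", "SamePassw0rd!", groups=["Administrators"])
    y.add_user("a", "SamePassw0rd!")          # same name and password, ordinary user
    creds = ("a", "SamePassw0rd!")            # client sends no domain name
    tok_x, tok_y = x.authenticate(*creds), y.authenticate(*creds)
    share_acl = {"Y\\Administrators"}         # resource in domain Y
    return tok_x, tok_y, access_allowed(tok_x, share_acl), access_allowed(tok_y, share_acl)
```

Both domains accept the credentials, but neither token satisfies the Y-side ACL: the administrator membership exists only in X's token, and Y's token carries only what Y assigned to its own account.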


Inter Domain Permissions

by RonMM In reply to Inter Domain Permissions

Very clear & detailed answer - thanks. Looked up pass through authentication in MS Knowledgebase & got more detail - thanks for providing correct term.


Inter Domain Permissions

by RonMM In reply to Inter Domain Permissions

This question was closed by the author
