Can the below be accomplished and how? We have domain A that has a secondary zone to domain B. Users on Domain B have been set up in Domain A and there for they can access the programs being hosted by domain A. The question becomes on how can i have the users in Domain B authenticate in a such way that would also allow them access to drive mappings on Domain A without having them manually run a batch file that would map them to the neccessary drives?

Hello, to access resources of the domain, you have to create a trust relationship. For drive mapping, you can use GPP. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Hi Mr X, Currently users from domain B can access the software program being hosted by domain A because the users from Domain B have been set up in domain A using a different username and password than they use to login locally to their network. This was accomplished by creating a trusted router mapping, secondary zone and zone transfer between the DNS servers. The issue is when a user tries to access a network mapping on domain A they manually need to run a script that authenticates / grants them access to domain A. This can get messy if the user actually needs access to other mappings. I was wondering if there was a way to authenticate them right when they authenticate locally on their domain so that they do not need to run a script or call us every time they need to change their password? All of this would need to happen without having both domain creating a forest.

Hello, to access resources of the domain, you have to create a trust relationship. For drive mapping, you can use GPP. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Hi, There are trusting and trusted domains, trusted domain can access resource in trusting domain. It means that the group in trusted domain can have members from trusting domain. But the group should be a domain local group in trusted domain, the members should be added into universal group in trusting domain, and then add this universal group from trusting domain to the domain local group in the trusted domain. For more information, please refer to the following Microsoft TechNet articles: Domain Trust http://technet.microsoft.com/en-us/library/cc961481.aspx Group scope http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx In addition, you may also need to enable the “Allow Cross-Forest User Policy and Roaming User Profiles” Group Policy. If it does not work, please also read the following Microsoft KB article: A user in a trusted external domain cannot log on to a Windows Server 2003-based domain even though the "Allow Cross-Forest User Policy and Roaming User Profiles" Group Policy setting is enabled http://support.microsoft.com/kb/896683 For more information, please refer to the following Microsoft TechNet articles: Accessing resources across forests http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx Accessing resources across domains http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, There are trusting and trusted domains, trusted domain can access resource in trusting domain. It means that the group in trusted domain can have members from trusting domain. But the group should be a domain local group in trusted domain, the members should be added into universal group in trusting domain, and then add this universal group from trusting domain to the domain local group in the trusted domain. For more information, please refer to the following Microsoft TechNet articles: Domain Trust http://technet.microsoft.com/en-us/library/cc961481.aspx Group scope http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx In addition, you may also need to enable the “Allow Cross-Forest User Policy and Roaming User Profiles” Group Policy. If it does not work, please also read the following Microsoft KB article: A user in a trusted external domain cannot log on to a Windows Server 2003-based domain even though the "Allow Cross-Forest User Policy and Roaming User Profiles" Group Policy setting is enabled http://support.microsoft.com/kb/896683 For more information, please refer to the following Microsoft TechNet articles: Accessing resources across forests http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx Accessing resources across domains http://technet.microsoft.com/en-us/library/cc787646(WS.10).aspx Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.