Hi, We currently have two forests with an one way outgoing external trust connecting them. I have added the domain admins from domain A (Trusted) to domain B (Trusting) builtin administrators group. Our plan is with this model is to only have one domain admin account to manage mutiple forests. The trusted domain is server 2003 (S2003 Funtional for domain and forest) and the trusting is server 2008 r2 (2008 R2 Funtiona level for forest and domain. When connecting to group policy console on the trusting domain logged on as a user from the trusted domain i can view policies on the trusted forest. I guess this is correct because you are logged on with account which has access to the trusted domain What i am confused about is what is the one way trust actually achieving in this instance. I am concerned in someone manages to compromise an account in the trusted domain that they will have access to both forests. Is this correct or am i missing something here? Any Help would be much appreciated Stuart.