Recommended methods to permit account lookups and interactive logons across forests

Article ID: 816467
Last Review: September 11, 2008
Revision: 5.0
SUMMARY

When you implement a forest trust between your Windows Server 2003 forests instead of using an external trust as you might have in earlier versions of Windows, user authentication for access to resources and for the assignment of permissions is performed differently. This article describes the methods that you can use to make sure that the cross-forest authentication is successful.

MORE INFORMATION

To permit cross-forest account lookup operations for the purpose of setting permissions

Use the following methods to add users from other forests to access control lists (ACLs) and share permissions.

Microsoft Windows 2000

To perform these operations on Windows 2000-based computers:
Use the Xcacls.exe command-line utility to assign share permissions.
Assign the share permissions by using a Windows XP-based computer.
Use the Net.exe command to add users in other forests to local groups on the Windows 2000-based computer.
Use a Windows XP-based computer to open the Local Users and Groups Microsoft Management Console (MMC) snap-in of the Windows 2000-based computer, and then add the users from the remote forest to the local users and groups of the Windows 2000-based computer.
To permit looking up users in a cross-forest topology, install Windows 2000 Service Pack 4 (SP4).

Microsoft Windows XP

To perform these operations from a Windows XP Professional-based computer:
Use the user principal name (UPN) format (user@domain.com) to specify the user from the remote forest when you assign permissions.
Use the Universal Naming Convention (UNC) format (Domain\User) to specify the user from the remote forest when you assign permissions.
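The following PowerShell sketch is an added example, not part of the original article. It checks that a remote-forest account resolves to a security identifier (SID) in both name formats before you rely on it in an ACL or share permission. The account names are the article's placeholders, and Resolve-AccountName is a hypothetical helper name; the sketch assumes PowerShell 2.0 or later is installed on the computer where you run it.

```powershell
# Added example: verify cross-forest account lookup in both name formats.
# Resolve-AccountName is a hypothetical helper; replace the placeholder
# names at the bottom with a real account from the trusted forest.
function Resolve-AccountName {
    param([Parameter(Mandatory = $true)][string]$Name)

    $result = New-Object PSObject -Property @{
        Name = $Name; Format = $null; Sid = $null; Error = $null
    }

    # Classify the input so a malformed name is reported before any lookup.
    if ($Name -match '^[^\\@]+\\[^\\@]+$') {
        $result.Format = 'Domain\User'
    } elseif ($Name -match '^[^\\@]+@[^\\@]+$') {
        $result.Format = 'UPN'
    } else {
        $result.Error = 'Unrecognized name format'
        return $result
    }

    try {
        # NTAccount.Translate asks the local security authority to map the
        # name to a SID; for a remote-forest account this uses the trust.
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $sidType = [System.Security.Principal.SecurityIdentifier]
        $result.Sid = $account.Translate($sidType).Value
    } catch {
        # The lookup failed: the name is wrong or the trust path is not usable.
        $result.Error = $_.Exception.Message
    }
    return $result
}

# Placeholder names taken from the article's format examples.
$upn       = Resolve-AccountName 'user@domain.com'
$downLevel = Resolve-AccountName 'Domain\User'

$upn, $downLevel | Select-Object Name, Format, Sid, Error | Format-List

if ($upn.Sid -and ($upn.Sid -eq $downLevel.Sid)) {
    'Both formats resolve to the same account.'
} else {
    'Lookup failed or the two names resolve to different accounts; do not assign permissions yet.'
}
```

If the two names return different SIDs, they refer to different accounts, so confirm which one you intend to grant access to before you add it to an ACL.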

To permit cross-forest interactive logons

To log on to a domain in another forest:

Windows 2000

Log on by entering your credentials in the UPN format, for example, user@domain.com.

Windows XP

Log on by entering your credentials in the UPN format, for example, user@domain.com.

To permit using the UNC format when you enter your credentials, install Windows XP SP2. The UNC format is Domain\User.

To permit cross-forest account lookup operations from Microsoft SharePoint Portal Server 2001

To permit cross-forest account queries from a SharePoint Portal Server 2001 server that is running on Windows 2000 Server, update Windows 2000 Server to Service Pack 4 (SP4) or update SharePoint Portal Server 2001 to SharePoint Portal Server 2001 Service Pack 3 (SP3).


APPLIES TO
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows XP Professional
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

Keywords: 
kbinfo KB816467
