
My knowledge of Active Directory and network setup is limited. In the environment of this example, there are multiple domains under one forest. It has come up that users of Domain A have access to network file shares on Domain B, Domain C, etc.

What causes this cross domain access? I initially thought it was due to the 'Everyone' AD group being assigned access rights to various network shares, but there are instances of access where the 'Everyone' group is not present.

Ultimately, how would you go about securing file access so that Domain A does not have access to the network file shares of another Domain under the Forest? Any insight into what is causing this event or how to better secure access so that cross Domain file access is not possible would be highly appreciated.

Thanks.

JohnSmith
    At a very base level you can have a group specifically for each domain and only put users in that domain in it, then make sure the root level and inherited permissions in each share reflect your domain groups before considering more specific OUs – mael' Jul 17 '19 at 14:04
  • Authenticated Users would also do it – Semicolon Jul 17 '19 at 17:21
    You'll probably need to rephrase your question - because you are essentially asking "how does default AD behavior work?" The Forest is the logical security boundary. There should be no assumption that users in one domain can't access resources in or information about another related domain. For instance (by default) a user from Domain A would be able to log on to a workstation in Domain B. If this is news to you, then what you're looking for (a process to secure related domains from each other) is probably outside the scope of a single question. – Semicolon Jul 17 '19 at 17:25
  • Each domain in the same Forest intrinsically and transitively trusts every other domain in the Forest. – joeqwerty Jul 18 '19 at 01:04

1 Answer


It sounds like you are writing about domain trusts. With a Windows Active Directory Forest, Domain Trusts can be one way (Domain B trusts Domain A) or two way (Domain A and Domain B trust one another). The result of a one way trust is that accounts from the trusted domain can authenticate against the trusting domain’s Domain Controller. You should check the NTFS permissions on the folder in question and see in which domain the user or group in the Access Control List exists.

This blog has some good information which you might find helpful. https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts/

Here is Microsoft’s documentation on trusts. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731335(v=ws.11)

user5870571
  • Thanks for the info, so if I understand correctly the access between Domains is due to them all being under the same forest. So if I wanted to go about securing the network file shares in a manner that only Domain A has access to Domain A's file shares, I would need to add a Group of users for that specific domain as opposed to setting up security for 'Domain Users', 'Authenticated Users', 'Users', etc.? Because if those groups are used, then anyone on the network would authenticate off any Domain Controller in the environment? – JohnSmith Jul 19 '19 at 16:52
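As an added audit example (not part of the answer or the question), the PowerShell below does the check the answer suggests: it reads a folder's NTFS ACL and reports every Allow entry that comes from a forest-wide well-known group or from a principal in a domain other than the one you expect. The `$Path` and `$LocalDomain` values are placeholders you supply.

```powershell
# Added example: audit an NTFS ACL for entries that grant cross-domain access.
# Assumes the folder path and the local domain's NetBIOS name are passed in;
# '\\FILESRV01\Share' and 'DOMAINA' are placeholder values, not from the page.
param(
    [Parameter(Mandatory)] [string] $Path,          # e.g. '\\FILESRV01\Share'
    [Parameter(Mandatory)] [string] $LocalDomain    # e.g. 'DOMAINA'
)

# Groups that every authenticated account in the forest falls into.
# On a domain member server, BUILTIN\Users contains Authenticated Users by default.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

$acl = Get-Acl -Path $Path
foreach ($ace in $acl.Access) {
    # Deny entries never widen access, so only Allow entries are of interest.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $id = $ace.IdentityReference.Value
    $finding = $null

    if ($BroadPrincipals -contains $id) {
        $finding = 'broad group: every forest user matches'
    }
    elseif ($id -match '^([^\\]+)\\(.+)$') {
        # Identity is DOMAIN\name; flag it when DOMAIN is not the local domain.
        $domain = $Matches[1]
        if ($domain -ne $LocalDomain -and $domain -notin @('BUILTIN', 'NT AUTHORITY')) {
            $finding = "principal from foreign domain '$domain'"
        }
    }

    if ($finding) {
        [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
}
```

Share-level permissions are a separate layer from NTFS; on the file server itself `Get-SmbShareAccess -Name <share>` lists them and can be checked against the same principal list.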