Does AD one-way trust demand admin privileges on both domains?

Say I'm domain admin for domain A, and I want to give a user from domain B access to stuff on domain A, which they can reach by VPN. From what I understand that can be done by setting up a trust, but does it require being admin on both domains?

1 Answer

The only permission you require for an incoming trust is to be a member of the Incoming Forest Trust Builders group.
This can also be achieved through the higher permissions groups of Enterprise Admins or Domain Admins in the forest root domain.

For the outgoing trust you need to have one of either Enterprise Admins or Domain Admins in the forest root domain.

So to recap, the trusting domain requires more permissions than the trusted domain, but the easiest way to do this is to use either Enterprise or Domain admins on both sides.

The "Create a forest trust" KB gives a bit of information on the subject.

Reaces
  • Ok, does that apply to one-way trusts too? And does the other domain have to be added on both sides? Too bad the KB articles don't mention requirements. – suleimanforever Nov 16 '15 at 12:22
  • @suleimanforever Even for one way trusts, the incoming trust and the outgoing trust both need to be established with the required permissions. – Reaces Nov 16 '15 at 12:23
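
A pre-flight check for the group memberships the answer lists, as an added example that is not part of the original answer or comments. It assumes the RSAT ActiveDirectory module is installed; the function name `Test-TrustCreationRights` is hypothetical, and the groups are resolved by their well-known SIDs in the forest root domain.

```powershell
# Added example: checks the group memberships named in the answer above.
# Assumes the RSAT ActiveDirectory module; Test-TrustCreationRights is a hypothetical name.
Import-Module ActiveDirectory

function Test-TrustCreationRights {
    param(
        [string]$SamAccountName = $env:USERNAME,
        [string]$UserDomain     = $env:USERDNSDOMAIN
    )

    # The answer scopes the admin groups to the forest root domain, so resolve it first.
    $root    = (Get-ADForest -Server $UserDomain).RootDomain
    $rootSid = (Get-ADDomain -Identity $root -Server $root).DomainSID.Value
    $userSid = (Get-ADUser -Identity $SamAccountName -Server $UserDomain).SID.Value

    # Well-known SIDs/RIDs, so renamed or localized group names do not matter.
    $groups = [ordered]@{
        'Incoming Forest Trust Builders' = 'S-1-5-32-557'
        'Domain Admins (forest root)'    = "$rootSid-512"
        'Enterprise Admins'              = "$rootSid-519"
    }

    $isMember = [ordered]@{}
    foreach ($name in $groups.Keys) {
        # -Recursive also catches membership through nested groups.
        $memberSids = @(Get-ADGroupMember -Identity $groups[$name] -Server $root -Recursive |
            ForEach-Object { $_.SID.Value })
        $isMember[$name] = $memberSids -contains $userSid
    }

    # Mapping of groups to trust direction follows the answer's description.
    $admin = $isMember['Domain Admins (forest root)'] -or $isMember['Enterprise Admins']
    [pscustomobject]@{
        User               = "$UserDomain\$SamAccountName"
        ForestRoot         = $root
        Memberships        = $isMember
        IncomingTrustRight = $admin -or $isMember['Incoming Forest Trust Builders']
        OutgoingTrustRight = $admin
    }
}

Test-TrustCreationRights
```

Run it once on each side of the planned trust, with an account from that side's forest, since each side is checked against its own forest root domain.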