
I have set up a two-way transitive forest trust between two domains (Domain A & Domain B) successfully. Now when I try to RDP as a user in domain A (admin@domainA.com) into domain B, it is connecting but displaying an error message stating "the connection was denied because the author is not authorized to perform remote login". How can I overcome this? I'm unable to add other domain users to the remote login group too, as other domain users are not even listed. What am I missing here?

UPDATE:

Here is a screenshot of locations when I try to add users to the RDP group.

Here is a screenshot of locations when I try to give permissions to a file in domain B.

vishal
  • Is the domainA admin in the computer's (in domB) admin or rdp groups? By default only the domain admin group for that domain gets added (so would only be DomB admins in the admin group on the computer). You would need to add DomA admins into comp-in-domB admin or rdp group. (There are other ways but this should test the trust.) – Smock Oct 14 '19 at 12:43
  • @Smock Nope. That's exactly what I want to do here but I don't know how to add them, because other domain user names are not even listed when I try to add them to the rdp group. – vishal Oct 14 '19 at 12:45
  • In the 'Select users, computers, service ...etc' box can you click 'Location' and choose the other domain? – Smock Oct 14 '19 at 12:55
  • @Smock Exactly, in the locations the other domain is not displayed at all. However, when I try to give access to files the other domain is displayed in the locations. I'll add the respective screenshots to the question now. – vishal Oct 14 '19 at 13:01
  • @Smock Have edited the question now. Why is this happening? Have you encountered this before? – vishal Oct 14 '19 at 13:07
  • Ahh, so you can't see the other forests when trying to add the users. Hmm not sure if that's a limitation or a setup issue sorry :( – Smock Oct 14 '19 at 13:23

1 Answer

OK, I've found a way to overcome this. First, the reason why the other domain didn't get listed is that I was trying to add the user to the "Domain Admins" group, whose scope was set as "Global".

So in order to let the other domain's user log in, we have to add the user to the built-in groups (e.g. Administrators, Remote Desktop Users, etc.). These groups have their scope set to "Domain Local" and hence other domains are also displayed under locations. I was able to log in once I added the user to the Administrators group. (Remote Desktop Users group alone was not enough for whatever reasons and I'm not sure why.)

vishal
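The fix described in the answer above, scripted with the ActiveDirectory PowerShell module (an added example, not part of the original post). The function name is hypothetical and the domain, user and group values are placeholders taken from the question; it assumes the RSAT ActiveDirectory module and rights to modify groups in domain B.

```powershell
Import-Module ActiveDirectory

function Add-TrustedUserToLocalGroup {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $UserName,        # account in the trusted forest
        [Parameter(Mandatory)] [string] $TrustedDomain,   # e.g. domain A
        [Parameter(Mandatory)] [string] $ResourceDomain,  # e.g. domain B
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Read the target group from the resource domain and check its scope first.
    $group = Get-ADGroup -Identity $GroupName -Server $ResourceDomain

    # Only Domain Local groups can hold members from another forest.
    # Global groups (such as Domain Admins) accept members of their own domain only.
    if ($group.GroupScope -ne 'DomainLocal') {
        throw "'$GroupName' has scope '$($group.GroupScope)'; use a Domain Local group instead."
    }

    # Resolve the user against its own domain, then add the object to the group.
    $user = Get-ADUser -Identity $UserName -Server $TrustedDomain
    Add-ADGroupMember -Identity $group -Members $user -Server $ResourceDomain

    # Return the member DNs so the change can be reviewed. A cross-forest member
    # is listed by SID under CN=ForeignSecurityPrincipals in the resource domain.
    (Get-ADGroup -Identity $group -Server $ResourceDomain -Properties member).member
}

# Placeholder values from the question; 'Administrators' is the group the answer reports using.
Add-TrustedUserToLocalGroup -UserName 'admin' -TrustedDomain 'domainA.com' `
    -ResourceDomain 'domainB.com' -GroupName 'Administrators'
```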