Problem solve Get help with specific problems with your technologies, process and projects.

Granting access to resources in a multiple domain environment

We have four servers with Windows Server 2003. In every server there is a domain with Exchange Server 2003. The main domain is in the CITY and every domain has the server address,,, When one user logs into other servers or finds any resources in other servers, a message appears that they have no privileges for this resource. We revised the DNS in every server and applied Microsoft patches, but the problem persists. What can we do to resolve this?

One thing I'm not clear on is whether you have multiple domains. It appears that you do and I'm going to work on that assumption as it fits with what I think is likely happening. A common misconception with Windows domains is that if trusts exist between domains, users can access any resources, any where. This is commonly due to an expectation that comes from a single domain environment.

In a single domain environment, all users are by default a member of the Domain Users group which is in turn automatically a member of the local Users group. This allows all users to access all resources (by default) with out much effort. This is not the case in a multiple domain environment however. No "automatic" group memberships occur between domains. Consequently, you have to explicitly grant access to resources for users in members of another domain.

So, let's say you have DOMAIN1 and DOMAIN2 and you want users in DOMAIN1 to access resources on SERVER1 in DOMAIN2.

  1. You need to create a Global Security Group in DOMAIN1 and add the users that should have access to the resources on SERVER1 to it.
  2. Next, on SERVER1 create a local group that has the appropriate rights to the resources in question.
  3. Finally, make the Global Security Group from step 1 a member of the local group from step 2. Have the users logoff and then log back on again and they should be able to access the resources.

Dig Deeper on User passwords and network permissions