SharePoint and configuration of trusted relationship between two forests

active-directory domain-controller sharepoint sharepoint-2010

In our organization, we have two Active Directory forests, A and B, without any trust relationship between them. Now, we need to have a SharePoint 2010 installation which allows users from both domains to log in.

IT says that a trusted relationship between two forests is a breach of security, as it can't provide data/service isolation. Is this correct? Is it possible to configure this without a trusted relationship between two forests?

Best Answer

Creating a trust relationship gives you the possibility of authorizing and/or denying access to users and groups from the new domain. A trust relationship does not guarantee access to anything for anyone in the new domain.

Keep in mind that the built-in "Authenticated Users" and "Everyone" groups do include users from other trusted domains, whereas "Domain Users" does not. If your network permissions were set up correctly in the first place, this will not present any problems.

If you or your IT colleagues have any doubts at all, set up a test account on the trusted domain and use it to verify that access is denied wherever you expect it to be denied.
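The check described in the answer above can be complemented by auditing existing permissions for the two groups it names. The following PowerShell function is an added example, not part of the original answer: it lists Allow entries granted to "Everyone" or "Authenticated Users" on a folder tree. It assumes NTFS file system ACLs and PowerShell 3.0 or later; the function name and the path in the usage line are hypothetical, and SharePoint site permissions are not covered.

```powershell
# Added example: list Allow ACEs granted to Everyone or Authenticated Users.
# Both groups include accounts from trusted domains, so these are the entries
# to review before a forest trust is created.
function Find-BroadAllowAce {
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder to audit, supplied by the caller
        [switch] $Recurse
    )

    # Well-known SIDs; matching on SID avoids localized or renamed group names.
    $broad = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-11' = 'Authenticated Users'
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $broad[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed usage: D:\Shares\Finance is a placeholder path.
Find-BroadAllowAce -Path 'D:\Shares\Finance' -Recurse | Format-Table -AutoSize
```

Rows with `Inherited` set to False are where the grant was made directly, so those are the folders whose permissions would need to change.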