Does AD one-way trust demand admin privileges on both domains?
Say I'm domain admin for domain A, and I want to give a user from domain B access to stuff on domain A, which they can reach by VPN. From what I understand that can be done by setting up a trust, but does it require being admin on both domains?
Best Answer
The only permissions you require for incoming trust is to be a member of the Incoming Forest Trust Builders. This can also be achieved through the higher permissions groups of Enterprise Admins or Domain Admins in the forest root domain.

For the outgoing trust you need to have one of either Enterprise Admins or Domain Admins in the forest root domain.

So to recap, the trusting domain requires more permissions than the trusted domain, but the easiest way to do this is to use either Enterprise or Domain admins on both sides.

The "Create a forest trust" KB gives a bit of information on the subject.
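
A pre-flight check for the group requirements in the answer above, as an added example that is not part of the original post: it reads captured `whoami /groups /fo csv` output and reports which side of the trust that logon token could create. The function names, the sample tokens and the domain SIDs are constructed for illustration; the SID `S-1-5-32-557` and the RIDs 512 and 519 are Windows well-known values rather than values from the page, and English-language `whoami` column headers are assumed.

```python
import csv
import io

# Well-known values fixed by Windows (not taken from the page).
INCOMING_FOREST_TRUST_BUILDERS = "S-1-5-32-557"  # BUILTIN alias
RID_DOMAIN_ADMINS, RID_ENTERPRISE_ADMINS = 512, 519


def active_sids(whoami_csv):
    """Return the SIDs from `whoami /groups /fo csv` that are active in the token.

    Deny-only entries are skipped: they only match deny ACEs and never grant access.
    """
    rows = csv.DictReader(io.StringIO(whoami_csv.strip()))
    return {r["SID"] for r in rows if "deny only" not in r["Attributes"].lower()}


def trust_rights(whoami_csv, forest_root_sid):
    """Map a token to the trust directions the answer says it may create."""
    sids = active_sids(whoami_csv)
    # Only Domain Admins / Enterprise Admins of the forest ROOT domain count.
    root_admin = any(
        f"{forest_root_sid}-{rid}" in sids
        for rid in (RID_DOMAIN_ADMINS, RID_ENTERPRISE_ADMINS)
    )
    return {
        "incoming": root_admin or INCOMING_FOREST_TRUST_BUILDERS in sids,
        "outgoing": root_admin,
    }


# Constructed sample data: the domain SIDs and group rows below are made up.
ROOT_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CHILD_SID = "S-1-5-21-4444444444-5555555555-6666666666"
HEADER = '"Group Name","Type","SID","Attributes"\n'
ENABLED = "Mandatory group, Enabled by default, Enabled group"
BUILDER_TOKEN = HEADER + (
    f'"BUILTIN\\Incoming Forest Trust Builders","Alias","S-1-5-32-557","{ENABLED}"\n'
    f'"CHILD\\Domain Admins","Group","{CHILD_SID}-512","{ENABLED}"\n'
)
FILTERED_ADMIN_TOKEN = HEADER + (
    f'"ROOT\\Domain Admins","Group","{ROOT_SID}-512","Group used for deny only"\n'
)
ROOT_ADMIN_TOKEN = HEADER + f'"ROOT\\Enterprise Admins","Group","{ROOT_SID}-519","{ENABLED}"\n'

if __name__ == "__main__":
    for name in ("BUILDER_TOKEN", "FILTERED_ADMIN_TOKEN", "ROOT_ADMIN_TOKEN"):
        print(name, trust_rights(globals()[name], ROOT_SID))
```

The child-domain Domain Admins entry in the first sample does not count toward either direction, because its domain SID is not the forest root's.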