Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Recommended methods to permit account lookups and interactive logons across forests


When you implement a forest trust between your Windows Server 2003 forests instead of using an external trust as you might have in earlier versions of Windows, user authentication for access to resources and for the assignment of permissions is performed differently. This article describes the methods that you can use to make sure that the cross-forest authentication is successful.

More information

To permit cross-forest account lookup operations for the purpose of setting permissions

Use the following methods to add users from other forests to access control lists (ACLs) and share permissions.

Microsoft Windows 2000

To perform these operations on Windows 2000-based computers:
  • Use the Xcacls.exe command-line utility to assign share permissions.
  • Assign the share permissions by using a Windows XP-based computer.
  • Use the Net.exe command to add users in other forests to local groups on the Windows 2000-based computer.
  • Use a Windows XP-based computer to open the Local Users and Groups Microsoft Management Console (MMC) snap-in of the Windows 2000-based computer, and then add the users from the remote forest to the local users and groups of the Windows 2000-based computer.
To permit looking up users in a cross-forest topology, install Windows 2000 Service Pack 4 (SP4).

Keywords: KB816467, kbinfo

Article Info
Article ID : 816467
Revision : 5
Created on : 9/11/2008
Published on : 9/11/2008
Exists online : False