Could someone explain to me the access token creation process for a user with two AD forests (2003 - 2008R2) that are joined by a forest trust.
Domain and Forest functional levels are 2003 native and 2008 R2 respectively.
http://technet.microsoft.com/en-us/library/cc780455(v=ws.10).aspx
As I understood from the link above (not only from there), when a user logs on to a domain-joined computer the LSA subsystem constructs the user’s access token by virtue of netlogon.dll, which communicates with localDC+GC+ForestRootDC to get:
- user’s own SID;
- user’s SIDhistory attribute, if any
- SIDs of all the groups that the user is a member of (global, universal, domain local, computer local) along with their SIDs, if any
- well-known groups’ SIDs (depending on access type)
- privileges and other pieces
If I add a user (DOM1\User1) from one forest to a “domain local” group of the second forest (DOM2\DL-Group2) (for assigning permissions to resources in DOM2), this will lead to ForeignSecurityPrincipals object creation in the second forest, DOM2.
This foreign object will be seen as part of a particular DOM2\DL-Group2 group and vice versa.
The question is the following:
How do “LSA + netlogon.dll + something else (WHAT?)” know that the user is a member of some group in a different AD forest, so as to include the SID of that group in the user’s access token?
Could someone provide me with the detailed mechanisms and processes that take place and cover inter-forest resource access in conjunction with cross-forest access token creation?
1. When DOM1\User1 logs on to DOM1\PC1 and accesses resources in the foreign forest
2. When DOM1\User1 logs on to DOM2\PC2 and accesses resources in the foreign forest
Any help is appreciated!
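One practical way to see what actually ended up in the token for the two scenarios above is to enumerate the group SIDs of the current logon session on PC1 and on PC2 and sort them by the domain that issued each SID. This is an added example, not code from the original post; the "own domain / other domain / well-known" classification is a constructed heuristic based on the SID's domain prefix, not a Windows API category.

```powershell
# Added example: list the group SIDs in the current logon token and classify
# each one by the domain SID that issued it, so groups from the user's own
# domain can be told apart from groups contributed by a trusted domain/forest.
# Run it in the logon session of the user you are examining (e.g. DOM1\User1
# on DOM1\PC1, then again on DOM2\PC2) and compare the two listings.

$identity      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userSid       = $identity.User
$userDomainSid = $userSid.AccountDomainSid   # domain part of the user's own SID

# Constructed heuristic: compare each group SID's domain prefix with the user's.
# Caveat: a SID carried in from SIDHistory also has a "foreign" domain prefix,
# so this alone cannot distinguish SIDHistory entries from trusted-forest groups.
function Get-SidOrigin {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($null -eq $Sid.AccountDomainSid) { return 'well-known/builtin/local' }
    if ($Sid.AccountDomainSid -eq $userDomainSid) { return 'own domain' }
    return 'other domain/forest (or SIDHistory)'
}

$rows = foreach ($group in $identity.Groups) {
    $name = try {
        $group.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolvable>'   # e.g. a foreign SID the local machine cannot translate
    }
    [pscustomobject]@{
        Origin = Get-SidOrigin -Sid $group
        Name   = $name
        Sid    = $group.Value
    }
}

"Token for $($identity.Name) (user SID $($userSid.Value)):"
$rows | Sort-Object Origin, Name | Format-Table -AutoSize
```

Entries in the "other domain/forest" bucket that resolve to DOM2\ names are the ones the question is about; comparing the output from PC1 with the output from PC2 shows which of them are only present when the logon itself happens in DOM2.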