Forum Discussion

Jens Otto Hatlevold

Copper Contributor

Aug 22, 2019

Check user permissions for users in trusted domains

I have identified a change in how SharePoint handles the Check Permissions functionality from SharePoint 2013 to SharePoint 2016/2019. If you have users in domain A, and a SharePoint farm and securit...

sharepoint server

MVP

Aug 22, 2019

Is this cross forest? Adding users in a cross forest scenario to a security group in the remote forest has never worked as the users are added to the remote forest as a foreign security principal which SharePoint cannot resolve.

Jens Otto Hatlevold
Copper Contributor
Aug 22, 2019
Trevor SewardYes, it's cross forest. ~~It works in SharePoint 2013 if the People Picker properties SidHistorySafeMode and UseGlobalCatalog both are set to false (which is the default value).~~
It works in SharePoint 2013 because principal.GetAuthorizationGroups() is always called when getting the token groups.
The users are in the remote domain, and groups are in the local domain where SharePoint is installed.
- Matz Höög
  Copper Contributor
  Mar 25, 2021
  Jens Otto Hatlevold Did you get any more clarity in this?
  
  We have a 2016-farm (connected to Domain A) and users in Domain B-AD groups do not get access unless they click "Sign Out" on their user top right corner. The AD groups from Domain B are added as Edit-permission in SharePoint Permission Groups.
  
  Domain A and Domain B has two-way trust between them.
  
  UP sync works for settings against Domain B.
  - Jens Otto Hatlevold
    Copper Contributor
    Mar 29, 2021
    Matz Höög No, the company I worked for had plans for migrating into a new domain removing every domain trust that they had. After this was completed not long ago we did not have this issue anymore as all users, groups and SharePoint is now in the same domain.

Resources