What's new in Active Directory
Event Ended
Tuesday, Nov 28, 2023, 10:00 AM PST
Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, se...
Char_Cheesman
Updated Dec 27, 2024
Nannnu
Nov 28, 2023, Copper Contributor
When the PDC is moved to the new 2025 (vNext DC), a new group, "Forest Trust Accounts", is created. Any special reason for this group or anything we should be aware of?
canix1
Nov 29, 2023, Copper Contributor
Could it be to protect the "Forest Trust Accounts" from authenticating as a normal user and allow for access over a one-way trust?
Like the scenario that you could fix by using an Authentication Policy. See https://managedpriv.com/blog/securing-the-forest-boundary/
Lindakup
Nov 29, 2023, Microsoft
Robin is correct, this is part of a security improvement for trusts. There are actually 2 new groups related to trusts - External Trust Accounts and Forest Trust Accounts. These are set as the primary group for the corresponding trust account as a protection mechanism for trusts. These groups operate in the same way as other well-known groups - like 'Domain Controllers', for example - in the sense that membership is a result of the primaryGroupId attribute. Note that these don't apply to intra-forest trusts. They are for external and forest trusts respectively and should be left alone. This was not part of the session because this session covered 'some' of the features and improvements - not all. There was just not enough time to cover everything in the 25 mins we had, and there is work that has also not made it to insider preview. So you may see other new things we did not yet mention as time goes along, and we intend to document it all before the final release.
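An added example, not part of the thread and not Microsoft's code: a read-only audit that lists each inter-domain trust account with the group its primaryGroupID resolves to, so a drift away from the two new groups is visible. It assumes the ActiveDirectory RSAT module and that the groups carry exactly the names quoted above; the output property names are illustrative.

```powershell
# Added example: report the primary group of every trust account in the
# current domain. Read-only; changes nothing.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Resolve the RID of each new group (names taken from the thread; assumed
# to match the group Name attribute in this domain).
$trustGroups = @{}
foreach ($name in 'Forest Trust Accounts', 'External Trust Accounts') {
    $g = Get-ADGroup -Filter "Name -eq '$name'"
    if ($g) {
        $rid = [int](($g.SID.Value -split '-')[-1])
        $trustGroups[$rid] = $g.Name
    } else {
        Write-Warning "Group '$name' not found in this domain"
    }
}

# Trust accounts are user objects with the INTERDOMAIN_TRUST_ACCOUNT
# flag (0x800 = 2048) set in userAccountControl.
$filter = '(userAccountControl:1.2.840.113556.1.4.803:=2048)'

Get-ADUser -LDAPFilter $filter -Properties primaryGroupID, whenChanged |
    ForEach-Object {
        $rid = [int]$_.primaryGroupID
        if ($trustGroups.ContainsKey($rid)) {
            $groupName = $trustGroups[$rid]
        } else {
            # Primary group is something else: resolve it by SID for the report.
            $pg = Get-ADGroup -Identity "$domainSid-$rid" -ErrorAction SilentlyContinue
            $groupName = if ($pg) { $pg.Name } else { "<unresolved RID $rid>" }
        }
        [pscustomobject]@{
            TrustAccount     = $_.SamAccountName
            PrimaryGroupRid  = $rid
            PrimaryGroup     = $groupName
            InNewTrustGroup  = $trustGroups.ContainsKey($rid)
            WhenChanged      = $_.whenChanged
        }
    } | Sort-Object InNewTrustGroup, TrustAccount | Format-Table -AutoSize
```

Accounts for intra-forest trusts are expected to show `InNewTrustGroup = False`, since the reply states the groups do not apply to them.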