What's new in Active Directory
Event Ended
Tuesday, Nov 28, 2023, 10:00 AM PST
Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, se...
Char_Cheesman
Updated Dec 27, 2024
canix1
Nov 29, 2023 | Copper Contributor
Could it be to protect the "Forest Trust Accounts" from authenticating as a normal user and allow for access over a one-way trust?
Like the scenario that you could fix by using an Authentication Policy. See https://managedpriv.com/blog/securing-the-forest-boundary/
Lindakup
Nov 29, 2023 | Microsoft
Robin is correct, this is part of a security improvement for trusts. There are actually 2 new groups related to trusts: External Trust Accounts and Forest Trust Accounts. These are set as the primary group for the corresponding trust account as a protection mechanism for trusts.
These groups operate in the same way as other well-known groups, like 'Domain Controllers' for example, in the sense that membership is a result of the primaryGroupId attribute.
Note that these don't apply to intra-forest trusts. They are for external and forest trusts respectively and should be left alone.
This was not part of the session because this session covered 'some' of the features and improvements, not all. There was just not enough time to cover everything in the 25 minutes we had, and there is work that has also not made it to insider preview. So you may see other new things we did not yet mention as time goes along, and we intend to document it all before the final release.
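An added example, not part of the thread and not Microsoft's code: because membership in these groups comes from primaryGroupId rather than the group's `member` attribute, an audit has to derive the primary group SID for each trust account. The domain SID, account names and the RID 9001 are constructed placeholders, not the real identifiers of the new groups.

```python
import struct

UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800  # userAccountControl bit set on trust accounts

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid, as LDAP returns it, into S-1-5-21-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(account: dict) -> str:
    """Domain part of the account's SID with primaryGroupID as the final RID."""
    domain_sid = sid_to_str(account["objectSid"]).rsplit("-", 1)[0]
    return f"{domain_sid}-{account['primaryGroupID']}"

def primary_group_members(group_sid: str, accounts: list) -> list:
    """Accounts that belong to the group only through primaryGroupID."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if primary_group_sid(a) == group_sid)

def trust_accounts_outside(accounts: list, expected_group_sids: set) -> list:
    """Trust accounts whose primary group is not one of the expected groups."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_INTERDOMAIN_TRUST_ACCOUNT
                  and primary_group_sid(a) not in expected_group_sids)

# --- Constructed sample data (not from a real directory) ---
DOMAIN = (21, 1111111111, 2222222222, 3333333333)

def make_sid(rid: int) -> bytes:
    """Build a binary SID in the constructed domain: revision 1, five sub-authorities."""
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", *DOMAIN, rid)

DOMAIN_SID = "S-1-5-" + "-".join(map(str, DOMAIN))
FOREST_TRUST_GROUP = {"name": "Forest Trust Accounts",
                      "objectSid": f"{DOMAIN_SID}-9001",  # placeholder RID (assumption)
                      "member": []}  # primary-group members are not listed here
ACCOUNTS = [
    {"sAMAccountName": "PARTNER$", "objectSid": make_sid(1105),
     "userAccountControl": 0x0820, "primaryGroupID": 9001},
    {"sAMAccountName": "OLDTRUST$", "objectSid": make_sid(1106),
     "userAccountControl": 0x0820, "primaryGroupID": 513},
    {"sAMAccountName": "alice", "objectSid": make_sid(1107),
     "userAccountControl": 0x0200, "primaryGroupID": 513},
]

if __name__ == "__main__":
    print(primary_group_members(FOREST_TRUST_GROUP["objectSid"], ACCOUNTS))
    print(trust_accounts_outside(ACCOUNTS, {FOREST_TRUST_GROUP["objectSid"]}))
```

In a real directory the group SIDs would be read from the group objects themselves rather than hard-coded.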