Questions: Trust and Domain Local group with respect to access token

Hello IT Engineers,

Scenario 1: A trust relationship is a link that is established between domains to enable users in one domain to be authenticated by a domain controller in the other domain. Trust relationships are authentication pipelines that must be present so that users in one domain can be authorized for access to resources in another domain.

Suppose there are 2 domains, Domain A and Domain B. Domain A is the trusting domain and Domain B is the trusted domain. It means users in Domain B can access resources in Domain A. Before accessing resources, users in Domain B must be authenticated by Domain A. According to the above definition, Domain B users must be authenticated by a Domain Controller in Domain A.

Question 1: How does authentication of Domain B users take place by a Domain Controller in Domain A, as the user accounts of Domain B users do not reside in the Domain Controller of Domain A? How exactly does that authentication happen with respect to the trust? How exactly is a trusted domain user able to access resources in the trusting domain? Is it because of group membership in the trusting domain, OR is this because of adding trusted domain security principals to ACLs in the trusting domain?

Scenario 2: Suppose a user is added to a Global group and that Global group is nested inside a Domain Local group. The Domain Local group is applied in the resource ACL. The server containing the resource and the user account both reside in the same domain. If the user logs in to a workstation joined to the same domain as the server's domain and tries to access the resource, then the initial access token will include the SID of the Domain Local group of the server's domain, as the server's domain and the workstation's domain are the same.

Question 2: While trying to access the resource on the server (same domain as the workstation and user), is a new access token generated by the server as well, and is access possible because of the new access token having the SID of the Domain Local group of the server's domain? OR is access possible because of the initial token (after logging in to the workstation) having the SID of the Domain Local group of the server's domain (since the workstation and server are both in the same domain)?

Please provide specific answers and explain. 
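A way to check Scenario 2 for yourself, as an added example that is not part of the original post: a file server never reuses the workstation's interactive token. When the client connects, the server performs its own network logon (Kerberos service ticket or NTLM pass-through) and LSA on the server builds a fresh token for that logon session; the ACL on the share is then evaluated against that token. The script below shows both tokens side by side and filters them down to Domain Local groups, and also lists the trust direction for Scenario 1. It assumes the RSAT ActiveDirectory module on the workstation, WinRM enabled on the server, and the hypothetical server name passed as `$Server`; nothing here is from the original page.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module,
# WinRM enabled on $Server, and that the caller has "Allow log on" rights there.
param(
    [Parameter(Mandatory)] [string]$Server   # hypothetical resource server, e.g. 'FS01'
)

Import-Module ActiveDirectory

# Scenario 1: which domains trust this one, and in which direction.
# Direction 'Inbound' means the remote domain is trusted by ours (its users come here);
# 'Outbound' means our domain trusts the remote one (our users go there).
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive

# Keep only the SIDs in a token that resolve to Domain Local groups in AD.
function Get-DomainLocalGroupsInToken {
    param([string[]]$GroupSids)
    foreach ($sid in $GroupSids) {
        try {
            $g = Get-ADGroup -Identity $sid -Properties GroupScope -ErrorAction Stop
            if ($g.GroupScope -eq 'DomainLocal') { $g.Name }
        } catch {
            # Well-known and machine-local SIDs (BUILTIN\Users, NT AUTHORITY\...) are not
            # AD group objects; they are skipped on purpose.
        }
    }
}

# Scenario 2, step 1: the interactive token on the workstation.
$localSids    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
$localLogonId = (whoami /logonid)
$localDL      = Get-DomainLocalGroupsInToken -GroupSids $localSids

# Scenario 2, step 2: the token the server builds for the same user's network logon.
# The script block runs under the logon session the server created for this connection,
# so the groups it reports are the ones the server's ACL checks actually see.
$remote = Invoke-Command -ComputerName $Server -ScriptBlock {
    [pscustomobject]@{
        LogonId = (whoami /logonid)
        Sids    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
    }
}
$remoteDL = Get-DomainLocalGroupsInToken -GroupSids $remote.Sids

"Workstation logon session : $localLogonId"
"Server logon session      : $($remote.LogonId)"
"Domain Local groups in workstation token : $($localDL -join ', ')"
"Domain Local groups in token built by $Server : $($remoteDL -join ', ')"

# Groups present on one side only are the interesting ones (e.g. a Domain Local group
# nested through a Global group that was changed after the interactive logon, or a
# Domain Local group from a trusting resource domain that only appears server-side).
Compare-Object -ReferenceObject @($localDL) -DifferenceObject @($remoteDL) -IncludeEqual
```

The two logon IDs are always distinct because they belong to different logon sessions on different machines; what matters for the question is which Domain Local group SIDs appear in the server-side list. Adding the user to a new Domain Local group and re-running the script without logging off the workstation shows the split directly: the workstation token is fixed at interactive logon time, while the server-side token reflects the membership current at the time of the network logon (subject to the lifetime of an already cached service ticket).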