Adding Users or Groups from a Trusted Forest

In most cases, when you create a profile for a user or group in a zone, the Active Directory account already exists in the local Active Directory forest. You can, however, also add profiles for remote users and groups to a zone without adding them to the local forest. If you have established a one-way or two-way trust relationship with a remote or external Active Directory forest, you can add users and groups from that forest to a selected Delinea zone.

You add remote or external users and groups to the zone in the same way you add profiles for local Active Directory users and groups except that you must select the remote forest or domain before searching for the user or group account. For example, at Step 4 of the procedure To create a group profile for an Active Directory group using Access Manager, click Browse to select a trusted external forest or a specific domain in the trusted forest.

If you have defined a one-way or two-way trust between a local forest (wonder.land) and a remote forest (w2k3r2.dev), you can select the remote forest in the Browse for container dialog box to add groups from that forest (w2k3r2.dev) to the currently selected zone.

Add groups from the forest

If you use attribute variables to define any part of the user profile, keep in mind that the Delinea Agent cannot directly read any of the attributes for a user from a one-way trusted forest. The agent can retrieve the userPrincipalName and sAMAccountName from the zone profile for the user. However, the agent cannot retrieve other user attributes. If the agent cannot resolve a variable in the user profile, the agent leaves the attribute value undefined. For example, if you use the displayName variable to define the GECOS attribute, that attribute will be undefined for all users from an external forest with a one-way trust.

Identifying users from remote forests

You can identify the Active Directory users who have been added from a remote or external forest by checking the icon displayed in the Access Manager console. If a user is added from a remote or external forest, the user name displays the following icon:

Remote or external forest

Valid login names for users from a remote forest

If you add users from an external forest to a zone, you should be aware that those users can only log on or be identified using the following information:

  • A valid UNIX profile name that has a complete set of profile attributes.

  • The full Active Directory user name including the user’s external forest domain name.

When users are defined in the local forest, they can be located in Active Directory by their UNIX profile name, by their userPrincipalName, or by their sAMAccountName, either as the user logon name alone or in the form domainname\username. Any of these login name formats can therefore be used to look up user information or to log on to a Delinea-managed computer.

To identify a user from a trusted external forest, however, you must use either the user’s UNIX profile name for the zone or the user’s sAMAccountName followed by the user’s external domain name in the form of sAMAccountName@domainname. Using the UNIX profile name or the sAMAccountName@domainname ensures the name is unique when there are cross-forest trust relationships. For example, if an Active Directory user from a trusted external forest (sierra.org) has the Active Directory logon name of sofia.perez and a UNIX profile name of sofiapz, the user can be identified using:

  • sofia.perez@sierra.org

  • sofiapz

You cannot use sierra\sofia.perez, or sofia.perez without the domain, to retrieve information about or authenticate a user from a remote forest. In addition, the userPrincipalName (username@domainname) for any user might be different from the sAMAccountName@domainname. For example, if you use alternate UPN suffixes, the domain name used in the userPrincipalName might be different from the domain name that uniquely identifies the user. Similarly, a user’s logon name (sAMAccountName) might be different from the user name used in the userPrincipalName. For example, if the Active Directory user sofia.perez@sierra.org has a user logon name of SIERRA\perez.s, that user would be found as perez.s@sierra.org.
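The following Python is an added illustration, not part of the Delinea documentation or agent: it models the login-name rules above for a zone holding one local-forest user and one user from a one-way trusted forest whose userPrincipalName differs from sAMAccountName@domainname. The ZoneProfile class, the resolve_login function and the sample accounts are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ZoneProfile:
    """A zone profile as the agent would see it (constructed for this example)."""
    unix_name: str       # UNIX profile name defined in the zone
    sam_account: str     # sAMAccountName (user logon name)
    domain: str          # DNS name of the account's Active Directory domain
    netbios: str         # NetBIOS name of that domain
    upn: str             # userPrincipalName; may use an alternate UPN suffix
    remote_forest: bool  # True if the account lives in a trusted external forest


def resolve_login(name: str, profiles: List[ZoneProfile]) -> Optional[ZoneProfile]:
    """Return the profile a login name identifies, or None if the form is not valid.

    Local-forest users: UNIX name, UPN, sAMAccountName, or NETBIOS\\sAMAccountName.
    Remote-forest users: only UNIX name or sAMAccountName@domainname.
    """
    wanted = name.lower()
    for p in profiles:
        # Accepted for every user, local or remote.
        if wanted == p.unix_name.lower():
            return p
        if wanted == f"{p.sam_account}@{p.domain}".lower():
            return p
        if p.remote_forest:
            # Bare logon name, NETBIOS\name and the UPN are not usable for
            # users from an external forest, so nothing else can match here.
            continue
        if wanted in (p.upn.lower(), p.sam_account.lower(),
                      f"{p.netbios}\\{p.sam_account}".lower()):
            return p
    return None


# Constructed sample zone: one local-forest user and one user from a
# one-way trusted forest whose UPN differs from sAMAccountName@domainname.
PROFILES = [
    ZoneProfile("alice", "alice", "wonder.land", "WONDER", "alice@wonder.land", False),
    ZoneProfile("sofiapz", "perez.s", "sierra.org", "SIERRA", "sofia.perez@sierra.org", True),
]

if __name__ == "__main__":
    for attempt in ("sofiapz", "perez.s@sierra.org", "sofia.perez@sierra.org",
                    "SIERRA\\perez.s", "perez.s", "WONDER\\alice", "alice@wonder.land"):
        hit = resolve_login(attempt, PROFILES)
        print(f"{attempt:28} -> {hit.unix_name if hit else 'not resolvable'}")
```

Running the block shows the remote user resolving only through sofiapz and perez.s@sierra.org, while the NetBIOS form, the bare logon name and the alternate-suffix UPN fall through to "not resolvable".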